
Home Search Assistant...

Discussion in 'Software Apps' started by mhopeck, Aug 3, 2004.

  1. RealBlackStuff Newcomer, in training Posts: 8,165

  2. tiredofthiscrap Newcomer, in training

    Hsa

    I am not a computer geek, and digging in to remove files is kind of scary to me. I read threads concerning this parasite. I did find the HijackThis program and read how to just run a scan and save a log, but it would not upload. I then tried to turn it into a .txt file so it would upload. I guess it was not the correct way to do it. I suppose I should just format. I was so hoping I would not have to do that and lose all my files. If you do have the patience to explain how to turn the HijackThis file into an uploadable file I can try again. Another question I have is do I check the box of the file I want to get rid of or are the checked boxes the ones I don't want to delete? Thank you for taking the time to respond to my post, I can see you must be extremely busy with this particular parasite.

    Thank you

    I am going to just have someone format my computer, this stuff is way over my head, thank you for your time and I think it is great that there are sites such as this out here. GL all
  3. RealBlackStuff Newcomer, in training Posts: 8,165

    If you read the instructions, it tells you to 'fix' certain things. This means clicking on the little square in front of the 'offender' and doing that with all the ones that need to be 'fixed'. They will get a tick-mark when you click on them. Clicking them again will remove the tick-mark, if you made a mistake.

    When done, you click on the button "fix checked". HJT makes a backup of all its fixes, so it can 'undo' a wrong fix.
    Quite simple really.

    Don't format yet, we'll do yours in "stages".
    Make a new directory (AS INSTRUCTED!), e.g. \Program Files\HJT and copy the program there, DON'T run it from your desktop.

    Switch off the Restore Points (Hope you know how to, I don't, have Win2000)

    Boot in Safe Mode,

    UNinstall anything to do with these programs:
    C:\Program Files\XoftSpy\XoftSpy.exe
    C:\freescan\freescan.exe -FastScan [=Spyware Begone]
    C:\Program Files\Gator.com\Gator\Gator.exe
    C:\Program Files\Common Files\GMT\GMT.exe

    Then (still in Safe Mode) run Hijackthis on its own and put 'tick-marks' in (if still there):

    Tick these running processes:
    C:\WINDOWS\system32\syscw32.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\WINDOWS\system32\crge.exe

    ALL lines starting with R0
    ALL lines starting with R1
    ALL lines starting with R3

    O2 - BHO: (no name) - {C3C7FD25-8011-C8E8-25B7-34DF607095C5} - C:\WINDOWS\system32\sdkvk.dll

    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
    O4 - HKLM\..\Run: [crge.exe] C:\WINDOWS\system32\crge.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm11795US
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    ALL lines starting with O15 - Trusted Zone: --->>> You do NOT trust ANYbody EVER <<<---
    ALL lines starting with O16 - DPF:

    O23 - Service: BrSplService - Unknown - C:\WINDOWS\System32\brsvc01a.exe (file missing)
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\syscw32.exe

    Now hit the button 'Fix Checked'.

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
  4. tiredofthiscrap Newcomer, in training

    RBS, as your tag says, you are a genius

    I cannot say thank you enough. I think I got through the instructions well. You were so precise and made it very easy to follow instructions. I am now using Firefox for a browser. I hope I got it all. Here is another HJT log just to make sure. Again, thank you so very much, you are the best :grinthumb

    ToTC
  5. RealBlackStuff Newcomer, in training Posts: 8,165

    Where do you get this crap:
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)

    FIX IT!!!!!!!!!!
  6. tiredofthiscrap Newcomer, in training

    HJT can't seem to get rid of these files

    I ran HJT and checked off the trusted zone files, but HJT can't seem to delete them. I restarted the computer to make sure that was not the issue but they are still there. I ran HJT again, checked them off again and tried to fix but they are still there /sigh.

    ToTC

    I did a search on my computer and could not find those files, so I searched the registry and found them in there so I deleted from the registry. here is a new HJT file and they are no longer listed :)

    Thank you again,
    ToTC
     
  7. RealBlackStuff Newcomer, in training Posts: 8,165

    tiredofthiscrap:
    The second log looks OK.
    I just hope you are not using Internet Explorer anymore (except for Windoze updates), but Firefox instead.
    Much less chance of getting infected.
  8. Gurpz_Da_G Newcomer, in training

    Help!!!!

    i hav had home search assistant on my PC for 6 months or sumfin like dat!!!
    at first all dat happens was minor fings da net didnt work properly...
    dats all.
    now my pc is soooo slow
    its like eatin my pc away
    i cant seem 2 get rid of it
    i tried 2 get rid of it like all the other people usin hijackthis but i dnt no what file it is?????

    i was tryin 2 paste the Hijackthis log but its says i hav one or 2 many URLs???
    i dnt no wat 2 do plz help me...
  9. RealBlackStuff Newcomer, in training Posts: 8,165

    Gurpz_Da-G (how did you come up with a name like that?)

    Go to this post here first, and follow the instructions EXACTLY.
    How to remove Begin2Search / Coolwebsearch
    Do NOT SKIP any steps in that Post!!!

    When done, Boot in Safe Mode
    Switch off System Restore
    Try to UNinstall anything to do with these:

    C:\Program Files\Security Administrator\newadmin.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\XoftSpy\XoftSpy.exe

    Next, press ctrl/alt/del and try to STOP these processes (if still there):
    newadmin.exe
    MsgPlus.exe
    XoftSpy.exe
    systf32.exe
    atlwf32.exe
    iplo32.exe

    Next, run HJT on its own and let it 'fix' (if still there):
    C:\WINDOWS\system32\systf32.exe
    C:\Program Files\Security Administrator\newadmin.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\atlwf32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {D063C2EF-C5DC-955F-1F55-F0A8F80FE9FC} - C:\WINDOWS\iewi.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [00saskda] "C:\Program Files\Security Administrator\newadmin.exe" saskda
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [atlwf32.exe] C:\WINDOWS\atlwf32.exe
    O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
    O4 - HKLM\..\RunOnce: [systf32.exe] C:\WINDOWS\system32\systf32.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://008i.com/pic//28129.chm::/open.exe
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\iplo32.exe (file missing)

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

    Reboot in normal mode and see how it goes.
    If all is well, switch System Restore back on.


    Now you should install at least XP-SP1. If you want XP-SP2, you don't need to install SP1 first.
    But you MUST install one of them!
  10. tiredofthiscrap Newcomer, in training

    RBS, I am no longer using IE, I am using Firefox. Thanks again for all your help, you are indeed a genius. :)

    ToTC
  11. Gurpz_Da_G Newcomer, in training

    I did it!!!!!!!

    yoooohooooo!!!!!!!!!!!!!!!!!!!!!!
    its gone!!!!!!
    yeaaa!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    well thanx 4 da help i neva wud
    of gotten rid of the bug
    wow, im so happy :)

    fanx
    jus hav a look at dis nice clean
    HTJ txt, but the real question is
    how long will my pc last????
    there wud be an even stronger problem
    it always happens :(
    Shud get XP-SP2 soon

    Gurpz
    P.s--->da name easy Gurpz 4 shot eh????
  12. Gurpz_Da_G Newcomer, in training

    Noooo!!!!!!!!!!!!!!!!!!!!!!

    NOOOOOOO!!!!!!!
    HSA is 2 powerful!!!!! :eek:
    jus wen i got rid of it
    it ask me 2 install it again
    i rememba it sayin update msn messener
    den my pc got messed
    nooo
    i cant even get rid of it
    wen eva i open msn messedger
    dis message appears

    heres a pic of da installin HSA fing
  13. RealBlackStuff Newcomer, in training Posts: 8,165

    Gurpz
    If you switched System Restore back on after the cleanup, you should be able to rollback to that clean state! Then UNinstall anything to do with ANY messenger programs if you can.
    I've never used any messenger service at all and removed it completely from my PC. That probably explains why I have no virus/spyware/adware problems at all.
  14. susmariosep Newcomer, in training

    Hi, can you help me too? I'm having trouble uninstalling homesearchassistant. Here's my hijackthis.txt. Thanks in advance.
  15. RealBlackStuff Newcomer, in training Posts: 8,165

  16. realus Newcomer, in training

    help!

    Can somebody please help me? I did the hijack thing, but it might as well be in French. I don't understand this, somebody please help me!

    Logfile of HijackThis v1.99.1
    Scan saved at 9:33:57 PM, on 2/28/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\netog.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\NetZero\exec.exe
    C:\Documents and Settings\Jesus\Application Data\elat.exe
    C:\WINDOWS\System32\d?xplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\netui.exe
    C:\Program Files\Yahoo!\YPSR\ypsr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jesus\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {ABFE0A70-E434-9846-C0AE-F9DCC2E3AF39} - C:\WINDOWS\iehc.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [netui.exe] C:\WINDOWS\system32\netui.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\Jesus\Application Data\elat.exe
    O4 - HKCU\..\Run: [Ssaliu] C:\WINDOWS\System32\d?xplore.exe
    O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxx.mht!http://defcon.rr.nu/stats/loud.chm::/bridge-c139.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - ms-its:mhtml:file://c:\nosuxxx.mht!http://defcon.rr.nu/stats/mt.chm::/MediaTicketsInstaller.cab
    O21 - SSODL: DXMediax - {3CC5DDBD-3705-4b96-909A-FF9341B63E2E} - C:\WINDOWS\System32\dxmediax.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\netog.exe
  17. RealBlackStuff Newcomer, in training Posts: 8,165

    realus

    Get the program 'DeleteFXPFiles' here: http://www.deletefxpfiles.com/index2.html Read the instructions carefully!

    Boot in Safe Mode
    Switch System restore OFF
    Press ctrl/alt/del and in Taskmanager try to STOP:

    netog.exe
    elat.exe
    d?xplore.exe
    netui.exe

    Next, run HJT on its own and let it 'fix':
    C:\WINDOWS\netog.exe
    C:\Documents and Settings\Jesus\Application Data\elat.exe
    C:\WINDOWS\System32\d?xplore.exe
    C:\WINDOWS\system32\netui.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345 ==>> wherever sp.html is <<==
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {ABFE0A70-E434-9846-C0AE-F9DCC2E3AF39} - C:\WINDOWS\iehc.dll
    O4 - HKLM\..\Run: [netui.exe] C:\WINDOWS\system32\netui.exe
    O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\Jesus\Application Data\elat.exe
    O4 - HKCU\..\Run: [Ssaliu] C:\WINDOWS\System32\d?xplore.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com

    ALL lines with O16 - DPF:

    O21 - SSODL: DXMediax - {3CC5DDBD-3705-4b96-909A-FF9341B63E2E} - C:\WINDOWS\System32\dxmediax.dll
    O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\netog.exe

    When done, delete the bold files.

    To get rid of the file: d?xplore.exe use the program 'DeleteFXPFiles'.

    Boot normal. If all OK, switch System Restore back on.
  18. realus Newcomer, in training

    more please

    realblackstuff

    I greatly appreciate your help, and I'm gonna sound like a ******* but I need a little more. I don't really understand what you said in your post, I can't even figure out how to boot my computer in safe mode. I'm not very good with computers, I can use one and that's about as far as it goes. Can you help me again but dumb it down for me? Thanks.
  19. RealBlackStuff Newcomer, in training Posts: 8,165

    realus

    Read the instructions (with links to help) in my post here first, and follow these instructions EXACTLY where they concern you. Print them out if you like.
    How to remove Begin2Search/Coolwebsearch and Other Nasties
    Then see How to post your Hijackthis log-files.

    Press ctrl/alt/del and in Taskmanager try to STOP:
    Press the 3 keys, marked "ctrl", "alt" and "del" at the same time, and on the new screen select the "Taskmanager" button, select the tab "Processes" and click on one of the indicated program-names (if it is in that taskmanager process-list), then click on the button "End Process". Repeat until you have tried all the names in my list.

    When done, delete the bold files.
    Delete those files that have been "highlighted" by me and show up as bold

    Now go do your homework, and post again if you still have problems.
  20. lscgraham Newcomer, in training

    Help can't get rid of Home search or search extender

    Please someone help me!!!
    I can't get rid of Home search assistant or search extender, and this is what my hijack this shows


    Logfile of HijackThis v1.97.7 <<== outdated version
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE <<== wrong location

    Rest of rubbish deleted
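
The reading RealBlackStuff does by eye on realus's log (posts 16 and 17), as an added example that is not part of the thread or of HijackThis: a Python triage pass that flags the entry types called out in the replies above. The rules and the names `reasons_for` and `triage` are assumptions drawn from this thread's logs; the sample lines are copied from posts 5 and 16.

```python
import re

# A HijackThis entry is "<section> - <text>", e.g. "O4 - HKLM\..\Run: [x] C:\x.exe".
ENTRY = re.compile(r"^\s*([RO]\d{1,2})\s+-\s+(.*\S)\s*$")
RUN_VALUE = re.compile(r"\[([^\]]+)\]\s+\"?(.+?\.exe)", re.I)
# "?" is not legal in a Windows file name, so in a log it stands in for a
# character the log could not represent (d?xplore.exe in post 16).
ODD_NAME = re.compile(r"\\[^\\/]*\?[^\\/]*\.exe", re.I)


def reasons_for(section, text):
    """Return why an entry deserves a closer look (empty list: no rule hit)."""
    low = text.lower()
    found = []
    if section in ("R0", "R1") and "= res://" in low:
        found.append("IE search setting points into a local DLL (res://)")
    if section == "O2" and text.startswith("BHO: (no name)"):
        found.append("unnamed Browser Helper Object")
    if section == "O4":
        m = RUN_VALUE.search(text)
        if m and m.group(1).lower() == m.group(2).rsplit("\\", 1)[-1].lower():
            found.append("Run value named after its own executable")
    if section == "O15":
        found.append("Trusted Zone entry")
    if section == "O16" and "ms-its:mhtml:" in low:
        found.append("ActiveX download through an ms-its:mhtml: URL")
    if (section == "O23"
            and text.startswith("Service: Network Security Service")
            and re.search(r" - unknown( owner)? - ", low)):
        found.append("'Network Security Service' with unknown owner")
    if ODD_NAME.search(text):
        found.append("'?' in an executable name")
    return found


def triage(log_text):
    """Return (section, text, reasons) for every entry that hits a rule."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list or blank line
        why = reasons_for(m.group(1), m.group(2))
        if why:
            flagged.append((m.group(1), m.group(2), why))
    return flagged


# Sample: lines copied from the logs quoted in posts 5 and 16 of this thread.
SAMPLE = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fctjk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: (no name) - {ABFE0A70-E434-9846-C0AE-F9DCC2E3AF39} - C:\WINDOWS\iehc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [netui.exe] C:\WINDOWS\system32\netui.exe
O4 - HKCU\..\Run: [Ssaliu] C:\WINDOWS\System32\d?xplore.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxx.mht!http://defcon.rr.nu/stats/loud.chm::/bridge-c139.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\netog.exe
"""

if __name__ == "__main__":
    for section, text, why in triage(SAMPLE):
        print(f"{section:>3}  {'; '.join(why)}\n     {text}")
```

Entries that hit no rule, such as the `[Lerm]` Run value pointing at elat.exe in post 16, still need a human reading of the full log.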