CooolWebSearch & Home Search Assistent still exists

[wickedfunlady]

Hi,
After running all the tools indicated on the "how to remove" post, prob still existed.
Attached is current hjt file.
Also, any suggestions to help prevent this again? lol, hubby is not familiar with how to determine if a search result from google is legit so this is the 2nd time I've had to do this on 2 home pc's

Thanks in advance!

 

[RealBlackStuff]

You should get SP4 and install that. Your W2K will run smoother after that.
Next, stop using IE, install Firefox from www.getfirefox.com and use that exclusively.
Use IE ONLY for Windows-updates.

Boot in Safe Mode
Run Spybot again and let it IMMUNIZE your files, takes only a few seconds.
Press ctrl/alt/del and in Taskmanager try to STOP:
sdkvh.exe
mshta.exe
mfcrs32.exe
56.tmp.exe
tibs5.exe
loadqm.exe

Decide what you want to do with this program. You should NOT have it running all the time:
C:\Program Files\pcANYWHERE\awhost32.exe
Either STOP the process, or change settings to only start when YOU need it.

Next, run Hijackthis on its own and let it 'fix' (if still there):
C:\WINNT\system32\sdkvh.exe
C:\WINNT\System32\mshta.exe
C:\WINNT\system32\mfcrs32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uomdv.dll/sp.html#28129
--->> there could be two files, one of them: sp.html <<---
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gvxoc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\gvxoc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uomdv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gvxoc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\gvxoc.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\gvxoc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=sas.ne2.attbb.net:8000;gopher=sas.ne2.attbb.net:8000;http=sas.ne2.attbb.net:8000;https=sas.ne2.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.ne2.attbb.net
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9D869910-F044-4661-4B01-57F9883F0DAA} - C:\WINNT\system32\winwm.dll
O4 - HKLM\..\Run: [sdkvh.exe] C:\WINNT\system32\sdkvh.exe
O4 - HKLM\..\Run: [56.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\56.tmp.exe 1 28129
O4 - HKLM\..\Run: [tibs5] C:\WINNT\System32\tibs5.exe
O4 - HKLM\..\Run: [56.tmp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\56.tmp.exe 1 28129
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: pcANYWHERE Host Service - Symantec Corporation - C:\Program Files\pcANYWHERE\awhost32.exe <<== YOU DECIDE ==
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINNT\system32\mfcmu32.exe (file missing)

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

Clean everything in your Temp directory, your temp. internet files, all your cookies etc.
Boot back in normal.

 

[wickedfunlady]

Hello, Thanks for the info, but after performing all the tasks described below, prob still persists.
At this point, is there any suggested software to purchase (I hate buying them since I am a deskside tech)?

again, I truly appreciate your help!

 

[RealBlackStuff]

There are good freebies at http://www.javacoolsoftware.com/products.html
SpywareBlaster and SpywareGuard.
Lots of good things are said about Pestpatrol from www.pestpatrol.com ($30)

But there is no single program yet that can protect you, only YOUR diligence.

Show us a fresh HJT-log, perhaps something was overlooked?

 

[Eigfrost]

If you're thinking about getting PestPatrol and want to see a recent review, there's one here which may be helpful:

http://www.itreviews.co.uk/s289-computer-associates-etrust-pestpatrol-review.htm