Looking-For.Home Search Assistant Browser Modifier

[savant127]

Thank you for the opportunity to work with whoever will be helping me. I will treat it as a learning experience, for sure.

I have read and followed the instructions pertaining to posting into this forum.

CounterSpy is the only program in my arsonal that recognizes Looking-For.Home Search Assistant Browser Modifier. I've tried both removing & quarantining but it continues to come back with every scan. My OS is XP Home, fully updated. The reported locations for the modifier are:

Infected registry entries detected
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000
Service 11Fßä#·ºÄÖ`I
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000
Class LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000
ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000
DeviceDesc Network Security Service (NSS)

Is there any way to completely rid my computer of this pest?

Tim J.


Logfile of HijackThis v1.99.1
Scan saved at 11:49:27 AM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SlimServer\server\slim.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Palm\AlarmApp.exe
C:\Program Files\Pocket TV Browser\PTVManager.exe
C:\Program Files\SlimServer\SlimTray.exe
C:\Program Files\DeskSweeper\DeskSweeper.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
C:\WINDOWS\system32\tbctray.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\DeskSweeper\DeskSweeper.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\FraudEliminator\2.3.4\FraudEliminator Helper.exe
C:\Documents and Settings\Tim\My Documents\Desktop Programs\Maintenance Applications\Special Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...faults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Link...8&clcid=0x0409
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [QOELOADER] "c:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: DeskSweeper.lnk = C:\Program Files\DeskSweeper\DeskSweeper.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: SyncBack.lnk = C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
O4 - Startup: TimeSync.lnk = C:\Program Files\Tools For Selling\Time Synchro\tsyn.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Global Startup: Pocket TV Manager.lnk = C:\Program Files\Pocket TV Browser\PTVManager.exe
O4 - Global Startup: SlimServer Tray Tool.lnk = C:\Program Files\SlimServer\SlimTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {A1C77AB3-F941-462B-9B58-E4182540BA6F} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {CD402293-6008-4903-8C8A-6B1960E7C5B7} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {E3592413-3E6D-4403-B0CB-81D7D7AD11C7} - http://www.comcastsupport.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...install.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/088171a031663d7...p/RdxIE601.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europ...call/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...waredetector/WebAAS.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SlimServer (slimsvc) - Unknown owner - C:\Program Files\SlimServer\server\slim.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

[tetonbob]

Please disable (uncheck) the Wordwrap feature in Notepad, under Format when posting logs.

I see you have Ewido installed. Please do this:

You will need to update Ewido to the latest definition files.

• On the left hand side of the main screen click update.
• Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

-----------------------------------------------


1.Download About Buster 6.0 and unzip it to your desktop.

2. Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


3.Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.


4. Run AboutBuster 6.0 and select "Begin Removal". Make sure you click "Yes" to every message box that appears.
5. Restart your computer and run AboutBuster one final time. Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.

That should remove the Legacy Service locations. Run CounterSpy again afterwards, and let us know.

Also, please perform this online scan:

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please return with results from:

Ewido
AboutBuster
Kaspersky

[savant127]

Thank you tetonbob for taking on this problem.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:37:00 PM, 2/13/2006
+ Report-Checksum: 17375EDE

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{66100307-54EE-8324-718F-DA7041322625} -> Adware.CoolWebSearch : Cleaned with backup
:mozilla.737:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies-1.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.738:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies-1.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.739:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies-1.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.740:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies-1.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.741:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies-1.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.742:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies-1.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.769:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies-1.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Abcsearch : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Abcsearch : Cleaned with backup
:mozilla.713:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.714:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.762:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.763:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.764:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.765:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.766:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.767:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fur5ybvr.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@com[2].txt -> TrackingCookie.Com : Cleaned with backup

::Report End

---------------------------------------------------------------------------
AboutBuster 6.0
Scan started on [2/13/2006] at [7:38:42 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:39:33 PM


AboutBuster 6.0
Scan started on [2/13/2006] at [7:53:18 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!

Scan was COMPLETED SUCCESSFULLY at 7:55:02 PM

---------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, February 13, 2006 23:13:25
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/02/2006
Kaspersky Anti-Virus database records: 176633
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 136399
Number of viruses found: 3
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 11128 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Tim\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\BD2E5526-FD97-479B-B964-CDDE8F\4925F22E-8009-4DD3-B1C7-428DB1 Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Documents and Settings\Tim\My Documents\stealthwebsitelogger.exe/data0008 Infected: not-a-virus:Monitor.Win32.Amplusnet.b
C:\Documents and Settings\Tim\My Documents\stealthwebsitelogger.exe/data0009 Infected: not-a-virus:Monitor.Win32.Amplusnet.b
C:\Documents and Settings\Tim\My Documents\stealthwebsitelogger.exe Infected: not-a-virus:Monitor.Win32.Amplusnet.b
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612
C:\Program Files\mIRC2\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612
C:\RECYCLER\S-1-5-21-3849205493-4024994690-2552189465-501\Dc1.exe/data0008 Infected: not-a-virus:Monitor.Win32.Amplusnet.b
C:\RECYCLER\S-1-5-21-3849205493-4024994690-2552189465-501\Dc1.exe/data0009 Infected: not-a-virus:Monitor.Win32.Amplusnet.b
C:\RECYCLER\S-1-5-21-3849205493-4024994690-2552189465-501\Dc1.exe Infected: not-a-virus:Monitor.Win32.Amplusnet.b

Scan process completed.

---------------------------------------------------------------------------
Spyware Scan Details
Start Date: 2/13/2006 11:24:31 PM
End Date: 2/13/2006 11:57:07 PM
Total Time: 32 mins 36 secs

Detected spyware

RemoteComputer Commercial Remote Control more information...
Details: RemoteComputer is remote control software based on the TCP/IP protocol. Use RemoteComputer to contol a remote host over a local network or the Internet, including screen control, mouse and keyboard simulation, File Transfer Protocol, and net phone. T
Status: Deleted

Infected files detected
C:\WINDOWS\SYSTEM32\ss2uinst.exe


Looking-For.Home Search Assistant Browser Modifier more information...
Details: Home Search Assistant is an Internet Explorer browser helper object that was recently identified by the SpyNet community; research is currently under way to further identify its risks.
Status: Quarantined

Infected registry entries detected
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 Service 11Fßä#·ºÄÖ`I
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 Class LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 DeviceDesc Network Security Service (NSS)

[tetonbob]

It seems as though CounterSpy is saying those have been Quarantined.

What happens when you empty the Quarantine Folder and then run the tool? I believe in CounterSpy it's under Tools>Spyware Scan>Manage Spyware Quarantine

If it still finds the registry entries.....after emptying the Quarantine, or if those entries are not quarantined as I suspect......

Run this:

Download and save to your C: drive HSfix.zip
Unzip the contents of HSFix.zip and an HSFix directory will be created
From within the HSFix directory, doubleclick on hsfix.reg, and allow it to merge with your registry.

Next, Empty your Recycle Bin.

Delete these files:


C:\Documents and Settings\Tim\My Documents\stealthwebsitelogger.exe
C:\WINDOWS\SYSTEM32\ss2uinst.exe


If they resist deletion, boot to safe mode and delete them from there.

Post a new HJT log.

How is your system behaving now, please?

[savant127]

The system operates great. The only constant flaw is the reporting of HS every time CounterSpy runs its scan. I deleted out all references of HS from Quarantine and ran the scan with the following results:

Spyware Scan Details
Start Date: 2/14/2006 7:34:36 PM
End Date: 2/14/2006 8:05:20 PM
Total Time: 30 mins 44 secs

Detected spyware

RemoteComputer Commercial Remote Control more information...
Details: RemoteComputer is remote control software based on the TCP/IP protocol. Use RemoteComputer to contol a remote host over a local network or the Internet, including screen control, mouse and keyboard simulation, File Transfer Protocol, and net phone. T
Status: Deleted

Infected files detected
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1372\A0208608.exe


Looking-For.Home Search Assistant Browser Modifier more information...
Details: Home Search Assistant is an Internet Explorer browser helper object that was recently identified by the SpyNet community; research is currently under way to further identify its risks.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 Service 11Fßä#·ºÄÖ`I
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 Class LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 DeviceDesc Network Security Service (NSS)


Com.com Cookie more information...
Details: Redirects to cnet.com
Status: Deleted

Infected cookies detected
c:\documents and settings\tim\cookies\tim@com[2].txt

-------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:23:51 PM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SlimServer\server\slim.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Palm\AlarmApp.exe
C:\Program Files\Pocket TV Browser\PTVManager.exe
C:\Program Files\SlimServer\SlimTray.exe
C:\Palm\HOTSYNC.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\DeskSweeper\DeskSweeper.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\system32\tbctray.exe
C:\Documents and Settings\Tim\My Documents\Desktop Programs\Maintenance Applications\Special Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Link...8&clcid=0x0409
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [QOELOADER] "c:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: DeskSweeper.lnk = C:\Program Files\DeskSweeper\DeskSweeper.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: SyncBack.lnk = C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
O4 - Startup: TimeSync.lnk = C:\Program Files\Tools For Selling\Time Synchro\tsyn.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Global Startup: Pocket TV Manager.lnk = C:\Program Files\Pocket TV Browser\PTVManager.exe
O4 - Global Startup: SlimServer Tray Tool.lnk = C:\Program Files\SlimServer\SlimTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {A1C77AB3-F941-462B-9B58-E4182540BA6F} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {CD402293-6008-4903-8C8A-6B1960E7C5B7} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {E3592413-3E6D-4403-B0CB-81D7D7AD11C7} - http://www.comcastsupport.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/088171a031663d7...p/RdxIE601.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SlimServer (slimsvc) - Unknown owner - C:\Program Files\SlimServer\server\slim.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

[tetonbob]

Status has moved from Quarantined to deleted. Be sure to read the whole note.

Quote:

Details: Home Search Assistant is an Internet Explorer browser helper object that was recently identified by the SpyNet community; research is currently under way to further identify its risks.
Status: Deleted

Did you run the regfix from the link I posted yet? I can't say that I think it's required, but it will do no harm to run it, as it is designed for those very entries. So, too is AboutBuster, which already ran.


.....I think CounterSpy is telling you how proud it is of itself for doing it's job, and wants you to know.

Your logs appear clean. Tell CounterSpy to leave you alone. Honest.

Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• AD-AWARE
  Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  
• IE-SPYAD
  IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
    From within the folder, double-click install.bat
    Select Option #2 - Install the new IE-SPYAD list.
    Then return to the main menu.
    Select option #4 - Add the old porn sites domain
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online antivirus scanners:
  
  Anti-Spyware Tutorial
  
  Here are two very good free Antivirus products which are available:
  
• Avast!
• AVG
  
  It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Avast Antivirus/Firewall
• Tiny Personal Firewall
• OutPost Firewall

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please respond to this thread one more time so we can mark this thread as resolved.

[savant127]

I think we are interpreting CounterSpy differently teton...the last report indicated "Deleted" because I manually deleted it rather than quartantine it. And yes, I did install the HSFix.reg file. Every night since the middle of December '05, CounterSpy has reported the same finding regardless of whether I delete or quarantine. I don't use IE. I never use Yahoo. I run all of my antivirus, antispyware, adware programs on a regular basis and it's always the same thing. CounterSpy reports HS every night. I can run it, delete the file and then run it right away and it shows up again.

As I mentioned in my last post, my system runs good with no visable problems.

[tetonbob]

Are you manually deleting these registry entries each time using regedit, or removing them with CounterSpy?

[tetonbob]

This is a problem known to CounterSpy which was to have been adressed by now. Is your software and it's definitions up-to-date?

Let's try it this way.

Go to Start>Run - type REGEDIT

1. Navigate to these keys -
   
   Quote:

   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\ 0000
   Service 11Fßä#·ºÄÖ`I
   
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\ 0000
   Class LegacyDriver
   
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\ 0000
   ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1}
   
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\ 0000
   DeviceDesc Network Security Service (NSS)

2. Right click & delete the keys in blue first followed by the keys listed in RED
3. Close the Registry Editor when you've finished

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Please let me know your findings.

[savant127]

I remove them using CounterSpy. Let me try the "Regedit" route and I'll get back with you. Thanks again for your help.

[savant127]

Unable to delete. I did ensure the "Advanced" criteria was set. Following message pops up:

"Unable to delete all specified values"

tetonbob...this will have to be my last post for the night. Will get back to this in the AM.

[tetonbob]

Let's try this again, this time be sure to also put a check mark in replace permission entries on all child objects.

I have another plan yet, should that not produce the results we want.

Quote:

From Sunbelt Support;

"I just heard back from our research team, the items below are not a false positive, but there is a problem. The way CounterSpy works right now it can not change the permissions on the registry keys so it can delete them. We are working on a new version that addresses this, and expect it to be out early next year.

Once we take complete ownership, we should be able to delete those keys.

[savant127]

OK tetonbob...I'm tentatively jumping up & down with glee. The "Permissions" adjustment had to include a setting for allowing "Everyone" "Full Cntrol" before I was able to delete. Once deleted, I reset the Permissions back to what it was.

I ran a CounterSpy scan which came up negative. Should I reboot or run a registry program before doing the following?

Reset hidden/system files and folders
Create a new System Restore point

[tetonbob]

Excellent news. Well Done. Might be a good idea to email CS support, and put a fire underneath them, as they've known about this issue since November.

If you have a regcleaner handy, it wouldn't hurt. Although I think you're good to go.

If you need a recommendation, I use CCleaner.

Download and install CCleaner..http://www.ccleaner.com/ccdownload.asp

1. Open the program and the "Cleaner" button should be active.
2. Click on "Run Cleaner"
3. Once thats done it will clean out the TEMP folder.
4. Now click on "Issues" and then "Scan for Issues"
5. Once it's done checkmark ALL it finds and click "Fix Selected Issues"
6. It will ask you if you want to back up the registry entrys it's removing so please do so. If it removes anything important..just locate the .reg file you saved...double click on it to add the entrys back.

Any other questions, feel free, otherwise, let me know, and we'll move this to Resolved.

[savant127]

Well Sir...ran CCleaner and rebooted without incident. All seems to be running nicely. If there isn't anything else I need to do, I can't thank you enough for solving this nuisance. It's a big relief to know HS is gone.

[tetonbob]

Follow up on the other protection, particularly IESpyad, MVPS hosts file, SpywareBlaster, and SpywareGuard.

These add layers of protection without using system resources.

Other than that.... Nice effort!

[savant127]

Okay tetonbob...thanks again.