home search assistent bug

Please help I managed to infect my friends pc with this home search assistant bug and need to get rid of it for him, here is the hijack this log.

Logfile of HijackThis v1.97.7
Scan saved at 17:47:51, on 01/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\avgcc32.exe
C:\Documents and Settings\Martin\Application Data\pdoa.exe
C:\WINDOWS\System32\NDrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lidat.dll/sp.html#27063
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lidat.dll/index.html#27063
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lidat.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lidat.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lidat.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lidat.dll/sp.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shopnav.com/search/9886/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SUPANET
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.123found.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {74573A6C-C0FD-80B4-5489-3A6D60261E63} - C:\WINDOWS\system32\ntrv32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG_CC] E:\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [msms.exe] C:\WINDOWS\system32\msms.exe
O4 - HKCU\..\Run: [Roan] C:\Documents and Settings\Martin\Application Data\pdoa.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKLM\..\RunOnce: [appun.exe] C:\WINDOWS\system32\appun.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n2.cab
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://www.xzoomy.com/media/hoover/fullgames2.exe
O16 - DPF: {04FB811E-5D2E-4E94-AAF4-A86CBE22765C} (pdplugin control) - http://www.thepaymentcentre.com/plugin/pdplugin.cab
O16 - DPF: {0873478E-E67A-4876-B0A9-9A36D3AB3602} (vviewer control) - http://www.thepaymentcentre.com/build/vviewer.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/110095.exe
O16 - DPF: {23273A1C-C870-43C4-A3E3-67DC98630AC6} (IntSOFTEC Class) - http://213.229.160.209/dialers/it.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} (Loader Class) - http://www.tnc4u.com/MCInst.cab
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://64.156.31.98/060128uk.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {91413D86-9F27-402C-B5E3-DEBDD122C339} - http://content.netvenda.com/sites/games-uk/uk/games5.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37587.3514467593
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/loader.cab
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D534A0F8-E0F2-4F11-8E53-345819B2451F} (Streaming VisualFX) - http://www.rmgdrs.com/update/x1ff.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1018067.exe
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.i-lookup.com/toolbar2/windec32.cab

Thanks dannyg

 

Hi,

Tick the items below in HijackThis
Close all browser windows
Choose fix checked
Reboot and then post a new log


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lidat.dll/sp.html#27063
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lidat.dll/index.html#27063
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lidat.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lidat.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lidat.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lidat.dll/sp.html#27063

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shopnav.com/search/9886/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.123found.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

O2 - BHO: (no name) - {74573A6C-C0FD-80B4-5489-3A6D60261E63} - C:\WINDOWS\system32\ntrv32.dll

O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE

O4 - HKLM\..\Run: [msms.exe] C:\WINDOWS\system32\msms.exe
O4 - HKCU\..\Run: [Roan] C:\Documents and Settings\Martin\Application Data\pdoa.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKLM\..\RunOnce: [appun.exe] C:\WINDOWS\system32\appun.exe

O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://www.xzoomy.com/media/hoover/fullgames2.exe

O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/110095.exe
O16 - DPF: {23273A1C-C870-43C4-A3E3-67DC98630AC6} (IntSOFTEC Class) - http://213.229.160.209/dialers/it.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} (Loader Class) - http://www.tnc4u.com/MCInst.cab
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://64.156.31.98/060128uk.exe

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/loader.cab
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll

O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1018067.exe
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.i-lookup.com/toolbar2/windec32.cab

 

Thanks Gavin that did the trick, sorry for the delay in replying been away for the weekend.

DannyG

 

Hi DannyG,

Could you please post another log, just to be sure there's nothing else that may have popped up unwanted.

Regards,

snap