Help! I'm lost with this damn Home Search thing

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by happylarry, Jul 22, 2004.

  1. happylarry

    happylarry Private E-2

    Help!!
    I have tried everything!
    I'm pulling my hair out. How do I get rid of this nasty thing?

    Following is my HJT log after I have run Ad-aware and HSRemove.exe,
    but it just keeps coming back.
    Thanks in advance for any help or advice....



    Logfile of HijackThis v1.98.0
    Scan saved at 8:09:22 p.m., on 22/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ipqb32.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\PCI Audio Applications\Mixer.exe
    C:\Program Files\Navnt\POPROXY.EXE
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\itunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\Documents and Settings\My Documents\My Pictures\albumcovers\CWShredder.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\My Documents\My Pictures\hs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AE94B296-D27E-F9C3-97E8-2CE5655E2B5A} - C:\WINNT\system32\d3ma.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
    O4 - HKLM\..\Run: [EPSON Stylus C61 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C61 Series" /O6 "USB001" /M "Stylus C61"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] D:\itunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I don't see it; these two lines show it worked and you need to reset your home page:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm


    It will keep coming back if you did not follow the directions and run from safe mode. As I read this, you're clean.
     
  3. happylarry

    happylarry Private E-2

    Thanks for your response.
    Yup, I did the searches in Safe Mode, but then after restarting and going online for about 10 minutes it all comes back...
    Here is my HJT log now that the system is infected... again...
    Thanks.


    Logfile of HijackThis v1.98.0
    Scan saved at 10:03:06 a.m., on 23/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ipqb32.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\PCI Audio Applications\Mixer.exe
    C:\Program Files\Navnt\POPROXY.EXE
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\itunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ntbr32.exe
    C:\Documents and Settings\My Documents\My Pictures\hs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\atscz.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://atscz.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://atscz.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\atscz.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\atscz.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://atscz.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AE94B296-D27E-F9C3-97E8-2CE5655E2B5A} - C:\WINNT\system32\d3ma.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
    O4 - HKLM\..\Run: [EPSON Stylus C61 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C61 Series" /O6 "USB001" /M "Stylus C61"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] D:\itunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ntbr32.exe] C:\WINNT\system32\ntbr32.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F22E4F4-D425-4D71-920F-C514FF5C4FFE}: NameServer = 203.97.33.14 203.97.37.14
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1F22E4F4-D425-4D71-920F-C514FF5C4FFE}: NameServer = 203.97.33.14 203.97.37.14
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Did you follow the directions on the HSRemove download page and/or try About:Buster?
     
  5. NeoNemesis

    NeoNemesis Moutharrhea

    Since I'm not sure on all of these I'm asking MT if these are right. Don't go by this though; I'm still learning and I'm not sure on everything.



    MT, are these lines the ones you are looking for? Because in the other thread that had Home Search on it, it had the same lines as these, so I'm not sure. I'm just trying to help, so I don't want this person to go delete these things. Please just tell me if I'm right or wrong.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\atscz.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://atscz.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://atscz.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\atscz.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\atscz.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://atscz.dll/index.html#96676
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    That's right, but he can remove them all day long and they come back. He didn't mention safe mode, trying About:Buster, the VX2 plug-in for Ad-aware or reading some of the longer threads here where Chaslang has helped. Basically these threads, with a lot of posts, have Chaslang fixing these after repeated problems. Odds are, your answer might be in there :)

    Let me know.
     
  7. NeoNemesis

    NeoNemesis Moutharrhea

    So I'm right? Yay! Woot woot.... Finally. You can tell he didn't read the post then, because the information for this is in the post.
     
  8. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I know, I leave an answer and wander off... I can lead a horse to water, but can't make it drink.
     
  9. happylarry

    happylarry Private E-2

    Sorry, I'm totally confused. I've tried following the instructions left on the longer threads but they just don't seem to work; I can't figure it out.
    These are the programs I have run, all in Safe Mode...

    1. HSRemove
    2. Adaware 6.0 181
    3. About:Buster
    4. Spybot (updated)

    I followed all the instructions on the HSRemove download page.
    HS looks like it is removed but then just comes on back after I reboot and go back online.
    Most of the HS problems I see in the threads are for XP. Does it make a difference with Win2k?

    I think I'm going mad...

    Sorry if I'm being stoopid
     
  10. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    You're not being stupid, it's just very difficult to figure these out, especially to explain it to someone, you know :)
    Please read this thread; it mentions both Windows 98 and the Network Security Service. Chaslang knows this parasite better than I, and there's some great info in there that should fix you up! So, read through it, paying special attention to Chaslang's comments.

    http://forums.majorgeeks.com/showthread.php?t=36310
     
  11. happylarry

    happylarry Private E-2

    I'm going through your ATTENTION: res://<random>.dll/<random>.html#<random> Victims, Step In!
    thread and I'm trying to identify this line in my HijackThis log:
    O4 - HKLM\..\Run: [sysjj32.exe] C:\WINNT\system32\sysjj32.exe
    Do you know what sysjj32.exe is? Whether it's important? It looks like the only odd one out (apart from the obvious ones of course)...

    Cheers
     
  12. happylarry

    happylarry Private E-2

  13. happylarry

    happylarry Private E-2

    Hi
    I've been through the "GENERIC SOLUTION FOR "Only the Best" HIJACKER" point by point, but I can't seem to shake this one...
    What do I do now?? Throw the computer through the window perhaps?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your first post in this thread you had a HijackThis log where you and others thought it was clean.
    It was not. These two items were the problems that brought it back:
    C:\WINNT\system32\ipqb32.exe
    O2 - BHO: (no name) - {AE94B296-D27E-F9C3-97E8-2CE5655E2B5A} - C:\WINNT\system32\d3ma.dll

    Prior to running Internet Explorer, the ipqb32.exe process needed to have been killed and the d3ma.dll line fixed in HijackThis, and both of those files needed to be deleted. If that had occurred, it is possible (but not absolute) that the problem may have been gone.

    If you look in your second log, you can easily see when it came back with the R0 & R1 lines. The lines I mentioned above were still there too, but there was another new process spawned and another O4 line to make it run at startup. Here they are:
    C:\WINNT\system32\ntbr32.exe
    O4 - HKLM\..\Run: [ntbr32.exe] C:\WINNT\system32\ntbr32.exe

    This problem is a real pain and takes perseverance to conquer. Right now though I must get some sleep (4:08 am). I would suggest this: if you can follow how to substitute all of your info into the Generic Solution thread, do it again, but this time when you get to step 13, try adding these in and then after these continue on with step 14 and above:

    Before starting make sure you download and install CCleaner from here:
    http://www.majorgeeks.com/download4191.html

    13A. Search the registry for every instance of xxxxx.dll (the file from step 5). Change the values for your home and search pages to what you want (www.majorgeeks.com will do).
    13B. Search the registry for every instance of the suspicious exe files found by Hijack This from step 8. Delete every instance.
    13C. Run CCleaner and on the Windows tab (you'll see when you run it) leave the defaults and click Run Cleaner.
    13D. Search your computer for xxxxx.dll. Delete each instance.
    13E. Search your computer for the suspicious exe files. Delete each instance.
    13F. Delete the Prefetch folder in C:\WINDOWS.
    13G. Delete Memory.dmp in C:\WINDOWS (or was it C:\WINDOWS\System32?).
    13H. Run HSRemover.
    13I. Run about:Buster.
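As an added, defender-side illustration (not part of this thread or of HijackThis itself): a small Python triage that scans a HijackThis log for the indicators chaslang keyed on above, the res:// home/search page hijacks and the DLL they point at, the BHO with no display name, and a Run entry named after its own executable, then cross-checks that entry against the running-process list. The sample log is a constructed excerpt of the second log posted in this thread.

```python
import re

# Constructed excerpt of the second HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ipqb32.exe
C:\WINNT\system32\ntbr32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\atscz.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://atscz.dll/index.html#96676
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AE94B296-D27E-F9C3-97E8-2CE5655E2B5A} - C:\WINNT\system32\d3ma.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntbr32.exe] C:\WINNT\system32\ntbr32.exe
"""


def triage(log: str) -> dict:
    """Pull out the indicators chaslang keyed on: res:// page hijacks and the
    DLL they point at, unnamed BHOs, and Run entries named after their own exe."""
    f = {"hijacked_pages": [], "hijack_dlls": set(), "unnamed_bho": [],
         "selfnamed_run": [], "running_suspects": []}
    processes = set()
    for line in (l.strip() for l in log.splitlines()):
        if re.match(r"^[A-Z]:\\", line, re.I):          # "Running processes" block
            processes.add(line.lower())
            continue
        m = re.match(r"^R[01] - (.+?) = (.*)$", line)  # home/search page values
        if m and m.group(2).lower().startswith("res://"):
            f["hijacked_pages"].append(m.group(1))
            dll = re.search(r"[^\\/]+\.dll", m.group(2), re.I)
            if dll:                                      # the xxxxx.dll of step 13A
                f["hijack_dlls"].add(dll.group(0).lower())
            continue
        m = re.match(r"^O2 - BHO: \(no name\) - (\{[0-9A-F-]+\}) - (.+)$", line, re.I)
        if m:                                            # BHO with no display name
            f["unnamed_bho"].append((m.group(1), m.group(2)))
            continue
        m = re.match(r"^O4 - .*\\Run: \[(.+?)\] (.+)$", line)
        if m:                                            # [ntbr32.exe] ...\ntbr32.exe
            name, target = m.group(1), m.group(2).strip('"')
            if name.lower() == target.rsplit("\\", 1)[-1].lower():
                f["selfnamed_run"].append(target)
    # A flagged Run entry that is also running explains the return after each reboot.
    f["running_suspects"] = [t for t in f["selfnamed_run"] if t.lower() in processes]
    return f
```

Note that ipqb32.exe in the first log had no Run entry and would not be caught by the self-named rule; it was spotted by eye as an unexplained system32 process, which is the kind of judgement a script like this cannot replace.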
     
  15. happylarry

    happylarry Private E-2

    Thank you, thank you chaslang and Major Attitude. HS is now gone!! Thanks to you guys my system is now clean.
    Thanks so much for your help; I was seriously going mental... and now I am truly a HAPPY larry.
    Cheers
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds good, Happy! But please perform a few reboots, open and close Internet Explorer and do some surfing a few times, just to double check. Then come back here again and let us know if you are still OK. THX!
     
  17. happylarry

    happylarry Private E-2

    So far so good.
    Thanks again!
     
