home search assistent

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by zer0gh0st, Nov 4, 2005.

  1. zer0gh0st

    zer0gh0st Private E-2

    First, I have done all of the steps that you included in your tutorial. I still have several things that I can't get rid of. I keep getting pop ups asking me if I want to stop malicious code lol. My first hjt log is what I scanned in safe mode and the second is when I restarted my computer. I turned off restore and used two scans. I used ewido as well. My computer was also shutting off in the middle of several scans for no reason. I am unsure if this may be resulting from any of this or maybe another problem altogether. Also the site is saying my hjt file is invalid now. Ah well, it's 3am. Any help is appreciated; great thing you guys do here.
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    We need a HijackThis log from NORMAL MODE.
     
  3. zer0gh0st

    zer0gh0st Private E-2

    ok here is my hjt log from normal mode.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    zer0gh0st,

    Your HJT is WAY out of date. First you must update it to 1.99.1 and then you must follow the READ ME.


    Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
     
  5. zer0gh0st

    zer0gh0st Private E-2

    Yep, did everything; however I did neglect to update my hjt, I really just didn't think of it. Anyways, I ran the scans I could get to work before, but my computer just shut off during some of them, so the ones I could get to work are here.

    Trojan scan showed c:\windows\xiimk.dll
    Trend Micro showed troj keenval.e c:\programfiles\yahoo\ypsr\quarantine
    It also reported the xiimk.dll as well.

    Here is my new hjt log. I don't see anything about it on here, but in my add/remove programs I have "home search assistent" which only links me to a web page. I am also receiving pop ups and my browser keeps being hijacked and having my homepage changed. Also my computer has started randomly turning off. I believe that is everything I can think of. I did run all the other programs and do about once a week or so, but the only thing that shows infection was the two scans there and Spybot Search and Destroy, which shows tnn.news as what it found. No idea on that. I have used the fix options for all of these and they still return once I reboot my computer.
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  7. zer0gh0st

    zer0gh0st Private E-2

    Followed the steps in your last post. hsremove removed 8 objects. Here are my other log files. I still have hsa in my add/remove programs. My computer turned off a few times during the scans for some reason. Both logs are from normal mode. I saved ones from safe mode as well if you need them.
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    In HJT, choose Open the Misc Tools Section, choose Process Manager, highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Post a fresh HijackThis
     
  9. zer0gh0st

    zer0gh0st Private E-2

    Tried killing the C:\WINDOWS\system32\appqo32.exe but it said it may be protected or may be a service. I didn't see it in services. I killed C:\WINDOWS\system32\atlhs32.exe but it came back, as well as the rest of the objects I had hjt fix. It told me to restart to ensure everything was fixed, but when I ran hjt again they were all back.
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please follow the instructions in the following threads:
    How to view hidden, system files & folders!

    Searching for Hidden Files on WinXP


    Please make sure System Restore is OFF.


    Please print these instructions out for use while not connected to the internet.
    Now we are going to use notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijackThis log. To do this click Start, Run, and enter the following command "notepad C:\WINDOWS\system32\gyzib.dll" (without the quotes) and click OK.

    Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file). Now using Windows Explorer, locate the file ovdtv.dll and right click on it and select Properties and change the attributes to Read Only and click OK. Do the same for cekua.dll.

    Shut down (not minimize) all applications (especially IE and Windows Explorer) and run HijackThis.
    Now reboot in safe mode.

    Open Windows Explorer and navigate to and DELETE the following:
    If you have a problem deleting any of these files (like it is denied because it is in use), run ProcessExplorer and try to locate the running process and kill it. Then try to delete the file.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Now while still in safe mode, run only HijackThis and have it fix the following:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now click on Start, Run, type regedit, click OK. When regedit opens click on Edit, select Find, ipgi32.dll and delete every instance. Do the same for ovdtv.dll, cekua.dll, gvuqt.dll, qtyux.dll, crjp32.dll.

    Now click on Start, Search, select All files and folders, and in the top box search for the following:
    Delete each instance.

    Once again delete the contents of C:\WINDOWS\Prefetch.

    Delete Memory.dmp if found in either C:\WINDOWS or C:\WINDOWS\System32

    Now run CCleaner.

    Run HSRemover.

    Run about:Buster (copy the output to a file ablog1.txt)

    Also while still in Safe Mode to finish the cleanup process, please do the following:
    Go to Start --> Run and type Regedit then click Ok.
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:
    __NS_Service
    __NS_Service_2
    __NS_Service_3
    If any are listed, right-click that entry in the right pane and choose Delete.

    Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    and highlight Root in the Left Pane. In the right pane, look for these entries:
    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3
    If you find any, right-click it in the right pane and choose Delete.

    Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation NetLogon Service

    If Workstation NetLogon Service exists, right click on it and choose delete from the menu.

    Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Workstation NetLogon Service

    If LEGACY_Workstation NetLogon Service exists then right click on it and choose delete from the menu.

    Now navigate to
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Procedure Call (RPC) Helper

    If Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.

    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Remote Procedure Call (RPC) Helper

    If LEGACY_Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.

    If you have trouble deleting a key, click once on the key name to highlight it. Then click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

    Now (still in safe mode) run Ad-aware SE and under scan select Perform Full System Scan and then SpyBot S&D and clean what they find.

    Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Click the [+] next to Uninstall. Scroll down until you see the NAMES of programs (skip past the lines with numbers in {,}). See if you can find any of the following listed:

    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of assistant is wrong)
    SA = Search Assistant
    SE = Search Extender
    SW = Shopping Wizzard

    If you find any of them, select one at a time, and hit your delete key. Once you delete all three, you can exit the registry editor.

    Now reboot to normal mode and run about:Buster one more time, saving the output again (ablog2.txt; do not overwrite the first log).

    Before running anything else, run HijackThis and save a log.

    Reconnect your internet connection, run your browser, and connect here to MG's and post the new HijackThis and about:Buster logs as attachments. Then continue running and let's see how everything is working.
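    The post above has the user check each registry persistence point by hand. The following PowerShell audit script is an added example (not from this thread or from MajorGeeks) that reports, without deleting anything, the same service keys, Enum\Root LEGACY_ keys, Uninstall entries, and IE start/search page values that the instructions walk through. It assumes PowerShell with the Registry provider and an elevated prompt; the service and uninstall names are taken from the post.

    ```powershell
    # Added audit script (not part of the original post): report the persistence
    # points the manual steps above check, so they can be confirmed before removal.
    $findings = @()

    # Service names the post tells the user to look for under Services and Enum\Root.
    # Registry key names are case-insensitive, so LEGACY_ plus the name matches as written.
    $serviceNames = @('__NS_Service', '__NS_Service_2', '__NS_Service_3',
                      'Workstation NetLogon Service',
                      'Remote Procedure Call (RPC) Helper')
    foreach ($name in $serviceNames) {
        $paths = @("HKLM:\SYSTEM\CurrentControlSet\Services\$name",
                   "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$name")
        foreach ($p in $paths) {
            # -LiteralPath because the names contain parentheses and underscores
            if (Test-Path -LiteralPath $p) {
                $image = (Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue).ImagePath
                $findings += [pscustomobject]@{ Location = $p; Detail = $image }
            }
        }
    }

    # Uninstall entries named in the post (key name or DisplayName).
    $uninstallNames = @('HSA', 'SA', 'SE', 'SW', 'Home Search Agent',
                        'Home_Search_Assistent', 'Search Assistant',
                        'Search Extender', 'Shopping Wizzard')
    $uninstallRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($key in Get-ChildItem -LiteralPath $uninstallRoot -ErrorAction SilentlyContinue) {
        $display = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).DisplayName
        if ($uninstallNames -contains $key.PSChildName -or $uninstallNames -contains $display) {
            $findings += [pscustomobject]@{ Location = $key.PSPath; Detail = $display }
        }
    }

    # IE start/search page values (the R0/R1 lines of a HijackThis log) that
    # point at a DLL instead of a normal URL.
    $ieKeys = @('HKCU:\Software\Microsoft\Internet Explorer\Main',
                'HKLM:\Software\Microsoft\Internet Explorer\Main')
    foreach ($k in $ieKeys) {
        $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
        foreach ($valueName in 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL') {
            $v = $props.$valueName
            if ($v -and $v -match '\.dll') {
                $findings += [pscustomobject]@{ Location = "$k\$valueName"; Detail = $v }
            }
        }
    }

    if ($findings) { $findings | Format-Table -AutoSize } else { 'No listed persistence points found.' }
    ```

    Each reported location corresponds to one of the manual deletion steps above; the script deliberately stops at reporting so the operator decides what to remove.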
     
  11. zer0gh0st

    zer0gh0st Private E-2

    I did all the steps and I couldn't find some of the things in several steps, but it appears that everything is gone. My last Spybot and about:Buster scans showed nothing. Here are my HijackThis logs and about:Buster logs. I will post the ones that are in normal mode after everything unless you need the old ones. My add/remove list no longer has hsa or the shopper thing in it. Thanks for the help, it is very appreciated. You guys kickass. But I may be prematurely celebrating, so we'll see.
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is clean. How is your computer performing?
     
  13. zer0gh0st

    zer0gh0st Private E-2

    Well, I just ran another Ad-Aware scan and it showed wintrojan, so I cleaned it and I am now running everything again. I am still experiencing shutdowns, which is what made me decide to check again. The hsa is gone though, as well as the other shopping thing.
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments.
     
  15. zer0gh0st

    zer0gh0st Private E-2

    Ok, here are my logs. Guess I was speaking too soon. I also can't use search now for some reason. It says I need to use setup since it is missing a file.
     

    Attached Files:

  16. zer0gh0st

    zer0gh0st Private E-2

    last one
     

    Attached Files:

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please make sure System Restore is OFF.

    Do the following:
    How to view hidden, system files & folders!

    Searching for Hidden Files on WinXP

    Reboot to Safe Mode.

    Open Windows Explorer, navigate to and delete the following:
    Please follow the directions in the below thread:
    Running Ewido Security Suite
     
  18. zer0gh0st

    zer0gh0st Private E-2

    Ok, I deleted all of those files that I could find; however search doesn't work, it says I am missing a file and may need to run setup for some reason. Here is the ewido log. Do you want me to post any others?
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please post a fresh HijackThis log as an ATTACHMENT.
     
  20. zer0gh0st

    zer0gh0st Private E-2

    ok, here you are.
     

    Attached Files:

  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean. How is your computer running?
     
  22. zer0gh0st

    zer0gh0st Private E-2

    Sorry, been gone a few days. My cpu is running well except for the turning off randomly and search not working; other than that nothing.
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Computer turning off randomly could be a hardware problem; search not working would be an issue for the software forum.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes a quick fix for Search problems is the below:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q319949

    If that does not help then SPD is correct and you should try to work this in the Software Forum.
     