Help With Home Search Assistant Please

Discussion in 'Malware Help (A Specialist Will Reply)' started by UpNorthChick, Jan 21, 2005.

  1. UpNorthChick

    UpNorthChick Private E-2

    Ok, I read the directions given for this problem and tried fixing it, but I'm having some problems. Here is my latest Hijack log. Can someone please tell me what to have Hijack remove, etc.?


    Edit by chaslang: Unrequested, very old version, inline HJT log deleted
     
    Last edited by a moderator: Jan 21, 2005
  2. UpNorthChick

    UpNorthChick Private E-2

    Sorry for posting the Hijack log. I realized after it was too late that I wasn't supposed to post it. Can someone please help me though? I did some things, but I cannot figure out the good files and bad files to remove or have Hijack fix.
     
  3. TheOldThug

    TheOldThug First Sergeant

    UpNorthChick

    One of the regulars will help you, but I already see that your HJT is out of date. They will also ask you to run through the tutorial first before entering a HJT log.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Good luck
    TheOldThug
     
  4. UpNorthChick

    UpNorthChick Private E-2

    Ok, I updated HJT and read the Sticky Thread about it all. Attached is a new HJT log. I read the Sticky Thread on Read Me First Before Asking; I got as far as step 7 and then I'm lost. I have no clue as to what files to have HJT fix or remove, etc. I tried going through TonyK's BHO & Toolbar List and I'm not having any luck. I can't use Excite to search because it says I'm not able to, and Google shows no results.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a bunch of problems besides HSA hijack. We need to address the others before fixing the HSA problem.

    It appears that you have two antivirus applications installed. You must only run one. Pick one and uninstall the other.

    You should go to Add/Remove Programs and uninstall WeatherBug unless this is a version that you paid for. While there, also look for anything to do with Web Offer.

    Run HJT and with all browsers closed Fix these lines:
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)

    Some of those may come back.

    Start on that while I look at your log. There are a load of trojans. Let me know the results of the above and post a new log.

    I also see that you still play too many online games! LOL!!! :D
     
  6. UpNorthChick

    UpNorthChick Private E-2

    Ok, I removed the Web Offer from Add/Remove Programs. I also had HJT fix all of the O15 lines you had listed that were Trusted Zone. Attached is a new HJT log.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is VERY IMPORTANT to remember to ALWAYS exit browsers (all of them) before using HJT. You had two IE sessions running.

    What about Weather Bug?

    I still see two antivirus apps! That is not going to help you!

    A few more questions. Do you use these:
    Viewpoint Manager\ViewMgr.exe
    QuickTime
    WildTangent

    What is your expected home page?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Another question:

    Did you put this here:
    C:\documents and settings\continentalhc\local settings\temp\WMqrSVI.exe

    This is not a good way to install something that you may need. Many trojans install themselves this way in the documents and settings folder. It is not a place you should install (or save anything you want to keep). Cleanup programs and procedures we need to use to fix malware problems will typically go in and delete everything in folders like this. Temp basically means...you don't need it.
     
  9. UpNorthChick

    UpNorthChick Private E-2

    I think I had everything turned off this time before running a new HJT log, which is attached. I removed Norton since it had expired 2 years ago, and removed WeatherBug.

    *Do you use these: No I Do Not Use Any Of These

    Viewpoint Manager\ViewMgr.exe
    QuickTime
    WildTangent

    *What is your expected home page? www.nascar.com is the homepage I like to use


    *Did you put this here: I am not aware of putting this on my computer at all, so I'm lost on this one.

    C:\documents and settings\continentalhc\local settings\temp\WMqrSVI.exe

    This is not a good way to install something that you may need. Many trojans install themselves this way in the documents and settings folder. It is not a place you should install (or save anything you want to keep). Cleanup programs and procedures we need to use to fix malware problems will typically go in and delete everything in folders like this. Temp basically means...you don't need it.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still need to know your expected home page for later cleanup work.


    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.


    Go to Add/Remove Programs and uninstall anything to do with (if found):
    - BullsEye Network
    - Viewpoint or Viewpoint Manager
    - WildTangent

    I'm still leaving steps in the clean procedures below related to the above items, just in case they do not have an uninstall.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
    Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\documents and settings\continentalhc\local settings\temp\WMqrSVI.exe
    C:\windows\system32\i6xmVphx.exe
    C:\windows\system32\QuHTH.exe
    C:\WINDOWS\system32\6to4svc9.exe
    C:\WINDOWS\Xhrmy.exe
    C:\Documents and Settings\continentalhc\Application Data\rpen.exe
    C:\WINDOWS\system32\QuHTH.exe
    C:\WINDOWS\system32\m?config.exe
    C:\PROGRA~1\Web Offer\wo.exe


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [79D.tmp] C:\DOCUME~1\CONTIN~1\LOCALS~1\Temp\79D.tmp.exe 1 10001
    O4 - HKLM\..\Run: [WMqrSVI] C:\documents and settings\continentalhc\local settings\temp\WMqrSVI.exe
    O4 - HKLM\..\Run: [i6xmVphx] C:\windows\system32\i6xmVphx.exe
    O4 - HKLM\..\Run: [QuHTH.exe] c:\windows\system32\QuHTH.exe
    O4 - HKLM\..\Run: [5d5662def334] C:\WINDOWS\system32\6to4svc9.exe
    O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
    O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\continentalhc\Application Data\rpen.exe
    O4 - HKCU\..\Run: [Yqgbhn] C:\WINDOWS\system32\m?config.exe
    O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\system32\toolbar.dll/SEARCH.HTML
    O9 - Extra button: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe (file missing)
    O9 - Extra 'Tools' menuitem: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe (file missing)
    O9 - Extra button: BingoHead Lobby - {A90D8DF7-13D6-40EE-8DFC-D1A9CBCC0622} - C:\Program Files\BingoHead Lobby\osix.exe (file missing)
    O9 - Extra 'Tools' menuitem: BingoHead Lobby - {A90D8DF7-13D6-40EE-8DFC-D1A9CBCC0622} - C:\Program Files\BingoHead Lobby\osix.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
    O16 - DPF: {12B574CE-A702-E7AD-358C-597D3BCEA9FA} (IEplugin Class) - http://www.mrketing.biz/IE_plugin.cab
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/20b637ed/enter.cab
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50122/QDow_AS2.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\documents and settings\continentalhc\local settings\temp\WMqrSVI.exe
    C:\Documents and Settings\continentalhc\Application Data\rpen.exe
    C:\documents and settings\continentalhc\local settings\temp\79D.tmp.exe
    C:\windows\system32\i6xmVphx.exe
    C:\windows\system32\QuHTH.exe
    C:\WINDOWS\system32\6to4svc9.exe
    C:\WINDOWS\Xhrmy.exe
    C:\WINDOWS\system32\QuHTH.exe
    C:\WINDOWS\system32\EZPOPS~1.EXE
    C:\WINDOWS\system32\toolbar.dll
    C:\PROGRA~1\Web Offer <--- the whole folder
    C:\Program Files\Viewpoint <--- the whole folder
    C:\Program Files\WildTangent <--- the whole folder
    C:\Program Files\BullsEye Network <--- the whole folder


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    After posting this log DO NOT REBOOT or the HSA hijacker symptoms may change. That would make any fixes I suggest worthless. Leave your PC running until you get a procedure from me. In the meantime make sure you do have About:Buster and HSremove on download and ready to use (just in case).
     
  11. UpNorthChick

    UpNorthChick Private E-2

    Ok I did everything you suggested and here is the new HJT log.

    You also asked what my expected home page was for later cleanup work .. if you are asking what homepage I set it to .. www.nascar.com .. I did answer on my last reply, but maybe I'm misunderstanding what you mean.
     


  12. UpNorthChick

    UpNorthChick Private E-2

    I'm doing as you said and leaving the computer on and not rebooting .. can I do other things while I'm waiting? I don't want to mess anything up and I'm not overly computer smart, as I'm sure you can tell lol
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you can do other things but be very careful and selective about where you go.

    I see a few more items have shown up now. The other problems may have masked them or they could be new. Again we need to fix these before the HSA problem.

    Any problems fixing/deleting stuff last time?

    Make sure you have system restore disabled and viewing of hidden files enabled.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Middadle\Clicks10017.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [QuHTH.exe] C:\WINDOWS\system32\QuHTH.exe
    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SEP <-- the whole folder
    C:\Program Files\eSyndicate <-- the whole folder
    C:\Program Files\Middadle <-- the whole folder
    C:\WINDOWS\system32\QuHTH.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    And again (even though it did not change last time):
    After posting this log DO NOT REBOOT or the HSA hijacker symptoms may change. That would make any fixes I suggest worthless. Leave your PC running until you get a procedure from me. In the meantime make sure you do have about:Buster and HSremove on download and ready to use (just in case).
     
  14. UpNorthChick

    UpNorthChick Private E-2

    Ok, did everything that time; the only problem this time was locating the QuHTH.exe file. I deleted it last time, but this time I can't find it to delete.

    Keeping computer on until you give me further procedure(s)
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure system restore is disabled and viewing of hidden files is enabled.

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your PC to the internet, and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lidnm.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lidnm.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lidnm.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lidnm.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lidnm.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lidnm.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lidnm.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0B908CAD-3C8E-F8BB-BABB-D566F522D77D} - C:\WINDOWS\netua32.dll

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (if you find them):

    C:\WINDOWS\system32\lidnm.dll
    C:\WINDOWS\netua32.dll

    If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
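The entries chaslang picks out across this thread follow a few recognizable patterns: O15 Trusted Zone and Trusted IP range additions, O4 autorun entries whose executable lives under a temp or Application Data folder, R0/R1 entries that redirect the search page into a `res://` resource inside a local DLL, an O2 BHO with no name, and O16 ActiveX downloads. The script below is an added example, not code from this thread or from HijackThis: it reads lines in the log format quoted above (the sample is constructed from entries quoted in this thread, plus a benign QuickTime line for contrast) and flags the ones matching those patterns. The rule names and the `_SUSPICIOUS_DIRS` list are my own choices; it is a triage aid, and a flagged line still needs the kind of review the helper does here before anything is fixed.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis log format, taken from entries quoted in
# this thread; the QuickTime line is a benign entry included for contrast.
SAMPLE_LOG_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lidnm.dll/sp.html#44768",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {0B908CAD-3C8E-F8BB-BABB-D566F522D77D} - C:\WINDOWS\netua32.dll",
    r"O4 - HKLM\..\Run: [WMqrSVI] C:\documents and settings\continentalhc\local settings\temp\WMqrSVI.exe",
    r"O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\continentalhc\Application Data\rpen.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O15 - Trusted Zone: *.searchmiracle.com (HKLM)",
    r"O15 - Trusted IP range: 206.161.125.149",
    r"O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab",
]

# Folder fragments (assumed list) where a legitimately installed program
# should not live; compare with the remarks about the temp folder above.
_SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\")

# R0/R1 value that points into a resource inside a local DLL (res://...dll).
_RES_DLL = re.compile(r"=\s*res://.*?\.dll", re.IGNORECASE)

# O4 line: everything after the "[name]" bracket up to the first ".exe",
# with an optional opening quote, is the autorun target path.
_O4_TARGET = re.compile(r'^O4 - [^\]]*\]\s*"?(.+?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line: str


def classify(line: str) -> List[str]:
    """Return the rule names (possibly none) that a single HJT line triggers."""
    reasons: List[str] = []
    section = line.split(" - ", 1)[0]  # e.g. "R1", "O4", "O15"
    if section == "O15":
        # Any Trusted Zone / Trusted IP addition lowers IE security for that host.
        reasons.append("trusted-zone addition")
    elif section in ("R0", "R1") and _RES_DLL.search(line):
        reasons.append("search/home page redirected into a local DLL resource")
    elif section == "R3" and "missing" in line.lower():
        reasons.append("URLSearchHook removed")
    elif section == "O2" and "(no name)" in line:
        reasons.append("unnamed BHO")
    elif section == "O4":
        match = _O4_TARGET.search(line)
        if match and any(d in match.group(1).lower() for d in _SUSPICIOUS_DIRS):
            reasons.append("autorun executable in a temp/profile-data folder")
    elif section == "O16":
        # Downloaded ActiveX controls: flag for a look at the source host.
        reasons.append("ActiveX download (DPF) - verify the source host")
    return reasons


def analyze(lines: List[str]) -> List[Finding]:
    """Run classify() over every log line and collect the hits."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        for rule in classify(line):
            findings.append(Finding(rule, line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per rule, useful as a quick overview of a long log."""
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG_LINES)
    for f in hits:
        print(f"[{f.rule}] {f.line}")
    print(summarize(hits))
```

Run it against a saved log by reading the file into a list of lines and passing that to `analyze()`. Lines it does not flag (such as the `about:blank` default page, which the helper still chose to fix) are not thereby cleared; the rules only cover the patterns named above.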
     
  16. UpNorthChick

    UpNorthChick Private E-2

    Sorry, I had an emergency last night and ended up having to stop everything I was doing and shut down. Here is the latest HJT log, and I'm here to get everything taken care of.
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right now you look clean! Is it still clean? Have you rebooted again and run a few browser sessions, and is it still clean?
     
  18. UpNorthChick

    UpNorthChick Private E-2

    Yep, it's still clean, and I did a few things with the browser, going to different sites to be sure, etc., and everything seems to be fine and runs much faster. AVG picked up a few trojans this morning before I ran HJT. Thank you so very, very much for all of your help, hun! YOU are a Godsend and the work you all do here is wonderful! Thank you so much again!!

    UpNorthChick :D
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Happy I could help!

    Now you should make sure you have done the stuff in the below link (or their equivalent counterparts - for example I mention antivirus apps and firewalls - you do not have to use the ones indicated, but you should have an antivirus and a firewall):

    How to Protect yourself from malware!
     
