Home Search Assistant will not go away

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lutzclan, Jul 13, 2004.

  1. lutzclan

    lutzclan Private E-2

    I have been chasing this way too long. After my first go with HijackThis I cleaned up some of the stuff, but clearly I am still missing something.

    I have run Ad-Aware with the latest update and the plug-in for this problem. I have run Spybot. I have run HSREMOVE in safe mode. I have removed the registry entries for HSA\SW\SE. I believe it is being reinstalled as part of the Windows 2000 "File Protection" feature - I cannot turn off System Restore in Windows 2000. Help!

    Logfile of HijackThis v1.97.7
    Scan saved at 2:51:51 PM, on 7/13/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
    c:\edmwin\EDMEXECD.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\sysyg.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
    C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
    C:\WINNT\system32\Atiptaxx.exe
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\apirk.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
    C:\PROGRA~1\Netscape\Netscape\Netscp.exe
    C:\WINNT\explorer.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    E:\User Profiles\goatwoman\Desktop\Fix\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ximfd.dll/sp.html#27859
    O2 - BHO: (no name) - {B9B11C7D-86D4-3AF4-04BE-B066307AC07B} - C:\WINNT\netgu32.dll
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [apirk.exe] C:\WINNT\apirk.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Get the current HijackThis please: http://www.majorgeeks.com/download3155.html

    Also get the current HSremove 2.36: http://www.majorgeeks.com/download4286.html

    This is not the same as the log you posted in the other thread (the one I deleted). You had about 6 R1 & R0 lines before. In addition, you can see the filenames have changed. If you are working on this in between message exchanges you are only going to mess us up on this end and our recommendations will not work. Stop trying to fix it and stop rebooting your PC.

    Hopefully it has not changed again from your post.

    Check to see if a Windows service named "Network Security Service" is running. To do this:
    Click Start, Run, and enter this in the Open box: services.msc Then click OK.
    Now in the Services window that pops up, look for Network Security Service. If you find that service, you must stop it by right-clicking on it and selecting Stop. Now disable it by right-clicking on it and selecting Properties. Then in the General tab, find the area that says "Startup type:", click on the pull-down arrow and change it to Disabled. Also on the Properties page, I need to know the info in the "Path to executable" box.
     
  3. lutzclan

    lutzclan Private E-2

    Sorry about the confusion with the log - I could see that there was stuff that needed to be removed.

    I disabled the security service as requested. The path is C:\WINNT\System32\lsass.exe.

    I have NOT run the HSREMOVE.EXE 2.36 version in safe mode - waiting for your recommendation.

    Current Log...
    Logfile of HijackThis v1.98.0
    Scan saved at 4:39:53 PM, on 7/13/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
    c:\edmwin\EDMEXECD.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\sysyg.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
    C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\apirk.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
    E:\User Profiles\goatwoman\Desktop\Fix\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\mpodm.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mpodm.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mpodm.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\mpodm.dll/sp.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\mpodm.dll/sp.html#27859
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mpodm.dll/index.html#27859
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {DFB2AA15-E401-4849-EC8D-09D78BFC8D4A} - C:\WINNT\iejf32.dll
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [apirk.exe] C:\WINNT\apirk.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No no no! Re-enable that! I said "Network Security Service". I did not say Security Accounts Manager.

    If you do not see Network Security Service that's okay. Just tell me so. Usually this is running and is one of the underlying problems with HSA coming back.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1) go here and download Registrar lite and install it: http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) Double-click on AppInit_Dlls and tell me exactly what you see in the Value.
     
  6. lutzclan

    lutzclan Private E-2

    That was not running, so I thought you intend to have me stop this. I have re-started that service.
     
  7. lutzclan

    lutzclan Private E-2

    I did not have that registry value so I searched for AppInit_DLLs and found it in the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\\AppInit_DLLs

    Value was: SYS:Microsoft\Windows NT\CurrentVersion\Windows
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay. Just leave that item alone.

    Let's work on cleaning now:

    1) if system restore is not disabled, then disable it but don't reboot when it tells you it is required. To do that see: http://forums.majorgeeks.com/showthread.php?t=31668

    2) **** this is very important disconnect from the internet (physically unplug cables) **** Don't re-connect until told to!
    3) reboot in safe mode (I assume you already know how to do that)
    4) run HSremove 2.36
    5) Reset Web Settings by right clicking on IE and selecting Tools, Internet Options, Programs, then click Reset Web Settings. Now go back to the General tab and specify your home page (like www.majorgeeks.com)
    6) run HijackThis and fix the following if still present:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\mpodm.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mpodm.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mpodm.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\mpodm.dll/sp.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\mpodm.dll/sp.html#27859
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mpodm.dll/index.html#27859
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {DFB2AA15-E401-4849-EC8D-09D78BFC8D4A} - C:\WINNT\iejf32.dll
    O4 - HKLM\..\Run: [apirk.exe] C:\WINNT\apirk.exe

    7) boot normal and reconnect to internet
    8) see how things look. Post new HijackThis log. Do not cut off any info. Last time you cut off after the O6 lines when I know from your previous log you had info beyond that.
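    As an added example (not part of the original thread and not a MajorGeeks or HSremove tool), the following Python script applies the reasoning behind the fix list above to HijackThis entries: IE start/search pages redirected to a res:// resource inside a local DLL, a missing default URLSearchHook, an unnamed BHO loaded from a DLL dropped straight into the Windows directory, and a Run entry launching an executable from the Windows root. The sample input is the set of R/O lines from the log posted in post 3 (plus a few benign lines from the same log for contrast); the heuristics themselves are assumptions drawn from the logs in this thread, not a general signature.

```python
import re
from typing import List, Optional, Tuple

# Sample input: HijackThis entries copied from the log in post 3 of this
# thread, with benign O4/O16 lines kept so the filter has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\mpodm.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mpodm.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mpodm.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\mpodm.dll/sp.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\mpodm.dll/sp.html#27859
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mpodm.dll/index.html#27859
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DFB2AA15-E401-4849-EC8D-09D78BFC8D4A} - C:\WINNT\iejf32.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [apirk.exe] C:\WINNT\apirk.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# A file sitting directly in the Windows root (C:\WINNT\x.dll, not in a
# subfolder such as System32). Assumption: HSA-style droppers in this
# thread used random names in exactly that location.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\(?:WINNT|WINDOWS)\\[^\\]+$", re.IGNORECASE)

# First token after the [name] of an O4 line: a quoted path or a bare one.
O4_TARGET_RE = re.compile(r"\]\s*(\"[^\"]+\"|\S+)")


def _in_windows_root(path: str) -> bool:
    return bool(WINDIR_ROOT_RE.match(path.strip('"')))


def triage_line(line: str) -> Optional[str]:
    """Return a reason if the HijackThis line matches one of the HSA-style
    indicators seen in this thread, or None if it looks benign."""
    line = line.strip()
    prefix = line.split(" - ", 1)[0]
    if prefix in ("R0", "R1") and "res://" in line:
        return "IE start/search page points at a res:// resource inside a local DLL"
    if prefix == "R3" and "URLSearchHook is missing" in line:
        return "default URLSearchHook has been removed"
    if prefix == "O2" and "(no name)" in line:
        dll = line.rsplit(" - ", 1)[1]
        if _in_windows_root(dll):
            return "unnamed BHO loaded from a DLL placed directly in the Windows root"
    if prefix == "O4":
        m = O4_TARGET_RE.search(line)
        if m and _in_windows_root(m.group(1)):
            return "Run entry launches an executable placed directly in the Windows root"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Walk a HijackThis log and return (line, reason) pairs for suspect entries."""
    findings = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


def fix_list(log_text: str) -> List[str]:
    """The lines you would tick in HijackThis, in log order."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

    Run against the post 3 entries this returns exactly the nine lines listed in step 6 above. Treat the output as a prompt for a human, not a verdict: Explorer.EXE also lives in the Windows root, and a res:// URL is only suspicious here because it points at a DLL that no legitimate product installed, so read every hit against the rest of the log before fixing it.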
     
  9. lutzclan

    lutzclan Private E-2

    Regarding the "system restore" - I'm running Win2K and it doesn't have a system restore. At least I could not find anything. Please advise if you know how to do this in Win2k. I'll take a shot at what you suggested.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's my mistake. I was cutting and pasting from some similar threads and forgot to change that for your Win2K system.


    Also one more thing. If you still have a problem when finished with this, try running this:
    a² anti virus: http://www.majorgeeks.com/download4281.html

    Some people have had success using that.
     
  11. lutzclan

    lutzclan Private E-2

    wow IT WORKED - I will get to bed before 1:00AM tonight. Thanks so much. I have rebooted 6 or 7 times now and it has not come back. I am sooooo happy.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great news! Happy I could help.
     
