Can't get rid of Home Search Assistant


5 replies to this topic

#1 cxr

cxr

  • Members
  • 4 posts

Posted 23 February 2005 - 12:44 PM

Here's my problem. My home computer (Windows XP Professional OS) has been infected with the Home Search Assistant, among other things. I followed the instructions at http://www.bleepingcomputer.com/forums/t/3341/how-to-remove-home-search-assistant-cws-ns3-backdoor-bdd/ ALMOST exactly, but the hijacking continues. The one step that I could not perform was step 6, viz., removing the file used by the service. The problem is that the service file, as discovered according to step 2 in the Remote Procedure Call (RPC) Helper, is Windows\netlc.exe /s. When I tried to delete this file in step 6, I could not FIND this file anywhere on my system, even though I followed all of the preparation steps needed to see the hidden files (Preparation steps, part 1). I am stuck. Is there any way to find this file (netlc.exe) so that it can be deleted? If not, perhaps I can remove Internet Explorer entirely, which seems to be the hijacker's browser of choice. (Normally I use Netscape 7.1, so the absence of IE6 may be of little consequence, unless of course Microsoft has devilishly tied IE6 into other parts of the operating system).

Thanks.


#2 TexasAngel67

TexasAngel67

    Bleeping Helper


  • Members
  • 1,551 posts
  • Location:Fort Worth

Posted 23 February 2005 - 12:47 PM

Hi. I've moved your thread to the appropriate forum; I apologize for any inconvenience.

Please click the link below in my signature for HijackThis. Follow the instructions given there and post the log into HijackThis Logs and Analysis, not here. The HijackThis team of experts will only see it if it's in the right forum.

Thanks and good luck.

~67~

#3 cxr

cxr
  • Topic Starter

  • Members
  • 4 posts

Posted 23 February 2005 - 12:51 PM

Thanks. I'll run HijackThis again tonight, and post the results tomorrow.

Chuck

#4 cxr

cxr
  • Topic Starter

  • Members
  • 4 posts

Posted 24 February 2005 - 07:58 AM

I ran HijackThis, and I've posted the log file below. As a reminder, my home computer has been infected with the Home Search Assistant, among other things. I followed the instructions at http://www.bleepingcomputer.com/forums/t/3341/how-to-remove-home-search-assistant-cws-ns3-backdoor-bdd/ ALMOST exactly, but the hijacking continues. The one step that I could not perform was step 6, viz., removing the file used by the service. The problem is that the service file, as discovered according to step 2 in the Remote Procedure Call (RPC) Helper, is Windows\netlc.exe /s. When I tried to delete this file in step 6, I could not FIND this file anywhere on my system, even though I followed all of the preparation steps needed to see the hidden files (Preparation steps, part 1). I am stuck. Is there any way to find this file (netlc.exe) so that it can be deleted? If not, perhaps I can remove Internet Explorer entirely, which seems to be the hijacker's browser of choice. (Normally I use Netscape 7.1, so the absence of IE6 may be of little consequence, unless of course Microsoft has devilishly tied IE6 into other parts of the operating system).

Thanks very much,
Chuck

Logfile of HijackThis v1.99.1
Scan saved at 5:18:28 AM, on 2/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Backup (Retrospect)\Launcher.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\veritas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\qplaqmeb.exe
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Documents and Settings\The Rosenblatts\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6EF0F034-C0DA-6CB6-18F6-2B49B1B81D7A} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [InstantAccess] C:\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [1B.tmp] C:\DOCUME~1\THEROS~1\LOCALS~1\Temp\1B.tmp.exe 0 28129
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\THEROS~1\LOCALS~1\Temp\8.tmp.exe 0 28129
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitedfd32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [A4Fpl] C:\WINDOWS\qplaqmeb.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKCU\..\Run: [MS System] cssrs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Klingon Klock.lnk = C:\Klingon Klock\kklock.exe
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Daniel\accessories\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm197
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\DANIEL\ICQLITE\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\DANIEL\ICQLITE\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Backup (Retrospect)\Launcher.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Backup (Retrospect)\retrohlpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 28 February 2005 - 02:07 PM

Hello cxr and welcome to the BC forums. I am presently reviewing your log and will respond back to you as quickly as I can.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 01 March 2005 - 11:34 AM

Hello again cxr. After reviewing your log I see a few items that require our attention. Please proceed with the following steps in order:

Step #1

Please download LSP-Fix and WinSockFix from the following links and save them to a location you can find later if necessary:
* LSP-Fix Download Link
* WinsockFix

To remove New.net, please go to Start | Settings | Control Panel | Add/Remove Programs, look for and remove New.Net Application or New.net Domains. If you can't find it, then please go here and follow the removal instructions in Procedure 4 at the bottom of the page.

Step #2

Now we need to stop the TeaTimer app to prevent it from interfering with the fixes that follow:
* Start Spybot Search & Destroy and click on the Mode menu item and then click Advanced Mode.
* Click on the Yes button in the Warning window.
* Click on the Tools in the bottom left hand corner.
* Click on the System Startup icon.
* Click in the checkbox in front of Teatimer to clear it and then click on the Allow Change button in the dialog that opens up.
* Reboot your computer.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {6EF0F034-C0DA-6CB6-18F6-2B49B1B81D7A} - (no file)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [1B.tmp] C:\DOCUME~1\THEROS~1\LOCALS~1\Temp\1B.tmp.exe 0 28129
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\THEROS~1\LOCALS~1\Temp\8.tmp.exe 0 28129
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitedfd32.exe
O4 - HKLM\..\Run: [A4Fpl] C:\WINDOWS\qplaqmeb.exe
O4 - HKCU\..\Run: [MS System] cssrs.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm197
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149

These are fixes that I recommend you do:

The PowerReg Scheduler is installed by many companies as a registration reminder. It is not a required application and is believed to send information about your computer back to the company that installed it.
O4 - Global Startup: PowerReg Scheduler.exe
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

If you can not connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the finish button. If you still have a problem run the WinSockFix program and click the Fix button. Reboot if you run either tool and you should be able to get back on.

Step #4

We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\cerbmod.dll
C:\WINDOWS\System32\tibs5.exe
C:\windows\system32\elitedfd32.exe
C:\WINDOWS\qplaqmeb.exe
C:\PROGRAM FILES\NEWDOTNET\ <--folder
cssrs.exe (do a search and delete all instances - see the note below about searching in XP)

Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Next, let's clean up the temporary folders:
* Click Start
* Point to Programs
* Point to Accessories
* Point to System Tools
* Click Disk Cleanup
* Select all items shown and click the OK button.
OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back using the Add Reply button and I will review it when it comes in.

In regards to your question about the netlc.exe file, I do not see any reference to it in your current log. Does the service still show up in your services as being stopped? We can look at that after your next post.

OT :thumbsup:
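The log in post #4 and the fix list OldTimer builds from it in post #6 show what a HijackThis helper does by eye: spot autostarts in Temp folders, orphaned BHO CLSIDs, a search hijack (Search Bar = about:blank, missing URLSearchHook), Trusted Zone additions, and a process name that imitates a real one (cssrs.exe vs. csrss.exe). The Python below is an added example, not part of the thread and not HijackThis or OldTimer's code; it applies those checks mechanically to an excerpt copied from the posted log. Everything in it is the editor's assumption: the list of genuine system process names used for the look-alike test, the New.net path tokens (the one program this thread itself names as unwanted), the `approved_hosts` knob for start pages, and the wording of each reason. A hit means "look at this entry", not "this is malware", and the code deliberately does not catch entries OldTimer removed from experience alone (tibs5.exe, elitedfd32.exe, qplaqmeb.exe), which is exactly why a helper still reads the whole log.

```python
import re

# Assumption: genuine Windows XP core process names used for the look-alike test.
SYSTEM_PROCESSES = ("csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                    "winlogon.exe", "services.exe", "explorer.exe")
# Assumption: path tokens of the one program this thread itself calls unwanted.
KNOWN_UNWANTED = ("newdot", "new.net")
EXE_RE = re.compile(r"(.*?\.(?:exe|com|scr|pif|bat|cmd|dll))(?=\s|,|$)", re.I)

def osa_distance(a, b):
    """Edit distance in which an adjacent swap (csrss -> cssrs) costs one edit."""
    d = [[i if j == 0 else j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def first_executable(cmd):
    """Pull the program (or the rundll32 payload DLL) out of an autostart command."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32 "):
        cmd = cmd.split(None, 1)[1]
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.match(cmd)  # unquoted paths may contain spaces, so stop at the extension
    return m.group(1) if m else (cmd.split()[0] if cmd.split() else cmd)

def flag_entry(entry, approved_hosts=()):
    """Return the reason this HijackThis line deserves a look, or None."""
    if entry.startswith("R3 ") and "URLSearchHook is missing" in entry:
        return "default URLSearchHook gone (typical after a search hijack)"
    m = re.match(r"R[01] - .*,(?P<setting>[^=]+) = (?P<value>.*)$", entry)
    if m:
        setting, value = m.group("setting"), m.group("value").strip()
        if value == "about:blank" and "Search" in setting:
            return "search bar forced to about:blank"
        if value.lower().startswith("http"):
            host = re.sub(r"^https?://([^/]+).*$", r"\1", value).lower()
            if host not in {h.lower() for h in approved_hosts}:
                return f"IE {setting} points at unapproved host {host}"
        return None
    m = re.match(r"O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$", entry)
    if m:
        if m.group("path") == "(no file)":
            return "BHO CLSID registered but its DLL is gone (orphan)"
        folder = m.group("path").rsplit("\\", 1)[0].lower()
        if m.group("name") == "(no name)" and folder in ("c:\\windows", "c:\\winnt"):
            return "nameless BHO loaded straight from the Windows folder"
        return None
    m = re.match(r"O4 - .*\\Run(?:Services)?: \[[^\]]*\] (?P<cmd>.*)$", entry)
    if m:
        exe = first_executable(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1].lower()
        if "\\temp\\" in exe.lower():
            return "autostart launches from a Temp folder"
        if any(tok in exe.lower() for tok in KNOWN_UNWANTED):
            return "autostart belongs to a known unwanted program (New.net)"
        for real in SYSTEM_PROCESSES:
            if base != real and osa_distance(base, real) <= 1:
                return f"{base} imitates the system process {real}"
        if "\\" not in exe:
            return "autostart is a bare filename, so its location is unknown"
        return None
    if entry.startswith("O8 ") and re.search(r"https?://", entry):
        return "context-menu item fetches a remote URL"
    if entry.startswith("O15 "):
        return "site or IP added to the IE Trusted zone"
    return None

def triage(log_lines, approved_hosts=()):
    """Return (lineno, entry, reason) for every line that flag_entry objects to."""
    hits = ((n, l.strip(), flag_entry(l.strip(), approved_hosts))
            for n, l in enumerate(log_lines, 1))
    return [h for h in hits if h[2]]

# Constructed excerpt: lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6EF0F034-C0DA-6CB6-18F6-2B49B1B81D7A} - (no file)
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [1B.tmp] C:\DOCUME~1\THEROS~1\LOCALS~1\Temp\1B.tmp.exe 0 28129
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MS System] cssrs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm197
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
""".strip().splitlines()

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG, approved_hosts=("hsremove.com",)), sep="\n")
```

Run against the excerpt with hsremove.com approved (the user set that start page while following the removal guide), the code returns ten findings and leaves the Symantec, RealPlayer and Spybot entries alone; drop the approved host and the two R0/R1 start-page lines are flagged as well. The look-alike rule is the part worth keeping in mind: a plain Levenshtein distance scores cssrs.exe against csrss.exe as two edits, so the transposition-aware distance is what lets a one-character swap of a system process name surface.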



