
searchassistant?



#1 kleinr


Posted 31 October 2004 - 04:18 PM

I've attached a screenshot of it.
I don't have the search bar anymore, but if I remove this with HijackThis it keeps coming back :thumbsup:
And here is the log:

Logfile of HijackThis v1.98.2
Scan saved at 22:22:20, on 31-10-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\roel klein\Bureaublad\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =



Edited by kleinr, 31 October 2004 - 04:21 PM.



 


#2 Papakid



  • Malware Response Team

Posted 01 November 2004 - 11:15 AM

Hi kleinr. Welcome to BC.

That's got to be the strangest log I've ever seen. In order to help you I need to know how the log and screenshot came to look like that. In other words, what have you done with HijackThis prior to posting this log? I'm guessing that you have done one of two things if this has not been caused by whatever malware you may have on your system.

1. You have tried fixing everything in HijackThis. If so, that is a big mistake. Most of what appears in HJT is perfectly harmless and some of it is essential for your PC to run normally. Search Assistant itself is a standard area of the registry that controls the Search functionality of your system. When you go to Start>Search, you are using Search Assistant. SA is commonly hijacked but we can't tell what is happening with a log like that and without seeing what you may have already fixed.

2. You have used the ignore function of HijackThis so that only those two lines appear.

Please give me some history of how you got to this log, including a description of what the problem was that caused you to want to use HJT in the first place and we'll go from there and make what corrections we can.

The thing about people

is they change

when they walk away.--Mipso


#3 kleinr


Posted 07 November 2004 - 08:07 AM

I used HijackThis to remove Search Assistant.
There were only 4 things: these 2 and 2 of Search Assistant.
And I never used the ignore function.

#4 Papakid


Posted 07 November 2004 - 12:28 PM

OK, I'm going to have to assume from what you've told me that the problem you were dealing with was the Home Search Assistant malware. But I still don't have enough information to know that for sure. I found another log that seems to be similar but that person also was trying to fix everything whether it was supposed to be there or not.

Again, the following is just a registry key that is supposed to be there:

HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant

Getting rid of that key will not rid you of any malware. It's the value after the "=" sign that is either good or bad. For Home Search Assistant that value might look like this:

res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676

However you should have some value after the = so those entries in your log are still not right. Here's what I want you to do:

1. Open HijackThis. Click on "Config", then the "main" button, make a screenshot and post it back in this thread.

2. While you have the Configuration screen open, click on "Backups", select all entries and click the Restore button. Close HJT and reboot.

3. In normal mode, scan with HijackThis and post that log.

4. Boot into Safe Mode, scan with HijackThis and post that log.

DO NOT FIX ANYTHING WITH HIJACKTHIS. I just need to see the logs.

5. Your log shows that you are seriously behind on Windows updates. It is essential that you update your Windows before we continue as otherwise the infections could reoccur. Open this link to the Windows XP Service Pack 1a page, select Express Installation and follow the instructions to download/install Service Pack 1a (SP1a). Reboot when requested then return to Windows Update and install any remaining Critical Updates. Make sure to install all updates to Internet Explorer. Do not update to SP2 just now.

6. Confirm that you have updated Windows, post the requested logs and please give a description of the problem you were experiencing. Did you have any of the symptoms described here:
http://www.bleepingcomputer.com/forums/t/3341/how-to-remove-home-search-assistant-cws-ns3-backdoor-bdd/

The thing about people

is they change

when they walk away.--Mipso
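
Added example, not part of the original posts and not HijackThis code: a Python sketch of the point made in post #4, that the SearchAssistant key is expected to exist and only the data after the "=" tells you anything. The sample lines are constructed from the entries quoted in this thread, and the function names and labels are hypothetical.

```python
import re

# "R0 - <key>,<value name> = <data>" as printed in the R0/R1 section of a HijackThis log.
R_LINE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<name>[^=]*?)\s*=\s*(?P<data>.*)$")
# res:// URL that loads a page out of a local DLL, the shape of the example value in post #4.
RES_DLL = re.compile(r"^res://(?P<dll>[A-Za-z]:\\.+?\.dll)/", re.IGNORECASE)

# Constructed sample: the two empty entries from post #1, one process line,
# and the key from post #4 combined with the example hijack value quoted there.
SAMPLE = r"""C:\WINDOWS\Explorer.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676
"""


def parse_r_line(line):
    """Split one R0/R1 line into section, key, value name and data; None for other lines."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    return {"section": m.group(1), "key": m["key"].strip(),
            "name": m["name"].strip(), "data": m["data"].strip()}


def triage(entry):
    """Label an entry by its data, never by the key, which is expected to be present."""
    data = entry["data"]
    if not data:
        return "empty-data"            # nothing after "=", the state seen in the posted log
    m = RES_DLL.match(data)
    if m:
        return "res-dll:" + m["dll"]   # page served from a local DLL: investigate that file
    return "review"                    # some other value: compare against a clean system


def triage_log(text):
    """Return (value name, label) for every R0/R1 line in a pasted log."""
    return [(e["name"], triage(e)) for e in map(parse_r_line, text.splitlines()) if e]


if __name__ == "__main__":
    for name, label in triage_log(SAMPLE):
        print(f"{name:16} {label}")
```

The labels only sort entries for a human to look at; none of them is a verdict, and nothing here should be used to decide what to "fix" in HijackThis.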




