Home Search Assistant elimination problem



#1 Avand18 (Members, 1 post)

Posted 16 January 2005 - 07:40 PM

Hey all. I'm having trouble with my "bleeping" computer. I followed exactly the instructions posted by Grinler to remove the Home Search Assistant from my PC with XP Pro. Apparently I have a "heartier" version on my PC. Just got infected today (explained later). Behaviorally, seems I have the classic Home Search Assistant start page, the "Only the best" popups, and I get the "search extender" popups on Google.

My scenario is:
1. I have the classic R1/R0 entries with the problem 5-letter dlls being (currently) tshhn.dll (a bunch of entries for browser page loading) and javazu.dll which is the lone O2 entry. Their names change every time I delete the virus's files.
2. The culprit XP service is "Network Security Service" with the source executable being c:\windows\ntiy.exe. The name of this virus file never changes.
3. My problem startup executable is called c:\windows\system32\msav.exe (oddly, it has the same name as the former Windows virus scanner). Its name never changes.

My problems are when the instructions say to manually delete the culprit files:
1. The HSA removal instructions say to locate the source virus programs (ntiy and msav.exe), but they are not shown in their directories, and do not show up in searches.
2. The .dlls mentioned above are nowhere to be found either.
3. HOWEVER, msav.exe and ntiy.exe DO show up in searches in the Windows Prefetch folder as files: MSAV.EXE-1874E695.pf and NTIY.EXE-062CE5BB.pf. Is this a different variation of HSA (since October)??
4. When I try to disable the Network Security Service (ntiy.exe), it always comes back Automatic and running when I restart, even if I disable/stop it.

-My XP Explorer has LONG been enabled to show all files and folders (nothing is hidden).

-None of the executables ever showed up in my Sygate Personal Firewall, except before I first restarted (it was called ED5.tmp, and XP deleted it after a restart).

-None of the executables ever showed up in Windows Task Manager as running programs, even though HJT indicated so.

CONCLUSION: I AM IN AN ENDLESS LOOP.

WHY CAN'T I SEE THE PROBLEM FILES??? WHY DO THEY KEEP COMING BACK? DO I NEED TO REINSTALL WINDOWS?

Right now, I'm in a position where, when I click on my Internet Explorer desktop shortcut, I just get the little window for Tools > Internet Options. I can run IE browser using Run > iexplore, but it just comes up with the Home Search Assistant Page, and all associated popups. If the HJT log is empty before that point, it just fills right back up with the same bad stuff (under different .dll names but same .exe names).

My exact HJT log after several uninstall attempts:

Logfile of HijackThis v1.97.7
Scan saved at 7:14:43 PM, on 1/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RevoTask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\msav.exe
C:\WINDOWS\System32\qtim32.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\COMMON~1\AOL\110286~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\110286~1\EE\AOLServiceHost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\ntiy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Documents and Settings\Andy.MAIN\My Documents\Applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tshhn.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tshhn.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tshhn.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tshhn.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tshhn.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tshhn.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tshhn.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E063178A-F790-ECDA-88CB-D5A172D55899} - C:\WINDOWS\javazu.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RevoTaskbarApp] C:\WINDOWS\System32\RevoTask.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102860497\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [msav.exe] C:\WINDOWS\system32\msav.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [qtim32] C:\WINDOWS\System32\qtim32.exe
O4 - Global Startup: M-Audio Revolution Control Panel Launcher.lnk = C:\Program Files\M-Audio Revolution\RevoTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.attbi.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/...8007.4735185185
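One way to triage a log like the one above, as an added example that is not part of the original thread and not HijackThis's own code: a small Python script that flags the entry types the poster singled out (R0/R1 pages served from a res:// DLL, a BHO loaded straight from the Windows directory, Trusted Zone additions, a DPF package from a local file) and collects the DLL names the hijack entries point at, i.e. the files to go looking for on disk. The sample log is constructed from entries in the post, the rules are heuristics for review rather than verdicts, and a C:\WINDOWS install location is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis log format, assembled from entries in the
# post above; the mix is a hypothetical scan, not a real machine's log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tshhn.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E063178A-F790-ECDA-88CB-D5A172D55899} - C:\WINDOWS\javazu.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
"""

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")          # "R1 - ..." / "O2 - ..."
RES_DLL = re.compile(r"res://([^/]+\.dll)/", re.IGNORECASE)
WIN_DIRS = {"c:\\windows", "c:\\windows\\system32"}    # assumes a C:\WINDOWS install

def triage(log_text):
    """Return (findings, dll_names): entries worth a second look, plus the
    DLLs that the R0/R1 hijack entries point at (the files to hunt on disk)."""
    findings, dll_names = [], set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec.startswith("R"):
            # Search/start page served from a res:// resource inside a local DLL
            r = RES_DLL.search(body)
            if r:
                dll_names.add(PureWindowsPath(r.group(1)).name.lower())
                findings.append((sec, "IE page redirected to a local DLL resource", line))
        elif sec == "O2":
            # Browser Helper Object whose DLL lives directly in the Windows dir
            dll = body.rsplit(" - ", 1)[-1]
            if str(PureWindowsPath(dll).parent).lower() in WIN_DIRS:
                findings.append((sec, "BHO DLL sits directly in the Windows directory", line))
        elif sec == "O15":
            findings.append((sec, "site added to the IE Trusted Zone", line))
        elif sec == "O16" and "file://" in body.lower():
            # ActiveX package registered from a local file rather than a vendor URL
            findings.append((sec, "ActiveX (DPF) package sourced from a local file", line))
    return findings, dll_names

if __name__ == "__main__":
    for sec, why, line in triage(SAMPLE_LOG)[0]:
        print(sec, why, "::", line)
```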

#2 Grinler (Lawrence Abrams, Admin)

Posted 17 January 2005 - 02:23 AM

You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Download the attached zip file and unzip it to your desktop.

http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

Download cwshredder 2.12 from here:

http://cwshredder.net/bin/CWShredder.exe

Run the file after it is downloaded and click on the fix button. Let it do its thing and when it's done, even if it crashes.

When it's done, run HijackThis again and post a new log.



