Home Search Assistant - refuses to leave - James42
Hi there,
I’ve got a problem with ‘home search assistant’. I’ve been looking around the forum and I think I’ve followed the basic procedures. I’ve scanned my computer with ‘adware’, ‘spybot’ and ‘Norton anti-virus’. I’ve even downloaded HJT and put it in a separate folder on my c-drive.
Now I might be getting ahead of myself, but I think the problem originates around some files that have ‘ksan’ in their titles and I’ve tried to remove these and momentarily this solves the problem, until I use my browser again and the problem reappears (I then repeat HJT and the files have returned). So that is really where I’m at right now and a bit confused about what to do. So once again, trying to follow procedures I’m including my HJT log file and hope that someone will help.
On another note, I also have a problem with ‘cisvc.exe’. When I run my task manager my CPU usage sits at 100% and only drops to 1% when I close the ‘cisvc.exe’ process manually (although having said that, about 1 in 10 times CPU usage settles down by itself).
So if anyone out there has any suggestions, then I’d be glad of the assistance and I promise to reply with what effect the suggestions have had.
Cheers
James42
Logfile of HijackThis v1.97.7
Scan saved at 16:08:40, on 02/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sony\vaio media music server\SSSvr.exe
C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\addpc32.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ipmj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksnan.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ksnan.dll/index.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ksnan.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksnan.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ksnan.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ksnan.dll/sp.html#37680
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {29094C8C-2B29-460F-F696-483BB24C0D75} - C:\WINDOWS\addsl32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ipmj.exe] C:\WINDOWS\ipmj.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [addpc32.exe] C:\WINDOWS\addpc32.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Client Manager.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23520fc7e325e9d95804/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.6168981481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Comments
try the following:
boot into safe mode.
stop the following processes if they are running
C:\WINDOWS\ipmj.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ksnan.dll/index.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ksnan.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksnan.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ksnan.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ksnan.dll/sp.html#37680
O2 - BHO: (no name) - {29094C8C-2B29-460F-F696-483BB24C0D75} - C:\WINDOWS\addsl32.dll
O4 - HKLM\..\Run: [ipmj.exe] C:\WINDOWS\ipmj.exe
O4 - HKLM\..\RunOnce: [addpc32.exe] C:\WINDOWS\addpc32.exe
now, delete the following files:
c:\windows\ipmj.exe
c:\windows\addpc32.exe
c:\windows\system32\ksnan.dll
C:\WINDOWS\addsl32.dll
reboot
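The reply above picks a handful of entries out of a long HijackThis log. As an added example (not code from the thread or from HijackThis), the Python sketch below applies three illustrative triage rules to entries copied from that log: IE page settings that point at a `res://` DLL resource, BHO DLLs sitting directly in `C:\WINDOWS`, and autorun executables sitting directly in `C:\WINDOWS`. The rules and the function names are assumptions chosen for this log, not a general verdict on any file.

```python
import re
from ntpath import dirname, normcase

# Entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksnan.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ksnan.dll/index.html#37680
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {29094C8C-2B29-460F-F696-483BB24C0D75} - C:\WINDOWS\addsl32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ipmj.exe] C:\WINDOWS\ipmj.exe
O4 - HKLM\..\RunOnce: [addpc32.exe] C:\WINDOWS\addpc32.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
WINDOWS_ROOT = normcase(r"C:\WINDOWS")

def in_windows_root(path):
    # True when the file sits directly in the Windows folder, not in a subfolder.
    return normcase(dirname(path.strip('"'))) == WINDOWS_ROOT

def triage(log_text):
    """Return (code, reason, line) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code in ("R0", "R1"):
            # Body layout: "registry key,value name = data"
            data = body.partition(" = ")[2]
            if data.lower().startswith("res://"):
                findings.append((code, "IE page served from a DLL resource", line))
        elif code == "O2":
            # Body layout: "BHO: name - {CLSID} - path"
            if in_windows_root(body.rsplit(" - ", 1)[-1]):
                findings.append((code, "BHO DLL directly in the Windows folder", line))
        elif code == "O4":
            # Body layout: "hive Run key: [value name] command"
            m4 = re.match(r".*?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", body)
            if m4 and in_windows_root(m4["cmd"]):
                findings.append((code, "autorun executable directly in the Windows folder", line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {line}")
```

Entries without a full path, such as `carpserv.exe`, are not flagged by these rules and still need checking by hand.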
That help was great, but as with all good advice, I’m still left with a few questions. So in no particular order:
Neither of the two applications were running
I couldn’t find either c:\windows\system32\ksnan.dll or C:\WINDOWS\addsl32.dll (they weren’t on the HJT log either)
c:\windows\ipmj.exe and c:\windows\addpc32.exe were not in the windows sub directory directly and instead were in a sub folder called ‘prefetch’, is this important?
So in conclusion I still have the problem, any further suggestions?
Cheers
James42
What IE can do is to be set to fetch things quietly, in background, while displaying other things. The prefetch folder is used for this, to store those things that are fetched before the page uses them-- but pages should not feed .exe files into prefetch unless you DOWNLOAD them, then archives can be there temporarily until the download thing saves them. I have my prefetch option off in IE here, some things do not get fed as fast here as a result of this, and other things take longer to load as no fetching in advance is done. In theory, other browsers can do this too. Get rid of them wherever they are found also, please-- possibly those will reload things you got rid of if not deleted, and they are NOT needed by Windows. But thanks for letting us know this is happening. One more place to look for hidden junk.
I would leave prefetch off in IE if I had that kind of problem recurring, to be honest. That is one way things can sneak onto a box. BUT, pages that can feed ahead and are legit will not do so to your browser that way.... So, there is a good and bad side to this choice. But here, things do not slow down much by turning prefetch off.
Can anyone tell me why two of the files I was told to delete were not on the HJT log file and perhaps more importantly, not apparently on my hard drive. I used the windows search tool and not a peep. My inability to find these files is probably why I've still got a problem.
The really interesting thing is that the problem is solved until I use the internet. Would it also be an idea to reset my home page before going back on-line?
If anyone has any suggestions I'd love to hear them.
James42
CD C:\WINDOWS\SYSTEM32
DIR /A:H KS*.*
or
DIR /A:S KS*.*
will show you the ksnan.dll file, if it's marked invisible (system or hidden file)
You can type ATTRIB -H -S KSNAN.DLL to make it visible and then you can type REN KSNAN.DLL KSNAN.DLL.OLD to be able to delete it on next reboot if it's being used.