Home Search Assistant didn't work

Home Search Assistant didn't work guys:( i followed that guide on the removal of it but either i can't read worth crap or it's just not working properly, but i followed the guide and everything was workin great and i got to work nicely with my home page being what it should be and everything and then it just came back out of nowhere :S. It was working all good and everything and then it came back to exactly how it was before, with the about:blank being the home page and it going to that stupid home search garbage, i was wonderin if you guys could help me out, thanks

- Dubby

Comments

  • Dexter Vancouver, BC Canada
    edited August 2004
    Post your Hijack This log and we will have a look. Did you have either version of the fake Network services...?

    Dexter...
  • edited August 2004
    Logfile of HijackThis v1.98.2
    Scan saved at 10:13:36 PM, on 8/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\crsw.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\appcv32.exe
    C:\WINDOWS\system32\srvany.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\resetservice.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yjcnc.dll/sp.html#37794
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yjcnc.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yjcnc.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yjcnc.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yjcnc.dll/sp.html#37794
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yjcnc.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yjcnc.dll/sp.html#37794
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {321EE6F6-38D2-4E50-0092-8423258A5117} - C:\WINDOWS\system32\netka.dll
    O4 - HKLM\..\Run: [appcv32.exe] C:\WINDOWS\appcv32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9C6327B2-64B5-44AC-BB76-5B8E8EC70CEC}: NameServer = 65.42.183.3 65.42.183.2

    ...by the way...if what you mean about the fake network services...do you mean those 2 services in the services window?...cuz if so neither of the services were there :S...

    -Dubby
  • Dexter Vancouver, BC Canada
    edited August 2004
    I would like you to send me a list of your active services. Here is a neat little Visual Basic tool that will generate a text report of your active services. Please download and unzip this, double click to run, save the text file, then upload the text file as an attachment for me to view..

    Dexter...
  • edited August 2004
    Thanks for your constant help dexter, i used that program and this is what it came up with :

    These are the Current Active Services:

    IPv6 Helper Service: 6to4
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Audio: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Computer Browser: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Cryptographic Services: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP Client: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Error Reporting Service: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ Event System: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Fast User Switching Compatibility: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Help and Support: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Server: LanmanServer
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Workstation: LanmanWorkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Messenger: Messenger
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Connections: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Location Awareness (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Remote Access Auto Connection Manager: RasAuto
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Remote Access Connection Manager: RasMan
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Task Scheduler: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Secondary Logon: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    System Event Notification: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): SharedAccess
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Shell Hardware Detection: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Telephony: TapiSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Terminal Services: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Themes: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Distributed Link Tracking Client: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Upload Manager: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Time: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Management Instrumentation: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Automatic Updates: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Wireless Zero Configuration: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Application Layer Gateway Service: ALG
    C:\WINDOWS\System32\alg.exe

    DefWatch: DefWatch
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

    DNS Client: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    Event Log: Eventlog
    C:\WINDOWS\system32\services.exe

    Plug and Play: PlugPlay
    C:\WINDOWS\system32\services.exe

    TCP/IP NetBIOS Helper: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    SSDP Discovery Service: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Universal Plug and Play Device Host: upnphost
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WebClient: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Machine Debug Manager: MDM
    "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"

    Symantec AntiVirus Client: Norton AntiVirus Server
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

    NVIDIA Display Driver Service: NVSvc
    C:\WINDOWS\System32\nvsvc32.exe

    Network Security Service (NSS): O?’ŽrtñåȲ$Ó
    C:\WINDOWS\system32\crsw.exe /s

    IPSEC Services: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    Protected Storage: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    Security Accounts Manager: SamSs
    C:\WINDOWS\system32\lsass.exe

    Reset 5: Reset 5
    C:\WINDOWS\system32\srvany.exe

    Remote Procedure Call (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    Print Spooler: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    Windows Image Acquisition (WIA): stisvc
    C:\WINDOWS\System32\svchost.exe -k imgsvc


    - Dubya
  • Dexter Vancouver, BC Canada
    edited August 2004
    OK, look at Step 6 of the Removal Guide and look at this active service on your system:


    Network Security Service (NSS): O?’ŽrtñåȲ$Ó
    C:\WINDOWS\system32\crsw.exe /s


    You DO have the Network Security Service on your system. You need to follow step 6 to stop and disable that service:
    Step 6 - Once the computer is booted up in Safe Mode, Click Start, and then Run. Type "Services.msc" in the run box and hit enter. Look for a service called "Network Security Service" or "Workstation NetLogon Service." If either one is there, right-click on it and STOP the service, then right-click again, go into properties, and set the service to "disabled." Exit the services control panel. (The services may already be stopped due to being in Safe Mode.)

    Then you need to find and quarantine:

    C:\WINDOWS\system32\crsw.exe

    along with whatever your current R0, R1, and O2 entries are that match the criteria.

    Dexter...

  • edited August 2004
    Alright so this is what i did dexter, i did a hard boot, went into safe mode stopped and disabled the Network Security Service, i quarantined the files that appeared on hijack this, i did a hard boot, and when i got logged in it said it couldn't run one of the dll's...and i went to hijack this to see what was there and there was a good amount of things, and when i went to internet explorer that home search came up again
  • edited August 2004
    alright dexter...i tried like that whole thing again(the list of the procedures done to get rid of the home search assistance) i just got completely finished with it and it came back :S..so i have no idea what to do
  • Dexter Vancouver, BC Canada
    edited August 2004
    Post your latest Active Services list and HJT log please.

    Dexter...
  • edited August 2004
    Logfile of HijackThis v1.98.2
    Scan saved at 5:36:45 PM, on 8/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\crsw.exe
    C:\WINDOWS\system32\srvany.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\resetservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\appcv32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yrzxb.dll/sp.html#37794
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yrzxb.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yrzxb.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yrzxb.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yrzxb.dll/sp.html#37794
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yrzxb.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yrzxb.dll/sp.html#37794
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {213E8766-94A5-029E-C2EC-20035F037651} - C:\WINDOWS\appwt.dll
    O4 - HKLM\..\Run: [appcv32.exe] C:\WINDOWS\appcv32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9C6327B2-64B5-44AC-BB76-5B8E8EC70CEC}: NameServer = 65.42.183.3 65.42.183.2





    These are the Current Active Services:

    IPv6 Helper Service: 6to4
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Audio: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Computer Browser: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Cryptographic Services: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP Client: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Error Reporting Service: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ Event System: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Fast User Switching Compatibility: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Help and Support: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Server: LanmanServer
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Workstation: LanmanWorkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Messenger: Messenger
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Connections: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Location Awareness (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Remote Access Auto Connection Manager: RasAuto
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Remote Access Connection Manager: RasMan
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Task Scheduler: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Secondary Logon: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    System Event Notification: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): SharedAccess
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Shell Hardware Detection: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Telephony: TapiSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Terminal Services: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Themes: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Distributed Link Tracking Client: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Upload Manager: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Time: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Management Instrumentation: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Automatic Updates: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Wireless Zero Configuration: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Application Layer Gateway Service: ALG
    C:\WINDOWS\System32\alg.exe

    DefWatch: DefWatch
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

    DNS Client: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    Event Log: Eventlog
    C:\WINDOWS\system32\services.exe

    Plug and Play: PlugPlay
    C:\WINDOWS\system32\services.exe

    TCP/IP NetBIOS Helper: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    SSDP Discovery Service: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Universal Plug and Play Device Host: upnphost
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WebClient: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Machine Debug Manager: MDM
    "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"

    Symantec AntiVirus Client: Norton AntiVirus Server
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

    Network Security Service (NSS): O?’ŽrtñåȲ$Ó
    C:\WINDOWS\system32\crsw.exe /s

    IPSEC Services: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    Protected Storage: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    Security Accounts Manager: SamSs
    C:\WINDOWS\system32\lsass.exe

    Reset 5: Reset 5
    C:\WINDOWS\system32\srvany.exe

    Remote Procedure Call (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    Print Spooler: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    Windows Image Acquisition (WIA): stisvc
    C:\WINDOWS\System32\svchost.exe -k imgsvc



    Dude...dexter...i just checked out the network security stuff and it all got put back on :S...i swear i stopped the service and disabled it and i just checked and it was back up :S...
  • Shorty Manchester, UK Icrontian
    edited August 2004
    C:\WINDOWS\system32\crsw.exe

    Is still present. How did you quarantine? Did you right click and rename it?? :)
  • edited August 2004
    nah what happened is i tried to fix it and next time the comp was booted up it came back :S...and i'm not sure at all but maybe that service that was enabled somehow :S put all of those files back in..but i think dexter might tell me what to do hehe..thanks for all your help guys i know how hard it must be to work with a loser like me :( :P
  • Dexter Vancouver, BC Canada
    edited August 2004
    Try disabling: Network Security Service (NSS) while in Normal Mode. Then hard-boot into Safe Mode, run HJT and kill the entries, etc.

    Dexter...
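
Added example, not part of any poster's message or of the removal guide: a Python sketch that extracts the files named by R0/R1 `res://` values and O2 BHO entries from a HijackThis log, finds the image path behind the service display names quoted from Step 6, and compares two scans. Run on excerpts of the two logs and the service report posted in this thread, it shows that the DLL names differ between scans, so the quarantine list has to be rebuilt from the current log each time. All function and variable names are this example's own.

```python
import re

# Excerpts copied from the two HijackThis logs and the service report in this thread.
SCAN_1 = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yjcnc.dll/sp.html#37794
O2 - BHO: (no name) - {321EE6F6-38D2-4E50-0092-8423258A5117} - C:\WINDOWS\system32\netka.dll
"""
SCAN_2 = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yrzxb.dll/sp.html#37794
O2 - BHO: (no name) - {213E8766-94A5-029E-C2EC-20035F037651} - C:\WINDOWS\appwt.dll
"""
SERVICES = r"""
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe

Network Security Service (NSS): O?’ŽrtñåȲ$Ó
C:\WINDOWS\system32\crsw.exe /s
"""
# Display names that Step 6 of the removal guide says to look for.
GUIDE_SERVICES = ("Network Security Service", "Workstation NetLogon Service")
RES_DLL = re.compile(r"^R[01] - .*= res://(.+?\.dll)/", re.I)
BHO_DLL = re.compile(r"^O2 - BHO: .* - \{[0-9A-F-]+\} - (.+)$", re.I)

def hijack_files(hjt_log):
    """Files referenced by R0/R1 res:// values and by O2 BHO entries."""
    found = set()
    for line in (l.strip() for l in hjt_log.splitlines()):
        m = RES_DLL.match(line) or BHO_DLL.match(line)
        if m:
            found.add(m.group(1).strip().lower())  # Windows paths ignore case
    return found

def guide_service_images(report):
    """Image paths of services whose display name matches Step 6."""
    lines = [l.strip() for l in report.splitlines() if l.strip()]
    return {image.split(" /")[0].lower()          # drop switches such as /s
            for name, image in zip(lines, lines[1:])
            if name.startswith(GUIDE_SERVICES)}

def compare_scans(before, after):
    """Which files from the later scan were already seen, and which are new names."""
    old, new = hijack_files(before), hijack_files(after)
    return {"persisted": new & old, "regenerated": new - old, "gone": old - new}

if __name__ == "__main__":
    print("service image:", guide_service_images(SERVICES))
    for label, files in compare_scans(SCAN_1, SCAN_2).items():
        print(label, sorted(files))
```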