
Remove Home Search Assistant- Stuck!!!

Heya everyone. This is my first post here so I hope it's all in the right area... see how I go. So basically I work as a techy and network engineer, and I've had a laptop come in with HSA on it. I've done the hijackthis.log and now I'm stuck on the next part, searching for Network Security Service, Workstation NetLogon Service and Remote Procedure Call (RPC) Helper in the services. I found Network Security Service but the other two are nowhere to be found. What I'm wondering is if this is right, if you only find one. Also I've done the second and third options of this (hard-reboot, check again, and getactiveservices) with still no results. So far the whole Remove Home Search Assistant has been helpful, and this is the first snag so any help would be hot. I'm not sure if you need the lists in case it's simple so I'll leave those out for now. We are considering reinstalling because of this problem and others, even though I don't like reinstalling; feels like the computer has beaten you!
But honestly I've never seen a computer this screwed over from spyware.

Will be waiting for a reply. Thanks guys!!!

Comments

  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    You won't find all three services running, just one of the three. But if you are having trouble getting rid of it there may be something there in addition to the HSA.

    Please post a hijackthis log.
  • edited February 2005
    Yeah that's awesome man, thanks for the reply, here's the log. This spyware is a monster piece of work. Oh well, it's all good money.
    Just finished getting rid of the thing... I'll post the log anyway just in case there's something new in there for ya's. BTW having trouble getting the desktop up. Before removing the spyware an active desktop appeared. Afterwards, instead of getting the system properties when clicking the desktop I get desktop.html.... Going through the control panel I can change the desktop picture but the blank background remains the same, as if it's running over my desktop. Never seen anything like this. Not sure if this is from the same program so I'll keep searching.

    Logfile of HijackThis v1.99.0
    Scan saved at 11:45:36 AM, on 17/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ASUS\ASUS Live Update\ALU.exe
    C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\isrvs\desktop.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\ipfl32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\apppz32.exe
    C:\WINDOWS\System32\846875.exe
    C:\WINDOWS\System32\864421.exe
    C:\WINDOWS\system32\logonui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Greg Danis\My Documents\killingHPA\hijackthis11\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwoyj.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwoyj.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qwoyj.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwoyj.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwoyj.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwoyj.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwoyj.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {3034D978-CC63-2D13-94C2-8091CAB7CEC1} - (no file)
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
    O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O2 - BHO: (no name) - {F6ED913D-FAB1-F1A5-C359-4E2B2AC7B284} - C:\WINDOWS\system32\mfckt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
    O4 - HKLM\..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitetiv32.exe
    O4 - HKLM\..\Run: [ipfl32.exe] C:\WINDOWS\ipfl32.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
    O4 - HKLM\..\RunOnce: [apppz32.exe] C:\WINDOWS\system32\apppz32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ysjyotvu.exe
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games4.cab
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InCD Helper - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: MSSQLServerADHelper - Unknown - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\msge.exe (file missing)



    This is the first list I made.
    Thanks for the help short-media.... big ups :thumbsup:
  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    You are still heavily infected. In fact your problems with the desktop are indicative of a new virus that infects the explorer.exe file on your computer. Be aware that you may lose your desktop completely with this virus. You may also find that you can only boot up into Safe Mode. If this happens you should still be able to access the internet by booting into Safe Mode with Networking. These are some of the problems I have seen with other people infected with this virus. There is only one program that has been successful at repairing the explorer.exe file and removing the virus. That is Kaspersky antivirus.

    But before we get to that we need to make sure that you don't lose your connection.

    Download LSPFix from http://www.cexx.org/lspfix.zip and run it.

    Check the I know what I'm doing box.

    In the Keep box you should see one or more instances of the following files.

    aklsp.dll

    Select every instance of this file, but no others, and move each one to the Remove box by clicking the >> button.

    When you are done click Finish>>.



    Now for the not so fun part. Download and run Kaspersky until it comes back clean. If it crashes or freezes up, try it in Safe Mode. It may take several times and you may experience some of the symptoms I described before. Follow the guidelines and settings at this link for downloading and setting up Kaspersky.

    http://www.bleepingcomputer.com/forums/topict11662.html



    When you are done report back here on how the virus scan with Kaspersky went, how your computer is running (and looking) now, and please post a new hijackthis log.
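The log posted earlier in this thread and the LSPFix step in this reply both come down to reading HijackThis entries and deciding which ones matter. The script below is an added example (my code, not the thread's, and not part of HijackThis or LSPFix) that parses that entry format and flags the classes the thread works through: search/start pages redirected to a local DLL resource, a Run key that re-registers a BHO DLL at every logon, Winsock LSP layers (counting how many times the same DLL such as aklsp.dll appears), Trusted Zone additions, ActiveX entries pointing at a local executable, and services whose binary is gone. The sample lines are copied from the posted log; the severity labels and rule set are my own triage heuristics, which HijackThis itself does not output.

```python
"""Offline triage of a HijackThis log (added example, not code from the thread)."""
import re
from dataclasses import dataclass

# Sample input: entry lines copied from the log posted in this thread, with a
# few clean entries left in so the triage has something to ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwoyj.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {3034D978-CC63-2D13-94C2-8091CAB7CEC1} - (no file)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ysjyotvu.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\msge.exe (file missing)
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(\S+?),", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # HIGH / MEDIUM / LOW: my triage labels, not HijackThis output
    detail: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, raw_line) for every entry line in the log."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("sec"), m.group("body"), raw


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a Finding per suspicious entry; clean entries produce none."""
    entries = list(parse_entries(log_text))
    # DLLs registered as BHOs (O2), so a rundll32 Run entry can be tied to them.
    bho_dlls = {_basename(body) for sec, body, _ in entries
                if sec == "O2" and not body.endswith("(no file)")}
    findings = []
    lsp_layers = {}  # dll -> [occurrence count, first raw line]
    for sec, body, raw in entries:
        if sec in ("R0", "R1") and "= res://" in body:
            findings.append(Finding(sec, "HIGH", "IE search/start page redirected to a local DLL resource", raw))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding(sec, "LOW", "orphaned BHO registration", raw))
        elif sec == "O4" and "dllregisterserver" in body.lower():
            m = RUNDLL_RE.search(body)
            name = _basename(m.group(1)) if m else "?"
            linked = " (same DLL is registered as a BHO)" if name in bho_dlls else ""
            findings.append(Finding(sec, "HIGH", f"Run key re-registers {name} at every logon{linked}", raw))
        elif sec == "O10":
            layer = lsp_layers.setdefault(_basename(body), [0, raw])
            layer[0] += 1
        elif sec == "O15":
            findings.append(Finding(sec, "MEDIUM", "Trusted Zone entry lowers IE security for this site", raw))
        elif sec == "O16" and "file://" in body:
            findings.append(Finding(sec, "HIGH", "ActiveX (DPF) entry points at a local executable", raw))
        elif sec == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(sec, "MEDIUM", "service registered but its binary is gone; delete the service", raw))
    # Winsock LSPs: report once per DLL with the layer count, because every
    # catalog entry for that DLL has to be removed together (the LSPFix step).
    for dll, (count, raw) in lsp_layers.items():
        findings.append(Finding("O10", "HIGH", f"third-party Winsock LSP {dll} layered {count}x; remove every instance", raw))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.section}: {f.detail}\n         {f.line}")
```

Run as-is it prints the findings for the embedded sample, highest severity first; point `triage()` at the text of a real log to triage that instead. The O10 rule reports a single finding per DLL with the number of layers, which is the reason the LSPFix step says to move every instance of aklsp.dll and nothing else: a catalog left with some entries still pointing at a removed DLL is what costs you the network connection.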
  • edited February 2005
    Ahhh dammit. Thanks again for the help. I did end up getting the HSA off. The desktop.html we thought might have just been left over, and because it was only tied to the one account, we backed up some of his documents and recreated the account. Then Norton's 2005 AntiVirus picked up over 30 different viruses on his computer. After this the computer appeared to be working fine. So we've just sent it home about 30 mins ago. I rang the guy dropping it off.... one of the guys I work with. He's just gonna check it out quickly before he takes it in. If it looks fine, hopefully it is, otherwise I'll probably get it back in the next hour. Sorry man I don't have the latest HijackThis log, it's still on that laptop, so I'm not going to be able to get a copy atm. :-/ I guess now I just play the waiting game and hopefully it all works out. But thanks for the reply and I've made a copy just in case it comes up again.