Home Search Assistant

Hello.  After reading previous posts, I downloaded Silent Runners and attached the log file.  Please help.  


"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"Synchronization Manager" = "C:\WINDOWS\system32\mobsync.exe /logon" [MS]
"MMTray" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" ["MUSICMATCH, Inc."]
"SMART Mirror Driver Monitor Service" = ""C:\Documents and Settings\dmurph88\Application Data\Bridgit\monitorservice.exe"" ["SMART Technologies"]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"Acrobat Assistant 7.0" = ""C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"Default" = (no data)
"AdaptecDirectCD" = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" ["Roxio"]
"Share-to-Web Namespace Daemon" = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"syssp32.exe" = "C:\WINDOWS\system32\syssp32.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{A7965648-2D3D-951F-7592-B85CE722DB02}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\iemm32.dll" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
  -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

DisplayName = "Drive Mappings and Shortcuts"
\0 -> launches: "\\sspj.com\SysVol\sspj.com\Policies\{54B3E135-FEBB-44E0-B80F-F8DDD09AAB86}\User\Scripts\Logon\MapDrives.vbs" [** WMI GetObject error **]
\1 -> launches: "\\sspj.com\SysVol\sspj.com\Policies\{54B3E135-FEBB-44E0-B80F-F8DDD09AAB86}\User\Scripts\Logon\CreateShortcuts.vbs" [** WMI GetObject error **]

DisplayName = "Printer Policy"
\0 -> launches: "\\sspj.com\SysVol\sspj.com\Policies\{2D50C877-2226-41DE-8B97-C3E39A3EA9AA}\User\Scripts\Logon\SSPJPrinters.vbs" [** WMI GetObject error **]

DisplayName = "Faculty Redirected Folders"
\0 -> launches: "\\sspj.com\SysVol\sspj.com\Policies\{63FD7E4F-20EF-4ECF-8B5B-7DA5DD465958}\User\Scripts\Logon\redirectfavorites.vbs" [** WMI GetObject error **]

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

Enabled Screen Saver:

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "dmurph88" & "All Users" startup folders:

C:\Documents and Settings\dmurph88\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Acrobat Speed Launcher" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe" [null data]
"DataViz Messenger" -> shortcut to: "C:\WINDOWS\DvzCommon\DvzMsgr.exe" [null data]
"SMART Board Tools" -> shortcut to: "C:\Program Files\SMART Board software\SMARTBoardTools.exe" ["SMART Technologies Inc."]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 03, 15
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08

Toolbars, Explorer Bars, Extensions:


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
  -> {CLSID}\(Default) = "&Google"
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
  -> {CLSID}\(Default) = "&Google"
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
  -> {CLSID}\(Default) = "&Google"
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Dormant Explorer Bars in "View, Explorer Bar" menu

(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
"ButtonText" = "Research"

"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

"ButtonText" = "Share in Hello"
"MenuText" = "Share in H&ello"
"CLSIDExtension" = "{B13B4423-2647-4cfc-A4B3-C7D56CB83487}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hello\PicasaCapture.dll" ["Picasa, Inc."]

"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

INFECTION WARNING! The running services cannot be counted.
Presence of a spyware service is suspected.
The script has been forced to exit.

This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
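Triage of a Silent Runners log like the one above, as an added example (my own code, not part of the thread and not Silent Runners' own script): it walks the lines, keeps track of the registry key currently in scope, and scores each entry from the trailing bracketed tag. A [null data] entry (no vendor in the file's version information) whose binary lives in the Windows directory is rated high, which is exactly where syssp32.exe and iemm32.dll stand out in the log; [file not found] is a dangling entry rated low; INFECTION WARNING! lines are rated medium when a vendor tag is attached (the log above carries that label on Symantec's own NavLogon.dll and on an Office DLL) and high otherwise. The sample lines are constructed from entries of the shape shown in the question; the severity levels and regexes are assumptions of mine, not anything the tool defines.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Silent Runners output format (same shape as the
# log quoted in the question; entries shortened, not the full log).
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"syssp32.exe" = "C:\WINDOWS\system32\syssp32.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{A7965648-2D3D-951F-7592-B85CE722DB02}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\iemm32.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

INFECTION WARNING! The running services cannot be counted.
'''

# Trailing "[...]" tag that Silent Runners appends to every entry it resolves.
TAG_RE = re.compile(r'\[([^\[\]]*)\]\s*$')
# First drive-letter path to an executable/library on the line.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[]*?\.(?:exe|dll|scr|vbs|ocx))', re.IGNORECASE)
# Paths under the Windows directory (assumed heuristic, not a tool rule).
WINDIR_RE = re.compile(r'^(?:[A-Za-z]:\\WINDOWS\\|%SystemRoot%\\)', re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # 'high', 'medium' or 'low'
    key: str        # registry key / section the entry sits under
    line: str       # the log line itself
    reason: str


def _tag(line):
    m = TAG_RE.search(line)
    return m.group(1) if m else None


def _known_vendor(tag):
    # "[MS]" marks Microsoft; third-party vendors appear as a quoted name.
    return tag == 'MS' or (tag or '').startswith('"')


def triage(log_text):
    """Return the entries of a Silent Runners log worth a human's attention."""
    findings = []
    current_key = ''
    lines = [raw.rstrip() for raw in log_text.splitlines()]
    for i, line in enumerate(lines):
        if not line:
            continue
        if line.startswith('HK'):
            current_key = line.replace(' {++}', '')
            continue
        if line.startswith('INFECTION WARNING!'):
            tag = _tag(line)
            # Some warnings carry the vendor on the following "->" line.
            if tag is None and i + 1 < len(lines) and lines[i + 1].lstrip().startswith('->'):
                tag = _tag(lines[i + 1])
            if _known_vendor(tag):
                findings.append(Finding('medium', current_key, line,
                                        'flagged by Silent Runners but carries a vendor tag; verify'))
            else:
                findings.append(Finding('high', current_key, line,
                                        'flagged by Silent Runners with no vendor information'))
            continue
        tag = _tag(line)
        if tag == 'file not found':
            findings.append(Finding('low', current_key, line, 'dangling entry; target file is missing'))
        elif tag == 'null data':
            m = PATH_RE.search(line)
            path = m.group(1) if m else 'unknown path'
            if WINDIR_RE.match(path):
                findings.append(Finding('high', current_key, line,
                                        f'{path}: no vendor/version data for a binary in the Windows directory'))
            else:
                findings.append(Finding('medium', current_key, line, f'{path}: no vendor/version data'))
    return findings


if __name__ == '__main__':
    order = {'high': 0, 'medium': 1, 'low': 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f'[{f.severity:6}] {f.key}\n          {f.line.strip()}\n          {f.reason}')
```

Run against the sample it prints the two Windows-directory [null data] entries and the uncountable-services warning first; the Google Desktop entry also has no version data but sits under Program Files, so it only rates medium, which is the caveat: a missing vendor is a lead, not a verdict, and the entries a human still has to look up are the medium ones.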
1 Solution

Download HijackThis (ver. 1.99.1) from:
Place it into a folder of its own - something like:
C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
Do not run it directly from the "Zip" file, a "temp" folder, or the Desktop.
HijackThis makes "backups" and it's good to have them in a centralized location.

With all browser windows closed - run HijackThis and
copy and paste the log file into the Analysis site here:

Click on the "Analyze" button; and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis -
Post a LINK to that page back here.

Please, do not post your HijackThis log file here!

We'll take a look at it!  :)

Good luck!
dmurph88 (Author) commented:
Hey rossfingal, thanks for your help.  I have attached the link.

dmurph88 (Author) commented:
A couple of other notes.  I am a teacher, and I think I got this from downloading a SuperFriends .wav file of Apache Chief for a colleague (don't ask).  Is Home Search Assistant the cause of the following problems?

1) IE opens to about:blank instead of standard homepage
2) when I get on Internet it bounces me right off
3) outlook not functioning properly

I'm looking at your log right now.
Yes, those do sound like symptoms of HSA.  :(
Back in a while.
Here's a page with complete removal instructions:

Take your time and go through them without skipping any steps.
It may seem like it's "involved" - however; short of the "dreaded", "format/reinstall" -
it's about the only way to remove this.  :)

After you've gone through the removal procedure -
run HijackThis again and post a LINK to your new log file here.
Sometimes, when you get this on your computer -
you get other things, which show up when it is removed.

The bad "Service" is this one:
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner -

Post back here if you have any problems/questions.

Good luck!
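To show how the bad service the expert points at could be picked out of a HijackThis log mechanically, here is an added example (my own code, not HijackThis' and not part of the thread). It assumes O23 lines have the shape `O23 - Service: <display name> (<service name>) - <owner> - <path>` and flags the three signals the quoted line carries at once: a service name made of garbage characters, "Unknown owner" in place of a version-info company, and a display name that borrows a Windows component's name while the owner is not Microsoft. The sample lines are constructed; the one quoted above is completed with an obviously placeholder path because the thread's copy is cut off.

```python
import re

# Assumed shape of a HijackThis O23 line: display name, service name in
# parentheses, version-info company, binary path.
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?) \((?P<name>[^)]*)\) - (?P<owner>.+?) - (?P<path>.+)$')
# Service names Windows and vendors actually register: letters, digits, a few separators.
SAFE_NAME_RE = re.compile(r'^[A-Za-z0-9 _.\-]+$')
# Display-name fragments that a dropper borrows to blend in (assumed list).
WINDOWS_LIKE = ('Remote Procedure Call', 'Windows', 'Microsoft')

# Constructed sample O23 lines; the second one completes the line quoted by
# the expert with a placeholder path (the thread's copy is truncated).
SAMPLE_O23 = [
    r'O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe',
    r'O23 - Service: Remote Procedure Call (RPC) Helper (11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\PLACEHOLDER.exe',
    r'O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe',
]


def assess(line):
    """Parse one O23 line; return its fields plus the reasons it looks suspicious.

    Returns None for lines that are not O23 service entries.
    """
    m = O23_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    reasons = []
    if not SAFE_NAME_RE.match(e['name']):
        reasons.append('service name contains unusual or non-ASCII characters')
    if e['owner'] == 'Unknown owner':
        reasons.append('binary carries no version-info company name')
    if any(w in e['display'] for w in WINDOWS_LIKE) and 'Microsoft' not in e['owner']:
        reasons.append('display name mimics a Windows component but owner is not Microsoft')
    return {'service': e['name'], 'display': e['display'],
            'owner': e['owner'], 'path': e['path'], 'reasons': reasons}


def triage_o23(lines):
    """Return the assessed entries that raised at least one reason."""
    results = (assess(l) for l in lines)
    return [r for r in results if r and r['reasons']]


if __name__ == '__main__':
    for r in triage_o23(SAMPLE_O23):
        print(f"{r['display']} ({r['service']}) - {r['owner']} - {r['path']}")
        for reason in r['reasons']:
            print('  -', reason)
```

The garbage-name check is the strongest of the three on its own; the other two are there because a legitimate service can also show "Unknown owner" when the vendor left the version block empty, and a Microsoft-sounding display name is only a problem in combination with a non-Microsoft owner.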
dmurph88 (Author) commented:
I have the ability to put a new clean ghost image on this machine.  Will that rid the machine of this problem?  I am thinking that may be easier...

Yes, I'm sure it would be easier - "pretty" sure that it would solve it.
As long as you're sure it's clean.
I don't think this "stuff" does things like write or hide in the MBR, etc.

One other thing to consider:  when trying to remove this using the method above -
quite often, you have to run through it more than once.
Time consuming!
Let me know how it goes.

Good luck!
You might start using a different web browser.

Both will help you avoid downloading and installing malware by accident.

I would also recommend downloading and regularly running
Ad-Aware (www.lavasoft.com) and Spybot Search & Destroy (http://www.safer-networking.org/en/mirrors/).

This doesn't remove every piece of spyware but should certainly reduce the risk and help keep your machine clean.


The ghost image is the same thing as formatting the computer and reinstalling; it does it all for you really quickly.

I would recommend a piece of software that has yet to disappoint me in removing spyware/adware.

This has been successful at removing spyware that Ad-Aware, Spybot, and the MS tool could not! I hope this company keeps up the good work! Just make sure to run the update after you download and install it.
