Home Search Assistent

Posted on 2005-04-15
Last Modified: 2010-04-11
Hello.  After reading previous posts, I downloaded Silent Runners and attached the log file.  Please help.  


"Silent Runners.vbs", revision 35,
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"Synchronization Manager" = "C:\WINDOWS\system32\mobsync.exe /logon" [MS]
"MMTray" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" ["MUSICMATCH, Inc."]
"SMART Mirror Driver Monitor Service" = ""C:\Documents and Settings\dmurph88\Application Data\Bridgit\monitorservice.exe"" ["SMART Technologies"]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"Acrobat Assistant 7.0" = ""C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"Default" = (no data)
"AdaptecDirectCD" = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" ["Roxio"]
"Share-to-Web Namespace Daemon" = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"syssp32.exe" = "C:\WINDOWS\system32\syssp32.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{A7965648-2D3D-951F-7592-B85CE722DB02}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\iemm32.dll" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
  -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

DisplayName = "Drive Mappings and Shortcuts"
\0 -> launches: "\\\SysVol\\Policies\{54B3E135-FEBB-44E0-B80F-F8DDD09AAB86}\User\Scripts\Logon\MapDrives.vbs" [** WMI GetObject error **]
\1 -> launches: "\\\SysVol\\Policies\{54B3E135-FEBB-44E0-B80F-F8DDD09AAB86}\User\Scripts\Logon\CreateShortcuts.vbs" [** WMI GetObject error **]

DisplayName = "Printer Policy"
\0 -> launches: "\\\SysVol\\Policies\{2D50C877-2226-41DE-8B97-C3E39A3EA9AA}\User\Scripts\Logon\SSPJPrinters.vbs" [** WMI GetObject error **]

DisplayName = "Faculty Redirected Folders"
\0 -> launches: "\\\SysVol\\Policies\{63FD7E4F-20EF-4ECF-8B5B-7DA5DD465958}\User\Scripts\Logon\redirectfavorites.vbs" [** WMI GetObject error **]

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

Enabled Screen Saver:

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "dmurph88" & "All Users" startup folders:

C:\Documents and Settings\dmurph88\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Acrobat Speed Launcher" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe" [null data]
"DataViz Messenger" -> shortcut to: "C:\WINDOWS\DvzCommon\DvzMsgr.exe" [null data]
"SMART Board Tools" -> shortcut to: "C:\Program Files\SMART Board software\SMARTBoardTools.exe" ["SMART Technologies Inc."]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 03, 15
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08

Toolbars, Explorer Bars, Extensions:


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
  -> {CLSID}\(Default) = "&Google"
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
  -> {CLSID}\(Default) = "&Google"
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
  -> {CLSID}\(Default) = "&Google"
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Dormant Explorer Bars in "View, Explorer Bar" menu

(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
"ButtonText" = "Research"

"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

"ButtonText" = "Share in Hello"
"MenuText" = "Share in H&ello"
"CLSIDExtension" = "{B13B4423-2647-4cfc-A4B3-C7D56CB83487}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hello\PicasaCapture.dll" ["Picasa, Inc."]

"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

INFECTION WARNING! The running services cannot be counted.
Presence of a spyware service is suspected.
The script has been forced to exit.

This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
Question by:dmurph88
    LVL 12

    Expert Comment


    Download HijackThis (ver. 1.99.1) from:
    Place it into a folder of it's own - something like:
    C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
    Do not run it directly from the "Zip" file, a "temp" folder, or the Desktop.
    HijackThis makes "backups" and it's good to have them in a centralized location.

    With all browser windows closed - run HijackThis and
    copy and paste the log file into the Analysis site here:

    Click on the "Analyze" button; and when the analysis is done -
    Click on the "Save Analysis" button -
    A page will be generated with your saved analysis -
    Post a LINK to that page back here.

    Please, do not post your HijackThis log file here!

    We'll take a look at it!  :)

    Good luck!

    Author Comment

    Hey rossfingal, thanks for your help.  I have attached the link.

    Author Comment

    A couple of other notes.  I am a teacher, and I think I got this from downloading a SuperFriends .wav file of Apache Chief for a colleague (don't ask).  Is Home Search Assistent the cause of the following problems?

    1) IE opens to about:blank instead of standard homepage
    2) when I get on Internet it bounces me right off
    3) outlook not functioning properly
    LVL 12

    Expert Comment


    I'm looking at your log right now.
    Yes, those do sound like symptoms of HSA.  :(
    Back in a while.
    LVL 12

    Expert Comment

    Here's a page with complete removal instructions:

    Take your time and go through them without skipping any steps.
    It may seem like it's "involved" - however; short of the "dreaded", "format/reinstall" -
    it's about the only way to remove this.  :)

    After you've gone through the removal procedure -
    run HijackThis again and post a LINK to your new log file here.
    Sometimes, when you get this on your computer -
    you get other things, which show up when it is removed.

    The bad "Service" is this one:
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner -

    Post back here if you have any problems/questions.

    Good luck!

    Author Comment

    I have the ability to put a new clean ghost image on this machine.  Will that rid the machine of this problem?  I am thinking that may be easier...
    LVL 12

    Accepted Solution


    Yes, I'm sure it would be easier - "pretty" sure that it would solve it.
    As long as you're sure it's clean.
    I don't think this "stuff" does things like write or hide in the MBR, etc.

    One other thing to consider:  when trying to remove this using the method above -
    quite often, you have to run through it more than once.
    Time consuming!
    Let me know how it goes.

    Good luck!
    LVL 27

    Expert Comment

    You might start using a different web browser




    Both will support you in avoiding to download and install malware by accident.

    LVL 4

    Expert Comment

    I would also  recommend downloading and regularly running
    Ad Adware  and Spy bot search and destroy

    This doesnt remove every peice of spyware but should certainly reduce the risk and help keep your machine clean.

    LVL 8

    Expert Comment


    the ghost image is the same thing as formatting the computer and reinstalling, it does it all for you real quick.

    i would reccomend a peice of software that has yet to dissapoint me in removing spyware/adware.

    this has been successful at removing spyware that adaware, sybot, and the MS tool could not! i hope this company keeps up the good work! just make sure to run the update after you download and install it.

    Featured Post

    IT, Stop Being Called Into Every Meeting

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Join & Write a Comment

    Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
    Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    This video discusses moving either the default database or any database to a new volume.

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    24 Experts available now in Live!

    Get 1:1 Help Now