[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 389
  • Last Modified:

Home Search Assistent

Hello.  After reading previous posts, I downloaded Silent Runners and attached the log file.  Please help.  

LOG FILE:

"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"Synchronization Manager" = "C:\WINDOWS\system32\mobsync.exe /logon" [MS]
"MMTray" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" ["MUSICMATCH, Inc."]
"SMART Mirror Driver Monitor Service" = ""C:\Documents and Settings\dmurph88\Application Data\Bridgit\monitorservice.exe"" ["SMART Technologies"]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"Acrobat Assistant 7.0" = ""C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"Default" = (no data)
"AdaptecDirectCD" = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" ["Roxio"]
"Share-to-Web Namespace Daemon" = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"syssp32.exe" = "C:\WINDOWS\system32\syssp32.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{A7965648-2D3D-951F-7592-B85CE722DB02}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\iemm32.dll" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
  -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\0
DisplayName = "Drive Mappings and Shortcuts"
\0 -> launches: "\\sspj.com\SysVol\sspj.com\Policies\{54B3E135-FEBB-44E0-B80F-F8DDD09AAB86}\User\Scripts\Logon\MapDrives.vbs" [** WMI GetObject error **]
\1 -> launches: "\\sspj.com\SysVol\sspj.com\Policies\{54B3E135-FEBB-44E0-B80F-F8DDD09AAB86}\User\Scripts\Logon\CreateShortcuts.vbs" [** WMI GetObject error **]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\1
DisplayName = "Printer Policy"
\0 -> launches: "\\sspj.com\SysVol\sspj.com\Policies\{2D50C877-2226-41DE-8B97-C3E39A3EA9AA}\User\Scripts\Logon\SSPJPrinters.vbs" [** WMI GetObject error **]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\2
DisplayName = "Faculty Redirected Folders"
\0 -> launches: "\\sspj.com\SysVol\sspj.com\Policies\{63FD7E4F-20EF-4ECF-8B5B-7DA5DD465958}\User\Scripts\Logon\redirectfavorites.vbs" [** WMI GetObject error **]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "dmurph88" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\dmurph88\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Acrobat Speed Launcher" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe" [null data]
"DataViz Messenger" -> shortcut to: "C:\WINDOWS\DvzCommon\DvzMsgr.exe" [null data]
"SMART Board Tools" -> shortcut to: "C:\Program Files\SMART Board software\SMARTBoardTools.exe" ["SMART Technologies Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 03, 15
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {CLSID}\(Default) = "&Google"
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {CLSID}\(Default) = "&Google"
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {CLSID}\(Default) = "&Google"
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\
  -> {CLSID}\(Default) = "Adobe PDF"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\
(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{B13B4423-2647-4CFC-A4B3-C7D56CB83487}\
"ButtonText" = "Share in Hello"
"MenuText" = "Share in H&ello"
"CLSIDExtension" = "{B13B4423-2647-4cfc-A4B3-C7D56CB83487}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hello\PicasaCapture.dll" ["Picasa, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

INFECTION WARNING! The running services cannot be counted.
Presence of a spyware service is suspected.
The script has been forced to exit.


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
0
dmurph88
Asked:
dmurph88
1 Solution
 
rossfingalCommented:
Hi!

Download HijackThis (ver. 1.99.1) from:
http://www.gatesofdelirium.com/ee/tools/
Place it into a folder of it's own - something like:
C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
Do not run it directly from the "Zip" file, a "temp" folder, or the Desktop.
HijackThis makes "backups" and it's good to have them in a centralized location.

With all browser windows closed - run HijackThis and
copy and paste the log file into the Analysis site here:
http://www.hijackthis.de/en

Click on the "Analyze" button; and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis -
Post a LINK to that page back here.

Please, do not post your HijackThis log file here!

We'll take a look at it!  :)

Good luck!
RF
0
 
dmurph88Author Commented:
Hey rossfingal, thanks for your help.  I have attached the link.


http://www.hijackthis.de/logfiles/6630ca948a674b8eb7e99d281d2f0628.html
0
 
dmurph88Author Commented:
A couple of other notes.  I am a teacher, and I think I got this from downloading a SuperFriends .wav file of Apache Chief for a colleague (don't ask).  Is Home Search Assistent the cause of the following problems?

1) IE opens to about:blank instead of standard homepage
2) when I get on Internet it bounces me right off
3) outlook not functioning properly
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
rossfingalCommented:
Hi!

I'm looking at your log right now.
Yes, those do sound like symptoms of HSA.  :(
Back in a while.
RF
0
 
rossfingalCommented:
Here's a page with complete removal instructions:
http://www.pchell.com/support/onlythebest.shtml

Take your time and go through them without skipping any steps.
It may seem like it's "involved" - however; short of the "dreaded", "format/reinstall" -
it's about the only way to remove this.  :)

After you've gone through the removal procedure -
run HijackThis again and post a LINK to your new log file here.
Sometimes, when you get this on your computer -
you get other things, which show up when it is removed.

The bad "Service" is this one:
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner -
C:\WINDOWS\system32\crwz32.exe

Post back here if you have any problems/questions.

Good luck!
RF
0
 
dmurph88Author Commented:
I have the ability to put a new clean ghost image on this machine.  Will that rid the machine of this problem?  I am thinking that may be easier...
0
 
rossfingalCommented:
Hi!

Yes, I'm sure it would be easier - "pretty" sure that it would solve it.
As long as you're sure it's clean.
I don't think this "stuff" does things like write or hide in the MBR, etc.

One other thing to consider:  when trying to remove this using the method above -
quite often, you have to run through it more than once.
Time consuming!
Let me know how it goes.

Good luck!
RF
0
 
TolomirAdministratorCommented:
You might start using a different web browser

Firefox:
http://www.getfirefox.com/

or

Opera:
http://www.opera.com/

Both will support you in avoiding to download and install malware by accident.

Tolomir
0
 
graemeboroCommented:
I would also  recommend downloading and regularly running
Ad Adware www.lavasoft.com  and Spy bot search and destroy http://www.safer-networking.org/en/mirrors/

This doesnt remove every peice of spyware but should certainly reduce the risk and help keep your machine clean.

Graeme
0
 
ViRoyCommented:

the ghost image is the same thing as formatting the computer and reinstalling, it does it all for you real quick.

i would reccomend a peice of software that has yet to dissapoint me in removing spyware/adware.
http://www.download.com/1200-2018-5139934.html

this has been successful at removing spyware that adaware, sybot, and the MS tool could not! i hope this company keeps up the good work! just make sure to run the update after you download and install it.
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now