HOME SEARCH ASSISTANT...Please help!!

Status
Not open for further replies.
:eek:
Hello,

The PC I am working with has the home search assistant on it. I have tried numerous things to remove it with no luck. Please someone help.

PC - HP Celeron
OS - XP Pro
Anti-virus - Norton CE

I have run Adaware, spybot, cw shredder, webroot, microsoft antispy, HSR, and About buster. All have removed items but the hijacker keeps returning.

Here is the hijackthis log. Perhaps someone can help me with this info. Thanks a million.

Logfile of HijackThis v1.99.1
Scan saved at 7:35:18 AM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\iply.exe
C:\WINDOWS\appul.exe
C:\WINDOWS\system32\userinit.exe
E:\SpyKillers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eiqak.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eiqak.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eiqak.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eiqak.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eiqak.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7F1A3AF4-B347-19CF-19D8-E0A8C516A78A} - C:\WINDOWS\sdkar32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iply.exe] C:\WINDOWS\iply.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{A15CC486-92A5-47D7-9642-90A62F1CBCD3}: NameServer = 208.14.192.55,64.94.219.66
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apirb32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
 
You seem to have done your homework already.
Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

iply.exe
appul.exe

Next, run HJT on its own and place a tick-mark in the square before it (if still there):
C:\WINDOWS\iply.exe
C:\WINDOWS\appul.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eiqak.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eiqak.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eiqak.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eiqak.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eiqak.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7F1A3AF4-B347-19CF-19D8-E0A8C516A78A} - C:\WINDOWS\sdkar32.dll
O4 - HKLM\..\Run: [iply.exe] C:\WINDOWS\iply.exe
Unless these O17 addies are from YOUR ISP, 'fix' it also:
O17 - HKLM\System\CCS\Services\Tcpip\..\{A15CC486-92A5-47D7-9642-90A62F1CBCD3}: NameServer = 208.14.192.55,64.94.219.66
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apirb32.exe (file missing)

When done, delete the highlighted bold files.
Boot normal. When all OK, switch System Restore back on.
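
The entries selected in the reply above share a few visible traits: `res://` search settings served from a DLL, an unnamed BHO, an autorun EXE directly under C:\WINDOWS, and a service with an unknown owner or missing file. As an added example (not part of the original thread and not HijackThis's own logic), this Python code applies those traits as triage heuristics to a log; the rules and the function name `triage` are assumptions for illustration, and a hit means "review this entry", not "malicious".

```python
import re

# Sample lines excerpted from the log posted above (service display name shortened).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eiqak.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7F1A3AF4-B347-19CF-19D8-E0A8C516A78A} - C:\WINDOWS\sdkar32.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iply.exe] C:\WINDOWS\iply.exe
O23 - Service: Workstation NetLogon Service - Unknown owner - C:\WINDOWS\apirb32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# A log entry is "<section code> - <rest>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def triage(log_text):
    """Return (section, reason, entry) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        section, entry = m.groups()
        reason = None
        if section in ("R0", "R1") and re.search(r"=\s*res://", entry, re.I):
            reason = "IE search/start setting loads a page from inside a local DLL"
        elif section == "O2" and "(no name)" in entry:
            reason = "browser helper object with no registered name"
        elif section == "O4" and re.search(r"C:\\WINDOWS\\[^\\]+\.exe$", entry, re.I):
            reason = "autorun executable sitting directly in the Windows folder"
        elif section == "O23" and ("Unknown owner" in entry or "(file missing)" in entry):
            reason = "service with no identifiable owner or a missing binary"
        if reason:
            findings.append((section, reason, entry))
    return findings


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {entry}")
```

Legitimate entries such as the Acrobat BHO, the vptray autorun and the Symantec service pass through unflagged, which mirrors how the reply left them alone.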
 
Thanks for the help. I was a little leery about using hjt to fix some of those entries. I needed a professional opinion. THANKS!! All is well now. No more :dead: home "stealer" assistant :dead: Appreciate your help.

Jon
 