TechSpot

Home Search Assistant...

By mhopeck
Aug 3, 2004
  1. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Graye

    Post a new HJT.txt after you have done your "homework" in my "How to .." thread.
    See how well you follow instructions....
     
  2. First1N

    First1N TS Rookie

    Help w/Home search assistant

    I have the hijackthis log file.
    Would someone care to help me with it?

    Thanks for your help.
    Mark

    I will post log file after I read how to do it, I've tried and can't seem to figure it out so as much as I hate to admit it I am going to have to read the instructions.. :D
     
  3. llyndon

    llyndon TS Rookie

    Home search assistant

    I've downloaded Spybot, adaware, window washer, and spycleaner gold and none of them have gotten rid of the HSA. It keeps replacing my home page. Very annoying. I have got an alarm set up that trips each time it tries to reset now and gives me the opportunity to accept or reject but that is still a pain since it tries to reset almost every time I go to a new site. I've called in the big dogs in our IT dept to come in tomorrow to clean up this mess, I hear one of them got rid of this very thing last week on someone else's computer so here's hoping. I got a lot of great info from you guys so just wanted to say thanks!

    Laura
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    llyndon
    Why don't you go here and follow the instructions? Works for HSA as well
    How to remove Begin2Search / Coolwebsearch
    After you have done your "homework", post an HJT.TXT as attachment. We can then help you further (it's quite painless, actually)
     
  5. lil_ramen

    lil_ramen TS Rookie

    Home Search Assistant

    Hello everyone, I'm new to this board. Anyway, I've had this "Home Search Assistant" spyware/malware (or whatever you call it) for days now... I've been looking at these tutorials on how to take them out but I seem to get lost in these tutorials. Anyway, maybe you could help me, I've attached my HiJackThis log. PLEASE CAN SOMEONE HELP ME!! Home Search Assistant is really getting annoying!!
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    lil_ramen

    Go to this post here first, and follow the instructions EXACTLY.
    How to remove Begin2Search / Coolwebsearch

    Then reboot in safe mode and UNinstall (if you can) anything to do with:

    C:\Program Files\Comedy-Planet\comedy-planet.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


    Run HJT on its own and have HJT 'fix' (if still there):

    C:\WINDOWS\system32\msupd4.exe
    C:\WINDOWS\addiy32.exe
    C:\Program Files\Comedy-Planet\comedy-planet.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\tibs3.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xeiir.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xeiir.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xeiir.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xeiir.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xeiir.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xeiir.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xeiir.dll/sp.html#37049
    O2 - BHO: (no name) - {602CDF71-C65F-C2D9-F3F1-A7464BF6D83A} - C:\WINDOWS\system32\atluz.dll
    O2 - BHO: (no name) - {8D11EFE8-819C-888A-0177-D8BA49DC8827} - (no file)
    O2 - BHO: (no name) - {92D8AB37-E025-682C-C00D-E1E4FCA5A399} - (no file)
    O4 - HKLM\..\Run: [addiy32.exe] C:\WINDOWS\addiy32.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6957F19A-9D10-43EA-84BB-334AC656A156}: NameServer = 210.5.68.147 203.172.11.21

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
     
  7. lil_ramen

    lil_ramen TS Rookie

    Hsa = Gone!

    Hey realblackstuff, your guide really worked! Thanks a lot! Home Search Assistant was scrapped off and now I'm using Firefox with no annoying pop ups or Home Search! Thanks! :grinthumb
     
  8. DuckFan

    DuckFan TS Rookie

    Home Search Nasty Little Critter

    realblackstuff - just wanted to say some of us actually read your instructions for getting rid of home search. I had been searching around for either a fix or someone who seemed competent in dealing with it. Anyhow, I registered for this forum just to say thanks!

    I followed your posts and it worked like a charm. Plus a bonus side effect was that I was having a CHKDSK problem on boot that caused the puter to keep booting over and over. Anyhow, I believe that the boot in safe mode allowed it to run all the way through fixing the bad sectors and taking another stress point out of my daily life. DOH!!!!! - I should have thought of that one.

    Anyhow, thanks for your efforts.

    Kudos!
    Jeff

    PS if you are ever in the Seattle area look me up and we'll head to the pub for a couple of pints of stout!
     
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Jeff, thank you for the flowers.
    Afraid Seattle is on the other side of the US from where I normally visit (Maryland and Michigan), but I'll drink to that anyway (hic...).
     
  10. tiredofthiscrap

    tiredofthiscrap TS Rookie

    need help ridding system of Home Search Assistant

    I ran Hijackthis but have no clue as to what to do next. Here is the log. I sure hope someone can help.
     
  11. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

     
  12. tiredofthiscrap

    tiredofthiscrap TS Rookie

    Hsa

    I am not a computer geek, and digging in to remove files is kind of scary to me. I read threads concerning this parasite. I did find the HijackThis program and read how to just run a scan and save a log, but it would not upload. I then tried to turn it into a .txt file so it would upload. I guess it was not the correct way to do it. I suppose I should just format; I was so hoping I would not have to do that and lose all my files. If you do have the patience to explain how to turn the HijackThis file into an uploadable file, I can try again. Another question I have is: do I check the box of the file I want to get rid of, or are the checked boxes the ones I don't want to delete? Thank you for taking the time to respond to my post; I can see you must be extremely busy with this particular parasite.

    Thank you

    I am going to just have someone format my computer, this stuff is way over my head, thank you for your time and I think it is great that there are sites such as this out here. GL all
     
  13. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    If you read the instructions, it tells you to 'fix' certain things. This means clicking on the little square in front of the 'offender' and doing that with all the ones that need to be 'fixed'. They will get a tick-mark when you click on them. Clicking them again will remove the tick-mark, if you made a mistake.

    When done, you click on the button "fix checked". HJT makes a backup of all its fixes, so it can 'undo' a wrong fix.
    Quite simple really.

    Don't format yet, we'll do yours in "stages".
    Make a new directory (AS INSTRUCTED!), e.g. \Program Files\HJT and copy the program there, DON'T run it from your desktop.

    Switch off the Restore Points (Hope you know how to, I don't, have Win2000)

    Boot in Safe Mode,

    UNinstall anything to do with these programs:
    C:\Program Files\XoftSpy\XoftSpy.exe
    C:\freescan\freescan.exe -FastScan [=Spyware Begone]
    C:\Program Files\Gator.com\Gator\Gator.exe
    C:\Program Files\Common Files\GMT\GMT.exe

    Then (still in Safe Mode) run Hijackthis on its own and put 'tick-marks' in (if still there):

    Tick these running processes:
    C:\WINDOWS\system32\syscw32.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\WINDOWS\system32\crge.exe

    ALL lines starting with R0
    ALL lines starting with R1
    ALL lines starting with R3

    O2 - BHO: (no name) - {C3C7FD25-8011-C8E8-25B7-34DF607095C5} - C:\WINDOWS\system32\sdkvk.dll

    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
    O4 - HKLM\..\Run: [crge.exe] C:\WINDOWS\system32\crge.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm11795US
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    ALL lines starting with O15 - Trusted Zone: --->>> You do NOT trust ANYbody EVER <<<---
    ALL lines starting with O16 - DPF:

    O23 - Service: BrSplService - Unknown - C:\WINDOWS\System32\brsvc01a.exe (file missing)
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\syscw32.exe

    Now hit the button 'Fix Checked'.

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
     
  14. tiredofthiscrap

    tiredofthiscrap TS Rookie

    RBS, as your tag says, you are a genius

    I cannot say thank you enough. I think I got through the instructions well. You were so precise and made it very easy to follow instructions. I am now using foxfire for a browser. I hope I got it all. Here is another HJT log just to make sure. Again, thank you so very much, you are the best :grinthumb

    ToTC
     
  15. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Where do you get this crap:
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)

    FIX IT!!!!!!!!!!
     
  16. tiredofthiscrap

    tiredofthiscrap TS Rookie

    HJT can't seem to get rid of these files

    I ran HJT and checked off the trusted zone files, but HJT can't seem to delete them. I restarted the computer to make sure that was not the issue but they are still there. I ran HJT again, checked them off again and tried to fix but they are still there /sigh.

    ToTC

    I did a search on my computer and could not find those files, so I searched the registry and found them in there so I deleted from the registry. Here is a new HJT file and they are no longer listed :)

    Thank you again,
    ToTC
     
  17. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    tiredofthiscrap:
    The second log looks OK.
    I just hope you are not using Internet Explorer anymore (except for Windoze updates), but Firefox instead.
    Much less chance of getting infected.
     
  18. Gurpz_Da_G

    Gurpz_Da_G TS Rookie

    Help!!!!

    i hav had home search assistant on my PC for 6 months or sumfin like dat!!!
    at first all dat happens was minor fings da net didnt work properly...
    dats all.
    now my pc is soooo slow
    its like eatin my pc away
    i cant seem 2 get rid of it
    i tried 2 get rid of it like all the other people usin hijackthis but i dnt no what file it is?????

    i was tryin 2 paste the Hijackthis log but its says i hav one or 2 many URLs???
    i dnt no wat 2 do plz help me...
     
  19. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Gurpz_Da-G (how did you come up with a name like that?)

    Go to this post here first, and follow the instructions EXACTLY.
    How to remove Begin2Search / Coolwebsearch
    Do NOT SKIP any steps in that Post!!!

    When done, Boot in Safe Mode
    Switch off System Restore
    Try to UNinstall anything to do with these:

    C:\Program Files\Security Administrator\newadmin.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\XoftSpy\XoftSpy.exe

    Next, press ctrl/alt/del and try to STOP these processes (if still there):
    newadmin.exe
    MsgPlus.exe
    XoftSpy.exe
    systf32.exe
    atlwf32.exe
    iplo32.exe

    Next, run HJT on its own and let it 'fix' (if still there):
    C:\WINDOWS\system32\systf32.exe
    C:\Program Files\Security Administrator\newadmin.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\atlwf32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nlulk.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {D063C2EF-C5DC-955F-1F55-F0A8F80FE9FC} - C:\WINDOWS\iewi.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [00saskda] "C:\Program Files\Security Administrator\newadmin.exe" saskda
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [atlwf32.exe] C:\WINDOWS\atlwf32.exe
    O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
    O4 - HKLM\..\RunOnce: [systf32.exe] C:\WINDOWS\system32\systf32.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://008i.com/pic//28129.chm::/open.exe
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\iplo32.exe (file missing)

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

    Reboot in normal mode and see how it goes.
    If all is well, switch System Restore back on.


    Now you should install at least XP-SP1. If you want XP-SP2, you don't need to install SP1 first.
    But you MUST install one of them!
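
An added example, not part of any post in this thread: a Python triage of HijackThis log lines for the kinds of entries RealBlackStuff asks posters to fix above (res:// search pages, unnamed BHOs in the Windows directory, self-named autoruns, Trusted Zone sites, ms-its download sources, NameServer overrides, unknown services). The rule set and the names `RULES`, `triage` and `SAMPLE_LOG` are assumptions made for this example; the sample lines are copied from the posts on this page.

```python
import re

# HijackThis entries look like "<section> - <details>", e.g. "O4 - HKLM\..\Run: [x] C:\x.exe"
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")

# (section pattern, pattern on the details, reason). Heuristics assumed for this
# example; a match means "review this line", not "confirmed malicious".
RULES = [
    (r"R[0-3]", re.compile(r"=\s*res://.*\.dll/", re.I),
     "IE search/start setting points into a local DLL resource"),
    (r"O2", re.compile(r"\(no name\).*C:\\WINDOWS\\", re.I),
     "unnamed Browser Helper Object loaded from the Windows directory"),
    (r"O4", re.compile(r"\[([^\]]+\.exe)\]\s+C:\\WINDOWS\\(?:system32\\)?\1", re.I),
     "autorun value named after an EXE in the Windows directory"),
    (r"O15", re.compile(r"Trusted Zone:", re.I),
     "site added to the IE Trusted Zone"),
    (r"O16", re.compile(r"ms-its:|mhtml:", re.I),
     "ActiveX download source uses an ms-its/mhtml URL"),
    (r"O17", re.compile(r"NameServer\s*=", re.I),
     "DNS servers overridden in the registry"),
    (r"O23", re.compile(r"-\s*Unknown\s*-", re.I),
     "service with unknown vendor"),
]

def triage(log_text):
    """Return (section, reason, details) for every log line a rule matches."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # header lines, running-process paths, blanks
        section, details = m.groups()
        for sec_pat, pat, reason in RULES:
            if re.fullmatch(sec_pat, section) and pat.search(details):
                findings.append((section, reason, details))
    return findings

# Sample input: lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nlulk.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {D063C2EF-C5DC-955F-1F55-F0A8F80FE9FC} - C:\WINDOWS\iewi.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [atlwf32.exe] C:\WINDOWS\atlwf32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://008i.com/pic//28129.chm::/open.exe
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6957F19A-9D10-43EA-84BB-334AC656A156}: NameServer = 210.5.68.147 203.172.11.21
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\iplo32.exe (file missing)
"""

if __name__ == "__main__":
    for section, reason, details in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n      {details}")
```

Lines that no rule matches (here the `about:blank` start page, `KernelFaultCheck` and the MSN `AcceptLang` control) are left for manual review rather than treated as clean.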
     
  20. tiredofthiscrap

    tiredofthiscrap TS Rookie

    RBS, I am no longer using IE, I am using Firefox. Thanks again for all your help, you are indeed a genius. :)

    ToTC
     
  21. Gurpz_Da_G

    Gurpz_Da_G TS Rookie

    I did it!!!!!!!

    yoooohooooo!!!!!!!!!!!!!!!!!!!!!!
    its gone!!!!!!
    yeaaa!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    well thanx 4 da help i neva wud
    of gotten rid of the bug
    wow, im so happy :)

    fanx
    jus hav a look at dis nice clean
    HTJ txt, but the real question is
    how long will my pc last????
    there wud be an even stronger problem
    it always happens :(
    Shud get XP-SP2 soon

    Gurpz
    P.s--->da name easy Gurpz 4 shot eh????
     
  22. Gurpz_Da_G

    Gurpz_Da_G TS Rookie

    Noooo!!!!!!!!!!!!!!!!!!!!!!

    NOOOOOOO!!!!!!!
    HSA is 2 powerful!!!!! :eek:
    jus wen i got rid of it
    it ask me 2 install it again
    i rememba it sayin update msn messener
    den my pc got messed
    nooo
    i cant even get rid of it
    wen eva i open msn messedger
    dis message appears

    heres a pic of da installin HSA fing
     
  23. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Gurpz
    If you switched System Restore back on after the cleanup, you should be able to rollback to that clean state! Then UNinstall anything to do with ANY messenger programs if you can.
    I've never used any messenger service at all and removed it completely from my PC. That probably explains why I have no virus/spyware/adware problems at all.
     
  24. susmariosep

    susmariosep TS Rookie

    Hi, can you help me too? I'm having trouble uninstalling homesearchassistant. Here's my hijackthis.txt. Thanks in advance.
     
  25. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

Topic Status:
Not open for further replies.

