Home Search Assistant...

Status
Not open for further replies.
Graye

Post a new HJT.txt after you have done your "homework" in my "How to .." thread.
See how well you follow instructions....
 
Help w/Home search assistant

I have the hijackthis log file.
Would some one care to help me with it?

Thanks for your help.
Mark

I will post log file after I read how to do it, I've tried and can't seem to figure it out so as much as I hate to admit it I am going to have to read the instructions.. :D
 
Home search assistant

I've downloaded Spybot, adaware, window washer, and spycleaner gold and none of them have gotten rid of the HSA. It keeps replacing my home page. Very annoying. I have got an alarm set up that trips each time it tries to reset now and gives me the opportunity to accept or reject but that is still a pain since it tries to reset almost every time I go to a new site. I've called in the big dogs in our IT dept to come in tomorrow to clean up this mess, I hear one of them got rid of this very thing last week on someone else's computer so here's hoping. I got a lot of great info from you guys so just wanted to say thanks!

Laura
 
Home Search Assistant

Hello everyone, I'm new to this board. Anyway, I've had this "Home Search Assistant" spyware/malware (or whatever you call it) for days now... I've been looking at these tutorials on how to take them out but I seem to get lost in these tutorials. Anyway, maybe you could help me, I've attached my HiJackThis log. PLEASE CAN SOMEONE HELP ME!! Home Search Assistant is really getting annoying!!
 
lil_ramen

Go to this post here first, and follow the instructions EXACTLY.
How to remove Begin2Search / Coolwebsearch

Then reboot in safe mode and UNinstall (if you can) anything to do with:

C:\Program Files\Comedy-Planet\comedy-planet.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


Run HJT on its own and have HJT 'fix' (if still there):

C:\WINDOWS\system32\msupd4.exe
C:\WINDOWS\addiy32.exe
C:\Program Files\Comedy-Planet\comedy-planet.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\tibs3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xeiir.dll/sp.html#37049
O2 - BHO: (no name) - {602CDF71-C65F-C2D9-F3F1-A7464BF6D83A} - C:\WINDOWS\system32\atluz.dll
O2 - BHO: (no name) - {8D11EFE8-819C-888A-0177-D8BA49DC8827} - (no file)
O2 - BHO: (no name) - {92D8AB37-E025-682C-C00D-E1E4FCA5A399} - (no file)
O4 - HKLM\..\Run: [addiy32.exe] C:\WINDOWS\addiy32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6957F19A-9D10-43EA-84BB-334AC656A156}: NameServer = 210.5.68.147 203.172.11.21

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
 
Hsa = Gone!

Hey realblackstuff, your guide really worked! Thanks a lot! Home Search Assistant was scrapped off and now I'm using Firefox with no annoying pop ups or Home Search! Thanks! :grinthumb
 
Home Search Nasty Little Critter

realblackstuff - just wanted to say some of us actually read your instructions for getting rid of home search. I had been searching around for either a fix or someone who seemed competent in dealing with it. Anyhow, I registered for this forum just to say thanks!

I followed your posts and it worked like a charm. Plus a bonus side effect was that I was having a CHKDSK problem on boot that caused the puter to keep booting over and over. Anyhow, I believe that the boot in safe mode allowed it to run all the way through fixing the bad sectors and taking another stress point out of my daily life. DOH!!!!! - I should have thought of that one.

Anyhow, thanks for your efforts.

Kudos!
Jeff

PS if you are ever in the Seattle area look me up and we'll head to the pub for a couple of pints of stout!
 
Jeff, thank you for the flowers.
Afraid Seattle is on the other side of the US from where I normally visit (Maryland and Michigan), but I'll drink to that anyway (hic...).
 
need help ridding system of Home Search Assistant

I ran Hijackthis but have no clue as to what to do next. Here is the log. I sure hope someone can help.
 
Hsa

I am not a computer geek, and digging in to remove files is kind of scary to me. I read threads concerning this parasite. I did find the hijack this program and read how to just run a scan and save a log, but it would not upload. I then tried to turn it into a .txt file so it would upload. I guess it was not the correct way to do it. I suppose I should just format. I was so hoping I would not have to do that and lose all my files. If you do have the patience to explain how to turn the hijackthis file into an uploadable file I can try again. Another question I have is do I check the box of the file I want to get rid of or are the checked boxes the ones I don't want to delete? Thank you for taking the time to respond to my post, I can see you must be extremely busy with this particular parasite.

Thank you

I am going to just have someone format my computer, this stuff is way over my head, thank you for your time and I think it is great that there are sites such as this out here. GL all
 
If you read the instructions, it tells you to 'fix' certain things. This means clicking on the little square in front of the 'offender' and doing that with all the ones that need to be 'fixed'. They will get a tick-mark when you click on them. Clicking them again will remove the tick-mark, if you made a mistake.

When done, you click on the button "fix checked". HJT makes a backup of all its fixes, so it can 'undo' a wrong fix.
Quite simple really.

Don't format yet, we'll do yours in "stages".
Make a new directory (AS INSTRUCTED!), e.g. \Program Files\HJT and copy the program there, DON'T run it from your desktop.

Switch off the Restore Points (Hope you know how to, I don't, have Win2000)

Boot in Safe Mode,

UNinstall anything to do with these programs:
C:\Program Files\XoftSpy\XoftSpy.exe
C:\freescan\freescan.exe -FastScan [=Spyware Begone]
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe

Then (still in Safe Mode) run Hijackthis on its own and put 'tick-marks' in (if still there):

Tick these running processes:
C:\WINDOWS\system32\syscw32.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\system32\crge.exe

ALL lines starting with R0
ALL lines starting with R1
ALL lines starting with R3

O2 - BHO: (no name) - {C3C7FD25-8011-C8E8-25B7-34DF607095C5} - C:\WINDOWS\system32\sdkvk.dll

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [crge.exe] C:\WINDOWS\system32\crge.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm11795US
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

ALL lines starting with O15 - Trusted Zone: --->>> You do NOT trust ANYbody EVER <<<---
ALL lines starting with O16 - DPF:

O23 - Service: BrSplService - Unknown - C:\WINDOWS\System32\brsvc01a.exe (file missing)
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\syscw32.exe

Now hit the button 'Fix Checked'.

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
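
The kinds of entries singled out in the replies above (res:// search pages, unnamed BHOs, Run values named after their own executable, Trusted Zone sites, services from an unknown vendor) can be flagged mechanically before a human reviews the log. The following is an added example, not part of the original post and not HijackThis's own logic; the heuristics are assumptions drawn from the entries flagged in this thread, and the `[ExampleApp]` line is constructed.

```python
import re

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
RUN_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"]+?\.exe)', re.I)

# Lines taken from the logs quoted in this thread; [ExampleApp] is constructed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {602CDF71-C65F-C2D9-F3F1-A7464BF6D83A} - C:\WINDOWS\system32\atluz.dll
O4 - HKLM\..\Run: [addiy32.exe] C:\WINDOWS\addiy32.exe
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\app.exe"
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\syscw32.exe
"""

def triage(line):
    """Return reasons a HijackThis line deserves review (heuristics are assumptions)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    low, reasons = body.lower(), []
    if section in ("R0", "R1") and "= res://" in low:
        reasons.append("IE search/start page loads a res:// page from a local DLL")
    if section == "O2" and "(no name)" in low:
        reasons.append("unnamed Browser Helper Object")
    if section == "O4" and (run := RUN_RE.search(body)):
        path = run["path"].lower()
        if run["name"].lower() == path.rsplit("\\", 1)[-1] and path.startswith("c:\\windows\\"):
            reasons.append("Run value named after its own .exe under C:\\WINDOWS")
    if section == "O15":
        reasons.append("site added to the IE Trusted Zone")
    if section == "O16" and ("ms-its:" in low or "mhtml:" in low):
        reasons.append("ActiveX download source uses an ms-its:/mhtml: URL")
    if section == "O23" and " - unknown - " in low:
        reasons.append("service with unknown vendor")
    return reasons

def review(log_text):
    """Map each flagged line to its reasons, preserving log order."""
    return {ln.strip(): r for ln in log_text.splitlines() if (r := triage(ln))}

if __name__ == "__main__":
    for line, why in review(SAMPLE_LOG).items():
        print("; ".join(why), "->", line)
```

A flagged line is a prompt for review, not a verdict; unflagged lines still need a human look.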
 
RBS, as your tag says, you are a genius

I cannot say thank you enough. I think I got through the instructions well. You were so precise and made it very easy to follow instructions. I am now using foxfire for a browser. I hope I got it all. Here is another HJT log just to make sure. Again, thank you so very much, you are the best :grinthumb

ToTC
 
Where do you get this crap:
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)

FIX IT!!!!!!!!!!
 
HJT can't seem to get rid of these files

I ran HJT and checked off the trusted zone files, but HJT can't seem to delete them. I restarted the computer to make sure that was not the issue but they are still there. I ran HJT again, checked them off again and tried to fix but they are still there /sigh.

ToTC

I did a search on my computer and could not find those files, so I searched the registry and found them in there so I deleted from the registry. here is a new HJT file and they are no longer listed :)

Thank you again,
ToTC
 
tiredofthiscrap:
The second log looks OK.
I just hope you are not using Internet Explorer anymore (except for Windoze updates), but Firefox instead.
Much less chance of getting infected.
 
Help!!!!

i hav had home search assistant on my PC for 6 months or sumfin like dat!!!
at first all dat happens was minor fings da net didnt work properly...
dats all.
now my pc is soooo slow
its like eatin my pc away
i cant seem 2 get rid of it
i tried 2 get rid of it like all the other people usin hijackthis but i dnt no what file it is?????

i was tryin 2 paste the Hijackthis log but its says i hav one or 2 many URLs???
i dnt no wat 2 do plz help me...
 
Gurpz_Da-G (how did you come up with a name like that?)

Go to this post here first, and follow the instructions EXACTLY.
How to remove Begin2Search / Coolwebsearch
Do NOT SKIP any steps in that Post!!!

When done, Boot in Safe Mode
Switch off System Restore
Try to UNinstall anything to do with these:

C:\Program Files\Security Administrator\newadmin.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\XoftSpy\XoftSpy.exe

Next, press ctrl/alt/del and try to STOP these processes (if still there):
newadmin.exe
MsgPlus.exe
XoftSpy.exe
systf32.exe
atlwf32.exe
iplo32.exe

Next, run HJT on its own and let it 'fix' (if still there):
C:\WINDOWS\system32\systf32.exe
C:\Program Files\Security Administrator\newadmin.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\atlwf32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nlulk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nlulk.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nlulk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nlulk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nlulk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nlulk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nlulk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D063C2EF-C5DC-955F-1F55-F0A8F80FE9FC} - C:\WINDOWS\iewi.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [00saskda] "C:\Program Files\Security Administrator\newadmin.exe" saskda
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [atlwf32.exe] C:\WINDOWS\atlwf32.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\RunOnce: [systf32.exe] C:\WINDOWS\system32\systf32.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://008i.com/pic//28129.chm::/open.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\iplo32.exe (file missing)

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

Reboot in normal mode and see how it goes.
If all is well, switch System Restore back on.


Now you should install at least XP-SP1. If you want XP-SP2, you don't need to install SP1 first.
But you MUST install one of them!
 
I did it!!!!!!!

yoooohooooo!!!!!!!!!!!!!!!!!!!!!!
its gone!!!!!!
yeaaa!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

well thanx 4 da help i neva wud
of gotten rid of the bug
wow, im so happy :)

fanx
jus hav a look at dis nice clean
HTJ txt, but the real question is
how long will my pc last????
there wud be an even stronger problem
it always happens :(
Shud get XP-SP2 soon

Gurpz
P.s--->da name easy Gurpz 4 shot eh????
 
Noooo!!!!!!!!!!!!!!!!!!!!!!

NOOOOOOO!!!!!!!
HSA is 2 powerful!!!!! :eek:
jus wen i got rid of it
it ask me 2 install it again
i rememba it sayin update msn messener
den my pc got messed
nooo
i cant even get rid of it
wen eva i open msn messedger
dis message appears

heres a pic of da installin HSA fing
 
Gurpz
If you switched System Restore back on after the cleanup, you should be able to rollback to that clean state! Then UNinstall anything to do with ANY messenger programs if you can.
I've never used any messenger service at all and removed it completely from my PC. That probably explains why I have no virus/spyware/adware problems at all.
 