Home Search Assistant...

BTwonderZ

If I tell people to follow instructions EXACTLY, then that's what they SHOULD do.
You would have found the O10 - Unknown file in Winsock LSP: error message, including instructions on how to FIX them.
Having 2 of those, means you have to do it twice, once for each file. You are the first one to have 2, sorry if I overlooked that.
See if you can get those deleted (why?) files back from your CD, the dll-cache on your HD or from someone else with (non-infected) XP.

Anyway, based on hjt20.txt, boot in safe mode, let HJT "fix" this:
C:\WINNT\system32\userinit.exe

Run the LSPFIX for both
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
and
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
DO NOT DELETE ANY OTHER FILES.

Based on hjt21.txt, boot in safe mode and only "run" HJT:

If this is still around, let LSPFIX this:
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

Don't try to confuse the issue, only report 1 log at the time. Fix that, then report back with another, if you still have problems.

Following instructions

realdarkstuff,

Thanks for your patience. I do believe the search assistent problem is solved, however as you now know the is this LSP dillema.

Your instructions were clear and well appreciated, the LSPfix seemed the logical route to take based on the HJT discovery.
Missing a step and acting on impulse taught a lesson of restraint.

Ran HJT and neither C:\WINNT\system32\userinit.exe nor 010-Unknown file in Winsock LSP:C\winnt\system32\calsp.dll were listed to "fix" \userinit.exe -only shows in log21a.

Now, I did find a copies of msafd.dll and rsvpsp.dll in the cache, however now what/where do I go?

Not to confuse the issue but, is the application "winsockfix,exe" of any help?

I'll await your reponse regarding this new issue and hope it isn't too much trouble.

Thanks!

BT

BTwonderz

rnr20, msafd and rsvpsp.dll can be found in c:\winnt\servicpackfiles\i386
winrnr.dll in c:\winnt\system32\dllcache
Copy them into c:\winnt\system32 while in Safe Mode, then REBOOT.

Calsp.dll does NOT belong on your PC.

Your HJT-log is almost clean.
Have HJT fix: C:\WINNT\system32\userinit.exe but DON't delete that file.

You could try that winsockfix program, but AFAIK is only needed if you have lost your internet-connection. And success with it is not always guaranteed. It won't do any damage, so try it.

Re: "almost clean"

RealDarkStuff,
winnt\servicepackfiles [does not exist-as named] nor can mr20 be found
however there is a:
winnt\drivercache\j386
msafd & rsvpsp & winrnr.dll ARE in \system32...manually deleted calsp.dll

see enclosed
HJT 25
-log before scanning and "fix" with nothing checked
HJTb
-log after "fix" with nothing checked.
could not find...userinit.exe

BTW, I DO NOT have internet connection since LSPfix of msafd.dll & rsvpsp.dll

BT

It's RNR20.DLL find it attached in a ZIP-file (rightclick/save as to get it)

Try that winsockfix program after you have copied rnr20.dll into \system32

Your logs are clean.

If all else fails you may need to do a repair through the console.
See Readme at top of Windows OS forum

Help!

okay i really don't know much about computers at all but i know i have this three virus-things (Home Search Assistant and SearchExtender and Shopping Wizard). i've been trying to remove them by the add/remove programs thing on windows, but the same thing happened that did with mhopeck. someone i know who knows computers told me to download hijackthis. i did and it told me to put my log on a forum for help so here i am. could someone please help me out with this?

(i cannot paste the log apparently though, because it says there are URLs and i need to remove them)












-Graye

Re: ""Pasting"" HJT Log

Graye,
You don't actually "paste" the log.
You must first convert the .log file to a .txt file.
Then, when you post a message there is an area called "additional options"
within that you will see a form button called "manage attachments"
after clicking that you are taken to a screen that will ask you to "browse"
for that file.
Once you've found the converted .txt file, select it; then you press the button
"upload". This will attach it to your message and the tech can then read it and get back to you on what to do next.
It is strongly suggested to only upload one (1) HJT file at a time to properly diagnos your problem.
Hope this helps,

BT

Re: RNR20

realblackstuff,

The rnr.dll is in system\32. Is this the only place it should be?

Tried the winsockfix--didn't work [just hit "Fix"]
I believe I'll look for threads regarding that; re: protocols, tcip, etc.
and the win OS forum to investigate my next task.

Thanks for the assistance in cleaning that horrible mess.

BT

aah i see. thanx, BTwonderz.

so can anyone help?

Hello and welcome to Techspot.

Before you do anything take a look at the following thread by RBS and follow the instructions.

How to remove begin2search / coolwebsearch

It Might be a good idea to print it out.

Regards Howard :wave: :wave:

Graye

Post a new HJT.txt after you have done your "homework" in my "How to .." thread.
See how well you follow instructions....

Help w/Home search assiatant

I have the hijackthis log file.
Would some one care to help me with it?

Thanks for your help.
Mark

I will post log file after I read how to do it, I've tried and cant seem to figure it out so as much as I hate to admit it I am going to have to read the instructions..

Home search assistant

undefinedI've downloaded Spybot, adaware, window washer, and spycleaner gold and none of them have gotten rid of the HSA. It keeps replacing my home page. Very annoying. I have got an alarm set up that trips each time it tries to reset now and gives me the opportunity to accept or reject but that is still a pain since it tries to reset almost every time I go to a new site. I've called in the big dogs in our IT dept to come in tomorrow to clean up this mess, I hear one of them got rid of this very thing last week on someone else's computor so here's hoping. I got a lot of great info from you guys so just wanted to say thanks!

Lauraundefined

llyndon
Why don't you go here and follow the instructions? Works for HSA as well
How to remove Begin2Search / Coolwebsearch
After you have done your "homework", post an HJT.TXT as attachment. We can then help you further (it's quite painless, actually)

Home Search Assistant

Hello everyone, I'm new to this board. Anyway, I've had this "Home Search Assistant" spyware/malware (or whatever you call it) for days now... I've been looking at these tutorials on how to take them out but I seem to get lost in these tutorials. Anyway, maybe you could help me, I've attached my HiJackThis log. PLEASE CAN SOMEONE HELP ME!! Home Search Assistant is really getting annoying!!

lil_ramen

Go to this post here first, and follow the instructions EXACTLY.
How to remove Begin2Search / Coolwebsearch

Then reboot in safe mode and UNinstall (if you can) anything to do with:

C:\Program Files\Comedy-Planet\comedy-planet.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


Run HJT on its own and have HJT 'fix' (if still there):

C:\WINDOWS\system32\msupd4.exe
C:\WINDOWS\addiy32.exe
C:\Program Files\Comedy-Planet\comedy-planet.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\tibs3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xeiir.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xeiir.dll/sp.html#37049
O2 - BHO: (no name) - {602CDF71-C65F-C2D9-F3F1-A7464BF6D83A} - C:\WINDOWS\system32\atluz.dll
O2 - BHO: (no name) - {8D11EFE8-819C-888A-0177-D8BA49DC8827} - (no file)
O2 - BHO: (no name) - {92D8AB37-E025-682C-C00D-E1E4FCA5A399} - (no file)
O4 - HKLM\..\Run: [addiy32.exe] C:\WINDOWS\addiy32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6957F19A-9D10-43EA-84BB-334AC656A156}: NameServer = 210.5.68.147 203.172.11.21

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

Hsa = Gone!

Hey realblackstuff, your guide really worked! Thanks a lot! Home Search Assistant was scrapped off and now I'm using Firefox with no annoying pop ups or Home Search! Thanks! :grinthumb

Home Search Nasty Little Critter

realblackstuff - just wanted to say some of us actually read your instructions for getting rid of home search. I had been searching around for either a fix or somone who seemed competent in dealing with it. Anyhow, I registered for this forum just to say thanks!

I followed your posts and it worked like a charm. Plus a bonus side effect was that I was having a CHKDSK problem on boot that caused the puter to keep booting over and over. Anyhow, I believe that the boot in safe mode allowed it to run all the way through fixing the bad sectors and taking another stress point out of my daily life. DOH!!!!! - I should have thought of that one.

Anyhow, thanks for your efforts.

Kudos!
Jeff

PS if you are ever in the Seattle area look me up and we'll head to the pub for a couple of pints of stout!

Jeff, thank you for the flowers.
Afraid Seattle is on the other side of the US from where I normally visit (Maryland and Michigan), but I'll drink to that anyway (hic...).

need help ridding system of Home Search Assistant

I ran Hijackthis but have no clue as to what to do next. Here is the log. I sure hope someone can help.