Why you should consider it: Home Search takes over your browser. It’s annoying. It’s hard to remove. It’s frustrating. Not anymore. Learn how to get it gone and keep it gone.
Editor’s foreword: Many of our staff have lent their talents and spent countless hours preparing this guide and Short-Media’s other guides and tools to help you defeat spyware. They have put their own PCs in peril to put spyware and browser hijackers back in their place…out of your PC.
If your PC is going places you don’t want it to then here’s your guide to remove Home Page Assistant hijacks with Short-Media’s Home Page Assistant Removal Guide!
Home Search Assistant. Only The Best. Shopping Wizard.
Those are some of the names it goes by but people
whose computers have been hijacked by this home page can think of a lot of other
names they would like to call it!
Does this home page look familiar?
If it does, you, like many thousands of internet surfers,
have been hijacked by the Home Page Assistant (HSA) hijack. This hijack is
widely believed to be a new version of the infamous CoolWebSearch (CWS) hijack,
one of the most widespread and well-known hijacks to date. CWS had its
nemesis though: the highly popular CWShredder program, which was updated
regularly to fight new variations of the infection. However, CWS is being
replaced by HSA at an amazingly rapid rate, and the maker of CWShredder has said
he has no plans to try and create a removal tool for HSA at this time.
There are a couple of programs on the web that claim to remove HSA, but they do
not work in every case, as this hijack has a few nasty tricks that make
automated removal harder to accomplish.
The Home Search Assistant (HSA) browser hijack is a very
persistent hijack. It is characterized by multiple redundant dll and exe
infection files, all with random names. These are reinforced with a
bogus background service that makes sure the infection stays alive. Users
who thought they were pretty good at using the Hijack This program to remove
malware got a sudden surprise. They would delete some randomly named
entries and the associated files, and assume they were all cleaned up. But
when they next opened their browser window, there it was again! Another
check of the Hijack This log showed similar entries…with completely new random
names! It was like swatting at mosquitoes…while you are busy smacking
one on your arm, another one is landing on your leg.
“Bogus services? Redundant dll’s?
Random names? I’ll never get this thing off my computer! Time to
re-install Windows…right?”
Wrong!
The Home Search Assistant file names follow some
recognizable patterns, so with some patience and determination, it is easy to
figure out what they are. The key is to identify the hidden service running on
your computer, and disable it, so that new files are not spawned every time you
delete the current one. “How do I do that?” you may wonder. Easy:
malware fighting websites have quickly identified the phony names the service
currently hides under, and are eagerly on the watch for new variations.
“What do I do to get rid of this thing?”
Read the free, easy to follow step-by-step
Home Search Assistant Removal Guide by Short-Media.com!
Since being published in mid-August, our removal guide has
been viewed by tens of thousands of computer users, and leads numerous search
engine hits for this problem. Of those thousands of viewers, only a very
small fraction have needed to register for
Short-Media.com’s Support Forums for additional help. What does that
tell us? That it works!
“But I am not very good with computers, I
don’t know if I can do this!”
Don’t worry, it’s easier than you think! And if you
do have trouble working through the guide on your own, help is only a click
away! Register for our forums and post your Hijack This log in our
Security –
Spyware / Virus / Trojan forum. One of our experienced users will
point you in the right direction to solve the problem.
Home Search Assistant Removal Guide
The Home Search Assistant (HSA) browser hijack is a very persistent hijack. It is characterized by multiple redundant Hijack This entries and re-infection files, all with random names. However, the names follow some recognizable patterns, so with some patience and determination they can be identified using Hijack This.exe (HJT).
This hijack is also known as:
- Only The Best
- Home Search Extender
- Shopping Wizard
- res://****.dll/index.html#***** (or simply res .dll)
For purposes of this Guide, I will refer to it as Home Search Assistant (HSA).
This hijack is widely believed to be a new version of the infamous CoolWebSearch (CWS) hijack, but cannot be repaired using the popular CWShredder program.
The biggest obstacle to solving this hijack is that the file names and HJT entries rename themselves when the computer is rebooted. We believe there are 2 different ways the files/entries rename themselves: either when you shut down the computer, thus ending the active processes; or, when the computer is booted up and the processes first launch. We have had reports from users that this can happen even at startup in Safe Mode.
A good first step to try to remove this is to download and run a program called HSRemove.exe:
This program is reported to work in several instances. However, there are also many reports of it not working. If HSRemove does not work for you, then you will have to manually remove the files and entries from your system. At the present time, we are using a fix that involves breaking the renaming cycle by hard-booting the computer. A hard reboot is shutting down the computer and restarting it by killing the power to the system. In other words, DO NOT REBOOT THE COMPUTER USING THE START MENU BUTTONS FOR LOG OFF OR REBOOT. Manually shut the computer down, by either:
- yanking the power plug out of the back of the computer or out of the wall outlet, waiting a few seconds, then plugging it back in;
- shutting it off with the power switch on the back of your computer case, waiting a few seconds, then switching it back on;
- pressing the power reset button on the front of your case.
Any of those methods will work fine. (Note that on some retail systems like Dell or Compaq, the front power button will do a soft reboot, which is not what we want here. In that case, use the rear power switch or just yank the plug.)
*** Before removing HSA, download and run Ad Aware and Spybot Search and Destroy.***
These programs will not remove HSA, but they will clean up many other known types of adware / spyware entries in your system, which will make your HJT log file easier to read. Instructions and links to download these programs are at:
http://www.short-media.com/forum/sh…151&postcount=1
***Also, we recommend first running a full virus scan with your anti-virus software, to remove any known viruses from your system.***
Again, the anti-virus program will likely not fix your HSA problem, but can help remove other entries from your HJT log and make it easier to deal with. If you do not have an anti-virus program…you should not be on the internet. Seriously, I’m not kidding. If you really do not have an anti-virus program, you can check out our users’ recommendations for what program to buy, including some free alternatives, at:
http://www.short-media.com/forum/showthread.php?t=12261
That thread includes links to the most recommended applications.
Finally, after doing all that, you can proceed to remove Home Search Assistant. I will use some example HJT log entries for this explanation. YOUR HJT ENTRIES AND FILENAMES WILL PROBABLY BE DIFFERENT THAN THESE! Use the explanations I will provide shortly to determine your problem entries / files.
Removal Guide: (PRINT THESE INSTRUCTIONS OUT FOR YOUR REFERENCE)
Step 1 – Download and install the program Hijack This.exe. Instructions and download link:
http://www.short-media.com/forum/sh…584&postcount=2
Also, download the program about_:Buster and unzip its contents to the same folder you put Hijack This into.
Please test about_:Buster right away. You don’t need to let it scan all the way, just see if it works or not. If you get an error message about a file, “MSCOMCTL.OCX”, you need to download the following fix:
http://www.javacoolsoftware.net/dow…ngfilesetup.exe
Run that fix, re-run about_:buster to see if it works. If it still does not, do not worry, you can proceed with the guide without this program.
When you have these programs installed properly in their own directory, run Hijack This and perform a scan as per the instructions. Press the Save Log button. Save the log, but also PRINT IT OUT. You will use that print out to determine the problem entries, and you will be comparing this against a second scan in Safe Mode, so you will need this printed out. Once that is done, exit HJT.
What you are looking for are the following:
- multiple R0 and R1 entries with the same dll name in them, followed by /sp.html#xxxxx where x is a random number
- R3 entry – Default URLSearchHook is missing
- an O2 BHO entry with a random seeming dll name, usually 5 characters followed by a 32
- an O4 HKLM Run entry with a random seeming exe name of either 4 or 5 chars, often with 32 in the name.
- multiple O4 RunOnce entries with a random seeming exe name of either 4 or 5 chars, often with 32 in the name.
An example taken from our forum:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zxzgr.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxzgr.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzgr.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zxzgr.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\zxzgr.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zxzgr.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxzgr.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzgr.dll/index.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zxzgr.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zxzgr.dll/sp.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5EA09FEA-707B-FB28-AF23-9B7F1EA97C20} - C:\WINNT\mfcwz32.dll
O4 - HKLM\..\Run: [sdkql.exe] C:\WINNT\sdkql.exe
In that case, the files that are causing the problem are:
C:\WINNT\SDKQL.EXE
C:\WINNT\zxzgr.dll
C:\WINNT\mfcwz32.dll
Here is an example of the O4 RunOnce entries:
O4 - HKLM\..\RunOnce: [apisn.exe] C:\WINDOWS\apisn.exe
O4 - HKLM\..\RunOnce: [sysdl.exe] C:\WINDOWS\system32\sysdl.exe
O4 - HKLM\..\RunOnce: [iehe.exe] C:\WINDOWS\system32\iehe.exe
O4 - HKLM\..\RunOnce: [javaiz32.exe] C:\WINDOWS\javaiz32.exe
O4 - HKLM\..\RunOnce: [winqe.exe] C:\WINDOWS\winqe.exe
O4 - HKLM\..\RunOnce: [appxv32.exe] C:\WINDOWS\appxv32.exe
O4 - HKLM\..\RunOnce: [addji32.exe] C:\WINDOWS\addji32.exe
O4 - HKLM\..\RunOnce: [iefj32.exe] C:\WINDOWS\iefj32.exe
O4 - HKLM\..\RunOnce: [ieif.exe] C:\WINDOWS\ieif.exe
O4 - HKLM\..\RunOnce: [mswl.exe] C:\WINDOWS\system32\mswl.exe
O4 - HKLM\..\RunOnce: [apioi32.exe] C:\WINDOWS\system32\apioi32.exe
O4 - HKLM\..\RunOnce: [netgi.exe] C:\WINDOWS\system32\netgi.exe
O4 - HKLM\..\RunOnce: [apiey32.exe] C:\WINDOWS\apiey32.exe
O4 - HKLM\..\RunOnce: [appxa.exe] C:\WINDOWS\appxa.exe
O4 - HKLM\..\RunOnce: [winvr.exe] C:\WINDOWS\system32\winvr.exe
O4 - HKLM\..\RunOnce: [mfcib32.exe] C:\WINDOWS\mfcib32.exe
O4 - HKLM\..\RunOnce: [atlvf.exe] C:\WINDOWS\atlvf.exe
O4 - HKLM\..\RunOnce: [winhj.exe] C:\WINDOWS\system32\winhj.exe
One giveaway of the O4 Run and RunOnce entries is that the process name and filename will be identical, for example:
O4 - HKLM\..\RunOnce: [winhj.exe] C:\WINDOWS\system32\winhj.exe
This gives you some idea of what to look for in your log.
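As an added example (not part of the original guide or of Hijack This), the Python sketch below applies the criteria above to a saved log and lists the file names worth checking. The sample log is constructed, the function names are hypothetical, and a hit is only a candidate to look up, not a verdict.

```python
import ntpath
import re

# "<section> - <body>"; accept "-" or the typographic dash that web copies of logs carry.
LINE = re.compile(r"^(R[0-3]|O\d+)\s+[-\u2013]\s+(.*)$")
RES_DLL = re.compile(r"res://(.+?\.dll)/(?:sp|index)\.html#\d+", re.I)
# The guide only describes HKLM Run / RunOnce entries, so only those are parsed here.
O4_RUN = re.compile(r"^HKLM\\\.\.\\(Run|RunOnce):\s*\[([^\]]+)\]\s+(.+)$", re.I)
RANDOM_EXE = re.compile(r"^[a-z]{4,5}(?:32)?\.exe$", re.I)  # 4-5 letters, optional 32
RANDOM_DLL = re.compile(r"^[a-z]{5}32\.dll$", re.I)          # 5 letters followed by 32

# Constructed sample log (not from a real machine): HSA-style entries among benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwkzp.dll/sp.html#40112
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qwkzp.dll/index.html#40112
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\ntxbq32.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe /min
O4 - HKLM\..\Run: [vbmt.exe] C:\WINDOWS\system32\vbmt.exe
O4 - HKLM\..\RunOnce: [crtgh32.exe] C:\WINDOWS\crtgh32.exe
"""


def flag_hsa_entries(log_text):
    """Return (section, reason, file_name) for each line that fits the guide's criteria."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section in ("R0", "R1"):
            res = RES_DLL.search(body)
            if res:
                dll = ntpath.basename(res.group(1)).lower()
                hits.append((section, "res:// page inside a DLL", dll))
        elif section == "R3" and "URLSearchHook is missing" in body:
            hits.append((section, "default URLSearchHook missing", None))
        elif section == "O2":
            # The DLL path is the last " - " separated field of a BHO line.
            dll = ntpath.basename(re.split(r"\s[-\u2013]\s", body)[-1].strip()).lower()
            if RANDOM_DLL.match(dll):
                hits.append((section, "BHO DLL named 5 letters + 32", dll))
        elif section == "O4":
            run = O4_RUN.match(body)
            if run:
                label = run.group(2).lower()
                exe = ntpath.basename(run.group(3).strip()).lower()
                if label == exe:  # the giveaway: entry name identical to the file name
                    why = "entry name equals file name"
                    if RANDOM_EXE.match(exe):
                        why += ", random-style name"
                    hits.append((section, why, exe))
    return hits


def candidate_files(hits):
    """Unique file names to search for and to compare against the Safe Mode log."""
    return sorted({name for _, _, name in hits if name})


if __name__ == "__main__":
    for hit in flag_hsa_entries(SAMPLE_LOG):
        print(hit)
    print(candidate_files(flag_hsa_entries(SAMPLE_LOG)))
```

Names longer than the 4 or 5 characters described above, such as javaiz32.exe in the RunOnce list, are still caught by the identical-name check but are reported without the random-style note.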
Step 2 – Set your computer to show all hidden files and folders. Instructions:
Step 3 – If you are running Windows XP or ME, disable System Restore. Instructions:
Step 4 – Click Start, and then Run. Type “Services.msc” in the run box and hit enter. Look for any of the following services:
- Network Security Service
- Workstation NetLogon Service
- Remote Procedure Call (RPC) Helper
If any of those are there, right-click on it and STOP the service, then right-click again, go into properties, and set the service to “disabled.” Exit the services control panel.
(Note 1 – if you do not see any of the services listed here, then click here. Do not “guess” and disable a service with a name that looks close to one of these. If it does not match one of those listed items exactly, leave it alone, or you could disable a legitimate service needed by Windows.)
Step 5 – Hard Reboot your computer via one of the methods above.
Step 6 – When the computer starts to come to life, start tapping the F8 key on your keyboard. Eventually this will bring you to the Advanced Boot Options screen. Use the arrow up/down keys on your keyboard to select the option which says SAFE MODE (make sure it says only that, not any other options like with networking or with command prompt.) This screen will vary somewhat with different OS versions. Press Enter, and stand-by for the computer to boot in Safe Mode. Depending on the speed of your computer, this may take up to several minutes.
***Note – on some computers, tapping the F8 key will first bring up a motherboard-based boot device selection menu. It will have options for what device to boot from, such as Floppy Drive, IDE Hard Drive, ATAPI CD-ROM, Removable Device, etc. Choose IDE Hard Drive. Then, once that menu disappears, begin tapping the F8 key again to get the Advanced Boot Options screen outlined above. ***
Step 7 – Once the computer is booted up in Safe Mode, locate and run HJT again. Scan and save a log. Compare this log against the one you printed earlier. If the files have renamed themselves, look for the R0, R1, O2 and O4 entries that appear in the log now but are not on the printed log. If the file names are the same as in the normal mode scan, then follow the explanations above to determine which files fit the pattern and are likely the cause of your problem. The R0 and R1 entries will be pretty obvious (and if you are not sure, you can fix all R0 and R1 entries, as you can easily reset these in your browser later). The O3 and O4 entries will have to be selected using the naming criteria above. You may use a search engine like Google.com to search for the file name to see if it is a valid file. There are also many good resources for determining if HJT entries and file names are legitimate files or not. Short-Media has a listing of some of the best of these resources here.
If you absolutely cannot figure it out, join our forum membership, post your HJT log, and one of our members will help you determine which entries are your problem.
Fix the offending R1, R2, O2 BHO entries, and any O4 Run / RunOnce entries. Put a checkmark beside them in HJT, and press FIX.
Then, exit HJT, but stay in Safe Mode.
Step 8 – Locate and run about_:Buster. Make sure to check for and download the latest update to the program. Then scan your computer by pressing the Start button in about_:Buster, and clicking OK. It will attempt to identify and fix the R0 and R1 entries above, plus any other versions of this or certain other infection files that it finds on your computer.
Step 9 – After running about_:Buster, you need to confirm that the files in your HJT log have been removed. Stay in Safe Mode, open My Computer, and then open your “C” hard drive. Right-click in there and create New Folder. Name this folder Quarantine. From the HJT entries above, determine the file names and directory paths of the infection files.
For instance:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zxzgr.dll/sp.html#12802
O2 - BHO: (no name) - {5EA09FEA-707B-FB28-AF23-9B7F1EA97C20} - C:\WINNT\mfcwz32.dll
O4 - HKLM\..\Run: [sdkql.exe] C:\WINNT\sdkql.exe
O4 - HKLM\..\RunOnce: [addji32.exe] C:\WINDOWS\addji32.exe
Locate those files by navigating to their locations. If any of them still exist on your computer, proceed to Step 10. Otherwise, skip to Step 11.
Step 10 – Move these files to the Quarantine folder on your C drive. Rename all of the .dll extensions to .ddd, and all of the .exe’s to .xxx. That way, if you accidentally quarantined a legitimate file, you can always replace it by renaming it and moving it back to where it came from (consult your printed HJT log to determine the correct folder it came from, or save the text file of your HJT log with the date on it for reference.)
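The quarantine step can also be scripted so that the original location of each file is recorded rather than reconstructed from the printed log. This is an added example, not part of the original guide; the manifest.json file and the function names are assumptions.

```python
import json
import os
import shutil

# Extension swaps from Step 10: a renamed file can no longer be loaded or run by name.
SWAP = {".dll": ".ddd", ".exe": ".xxx"}
MANIFEST = "manifest.json"  # hypothetical name; maps quarantined name -> original path


def _load(qdir):
    path = os.path.join(qdir, MANIFEST)
    if os.path.exists(path):
        with open(path) as fh:
            return json.load(fh)
    return {}


def _save(qdir, manifest):
    with open(os.path.join(qdir, MANIFEST), "w") as fh:
        json.dump(manifest, fh, indent=2)


def quarantine(paths, qdir):
    """Move each existing file into qdir under a neutralised extension."""
    os.makedirs(qdir, exist_ok=True)
    manifest = _load(qdir)
    for src in paths:
        if not os.path.isfile(src):
            continue  # already removed, nothing to quarantine
        stem, ext = os.path.splitext(os.path.basename(src))
        new_ext = SWAP.get(ext.lower())
        if new_ext is None:
            raise ValueError(f"unexpected extension, refusing to move: {src}")
        # Two infection files may share a name in different folders; keep both.
        dest_name, n = stem + new_ext, 1
        while dest_name in manifest or os.path.exists(os.path.join(qdir, dest_name)):
            dest_name, n = f"{stem}_{n}{new_ext}", n + 1
        origin = os.path.abspath(src)
        shutil.move(src, os.path.join(qdir, dest_name))
        manifest[dest_name] = origin
    _save(qdir, manifest)
    return manifest


def restore(dest_name, qdir):
    """Put a wrongly quarantined file back under its original name and folder."""
    manifest = _load(qdir)
    origin = manifest.pop(dest_name)
    if os.path.exists(origin):
        raise FileExistsError(origin)  # never overwrite whatever is there now
    shutil.move(os.path.join(qdir, dest_name), origin)
    _save(qdir, manifest)
    return origin
```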
Step 11 – (Warning – this step uses the Regedit tool. Be very cautious, making a mistake here can seriously foul up your computer!) Still in Safe Mode, click on Start-> Run. Type REGEDIT and press Enter.
Click the + signs next to the folders to navigate the registry folder:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Highlight Services on the left hand side of the window. In the right hand side pane, look for any entries named:
- Network Security Service
- Workstation NetLogon Service
- Remote Procedure Call (RPC) Helper
- __NS_Service
- __NS_Service_2
- __NS_Service_3
Obviously, you would expect to see the one that matches the service you identified in Step 4, but check for them all to be safe. If you see any of them, right click on them, and delete them.
Next, navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root on the left side. Look on the right side for any of these:
- LEGACY Network Security Service
- LEGACY Workstation NetLogon Service
- LEGACY Remote Procedure Call (RPC) Helper
- LEGACY___NS_Service
- LEGACY___NS_Service_2
- LEGACY___NS_Service_3
Again, you would expect to see the one that matches the service you identified in Step 4, but check for them all to be safe. If you see any of them, right click on them, and delete them.
If you cannot remove these entries, right click on it and choose Permissions. Check the Full Control box and click OK. Then try to delete it again. If you are using Windows 2000, close Regedit. Click on Start-> Run, and type in REGEDT32. Locate the same folder, and highlight it. Click on the Security menu at the top of the Regedt32 program, select permissions and change the permissions to Full Control. Then try to delete the key. Once the keys are deleted, close the Registry Editor.
(Note – you may not have these entries in your Registry. This list is being updated as new entries are located on various sources on the Internet. New registry variants may appear at any time. If you do not find one of the ones listed, do not worry, just proceed to Step 12. So long as you have stopped the service and quarantined the files, the stray registry entries will not cause the hijack to return. Your registry is likely full of stray entries like this from various software that has been installed and removed from your system. If you are concerned about this, install a registry cleaning program to identify and clean stray entries. I recommend Easy Cleaner.)
Step 12 – Clean out temporary and temporary Internet files. There are a couple of ways to do this:
a – Open My Computer, right click on your C drive, select Properties, and click Disk Cleanup.
b – Go to “Start” => “Run” and type in the box: “cleanmgr”.
c – Use a cleaning program like Easy Cleaner to clean out temporary files.
Either way, let the disk cleanup manager scan your system for files to remove. Set it to clean Temporary Files, Temporary Internet Files, and Recycle Bin. Click OK to begin.
Step 13 – Hard boot the computer again. Manually shut the computer down, by either yanking the plug out of it, or shutting it off with the rear power switch. Then, plug it back in or turn it back on. Let it boot up normally.
Step 14 – Launch Internet Explorer, and see if the problem is gone. You may need to reset your home page settings by clicking the Tools menu -> Internet Options -> Programs -> Reset Web Settings. Then click the General Tab in that same window, and manually set whatever home page you want. Surf a few websites to make sure the hijack is gone.
Step 15 – Exit Internet Explorer and run HJT again. Scan again and search once more for any entries that match the HSA criteria. If any are there, repeat the process. If none are there, Exit HJT and celebrate…you have slain the monster!
If you still have the problem, register for Short-Media’s forums and post a HJT log in the Spyware/Virus/Trojan Discussion forum:
Let us know if you followed this guide, as well as whether or not you ran Ad Aware / Spybot SD. If your problem is not fixed, do not complete steps 13 or 14 yet.
Step 16 – Reset the “Hide Protected Operating System Files” option that was changed in Step 2. Keep the “Show Hidden” turned on, and the “Hide Extensions” turned off. This gives you better control of seeing what is on your computer.
Step 17 – On XP and ME, re-enable System Restore as per the instructions here.
If you have removed this hijack successfully, you may notice that it left some entries in your Add/Remove Programs control panel, that cannot be removed from it. The program Easy Cleaner, linked above, will also take care of that problem, and many others. It is a very useful application.
Now that you have rid yourself of this pest, take some time to learn more about preventing adware / spyware problems on your computer. Read:
And finally, if this helped you, and you found this guide useful, please bookmark our website, tell others about us, and leave us some positive feedback on our feedback forum (registration required).
Still not sure?
Take a look at what some very happy users have
already said about Short-Media’s
HSA Removal Guide:
“A big, heartfelt thank you! to the people
involved in the “Home Search Assistant Removal Guide”. I have just used it
successfully to remove any and all trace of this deeply annoying adware, having
previously tried a number of combinations of anti-virus and adware removal
tools, with no success whatsoever.”
“A pleasure to follow such a coherent guide.
Thanks again!”
“After trying for the last week to get rid of
Home Search Assistant, I ran across your guide today. I tried several other
forum suggestions, and yours is the only one that worked. Thanks!”
“I just had to say a big THANKS! Got the HSA
hijack last week and had no idea what to do. So I googled on it and came across
your HSA removal guide. It was straightforward and easy to follow, and I kicked
the little scumbag off my machine. I’m FREE!!!!!!
THANK YOU – THANK YOU – THANK YOU – THANK YOU”
“I wanted to let you know that I had the Home
search assistant, search extender, shopping wizard problem. I searched the web
for hours and I finally tried your step by step removal. The process was very
easy to follow and it worked perfectly. I just want to say thank you so much for
your detailed steps, You Guys are Great!!
Thanks Much!”
“Many many many thanks it solved my problems!!!!!!!!!!!!!!!!!!
Had difficulty with Home Search for about a week, tried the removal guide,
and hey PRESTO ALL GONE! MAGIC! Will let others know about an
excellent site.”
“You guys are terrific. Thanks again for all
your help!”
Short-Media.com’s Security “SWAT Team” is constantly
updating the
HSA Removal Guide with the latest information, as well as adding
information based on the questions and new problems users have encountered along
the way. When new variations of this hijack surface, we’ll be ready to add
them to the guide. Plus, our guide contains links to other Short-Media.com
articles and useful programs to help you gain the knowledge and the tools to
help prevent these types of problems from happening on your computer again.