Home Search Assistant Removal Guide

DexterDexter Vancouver, BC Canada
edited April 2005 in Spyware & Virus Removal

The Home Search Assistant (HSA) browser hijack is a very persistent hijack. It is characterized by multiple redundant HijackThis entries and re-infection files, all with random names. However, the names follow some recognizable patterns, so they can be identified by checking a HijackThis.exe (HJT) log with some patience and determination.

This hijack is also known as:

- Only The Best
- Home Search Extender
- Shopping Wizard
- res://****.dll/index.html#***** (or simply res .dll)


For purposes of this Guide, I will refer to it as Home Search Assistant (HSA).

This hijack is widely believed to be a new version of the infamous CoolWebSearch (CWS) hijack, but cannot be repaired using the popular CWShredder program.

The biggest obstacle to solving this hijack is that the file names and HJT entries rename themselves when the computer is rebooted. We believe there are 2 different ways the files/entries rename themselves: either when you shut down the computer, thus ending the active processes; or, when the computer is booted up and the processes first launch. We have had reports from users that this can happen even at startup in Safe Mode.

THIS GUIDE WILL ONLY WORK FOR USERS RUNNING WINDOWS 2000 OR XP. USERS RUNNING WINDOWS 95, 98 OR ME WILL HAVE TO SIGN UP TO OUR FORUM AND POST AN HJT LOG IN OUR SECURITY SVT THREAD. THE WIN 95/98/ME METHOD WILL BE POSTED HERE AS A GUIDE WHEN TIME PERMITS.



A good first step to try to remove this is to download and run a program called HSRemove.exe:

http://www.hsremove.com

This program is reported to work in several instances. However, there are also many reports of it not working. If HSRemove does not work for you, then you will have to manually remove the files and entries from your system. At the present time, we are using a fix that involves breaking the renaming cycle by hard-booting the computer. A hard reboot is shutting down the computer and restarting it by killing the power to the system. In other words, DO NOT REBOOT THE COMPUTER USING THE START MENU BUTTONS FOR LOG OFF OR REBOOT. Manually shut the computer down, by either:

- yanking the power plug out of the back of the computer or out of the wall outlet, waiting a few seconds, then plugging it back in;

- shutting it off with the power switch on the back of your computer case, waiting a few seconds, then switching it back on;

- pressing the power reset button on the front of your case.

Any of those methods will work fine. (Note that on some retail systems like Dell or Compaq, the front power button will do a soft reboot, which is not what we want here. In that case, use the rear power switch or just yank the plug.)


*** Before removing HSA, download and run Ad Aware and Spybot Search and Destroy.***

These programs will not remove HSA, but they will clean up many other known types of adware / spyware entries in your system, which will make your HJT log file easier to read. Instructions and links to download these programs are at:

http://www.short-media.com/forum/showpost.php?p=146151&postcount=1

(NOTE - The latest version of Ad Aware (Ad-Aware SE Personal v1.05) is reported by our users to be very effective in helping cripple the HSA infection, but does not completely remove it in all cases. If Ad Aware indicates that it has fixed the HSA problem for you, we recommend you still follow this guide to ensure that it is effectively removed.)


***Also, we recommend first running a full virus scan with your anti-virus software, to remove any known viruses from your system.***

Again, the anti-virus program will likely not fix your HSA problem, but can help remove other entries from your HJT log and make it easier to deal with. If you do not have an anti-virus program...you should not be on the internet. Seriously, I'm not kidding. If you really do not have an anti-virus program, you can check out our users' recommendations for what program to buy, including some free alternatives, at:

http://www.short-media.com/forum/showthread.php?t=12261

That thread includes links to the most recommended applications.

Finally, after doing all that, you can proceed to remove Home Search Assistant. I will use some example HJT log entries for this explanation. YOUR HJT ENTRIES AND FILENAMES WILL PROBABLY BE DIFFERENT THAN THESE! Use the explanations I will provide shortly to determine your problem entries / files.

Removal Guide:
(PRINT THESE INSTRUCTIONS OUT FOR YOUR REFERENCE)



Step 1 - Download and install the program Hijack This.exe. Instructions and download link:

http://www.short-media.com/forum/showpost.php?p=172584&postcount=2

Please make sure that HijackThis.exe is in its own folder (eg: c:\hijackthis or C:\HJT).

Also, download the program About:Buster and unzip its contents to the same folder you put Hijack This into.


Please test About:buster right away. Make sure to check for and download the latest update to the program, then start a scan to see if it works. You don't need to let it scan all the way, just see if it works or not. If you get an error message about a file: "MSCOMCTL.OCX" you need to download the following fix:

http://www.javacoolsoftware.net/downloads/missingfilesetup.exe

Run that fix, re-run About:buster to see if it works. If it still does not, do not worry, you can proceed with the guide without this program.

When you have these programs installed properly in their own directory, run Hijack This and perform a scan as per the instructions. Press the Save Log button. Save the log, but also PRINT IT OUT. You will use that print out to determine the problem entries, and you will be comparing this against a second scan in Safe Mode, so you will need this printed out. Once that is done, exit HJT.

What you are looking for are the following:

- multiple R0 and R1 entries with the same dll name in them, followed by /sp.html#xxxxx where x is a random number
- R3 entry - Default URLSearchHook is missing
- an O2 BHO entry with a random-seeming dll name, usually 5 characters followed by 32
- an O4 HKLM Run entry with a random-seeming exe name of either 4 or 5 chars, often with 32 in the name
- multiple O4 RunOnce entries with random-seeming exe names of either 4 or 5 chars, often with 32 in the name


An example taken from our forum:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zxzgr.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxzgr.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzgr.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zxzgr.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\zxzgr.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zxzgr.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxzgr.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzgr.dll/index.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zxzgr.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zxzgr.dll/sp.html#12802

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5EA09FEA-707B-FB28-AF23-9B7F1EA97C20} - C:\WINNT\mfcwz32.dll

O4 - HKLM\..\Run: [sdkql.exe] C:\WINNT\sdkql.exe

In that case, the files that are causing the problem are:

C:\WINNT\SDKQL.EXE
C:\WINNT\zxzgr.dll
C:\WINNT\mfcwz32.dll



Here is an example of the O4 RunOnce entries:

O4 - HKLM\..\RunOnce: [apisn.exe] C:\WINDOWS\apisn.exe
O4 - HKLM\..\RunOnce: [sysdl.exe] C:\WINDOWS\system32\sysdl.exe
O4 - HKLM\..\RunOnce: [iehe.exe] C:\WINDOWS\system32\iehe.exe
O4 - HKLM\..\RunOnce: [javaiz32.exe] C:\WINDOWS\javaiz32.exe
O4 - HKLM\..\RunOnce: [winqe.exe] C:\WINDOWS\winqe.exe
O4 - HKLM\..\RunOnce: [appxv32.exe] C:\WINDOWS\appxv32.exe
O4 - HKLM\..\RunOnce: [addji32.exe] C:\WINDOWS\addji32.exe
O4 - HKLM\..\RunOnce: [iefj32.exe] C:\WINDOWS\iefj32.exe
O4 - HKLM\..\RunOnce: [ieif.exe] C:\WINDOWS\ieif.exe
O4 - HKLM\..\RunOnce: [mswl.exe] C:\WINDOWS\system32\mswl.exe
O4 - HKLM\..\RunOnce: [apioi32.exe] C:\WINDOWS\system32\apioi32.exe
O4 - HKLM\..\RunOnce: [netgi.exe] C:\WINDOWS\system32\netgi.exe
O4 - HKLM\..\RunOnce: [apiey32.exe] C:\WINDOWS\apiey32.exe
O4 - HKLM\..\RunOnce: [appxa.exe] C:\WINDOWS\appxa.exe
O4 - HKLM\..\RunOnce: [winvr.exe] C:\WINDOWS\system32\winvr.exe
O4 - HKLM\..\RunOnce: [mfcib32.exe] C:\WINDOWS\mfcib32.exe
O4 - HKLM\..\RunOnce: [atlvf.exe] C:\WINDOWS\atlvf.exe
O4 - HKLM\..\RunOnce: [winhj.exe] C:\WINDOWS\system32\winhj.exe


One giveaway of the O4 Run and RunOnce entries is that the process name and filename will be identical, for example:

O4 - HKLM\..\RunOnce: [winhj.exe] C:\WINDOWS\system32\winhj.exe

This gives you some idea of what to look for in your log.
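The naming patterns above can be checked mechanically. The following Python script is an added example, not part of the original guide and not part of HijackThis itself. It encodes the guide's criteria (res://...dll/sp.html or index.html values in R0/R1 entries, the missing URLSearchHook R3 line, O2 BHO and O4 Run/RunOnce file names of 4 or 5 letters optionally followed by 32, and the bracketed O4 name matching the file name) as regular expressions and runs them over a constructed sample log assembled from the entries quoted above. Treat its output as a shortlist to verify by hand, as the guide says, not a verdict: a short file name is only suspicious in combination with the other entries.

```python
import re

# Constructed sample HijackThis log, modelled on the entries shown in the guide
# above (the GUID and file names are the ones the guide quotes). The first seven
# lines follow the HSA patterns; the last two are ordinary entries, included to
# show that the rules do not flag everything.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zxzgr.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzgr.dll/index.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5EA09FEA-707B-FB28-AF23-9B7F1EA97C20} - C:\WINNT\mfcwz32.dll
O4 - HKLM\..\Run: [sdkql.exe] C:\WINNT\sdkql.exe
O4 - HKLM\..\RunOnce: [winhj.exe] C:\WINDOWS\system32\winhj.exe
O4 - HKLM\..\RunOnce: [apisn.exe] C:\WINDOWS\apisn.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# R0/R1 value of the form res://<dll>/sp.html#NNNNN or res://<dll>/index.html#NNNNN
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/(sp|index)\.html#\d+$", re.I)
# 4 or 5 letters, optionally followed by 32, then .exe or .dll (the guide's naming pattern)
RANDOM_NAME = re.compile(r"^[a-z]{4,5}(32)?\.(exe|dll)$", re.I)
# O4 - HKLM\..\Run: [name] path   (also RunOnce, and HKCU)
O4_ENTRY = re.compile(r"^O4 - HK(LM|CU)\\\.\.\\Run(Once)?: \[(?P<key>[^\]]+)\] (?P<path>\S+)")


def basename(path):
    """Last component of a Windows path (or the name itself if there is no directory)."""
    return path.rsplit("\\", 1)[-1]


def classify(line):
    """Return (reason, file_path_or_None) if the line matches an HSA pattern, else None."""
    line = line.strip()
    if line.startswith(("R0 - ", "R1 - ")) and " = " in line:
        value = line.split(" = ", 1)[1]
        m = RES_DLL.match(value)
        if m:
            return ("R0/R1 pointing at res://...dll/sp.html or index.html", m.group("dll"))
        return None
    if line == "R3 - Default URLSearchHook is missing":
        return ("R3 URLSearchHook missing", None)
    if line.startswith("O2 - BHO:"):
        path = line.rsplit(" - ", 1)[1]
        if RANDOM_NAME.match(basename(path)):
            return ("O2 BHO with random-looking dll name", path)
        return None
    m = O4_ENTRY.match(line)
    if m:
        key, path = m.group("key"), m.group("path")
        # the giveaway from the guide: bracketed name equals the file name, and it looks random
        if key.lower() == basename(path).lower() and RANDOM_NAME.match(key):
            return ("O4 Run/RunOnce with random-looking exe name", path)
    return None


def scan(log_text):
    """All flagged lines of a log as (line, reason, path) tuples."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            findings.append((line.strip(), hit[0], hit[1]))
    return findings


def suspect_files(log_text):
    """Unique file paths named by the flagged entries, for the quarantine step.
    A bare 'zxzgr.dll' from a res:// entry is dropped when a full path for the
    same file name is known from another entry."""
    paths = {}
    for _, _, path in scan(log_text):
        if path is None:
            continue
        base = basename(path).lower()
        if base not in paths or "\\" not in paths[base]:
            paths[base] = path
    return sorted(paths.values(), key=str.lower)


if __name__ == "__main__":
    for line, reason, _ in scan(SAMPLE_LOG):
        print(f"{reason:55} {line}")
    print("Files to check / quarantine:")
    for path in suspect_files(SAMPLE_LOG):
        print("  " + path)
```

To use it on a real log, replace SAMPLE_LOG with the contents of the saved HJT text file; suspect_files gives the list to walk through in the quarantine step, and the bare DLL name from an R0 entry without a directory still has to be located by hand (the guide's example puts it in the Windows directory).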


Step 2 - Set your computer to show all hidden files and folders. Instructions:

http://www.short-media.com/forum/showpost.php?p=172588&postcount=3

Step 3 - If you are running Windows XP or ME, disable System Restore. Instructions:

http://www.short-media.com/forum/showpost.php?p=172591&postcount=4

Step 4 - Click Start, and then Run. Type "Services.msc" in the run box and hit enter. Look for any of the following services:

- Network Security Service
- Workstation NetLogon Service
- Remote Procedure Call (RPC) Helper


If any of those are there, right-click on it and STOP the service, then right-click again, go into properties, and set the service to "disabled." Exit the services control panel.

(Note 1 - if you do not see any of the services listed here, see the first comment below this guide for how to identify the service. Do not "guess" and disable a service with a name that looks close to one of these. If it does not match one of those listed items exactly, leave it alone, or you could disable a legitimate service needed by Windows.)


Step 5 - Hard reboot your computer via one of the methods above.

Step 6 - When the computer starts to come to life, start tapping the F8 key on your keyboard. Eventually this will bring you to the Advanced Boot Options screen. Use the arrow up/down keys on your keyboard to select the option which says SAFE MODE (make sure it says only that, not any other options like with networking or with command prompt.) This screen will vary somewhat with different OS versions. Press Enter, and stand by for the computer to boot in Safe Mode. Depending on the speed of your computer, this may take up to several minutes.

***Note - on some computers, tapping the F8 key will first bring up a motherboard-based boot device selection menu. It will have options for what device to boot from, such as Floppy Drive, IDE Hard Drive, ATAPI CD-ROM, Removable Device, etc. Choose IDE HARD Drive. Then, once that menu disappears, begin tapping the F8 key again to get the Advanced Boot Options screen outlined above. ***

Step 7 - Once the computer is booted up in Safe Mode, locate and run HJT again. Scan and save a log. Compare this log against the one you printed earlier. If the files have renamed themselves, note which R0, R1, O2 and O4 entries appear in the new log that are not on the printed log. If the file names are the same as in the Normal Mode scan, then follow the explanations above to determine which files fit the pattern and are likely the cause of your problem. The R0 and R1 entries will be pretty obvious (and if you are not sure, you can fix all R0 and R1 entries, as you can easily reset these in your browser later.) The O2 and O4 entries will have to be selected using the naming criteria above. You may use a search engine like Google.com to search for the file name to see if it is a valid file. There are also many good resources for determining whether HJT entries and file names are legitimate or not. Short-Media has a listing of some of the best of these resources here:

http://www.short-media.com/forum/showthread.php?t=15488

If you absolutely cannot figure it out, join our forum membership (it's absolutely free), post your HJT log, and one of our members will help you determine which entries are your problem.

Fix the offending R0, R1 and O2 BHO entries, and any O4 Run / RunOnce entries. Put a checkmark beside them in HJT, and press FIX.

Then, exit HJT, but stay in Safe Mode.

Step 8 - Locate and run About:Buster. Scan your computer by pressing the Start button in About:Buster, and clicking OK. It will attempt to identify and fix the R0 and R1 entries above, plus any other versions of this or certain other infection files that it finds on your computer.

Step 9 - After running About:Buster, you need to confirm that the files in your HJT log have been removed. Stay in Safe Mode, open My Computer, and then open your "C" hard drive. Right-click in there and create New Folder. Name this folder Quarantine. From the HJT entries above, determine the file names and directory paths of the infection files.

For instance:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zxzgr.dll/sp.html#12802
O2 - BHO: (no name) - {5EA09FEA-707B-FB28-AF23-9B7F1EA97C20} - C:\WINNT\mfcwz32.dll
O4 - HKLM\..\Run: [sdkql.exe] C:\WINNT\sdkql.exe
O4 - HKLM\..\RunOnce: [addji32.exe] C:\WINDOWS\addji32.exe

Locate those files by navigating to their locations. If any of them still exist on your computer, proceed to Step 10. Otherwise, skip to Step 11.

Step 10 - Move these files to the Quarantine folder on your C drive. Rename all of the .dll extensions to .ddd, and all of the .exe's to .xxx. That way, if you accidentally quarantined a legitimate file, you can always replace it by renaming it and moving it back to where it came from (consult your printed HJT log to determine the correct folder it came from, or save the text file of your HJT log with the date on it for reference.)

Step 11 - (Warning - this step uses the Regedit tool. Be very cautious, making a mistake here can seriously foul up your computer!) Still in Safe Mode, click on Start-> Run. Type REGEDIT and press Enter.

Click the + signs next to the folders to navigate the registry folder:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Highlight Services on the left hand side of the window. In the right hand side pane, look for any entries named:

- Network Security Service
- Workstation NetLogon Service
- Remote Procedure Call (RPC) Helper
- __NS_Service
- __NS_Service_2
- __NS_Service_3



Obviously, you would expect to see the one that matches the service you identified in Step 4, but check for them all to be safe. If you see any of them, right click on them, and delete them.


Next, navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

Highlight Root on the left side. Look on the right side for any of these:

- LEGACY Network Security Service
- LEGACY Workstation NetLogon Service
- LEGACY Remote Procedure Call (RPC) Helper
- LEGACY___NS_Service
- LEGACY___NS_Service_2
- LEGACY___NS_Service_3



Again, you would expect to see the one that matches the service you identified in Step 4, but check for them all to be safe. If you see any of them, right click on them, and delete them.


If you cannot remove these entries, right click on it and choose Permissions. Check the Full Control box and click OK. Then try to delete it again. If you are using Windows 2000, close Regedit. Click on Start-> Run, and type in REGEDT32. Locate the same folder, and highlight it. Click on the Security menu at the top of the Regedt32 program, select permissions and change the permissions to Full Control. Then try to delete the key. Once the keys are deleted, close the Registry Editor.

(Note - you may not have these entries in your Registry. This list is being updated as new entries are located on various sources on the internet. New registry variants may appear at any time. If you do not find one of the ones listed, do not worry, just proceed to Step 12. So long as you have stopped the service and quarantined the files, the stray registry entries will not cause the hijack to return. Your registry is likely full of stray entries like this from various software that has been installed and removed from your system. If you are concerned about this, install a registry cleaning program to identify and clean stray entries. I recommend Easy Cleaner or Crap Cleaner.)


Step 12 - Clean out all temporary and temporary Internet files. There are a couple of ways to do this:

a - Open My Computer, right click on your C drive, select Properties, and click Disk Cleanup. This will open the Disk Cleanup Manager. It will take a few moments to scan your hard drive, then present you with a window and several cleaning options. Make sure to choose the options to clean Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

b - Go to the Start Menu, choose "Run" and type in the box: "cleanmgr". (This will also open the Disk Cleanup Manager. Use the same options as above.)

c - Use a cleaning program like Easy Cleaner to clean out temporary files.

Either way, let the disk cleanup manager scan your system for files to remove. Set it to clean Temporary Files, Temporary Internet Files, and Recycle Bin. Click OK to begin.

Step 13 - Hard boot the computer again. Manually shut the computer down, by either yanking the plug out of it, or shutting it off with the rear power switch. Then, plug it back in or turn it back on. Let it boot up normally.

Step 14 - Launch Internet Explorer, and see if the problem is gone. You may need to reset your home page settings by clicking the Tools menu -> Internet Options -> Programs -> Reset Web Settings. Then click the General Tab in that same window, and manually set whatever home page you want. Surf a few websites to make sure the hijack is gone.

Step 15 - Exit Internet Explorer and run HJT again. Scan again and search once more for any entries that match the HSA criteria. If any are there, repeat the process. If none are there, Exit HJT and celebrate...you have slain the monster! :)

If you still have the problem, register for Short-Media's forums and post an HJT log in the Spyware/Virus/Trojan Discussion forum:

http://www.short-media.com/forum/forumdisplay.php?f=57

Let us know if you followed this guide, as well as whether or not you ran Ad Aware / Spybot SD. If your problem is not fixed, do not complete Steps 16 or 17 yet.

Step 16 - Reset the "Hide Protected Operating System Files" option that was changed in Step 2. Keep "Show Hidden" turned on, and "Hide Extensions" turned off. This gives you better control over seeing what is on your computer.

Step 17 - On XP and ME, re-enable System Restore as per the instructions here:

http://www.short-media.com/forum/showpost.php?p=172591&postcount=4

If you have removed this hijack successfully, you may notice that it left some entries in your Add/Remove Programs control panel, that cannot be removed from it. The program Easy Cleaner, linked above, will also take care of that problem, and many others. It is a very useful application.



Now that you have rid yourself of this pest, take some time to learn more about preventing adware / spyware problems on your computer. Read:

Spyware General Information

Defeating Spyware

And finally, if this helped you, and you found this guide useful, please bookmark our website, tell others about us, and leave us some positive feedback on our feedback forum (registration required) or by e-mail: dexter @ short-media.com (remove the spaces.)

Even better, you can join a fantastic charitable project and become a member of a team that is driven to help cure diseases using the power of our computers. Intrigued? Read down the page a bit :)

Now isn't that better than asking you to donate by Paypal? ;)

Dexter...

Last Update: 21 Sep 04

- added info re Ad-Aware SE Personal v1.05




Programs such as Hijack This, HSRemove and About:Buster are third-party applications. ShortMedia, LLC takes no responsibility or offers no warranty for the use of those programs on your computer.

Comments

  • DexterDexter Vancouver, BC Canada
    edited August 2004
    If you do not see one of the bogus services listed in Step 4 of this removal guide, please do the following:

    First, try hard-rebooting back to Safe Mode, and check the services control panel again (in other words, repeat Step 4 in Safe Mode.) If you find one of the listed services now, stop it and disable it. Then skip to Step 7.

    If you still do not see one of the listed bogus services, please stay in Normal Mode, and download the file attached to this post, "Get Active Services." Unzip that to the same folder you have Hijack This in. Run the program "get active services.vbs". This is a Visual Basic Script. Your anti-virus software may be set to warn you if VBS scripts run (Norton Anti-Virus will pop-up a warning.) Tell your anti-virus software to "authorize" or "allow" this script.

    The script will scan your services, and generate a text file called Active.txt.

    Scan the text file for any of the three services listed above. They will appear like this:


    Network Security Service: ½O.#ž‚„õØ´â
    "C:\WINDOWS\ipyt32.exe" /s

    or

    Workstation NetLogon Service: ½O.#ž‚„õØ´â
    "C:\WINDOWS\ipyt32.exe" /s

    or

    Remote Procedure Call (RPC) Helper: ½O.#ž‚„õØ´â
    "C:\WINDOWS\ipyt32.exe" /s

    The actual file name will be different, and will match one of the O4 RUN entries in your HJT Log. But the funny characters displayed after the service name are (so far) the giveaway; they appear after each of the bogus services.

    Now you know for certain the service name on your computer. Go back to Step 4 of the removal guide, enter the services control panel, and look again for the service name you just found. Stop it and disable it as instructed.

    Note: Some users have reported having trouble using the Active Processes script. If you have trouble, you can check your services through Hijack This. Run HJT. Click on Config -> Misc Tools. Check off the 2 options under the button that says "Generate StartupList Log", then click the button itself. Generate that log, save it as a text file, and then examine that log. It is a very long and detailed log, but scroll down until you see the line "Enumerating Windows NT/2000/XP services"

    That section will show you all of the services on your computer, active or inactive. With a startuplist log from HJT, the bogus service will not have the strange characters behind the name. However, look for the names of the known bad services, and keep an eye out for the exe file attached to the service. If you see one that matches the HSA name pattern attached to one of the known bad services, it will be your problem entry. An example:

    Remote Procedure Call (RPC) Helper: C:\WINDOWS\system32\atlkb32.exe /s (autostart)


    If you still have trouble identifying the service, take the text file from Get Active Services (or HJT's startuplist log if you had to use it instead), register for our forums, and post the services log file in the Security - Spyware / Virus / Trojan forum, along with your HJT scan. Either attach the text as a file attachment to the post, or copy and paste the raw text data into the post. We will help you identify the service, and if it is a new one, we will add it to the guide.

    Dexter...
  • DexterDexter Vancouver, BC Canada
    edited August 2004
    If your Notepad.exe file has been damaged by Malware

    Some users have reported that their spyware/adware/virus problems have damaged their Notepad.exe file. This is a known tactic of some forms of malware. They think that by deleting your Notepad, you will not be able to use Hijack This, or other tools which generate a text file automatically.

    If your Notepad.exe file has been damaged, you can restore it from your Windows install CD. Search the CD for the filename, replacing the last character with an underscore; for example, Notepad.exe would be saved as Notepad.ex_ on the CD. When you find it, open a command prompt by clicking Start Menu -> Run. Type in CMD and press enter. (Windows versions 95 through 2000 also have a shortcut somewhere in the start menu called MS-DOS which will do the same thing.)

    Once the DOS command window is open, click in it and type the command EXPAND, followed by the full pathname of the file on the CD and of the desired destination on your hard drive. For example:

    EXPAND D:\SETUP\NOTEPAD.EX_ C:\Windows\NOTEPAD.EXE

    If either pathname contains any spaces, surround it with double quotes, i.e.: "C:\My Windows Directory\NOTEPAD.EXE".

    If the file isn’t found, search on the filename with the exe instead of ex_. It will probably be inside a CAB file, which Win XP treats as a folder. Simply right-drag and copy the file to the desired location. On Windows OS's older than XP, search for a file matching *.cab that contains the filename. When the search is done, open a command prompt and enter EXTRACT /L followed by the desired location, the full pathname of the CAB file, and the desired filename; for example:

    EXTRACT /L C:\Windows D:\I386\Driver.cab Notepad.exe

    Again, if the destination or CAB file pathname contains spaces, surround it with double quotes.

    If you have trouble extracting your Notepad exe file, please register in our forums for assistance.

    Note: Other websites are actually posting this file for download, which technically is a violation of Microsoft's copyright, so is not recommended here. If you search the web and come across a copy of this file, and you choose to install it, you do so AT YOUR OWN RISK, and doing so is not recommended by our security team. The safest thing to do is to extract it from your OS disk, where the file is known to be good.


    Dexter...


  • DexterDexter Vancouver, BC Canada
    edited August 2004
    Additional Information on Possible Missing Files

    Some variants of HSA may follow some of the old CWS tricks of deleting certain system files to make it easier to re-infect you. Files which may be affected are:

    - Control.exe
    - HOSTS (with no extension)
    - SDHelper.dll (if you are using Spybot Search & Destroy)

    Do a search on your system to see if you have those files. If they are missing, read on to restore them.

    To restore your control.exe, follow the directions in Post #3 above to extract it from your Operating System Install CD to the correct directory:

    - For Windows 95/98/98SE/ME, extract to C:\WINDOWS.
    - For Windows 2000 extract to c:\winnt\system32\
    - For Windows XP extract to c:\windows\system32\


    Other websites are actually posting this file for download, which technically is a violation of Microsoft's copyright, so is not recommended here. If you search the web and come across a copy of this file, and you choose to install it, you do so AT YOUR OWN RISK, and doing so is not recommended by our security team. The safest thing to do is to extract it from your OS disk, where the file is known to be good.

    To restore your HOSTS file, open My Computer, and navigate to C:\WINDOWS\system32\drivers\etc (may be C:\WINDOWS NT\system32\drivers\etc depending on your OS version.) Look for a file called HOSTS. It will have no 3 letter file extension on it. Right click on the file, and choose OPEN WITH. If you do not have that as an option, choose OPEN, and you will be presented with a list of programs to try and open the file with. Choose to open it with the Notepad program.

    You should see a text file that starts by saying:
    # Copyright (c) 1993-1999 Microsoft Corp.
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    # For example:
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost
    ########

    Any line that starts with a # sign is called a "comment" and is ignored by the system, it is information for the user only.

    After that, you may see a list of entries that look like this:

    123.4.5.6 bad_website_name.com

    Any bad website entry that points to a numbered domain that does not start with 127.x.x.x. needs to be removed. This setting is basically like an address book, it is telling your computer where to always find the bad website listed above.

    You may also see

    127.0.0.1 good_website_name.com

    Anything that starts with a 127.x.x.x address is called a "loopback." It is effectively pointing your browser to a non-existent internal address for that website, which prevents that website from ever loading on your computer. Many virus / spyware / adware infections do this to known anti-virus and anti-spyware websites. Any good websites that start with 127.x.x.x need to be deleted from your HOSTS list.

    If you are not sure what is good and what is bad, you can simply start with a clean HOSTS file: highlight all of the listings, and press delete to erase them, then re-save the HOSTS file.

    If you had custom hosts installed, you will need to reinstall them. Spybot Search and Destroy can also add some known bad domains to your HOSTS file. You may also wish to run the program OmegakillerSM from Short-Media.com to add protection against the Omegasearch browser hijacks. OmegakillerSM is available on our Security Downloads Page. In both of those programs, you will see some comment lines which tell you that the entries were added by these good programs:
    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy

    # added by OmegaKiller
    # added by OmegaKiller

    Those mark the start and end of the good entries added by those programs.


    To replace SDHelper.dll, simply reinstall Spybot S&D. Again, other websites may be hosting this file in violation of copyright. If you choose to download it from another site, you do so AT YOUR OWN RISK, and doing so is not recommended by our security team.

    If you have any questions about missing files, please register for our forums and post it in the Security SVT forum.

    Dexter...


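As an added example, not from the post above and not one of Short-Media's tools, the Python script below applies the rules in that post to a HOSTS file: it labels lines that redirect a host name to a non-loopback address ("redirect"), lines that point a host name at 127.x.x.x outside the Spybot and OmegaKiller marker blocks ("blocked-site"), and, in clean_hosts, rebuilds the file keeping only comments, the markers, the localhost line and the entries inside those marker blocks. The sample file is constructed: the header comment and marker lines are the ones quoted in the post, the host names are made up. Because the OmegaKiller marker is the same line at the start and at the end of its block, the script treats that line as a toggle; that reading of the two identical lines is an assumption.

```python
import ipaddress

# Constructed sample HOSTS file. The header comment and the Spybot / OmegaKiller
# marker lines are the ones quoted in the post above; the host names are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# For example:
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
123.4.5.6 bad_website_name.com
127.0.0.1 good_website_name.com
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 known-bad.example
# End of entries inserted by Spybot - Search & Destroy
# added by OmegaKiller
127.0.0.1 omega.example
# added by OmegaKiller
"""

SPYBOT_START = "# Start of entries inserted by Spybot - Search & Destroy"
SPYBOT_END = "# End of entries inserted by Spybot - Search & Destroy"
OMEGA_MARK = "# added by OmegaKiller"   # appears twice: opens and then closes the block (assumed)


def review_hosts(text):
    """Label every line of a HOSTS file.

    Returns (line_number, original_line, verdict) tuples. Verdicts:
      comment, marker, localhost, trusted-block (inside Spybot/OmegaKiller markers),
      blocked-site (127.x.x.x pointing at some other host name),
      redirect (a non-loopback address for a host name), malformed.
    """
    results = []
    in_spybot = in_omega = False
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line == SPYBOT_START:
            in_spybot, verdict = True, "marker"
        elif line == SPYBOT_END:
            in_spybot, verdict = False, "marker"
        elif line == OMEGA_MARK:
            in_omega, verdict = not in_omega, "marker"
        elif not line or line.startswith("#"):
            verdict = "comment"
        else:
            # drop a trailing '# ...' comment, then split into address and host names
            fields = line.split("#", 1)[0].split()
            try:
                addr = ipaddress.ip_address(fields[0])
            except ValueError:
                verdict = "malformed"
            else:
                hosts = [h.lower() for h in fields[1:]]
                if not hosts:
                    verdict = "malformed"
                elif in_spybot or in_omega:
                    verdict = "trusted-block"
                elif addr.is_loopback and hosts == ["localhost"]:
                    verdict = "localhost"
                elif addr.is_loopback:
                    verdict = "blocked-site"
                else:
                    verdict = "redirect"
        results.append((num, raw, verdict))
    return results


def flagged(text):
    """Only the lines a user should look at: redirects, blocked sites outside the
    trusted blocks, and anything that cannot be parsed."""
    return [(num, raw.strip(), v) for num, raw, v in review_hosts(text)
            if v in ("redirect", "blocked-site", "malformed")]


def clean_hosts(text):
    """Rebuild the file keeping comments, markers, the localhost line and the
    entries inside the Spybot / OmegaKiller blocks; everything else is dropped."""
    keep = {"comment", "marker", "localhost", "trusted-block"}
    return "\n".join(raw for _, raw, v in review_hosts(text) if v in keep) + "\n"


if __name__ == "__main__":
    for num, line, verdict in flagged(SAMPLE_HOSTS):
        print(f"line {num}: {verdict:12} {line}")
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

A "blocked-site" verdict is not automatically bad: a user who added their own loopback entries, or a program that does not write the marker lines, will show up here too, so the flagged list is something to read, and clean_hosts is the equivalent of the post's "start with a clean HOSTS file" while preserving the entries the two marked programs added.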
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    An alternative HSA removal method:

    First, we need to identify the problem files.

    Take a look at your log. You will see that the R1 and R0 entries all have a pattern. They start with res:// and then there is a path to C:\WINDOWS or C:\WINDOWS\SYSTEM32 with a randomly named DLL in there. The DLL naming is five letters dot DLL (for example: txtzv.dll or jrhjt.dll or dxpzg.dll).
    The other thing common with HSA infections is the reloader app. This is an O2 - BHO entry, such as C:\WINDOWS\apigp.dll - same pattern.

    Now you'll have to find the executable part of the infection. It is usually an O4 - HKLM entry, and looks something like this:

    O4 - HKLM\..\Run: [addzu32.exe] C:\WINDOWS\system32\addzu32.exe

    You'll see that it also looks randomly named.

    Sometimes there is a second executable, also an O4 entry. It may look something like the following:

    O4 - HKLM\..\RunOnce: [crpy32.exe] C:\WINDOWS\crpy32.exe

    So, in essence, you must identify four files.

    Now, once you are armed with the infected files, you'll need to do the following:


    First open a window with C:\WINDOWS in it. If the files you found reside in C:\WINDOWS\SYSTEM32, then open another window with that folder visible. Basically, you'll want to have a window open for each file. If they all reside in C:\WINDOWS, then open a couple of windows with C:\WINDOWS visible in them.

    You should have both windows on screen, and everything else closed (internet explorer especially).

    Make sure hidden files and folders are viewable.


    Scroll down to the part in each window where you can see the problem files. It may help to sort by "type" when you do this, because it will group all DLLs and all EXEs together, which can make it easy to see the problem files. To sort by type, just click the column header that says "Type" in it.

    Now, open up the task manager (CTRL-ALT-DEL) and go to the processes tab.

    One at a time:

    Right click on the first executable process, the one that matches one of the .EXE files you found in your log. If you use our example names, the process will be C:\WINDOWS\crpy32.exe. Find the first, and select "END PROCESS TREE". It will give you a warning. Say yes. As soon as you do that, go into the window where you can see that file and DELETE IT


    Next, the next executable. For example, C:\WINDOWS\system32\addzu32.exe. Same thing, right click --> END PROCESS TREE. Go to C:\WINDOWS\SYSTEM32\ and delete it.

    Now, delete the other two files (C:\WINDOWS\txtzv.dll and C:\WINDOWS\apigp.dll in our examples).

    Now, end all IEXPLORE.EXE processes as well.

    Once all the bad processes are stopped and all those files are deleted, then remove ALL the R0 and R1 entries in your HJT log. Then remove the O2 entry that you identified, as well as the bad O4 entries.

    Now, after you have deleted all those entries, close HJT and then run it again. If you see anything similar to these entries, delete them as well. You'll have to use judgment here, because if you open a browser to paste your log here, you'll probably get reinfected and have to start all over again.

    THIS PART IS IMPORTANT:

    After you have cleaned the HJT log, UNPLUG the computer (no proper shutdown - just yank the cord).

    Restart it, and the infection should be gone, if you got them all. If not, it will get totally reinfected and you are back to square one.

    If you have any trouble identifying the offending files, your helper in the SVT forum will probably point out the bad files for you.
  • LincLinc Owner Detroit Icrontian
    edited March 2005
    Did those solutions help? Don't just run away into cyberspace again! :D

    Short-Media is also fueling the search for cures for diseases like Alzheimer's, Parkinson's, cancers, and many others. We're doing it by participating in the Folding@Home program, which uses our computers' spare power to understand proteins and how they can cause these problems.

    Check out this video about the project and why you should join!

    It's a great opportunity to meet new people on these forums, make some great friends, and have a lot of fun! It's a great thing to be a part of :)

    Everything About Folding@Home

    Join team 93! :rockon:
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited April 2005
    If you are confused about how to register on the forums and post, TheSMJ has written a simple guide to doing so:

    http://www.short-media.com/forum/showthread.php?t=30401

    :)