Home Search Assistant Removal


Williams201083
30 Aug 2004, 3:21am

Hi everyone! I have had the HSA for about a month now and it is doing my head in! I have used adware, spybot and pestpatrol to try and shift it with no effect and have briefly followed the removal guide without much luck. I am desperate to clean my computer from this annoying hacker so PLEASE would someone help me!! Thank you

Here is my HJT logfile:


Logfile of HijackThis v1.98.2
Scan saved at 03:05:01, on 30/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\msyy32.exe
C:\WINDOWS\syswh32.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qeett.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qeett.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qeett.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qeett.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qeett.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qeett.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {12869A5D-0FF9-B9AA-8BD8-9337FB04C5C6} - C:\WINDOWS\crpv32.dll
O2 - BHO: (no name) - {97B6F228-EA88-011B-1F32-75EB8601B853} - C:\WINDOWS\d3of.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [syswh32.exe] C:\WINDOWS\syswh32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\uqya.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB0854E5-9B33-42CC-A739-4A02510EB512}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)

SpywareShooter
30 Aug 2004, 11:05pm
Please see HSA Removal Guide (http://www.short-media.com/forum/showthread.php?t=18846)

Williams201083
31 Aug 2004, 1:39am
Hi Spyware shooter, thanks for your advice but I've just followed the HSA Removal Guide for over 2 hours and it hasn't solved the problem. I still have the HSA on my computer.

Here is my logfile after rebooting my system after following the guide. Do you have any suggestions? Thanks

Logfile of HijackThis v1.98.2
Scan saved at 01:26:08, on 31/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\msyy32.exe
C:\WINDOWS\apihy32.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AceGain\LiveUpdate\aceagent.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {70C06EC5-199D-FEF2-7785-6D008B0AC3BA} - C:\WINDOWS\javace.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [apihy32.exe] C:\WINDOWS\apihy32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\uqya.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB0854E5-9B33-42CC-A739-4A02510EB512}: NameServer = 195.92.195.95 195.92.195.94

SpywareShooter
31 Aug 2004, 2:00pm
It seems that following the removal guide got rid of quite a bit of it.

Before doing the following, please Set your computer to show hidden files and folders (http://www.short-media.com/forum/showpost.php?p=172588&postcount=3), Disable System Restore (http://www.short-media.com/forum/showpost.php?p=172591&postcount=4), and Reboot in Safe Mode (http://www.short-media.com/forum/showpost.php?p=175908&postcount=6).

Once you have done that, Run HijackThis and have it fix the following:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {70C06EC5-199D-FEF2-7785-6D008B0AC3BA} - C:\WINDOWS\javace.dll
O4 - HKLM\..\Run: [apihy32.exe] C:\WINDOWS\apihy32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\uqya.exe


Then find and locate the files listed above and Quarantine Them (http://www.short-media.com/forum/showpost.php?p=173532&postcount=5).

Once you have done that, reboot, scan with HijackThis again, and post a new log.

Williams201083
2 Sep 2004, 1:34am
Hi, thanks for your advice. I did as you said but it did not make any difference, so I tried again and after renaming the files in the quarantine folder, I deleted them. This made a difference when I rebooted but I cannot remove the R3 and O2 - BHO lines. Also, when I am searching for the folders in my computer for the O2 - BHO line, I can never find the file to remove. After rebooting, I use Internet Explorer to see if there is any difference and then run HJT; this only seems to bring back the R1 and R0 lines!

This HJT log is after I followed your advice and also deleted the files, not after I have used Internet Explorer.

Do you have any more suggestions? Thanks again

Logfile of HijackThis v1.98.2
Scan saved at 01:12:10, on 02/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\msyy32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\system32\winwl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AceGain\LiveUpdate\aceagent.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {405B5428-1D1B-5623-5C0C-90277B01474A} - C:\WINDOWS\system32\atliu.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winwl.exe] C:\WINDOWS\system32\winwl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

primesuspect
2 Sep 2004, 1:37am
You cannot delete HSA with hijack this alone. We can tell you all day what to delete, but HSA will still come back.

You must have missed something in the guide - did you follow it very closely, step by step? Did you find the bogus service? Did you do the HARD shutdown after deleting the files and stopping the service?

If you follow it exactly, it works.
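As an added example, not part of the thread, the following Python script parses HijackThis entries of the kind posted above and diffs two logs. The slots that survive while the file behind them changes name (the R1 search values moving from qeett.dll to qoiyh.dll, the unnamed BHO moving from crpv32.dll to javace.dll) and the Run entry re-created under a new file name (syswh32.exe, then apihy32.exe) are exactly the re-spawn signature primesuspect describes, which is why fixing lines with HijackThis alone does not hold. The sample entries are constructed excerpts in the shape of the first two posted logs, and the "self-named loader" heuristic is this example's own, not from the removal guide.

```python
import re
ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.+)$")
RUN = re.compile(r"^(.+): \[(.+?)\] (.+)$")      # "HKLM\..\Run: [name] path"
# Constructed excerpts in the shape of the first two posted logs (not the full logs)
LOG_A = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qeett.dll/sp.html#37049
O2 - BHO: (no name) - {12869A5D-0FF9-B9AA-8BD8-9337FB04C5C6} - C:\WINDOWS\crpv32.dll
O4 - HKLM\..\Run: [syswh32.exe] C:\WINDOWS\syswh32.exe
"""
LOG_B = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qoiyh.dll/sp.html#37049
O2 - BHO: (no name) - {70C06EC5-199D-FEF2-7785-6D008B0AC3BA} - C:\WINDOWS\javace.dll
O4 - HKLM\..\Run: [apihy32.exe] C:\WINDOWS\apihy32.exe
"""

def parse_hjt(text):
    """Return (section, slot, value): slot = where the entry hooks in, value = the file."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m: continue
        section, body = m.groups()
        if section[0] == "R" and " = " in body:          # "registry value = target"
            slot, value = body.split(" = ", 1)
        elif section == "O2":                              # "BHO: name - {CLSID} - path"
            slot, value = body.split(" - ")[0], body.rsplit(" - ", 1)[1]
        elif section == "O4" and (r := RUN.match(body)):
            slot, value = f"{r[1]} [{r[2]}]", r[3]
        else: slot, value = body, ""                       # e.g. "R3 - Default URLSearchHook is missing"
        out.append((section, slot, value))
    return out

def diff_logs(before, after):
    """A slot in both logs that now points at a different file is the re-spawn signature."""
    a = {(s, sl): v for s, sl, v in before}
    b = {(s, sl): v for s, sl, v in after}
    both = a.keys() & b.keys()
    return {"respawned": sorted(k for k in both if a[k] != b[k]),
            "removed": sorted(a.keys() - b.keys()), "new": sorted(b.keys() - a.keys())}

def self_named_loaders(entries):
    """Run entries named after their own file, sitting directly in the WINDOWS or system32 folder."""
    hits = []
    for section, slot, value in entries:
        folder, _, name = value.strip('"').rpartition("\\")
        if section == "O4" and slot.lower().endswith(f"[{name.lower()}]") \
                and folder.lower() in (r"c:\windows", r"c:\windows\system32"):
            hits.append(name)
    return hits
```

Run it over two full saved logs and the "respawned" slots plus the loader list tell you whether the removal held, before you post the next log.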

Williams201083
2 Sep 2004, 1:47am
Hi, I followed the guide closely but I'll try again. I'm desperate to get rid of this thing! Can I ask you what is the bogus service?
Thanks!

primesuspect
2 Sep 2004, 3:30am
Okay, the potentially bogus services are listed right on step 4 of the guide...

Also, dexter expanded (http://www.short-media.com/forum/showpost.php?p=174924&postcount=2) on the list of bogus services.

As long as you have the service running, you will never get rid of this. YOU MUST FIND AND DISABLE THE THING THAT RELOADS HSA, which is what the guide explains how to do.

Dexter
4 Sep 2004, 8:57am
Please use the program Get Active Services available in the link primesuspect gave you above. Get a text log of your active services, and post it here.

Dexter...