
Home Search Assistant removal

I just fought a long battle with Home Search Assistant, so I thought I'd share. Please forward this on to other places so that more people can get this crap off of their systems.

I am running Windows XP Service Pack 2 (but this should work for all versions of Windows, notes in step 2 and )

1. I downloaded HSRemove
2. Here I would have downloaded Windows XP Service Pack 2, if I didn't already have it burned to a CD. Whatever Windows OS you are running, either download the latest service pack or the latest Internet Explorer. Later in this process you will re-install IE (included in Windows XP SP 2) to remove some of the spyware's entries.
3. I downloaded aboutbuster and also hijackthis
4. In the services manager, I found the spyware service. At this point, I only selected it, but did not stop it.
5. In the registry, under HKLM\SYSTEM\CurrentControlSet\Services, I searched for the matching display name of the service. As it turns out, the real name of this service was random characters: O?’ŽrtñåȲ$Ó
6. I then stopped and disabled the service, and then immediately opened the permissions information for this specific key in the registry. I unchecked the inherit permissions from parent, and then removed all users from the ACL. Doing this prevents any account from reading/writing the key, and only allows the owner to change permissions. This will prevent the service from being restarted or "fixed" while the .exe's are still running.
7. I then ran HSRemove to terminate the services and remove the random files.
8. At this point, running HSRemove again should detect no more files, as the service that relaunches the .exe's can no longer be run. However, running Internet Explorer will cause it to load into memory and run again. Running HSRemove again if you accidentally opened IE will restore you to the state you were at in step 7.
9. At this point, I ran aboutbuster and let it proceed as normal (scan, fix, scan again).
10. Now I ran hijackthis and removed every entry that I did not recognize. Hopefully you are familiar enough with Windows to know what needs to be there and what is added by the spyware. Generally, things that are c:\windows\xxxx.exe are the bad guys.
11. Open c:\windows\system and delete any applications or .dll's that match the naming convention of this spyware. Most often, they have five characters and then .exe or .dll. These files are always marked as hidden (you will need to have shown all files from the Windows Explorer setup under tools\options). Looking at the file information for these suspect files will either return simply the name of the .exe or sometimes it is called unknown application. Also, these files will have no versions or other identifying information. Microsoft supplied .exe's and .dll's will always say that they are from Microsoft.
12. At this point, you should reboot the computer and run HSRemove again as well as hijackthis to ensure that everything is truly as it was in step 7. I found that steps 7-11 caused the process to cease from autolaunching at boot time.
13. Make sure that you haven't run IE since step 7, and then install Windows XP SP 2 (or the SP or IE for your OS obtained in step 2).
14. When asked to reboot, please do so.
15. Now right click on the IE icon on the desktop and reset your homepage. Also, it would probably be a good idea to reset all web settings at this time.
16. Voila! At this point I found myself virus free! A simple way to test if it worked or not is to re-create your hosts file (either in c:\winnt\system32\drivers\etc\hosts or c:\windows\system32\drivers\etc\hosts) as the spyware will immediately delete the hosts file if it is run. Open the containing folder of the hosts file, and then launch IE. If hosts remains after IE is run, then the spyware is gone.

Let me know how this goes for you at spywarehtr@yahoo.com

Regards,
SpywareHtr
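
A read-only check for the indicators described in steps 5 and 11, added here as an example; it is not part of the original post or of any tool the post names. It assumes PowerShell 3.0 or later, and the `$SystemDir` parameter and the printable-ASCII test for a "random characters" service name are assumptions.

```powershell
# Added example: read-only triage for the indicators in steps 5 and 11.
# Nothing is stopped, deleted or modified.
param(
    # Assumption: folder to inspect; the post looks in c:\windows\system.
    [string]$SystemDir = "$env:windir\system"
)

# Step 5: service keys whose real (key) name contains characters outside
# printable ASCII, as with the random-character name found in the post.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$oddServices = Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '[^\x20-\x7E]' } |
    ForEach-Object {
        # A key whose ACL was emptied (step 6) cannot be read; values stay blank.
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            KeyName     = $_.PSChildName
            DisplayName = $props.DisplayName
            ImagePath   = $props.ImagePath
            Start       = $props.Start   # 4 means the service is disabled
        }
    }

# Step 11: hidden .exe/.dll files with a five-character base name and no
# company name or file version in their version resource.
$suspectFiles = Get-ChildItem -LiteralPath $SystemDir -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.BaseName.Length -eq 5 -and
        $_.Extension -match '^\.(exe|dll)$' -and
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        [string]::IsNullOrWhiteSpace($_.VersionInfo.CompanyName) -and
        [string]::IsNullOrWhiteSpace($_.VersionInfo.FileVersion)
    } |
    Select-Object FullName, Length, LastWriteTime

'Service keys with non-ASCII names:'
$oddServices | Format-List

'Hidden five-character .exe/.dll files with no version information:'
$suspectFiles | Format-Table -AutoSize
```

Both lists are candidates for manual review against the service display name and file properties, not confirmed detections.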