Search Assistant, Search Extender, Shopping Wizzard

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dr stre, Oct 11, 2004.

  1. dr stre

    dr stre Private E-2

    i want to get rid of home search assistant, search extender, and shopping wizzard (cause AIM to crash), but can't remove them with "change/remove programs". i have followed your "do this first" file, and now have my HijackThis log. please help!
     
  2. Quinndrew5

    Quinndrew5 Corporal

    You have Home Search Assistant (search extender and shopping Wizzard are connected to it). I have had the virus myself and i suggest you try this basic removal guide http://forums.majorgeeks.com/showthread.php?t=38772 , if that doesn't work you can come back and ask for more help
     
  3. Quinndrew5

    Quinndrew5 Corporal

    Also, post your HijackThis log as an ATTACHMENT, so that i can make sure it is Home Search Assistant that you have.
     
  4. dr stre

    dr stre Private E-2

    here's the HijackThis log.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do have an HSA infection but you also have a ton of other problems. These other problems need to be addressed first or they will make removing the HSA problem more difficult. First, you need to work thru ALL the steps in this Sticky thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    You should make sure you pay attention to the line discussing HSA and about:blank (and the HSremove and About:Buster programs). You should also run the Alternate Scans given and the two below:

    http://www.memorywatcher.com/uninst.exe
    http://tools.zerosrealm.com/PeperFix.exe

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After all the above has been completed post a new HJT log and we will determine what to do next (if still having problems).
     
  6. dr stre

    dr stre Private E-2

    ok, i followed those steps you guys gave me. apparently i didn't get everything, cuz i still can't get onto aim due to the three programs i listed earlier. here's my current hijackthis log. any pointers would be appreciated.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would go to Add/Remove Programs and uninstall Viewpoint Manager and all WildTangent stuff but the decision to do that is up to you. They are considered mild forms of spyware and are problematic in some cases. If you don't use or need them it would be best to uninstall this baggage that came from AOL when you install AIM.

    Make sure you have system restore disabled and viewing of hidden files enabled.
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    iepr.exe
    Equate.ico:tvnzq


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {8D02DCC5-CA50-28BE-8B1E-0DA145A1D540} - C:\WINDOWS\ietz32.dll
    O4 - HKLM\..\Run: [iepr.exe] C:\WINDOWS\iepr.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O9 - Extra button: (no name) - {1DA234FE-4E21-45C8-A785-1F762CCFD42A} - (no file) (HKCU)
    O9 - Extra button: (no name) - {422677E0-CFD8-4C0A-B98F-417A1B7DE8B5} - (no file) (HKCU)
    O9 - Extra button: (no name) - {6C90D2EA-225D-4727-80DF-BD2BE61FAD47} - (no file) (HKCU)
    O9 - Extra button: (no name) - {EC3581EB-EB60-495F-85CA-B3BB97F5AAF0} - (no file) (HKCU)
    O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Strelow\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Necgnqnj.dll (file missing)


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\iepr.exe
    C:\WINDOWS\ietz32.dll
    C:\WINDOWS\Equate.ico:tvnzq
    C:\WINDOWS\System32\dp-him.exe
    C:\Program Files\AutoUpdate <--- the whole directory

    Run About:Buster here in safe mode and save its log.
    Now reboot in normal mode and post the About:Buster log and a new HJT log. Make sure you provide some feedback on the results of these steps. Especially if problems occurred (like you could not find or could not delete a file etc). And tell us how things are working.
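
A way to triage HijackThis entries like the ones listed in the post above, added here as an example and not part of the original thread or of HijackThis itself. The section descriptions, flag names and the `parse_line` / `has_stream` helpers are assumptions made for illustration; the test lines it was written against are the ones quoted in the post.

```python
import re

# Meaning of the HijackThis section codes that appear in this thread.
SECTIONS = {
    "R3": "URLSearchHook",
    "O2": "Browser Helper Object",
    "O4": "Autostart (Run key)",
    "O9": "IE extra button / Tools menu item",
    "O16": "ActiveX (Downloaded Program Files)",
    "O21": "ShellServiceObjectDelayLoad",
}
LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path, ending at a closing quote, a trailing status note, or end of line.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]*?(?="|\s+\((?:file missing|HKCU)\)|$)')

def has_stream(path):
    """True when a name uses NTFS alternate-data-stream syntax (file:stream)."""
    rest = path[2:] if re.match(r"^[A-Za-z]:\\", path) else path
    return ":" in rest

def parse_line(line):
    """Split one log entry into section, CLSID, file path and review flags."""
    m = LINE.match(line.strip())
    if not m:
        return None  # not a HijackThis entry line
    code, body = m["code"], m["body"]
    clsid = CLSID.search(body)
    found = WIN_PATH.search(body)
    path = found.group(0).strip() if found else None
    flags = []
    # Registry entry whose target file no longer exists.
    if "(no file)" in body or "(file missing)" in body or body.endswith("is missing"):
        flags.append("missing-target")
    # Entry that points into a stream hidden behind an ordinary file name.
    if path and has_stream(path):
        flags.append("alternate-data-stream")
    # ActiveX control registered from a temporary directory.
    if code == "O16" and path and "\\temp\\" in path.lower():
        flags.append("loaded-from-temp")
    return {"code": code, "section": SECTIONS.get(code, "unknown"),
            "clsid": clsid.group(0) if clsid else None,
            "path": path, "flags": flags}
```

`has_stream` can also be run over the file and process names a helper asks to be removed; a name such as `Equate.ico:tvnzq` is a stream attached to a file, so it does not appear as a separate file in a normal directory listing.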
     
  8. dr stre

    dr stre Private E-2

    ok, i appreciate the help. got rid of WildTangent and viewpoint manager as you suggested. the symptoms of my problem have disappeared. my instant messenger works. i have noticed that the programs i mentioned in my first post are still there, but not affecting anything anymore. could not find the files (or the entire autoupdate directory) that you suggested deleting when i was in safe mode, and they're still not there, so i suppose that's good. i've attached my about:buster log and HijackThis log. if you see anything that looks like a time bomb waiting to happen, i'll get rid of it, but so far everything is working well. i appreciate all the help you guys gave me, and thanks for the apps to help keep things clean in the future.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have part of an HSA infection present and a line from WildTangent remains.

    Run About:Buster again (but in normal boot mode) and save the log.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {D23E3488-9904-AE6F-430F-ADD86960EFBD} - C:\WINDOWS\system32\msmf32.dll
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\msmf32.dll <--- Let me know if you have a problem finding this file.
    C:\Program Files\WildTangent <--- the whole directory

    Now reboot in normal mode and post the about:Buster log and a new HJT log.
     
