Uninstall Shopping Wizard, Home Search Assistent, Search Extender

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by training4life, May 31, 2005.

  1. training4life

    training4life Sergeant

    Please help me... I don't know what to do!!! :rolleyes:
     
  2. training4life

    training4life Sergeant

    Oh! By the way, my computer is Windows ME! :p
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    Also do the following:

    Download: "StartDreck", from here: http://www.niksoft.at/download/startdreck.htm
    Look to the bottom of that page and click the Download link. It should give you StartDreck217.zip

    Unzip to its own folder and start the program,
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread.
     
  4. training4life

    training4life Sergeant

    Mmmm... I've done that sticky thread already... But it's still there!!! :(
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The sticky thread is used to remove the more simple forms of malware and to get your PC into a known state to make it easier to fix more complex problems like this. It was not supposed to fix an HSA hijacker. Complete the steps of my first message.
     
    Last edited: Jun 1, 2005
  6. training4life

    training4life Sergeant

    Okay... I'm gonna do it now.. :D
     
  7. training4life

    training4life Sergeant

    Hello! Here is the log!!! :D
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One log down and another to go!

    You are way out of date with your MS updates.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is very important to remember that ALL browsers ( C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE ) be shut down before you run HijackThis.

    Also we must disable Spybot's Teatimer as it will more than likely get in our way.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    Now quit Spybot!


    You must only run one AV application. Pick the one you want to keep and uninstall the other.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  11. training4life

    training4life Sergeant

    Here is the startdreck log!!! ;)
     

    Attached Files:

  12. training4life

    training4life Sergeant

    What is MS Update?
     
  13. training4life

    training4life Sergeant

    Gosh! I don't even know that thing is installed! The SpyBlocs! How can I remove it?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Microsoft Updates to your OS and IE versions (and other tools too). Do not do any yet! We will get to that later.

    Do not reboot your PC now! Wait for my instructions on what to do next. If you need to log off, that is fine. Just no reboots or power downs, otherwise my fixes will probably no longer apply as this hijacker likes to mutate at power down.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look under Control Panel--> Add/Remove programs for an uninstall. If it is not there, we will do it manually. Let me know.

    Did you disable Teatimer yet?
     
  16. training4life

    training4life Sergeant

    What's AV Application?
     
  17. training4life

    training4life Sergeant

    Mmmmm.. The SpyBlocs is not in Add/Remove. The TeaTimer is disabled already! :D
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! You are not too familiar with PCs, are you? Don't take that the wrong way. Many users are not! It's just good for me to understand your experience level so I can write fixes accordingly.

    AV = Antivirus

    You have both Norton and AVG installed.
     
  19. training4life

    training4life Sergeant

    Okay! Thanks! Hey... I'm only a teenager! :D Um... Which do you think is the best "AV"?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's okay! Some teenagers are also more PC savvy than others. (And some don't know when to admit that they do not know it all. ;):D ). We prefer AVG or Avast over Norton and it has a free version to make things nicer.
     
  21. training4life

    training4life Sergeant

    Okay! Thanks! I'll remove Norton now! :D I'm planning to remove it anyways cuz' something has been deleted from Norton! :( I don't know what it is... Anyways! Never mind! Thanks for the tip!
     
  22. training4life

    training4life Sergeant

    I'm gonna restart so that Norton will totally be gone from my comp
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have about:Buster downloaded from the READ ME FIRST and install it into its own folder. And make sure you have UPDATED the database for about:buster. You will see when you run it. Just run it and check for updates. Do not run a scan right now.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested. Make sure you read through ALL of these steps and understand them before starting. If you have to stop midway, you will be starting ALL over again from posting new logs to me working a totally new fix up.

    Okay, unplug your internet connection and exit browsers now!!!!

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\ATLZT.EXE
    C:\WINDOWS\MSGK.EXE <--- this could be running multiple times as seen below
    C:\WINDOWS\SYSTEM\MSVS32.EXE
    C:\WINDOWS\MSGK.EXE
    C:\WINDOWS\MSGK.EXE
    C:\WINDOWS\MSGK.EXE
    C:\WINDOWS\MSGK.EXE


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you make sure you have exited all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL DIRECTED TO DO SO):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\swhhm.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\swhhm.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\swhhm.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\swhhm.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\swhhm.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\swhhm.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\swhhm.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {6BC89B26-3F90-063E-A9AF-B2D80F8C44B2} - C:\WINDOWS\APPHR32.DLL
    O4 - HKLM\..\Run: [OGAGENTL] C:\WINDOWS\SYSTEM\OGAGENTL.exe
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    O4 - HKLM\..\Run: [ATLZT.EXE] C:\WINDOWS\ATLZT.EXE
    O4 - HKLM\..\RunServices: [MSGK.EXE] C:\WINDOWS\MSGK.EXE /s
    O4 - HKLM\..\RunServices: [MSVS32.EXE] C:\WINDOWS\SYSTEM\MSVS32.EXE /s

    - Then exit HJT after clicking FIX
    - now run About:Buster and as soon as it finishes allow it to do the secondary scan. Then move onto the next steps.


    - Now we are going to have to boot to an MS-DOS prompt to work on fixing this problem. Please read through all of the steps first and ask any questions you may have before beginning. Make sure you understand all steps before starting.

    - Click Start and select Shutdown and in the window that comes up choose the one that says Restart the computer in MS-DOS mode.

    - When it boots you will be at the command prompt (full screen) enter the below commands each followed by the enter key. Let me know if you have any problems or get any error messages during these steps (tell me the exact error message).

    Now in command prompt window do the following:
    cd C:\WINDOWS\SYSTEM
    attrib -s -h -r MSVS32.EXE
    del MSVS32.EXE

    cd C:\WINDOWS
    attrib -s -h -r ATLZT.EXE
    del ATLZT.EXE

    attrib -s -h -r MSGK.EXE
    del MSGK.EXE


    attrib -s -h -r APPHR32.DLL
    del APPHR32.DLL


    win

    After typing win and hitting enter your system will boot back to Windows.

    - The first thing I want you to do is to run About:Buster one more time.

    - Then immediately reboot one more time
    - Now reconnect your cable to the internet and open one browser session and then close it.
    - Now get a new HJT log to post
    - Now connect back here and post the new HJT log and tell me how all the steps went.

    If the hijacker is still present, do not reboot or power down after posting your log.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NO!NO!NO!NO! and NO!

    If you do that or already did, my procedure may be useless. Read message # 14 again.
     
  25. training4life

    training4life Sergeant

    OMG! Sorry! I've already shut down... :( What should I do? I'm sorry!!!
     
  26. training4life

    training4life Sergeant

    Do you want me to get the log(s) again? Sorry! OMG!
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if the log has changed and whether the items I identified are all still the same. If so, run the steps of the fix. If not, post new logs and you'll have to leave your PC running until I can get back to you.

    It's 2:15am here and I need some sleep.
     
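As an added example (not part of the original thread, and not a MajorGeeks or HijackThis tool): the Python below parses HijackThis 1.99.1 entry lines like the ones listed in message #23, works out which files the flagged R0/R1/O2/O4 entries name, splits them into processes to kill, files to delete and files to keep, and emits the MS-DOS attrib/del sequence from that message. diff_logs does the check from message #27: whether the entries identified are still the same in a fresh log or have changed after a reboot. The log text is constructed from entries quoted in this thread (the "after" log simulates a renamed file and is invented). The KEEP allowlist is my assumption: iexplore.exe is Internet Explorer itself, so its Run entry goes but the file stays. The attrib_cmd parameter is there because a startup floppy may not carry attrib; the path C:\WINDOWS\COMMAND\ATTRIB.EXE in the usage note is an assumption about where Windows ME keeps it, not something the thread states. The generated delete list includes every file the flagged entries name, including the DLL behind the res:// search URLs, so compare it against the operator's list before typing anything.

```python
import re
from collections import OrderedDict

# Constructed sample: HijackThis 1.99.1 entry lines copied from the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\swhhm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\swhhm.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6BC89B26-3F90-063E-A9AF-B2D80F8C44B2} - C:\WINDOWS\APPHR32.DLL
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [ATLZT.EXE] C:\WINDOWS\ATLZT.EXE
O4 - HKLM\..\RunServices: [MSGK.EXE] C:\WINDOWS\MSGK.EXE /s
O4 - HKLM\..\RunServices: [MSVS32.EXE] C:\WINDOWS\SYSTEM\MSVS32.EXE /s
"""
# Invented "after reboot" log: the hijacker has renamed ATLZT.EXE (simulated mutation).
SAMPLE_LOG_AFTER = SAMPLE_LOG.replace("ATLZT.EXE", "QWXR.EXE")

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RES_RE = re.compile(r"res://(?P<path>[A-Za-z]:\\[^/#]+)", re.IGNORECASE)
# O4 value: a path ending in .exe/.dll/.com, optionally followed by arguments such as " /s".
O4_RE = re.compile(r"\]\s+(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com))(?:\s+\S.*)?$", re.IGNORECASE)

# Assumption: files whose autostart entry is removed but which must not be deleted.
KEEP = {r"c:\program files\internet explorer\iexplore.exe"}


def parse_hjt(text):
    """Return [(code, body), ...] for every HijackThis entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def referenced_files(entries):
    """Map each file path an entry names to the set of codes that referenced it.
    Handles res:// search URLs (R0/R1), BHO DLLs (O2) and autostarts (O4).
    Entries with no file (about:blank, 'is missing') contribute nothing."""
    files = {}
    for code, body in entries:
        path = None
        if code.startswith("R"):
            m = RES_RE.search(body)
            path = m.group("path") if m else None
        elif code == "O2":
            tail = body.rsplit(" - ", 1)[-1]
            path = tail if re.match(r"[A-Za-z]:\\", tail) else None
        elif code == "O4":
            m = O4_RE.search(body)
            path = m.group("path") if m else None
        if path:
            files.setdefault(path.lower(), (path, set()))[1].add(code)
    return {orig: codes for orig, codes in files.values()}


def plan(entries):
    """Split the referenced files into (processes to kill, files to delete, files to keep)."""
    files = referenced_files(entries)
    kill, delete, keep = [], [], []
    for path in sorted(files, key=str.lower):
        if path.lower() in KEEP:
            keep.append(path)
            continue
        delete.append(path)
        if path.lower().endswith(".exe") and "O4" in files[path]:
            kill.append(path)  # autostarted executables will be running and must be killed first
    return kill, delete, keep


def removal_batch(delete, attrib_cmd="attrib"):
    """Emit the MS-DOS commands from the procedure: per directory, clear S/H/R then delete.
    attrib_cmd lets you name the copy on the hard disk when the boot floppy has no attrib."""
    by_dir = OrderedDict()
    for path in delete:
        directory, _, name = path.rpartition("\\")
        by_dir.setdefault(directory.upper(), []).append(name)
    lines = []
    for directory, names in by_dir.items():
        lines.append(f"cd {directory}")
        for name in names:
            lines.append(f"{attrib_cmd} -s -h -r {name}")
            lines.append(f"del {name}")
    lines.append("win")  # return to Windows when done
    return lines


def diff_logs(old_text, new_text):
    """Entries that vanished and entries that appeared between two logs (the mutation check)."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    kill, delete, keep = plan(parse_hjt(SAMPLE_LOG))
    print("kill:", *kill, sep="\n  ")
    print("keep (entry only):", *keep, sep="\n  ")
    print("\n".join(removal_batch(delete, attrib_cmd=r"C:\WINDOWS\COMMAND\ATTRIB.EXE")))
    gone, added = diff_logs(SAMPLE_LOG, SAMPLE_LOG_AFTER)
    print("changed since last log:", gone, added)
```

The batch is generated for a real MS-DOS boot, not a DOS window inside Windows: the "Sharing violation" and "Access denied" errors the user later reports are what happens when the files are still loaded, which is exactly why the procedure kills the processes first and then boots without Windows. If diff_logs reports changes, the old plan is stale and a fresh log has to be worked up, as the operator says in message #27.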
  28. training4life

    training4life Sergeant

    Um... Okay... How about this... You go get some sleep cuz' I also need to sleep already! I'm just gonna post if something change or whatever. Thank you so much!
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So what happened? Did it mutate?
     
  30. training4life

    training4life Sergeant

    Okay... This what happens so far...

    The Internet Explorer is not appearing when startup. Which is good cuz' before it always appears... That is the only improvement so far...

    Mmmm... But still the Shopping Wizard, Home Search Assistent, Search Extender are still there. Oh! Also... There are links that always appear when I'm starting Internet Explorer... Like "seven days of free porn", "search the web", "only sex website" and "sites about"... Oh! Also, my homepage changed to about:blank....

    Um... What else? Um... Here are the errors that I have come across during the "fixing of my computer":

    There is an error at the MS-DOS part (when I've type this attrib -s -h -r APPHR32.DLL then enter) saying...
    Sharing violation reading drive C
    Abort, Retry Fail

    Also when I type... del APPHR32.DLL. There is an error saying... access denied....

    What should I do?! I'm gonna post another log!
     
  31. training4life

    training4life Sergeant

    Hello! Here are the log(s)... :confused:
     

    Attached Files:

  32. training4life

    training4life Sergeant

    Um.... Also! There is a site that always appears out of the blue!!! The site's name is HARD MOVIES... Also! There is a pop-up sort of... That contains weird no. Then a balloon appears near the clock saying your computer might get infected... Then when you double click it... A Help Browser appears... Mmmmm... It's title is Fight Spyware...
     
  33. training4life

    training4life Sergeant

    Just wondering... What will happen if I shut down?
     
  34. training4life

    training4life Sergeant


    What do you mean by mutate? :confused:
     
  35. training4life

    training4life Sergeant

    Can I ask you something? Is it wise to download Enough is Enough and IE-SPYAD?
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you did not boot to an MSDOS prompt as requested. You opened an MSDOS prompt window while Windows was running which is not what I asked you to do.
     
  37. training4life

    training4life Sergeant



    How can I boot to an MS-DOS prompt w/o Windows running?
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Message # 23 told you how to do this.
     
  39. training4life

    training4life Sergeant

    But in the Shut Down... There is only Shut Down, Restart, and Stand By...
     
  40. training4life

    training4life Sergeant

    What should I do?
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! I forgot that WinMe does not have the same option that Win9x systems had.

    You will need a WinMe Startup Disk (a boot floppy).
    Do you have a floppy drive?
    Do you have a WinMe Startup floppy disk?
    If not, do you have floppies to make one?
    Do you know how to make one?
     
  42. training4life

    training4life Sergeant

    I don't have the WinMe Startup Disk.
    We have a floppy drive.
    I don't know how to make one... :(
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bring up Control Panel and Select Add/Remove Programs.
    Then click on the Tab that says Startup Disk
    Put a blank floppy (or one you do not mind erasing) into the floppy drive.
    Click Create Disk

    After doing this, verify that you can actually boot your system from the floppy. It will boot to an MS-DOS prompt. No Windows! After verifying this, come back here and post a new HJT log since the reboot may cause things to mutate (that means change).
     
  44. training4life

    training4life Sergeant

    Okay... I'll be doing that! :D Thanks!
     
  45. training4life

    training4life Sergeant

    Hey! I've got questions for you:

    How can I start the computer in MS DOS mode (command prompt)?
     
  46. training4life

    training4life Sergeant

    How can I boot the system from the floppy? Please explain this to me... Thanks!
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You leave the Startup disk floppy that I had you make in your floppy drive and reboot your PC.

    As long as your PC is configured to look at the floppy first, it should boot from the floppy.
    If it does not boot from the floppy, you will need to enter your system BIOS (a key usually needs to be hit at boot up. Like the Delete key or F2 or Esc ). And then in your system BIOS you will need to change the Boot sequence to make sure it looks at the floppy drive before the harddisk.
     
  48. training4life

    training4life Sergeant

    Please explain it to me... I can't understand... What is boot up?
     
  49. training4life

    training4life Sergeant

    There is an error while I'm in MS-DOS... It said... Bad command when I'm typing -s -h -r......... And File not Found when I'm typing del....
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    -s -h -r is not the whole command I gave you. But you are not even supposed to be doing anything yet. You were supposed to tell me when you finally got your system to boot up with the floppy to the MS-DOS command prompt. And then I wanted a new HJT log to see what is on your system now. Then I was going to work up a new procedure for you to use since things have changed (malware wise) and also since we are booting from a floppy.

    The attrib command is more than likely not on your floppy so we will need to change the command so the one on your hard disk is found.
     
