"Only the best" / Home search assistent Variants and Page hijack list

You would have to print out the list that shows the variants in the above posts.

Did you do this in safe mode? In safe mode you should be able to delete almost anything. Make sure every step, until I said to restart in normal mode, is done in safe mode.

Let me know
Jnick

 

Continuing my search for a fix, I still have found nothing. Though my method "took most of it out", I still have the annoying Xp Office reinstall, which is telling me it's still in my system.

So far these programs find NOTHING:

Trojan Hunter (though it does say:

Warning: Unable to unpack UPX-packed file C:\RECYCLER\S-1-5-21-1715567821-362288127-725345543-1004\Dc8.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\system32\javawr.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\system32\sysym.exe (Add to ignore list))
Think I need to get rid of those files, or try and quarantine them?

Aluria SpyWare
Adaware
Spy Bot Search and Destroy

Does anyone know if any corporations (Lavasoft, Symantec) is working on a fix.

Jnick

 

Re: "Only the best" / Home search assistant Variants and Page hijack list

Hey TOMMYD1973...Thanks for your post. Before I read what you wrote...I tried for countless hours to fix this damn res://npsfi.dll crap. (or something similar to that) I did what you said..and it worked. You have to be weary of the .dll files when you right click and hit properties, it doesn't give you a "version" tab. I deleted all of those. Also, I did the same for .exe files. If the properties didn't have a "version" tab....out they went. Same goes for .dat files that didn't have the "versions" tab. Some couldn't be deleted, so I wrote those names down to erase later in the steps. Now, you can find all of these in your Windows/System32 folder. To help, I sorted the list by "date" because my computer just recently got infected...so it wouldn't make sense to look for something 1 year old.

If you can't delete some files, do as Tommy says...restart, hit F8 and boot in "Safe Mode." Repeat the steps I mentioned above with the "version" tab under properties. Or, if you wrote the ones down that wouldn't delete... look for them and erase.

For the next step, I ran "HiJackThis" and compared notes with what others had erased. If I found anything that matched. Than, I finally ran Ad-Aware to find a few more in my registry I had missed.

You see, it may take some time...but it is well worth it. My internet isn't messed up anymore and I feel relieved. Goodluck.

 

My computer just got this thing today.

I have a process called mfcck.exe running in my processes list. And another one: SYSTRA~1.EXE.

Also, a file that appeared just today: sysms32.exe

I am 100% sure those weren't in my processes list before I got this "One of the Best" thing.

 

jnick, your solution worked! I had to delete mfcck.exe and sysms32.exe along with a bunch of .dll files, ran HijackThis, fixed the stuff in there (all this in Safe Mode), and deleted the registry entries for HSA, SA (mine was SE), and SW, then went to normal mode, opened IE, and it did the same thing, except that the file wasn't there so it opened an error page, then I ran HijackThis again and fixed that one entry. Then changed the starting page for IE, and when I re-opened it, it was fine!

*crossing fingers* Let's see how long this will last..

I hope everyone would be able to fix this. It's really annoying. It kept me up till 6 am...

 

Hi hopefully we can find a solution for this problem
I have the vzhrc.dll variant, it had mutated from xnsif.dll after I tried removing it.
I also wonder if these two processes have anything to do with this problem
-addtx.exe
-appxo.exe

This popped up in Windows Task Manager after I tried to go to the liutilities.com site.
-crdh32.dll
Then it shut off all Internet Explorers.

 

Re: Solution

Jnick, your method has worked for me thus far. For all those looking to get rid of this thing, I recommend using Major's method in conjunction with Jnick's registry thing.

Just a quick note: when in the registry, be on the lookout for names in the uninstall list that are only letters (HSA, SW, SE, etc...) and delete them if they only have 3 keys within them.

 

Re: Solution

You should delete the ones that have looking-cc or something along those lines in them.

 

I'm glad it helped guys. The question is, do you think it is FIXED or quarantined? I'm still having the microsoft XP office proffessional problem. I might just reinstall it, and cross my fingers.

Jnick

 

Well the system seems clean now. I uninstalled, reinstalled office XP and it's fixed. So far everything is working smoothly.

Major Attitude: Maybe you should make a sticky thread of the fixes that we know work so far? Just a suggestion.

Great work guys.

Jnick

 

Hey, what do you mean by the Office XP problem? What's it doing? I'm not sure if I'm getting that problem... Or maybe I just didn't notice...?

 

This spyware we had would keep askin, upon opening Windows explorer browsers, or Internet Explorer, to install Office XP Professional. It would get REALLY annoying. This only affected you if you had Office Xp Professional 2003. Trust me, you'd know if you had it ;-). That's how annoying it was.

Jnick

 

Ahhh.. I have Office 2000, so that explains it.

Also, does anyone happen to know what SYSTRA~1.exe is? It's still in my processes list, and it's also in my Windows prefetch directory... Any thoughts? It might not be related to this at all, but I think it IS, because I've never seen it in the processes list before.

 

I re-installed Office AND Publisher (they were installed separately) and that took care of the Office problem. I'm thinking you might only have to uninstall Publisher to fix the office problem and not the entire office suite. Anyone try that?

But the symptoms of the problem are gone on my system now. Hopefully someone will figure out how to be sure this thing is rid of and gone. But at least all the annoying symptoms are gone now. Thanks to everyone on here with their suggestions and help with this.

 

can someone please make a complete step-by-step list of what i need to do to get rid of this thing?

thanks

 

My method to stop "Only the Best" browser hijacker:

1) Use the Microsoft Management Console to stop and disable the local service, "Network Security Service". This service is the method the spyware uses to restore itself when deleted.

2) Use Hijack This to stop and remove the Browser Helper Object, addhr.dll

3) Use Hijack This to stop the executable, addhr.exe, from running at startup.

4) Reboot.

5) You can now delete addhr.dll, addhr.exe and any other suspect files from system32 folder. You can also use regedit to remove the service noted in 1 above.

After doing this I have remained clean for several hours. I also installed the 1.3 version of Spybot - S & D with the download blocker for IE feature turned on, hopefully preventing any new infections.

If more detailed instructions are needed I will be glad to supply them

 

Thanks for the re-cap.
Could you also tell us the location of the above files you deleted, since they seem to be random filenames once they mutate/replicate? I'm especially concerned with finding the .exe files.

On a side note, I have now found three different infected entries in my add/remove programs:
1) Home_Search_Assistent (yes, the spelling of assistant is wrong)
2) Shopping_Wizard
3) Search_Extender

All of these will direct your browser to the "looking-for.cc" webpage when you attempt to uninstall them using add/remove program.

I spent four hours with McAfee techs trying to get rid of this and they couldn't figure it out.
Thanks for all of your help!

 

The exe and dll files should have the same name and be located in the system32 folder under the Windows/WinNT folder. They should be fairly easy to spot in the Hijack This listing.

 

Yes so far nothings wrong with my computer, the only thing that is a little messed up is the fact that whenever I close Word, an error comes up telling me to install a newer version of Internet Explorer, even though I don't think its because of this little jerk face thing that needs to be shot 10 times and then ran over... anyways the point is if anyone else is expeirencing that same problem as me, let me know, but I think It's because I tried to uninstall Internet Explorer, and failed, so yeah.. if it is happening for someone else that had this problem and "fixed" it then please let me know, thank you and good luck to anyone who still loses sleep because of this. You can try my way thats posted on the thread, but It was pure luck that i deleted the right files. G'luck everyone. Thank you

 

Hmm, I found that too, chaslang, when I did a search on google... but - I think I know what it is now... I have a program called Systran (translation thing), and I think that is it. Because whenever I terminate that process, the tray icon for the Systran utility disappears. I guess I never noticed it, that's all.

 

Sorry for the length of time it took to reply. I could not log in until I got admin to reset my password for some reason.

Sorry I wasn't clear, I did not mean that your exe and dll files would have the same name as mine. I mean that the dll (BHO) and exe (that runs at startup) will have a the same name as each other and will therefore be easy to spot in a Hijack This listing.

By the way I am still infection free, going on 26 hours.

 

Hmm, I don't know if you have a variant of the one I had or I was just lucky. Not only did mine have the same names, but every time I deleted them, the recreated files had the same names as before.

Do you have the same local service mentioned in my first post?

 

Ok. Sorry to bother you. You don't seem to be reading my posts very well either.

 

I had success in completely removing the problem using the following process:
(Note that Ad-Aware does NOT remove this by itself.)

1. Download "Ad-Aware", install it, and update to the latest spyware definition file.
2. Download "HijackThis" and install it.
3. Boot the system in SAFE MODE and use "Ad-Aware" to remove everything it finds.
4. Run the "HijackThis" scan, and carefully go through the list checking off any "random-character" 5-letter files (like "agppa") which are loading from the Windows, System, or System32 folders; also check anything resembling "[Default]" as a standalone entry. Have the program remove all the checked files.
5. Reboot the machine normally and re-run Ad-Aware and HijackThis. (They shouldn't find anything else, but it never hurts to be sure ;-D)

Hope this helps!

 

My last attempt to be civil with you:

1. I never claimed yours or any one else's experience would be the same as mine, as you implied.

2. I was merely trying to summarize and relate my sucessful attempt to stop the reinfection from the hijacker on my system.

3. Your wrong about my not reading your earlier posts, I read every single post preceding mine, I just did not memorize the names of every person working from third party knowledge instead of first hand knowledge. I was merely replying to your replies to my post.

 

guys.. i think i have some info that might help!

ok.. when i was in the process of removing this trojan (yes.. it's a trojan) i realized that it's called downloader.agent and/or downloader.winshow (my dat files were downloader.agent.BO and the .dll files were called downloader.winshow.AN). I used a program that i got from my significant other (=D) called AVG Anti-Virus 7.0 (free for 7 days), Ad-aware, and Hijack This!

i put my pc in safe mode.. and with hijackthis! i cleaned the obvious stuff first (like homepage, search stuff, etc...). after that i went through the windows and system 32 folder and deleted my dll file (each one has a different one res://_____.dll) and things that were modified the day i got it around the time i got it. then i used the AVG Anti-Virus thing and searched the entire windows folder (all of it.. even the folders in it) and got all the other things that i missed. i deleted everything... checked hijackthis! again... then i went back to normal mode. and now im trojan free!!

i hope this helps.. cuz i really know how much it sux having that thing and i wish u can all fight it and get it off ur pc.

 

Does anyone know how to get rid of the "Home Shopping Assistent", "Shopping Wizard", etc. that continue to show up in add/remove programs?

I've squashed the Trojans I believe, and have no more re-directs in IE or pop-ups. I just would like to get rid of those pesky listings under add/remove programs.

 

SPREGSTOF, thanks!! Your method worked to remove the redirects in IE and the pop-ups. The only problem now is the problem STALGF pointed out... the add/remove programs still lists Home Shopping Assistent, Extended Search, and Shopping Wizard. I even deleted the HSA, ES, and SW folders in the registery...and they still regernerated themselves. Any Ideas?

 

Stalg, I think I figured out how to remove Home Shopping Assistent, Extended Search, and Shopping Wizard from the add/remove programs list!! Here is what i did...

1) Run services.msc, and stop and disable the local service, Network Security Service

2) Run regedit.exe, and delete folders HSA, ES, and SW under HKEY-LOCAL-MACHINE\SOFTWARE\microsoft\windows\CurrentVersion/Uninstall

3) Reboot

Let me know if that took care of it?

 

Greetings folks, I have the same damn problem! LOL I have the DLL jxmdo.dll on my system. I ran Hijack This, Ad-aware, Spybot Search and Destroy, and even my AVG 6.0 antivirus programs, and have been to several different sites about this problem. I follow their instructions to the T, but no matter what I do it STILL comes back.

I have even modified my registry and changed files manually on "Defaut Search Page", "Home Page", etc all back to my preferred ones...That works, but I have to use Browser Hijack Blaster and Spyware Blaster to prevent the dll from changing my home and search pages constantly.

Who knows a way to safely and completely remove this problem for good?

P.S. As I'm reading more into this topic, I'm finding out more interesting things. Still, lemme know about a solution.

Thanks

 

OK I had this same problem and it took me about 2 hrs to fix it once I followed what chaslang told svengali to do. Read this thread and follow it to the letter (all three pages).

http://www.majorgeeks.com/vb/showthread.php?t=35165

Also check my last entry on

http://www.majorgeeks.com/vb/showthread.php?p=375305

for a very quick summary of how I fixed the problem.

It definately works. I am problem free!!!

 

Thanks sooo much "sprengstof"(post# 82) & "Aggie04"(post#87)! Followed both strategies-- now my I.E. is mine again & there's no HSA, SW or ES in my "Add or Remove Programs" list. I owe you both drinks.

 

Try this:

http://hsremove.bravehost.com

Download and run hsremove.exe.

It worked for me.

 

By the way, I suspect that my system had some edge of protection once hijacked by HSA, due to a tiny(90kb) FREE program called StartupMonitor. It promts you each time an exe. "registers itself" to run at system startup. The window/prompt asks if you want to "allow this change" & gives you the option to decline---I was asked MANY MANY times if I wanted to allow many of those various four & five letter .exe's(that HSA loads into sys.32) to "run" on start up. So if you're looking for another little helper to manage one aspect of future infestations see: http://www.mlin.net/StartupMonitor.shtml I was suprised no one else mentioned this piece of freeware in this thread- I'm almost never the first one to discover anything. Also, if there's a reason others don't care for it- please let me know why.

 

I gotta get this off my machine....., help please

Logfile of HijackThis v1.97.7
Scan saved at 6:42:17 PM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Altnet\Points Manager\Points Manager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\InterVideo\WinDVD4PR\WinScheduler.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\hjtlog.exe
c:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {56371CD5-2A6A-4F96-9538-D0B756DF39B2} - C:\WINDOWS\System32\idic.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVD4PR\WinScheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37779.3616666667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab

 

What am I doing wrong here?? I downloaded the www.majorgeeks.com /download4284html and installed it it found like 200+ problems but it doesnt seem to repair them even though it saysit is if i rescan everything shows up again, I could almost cry with this dam problem please advise!!


Thanks

 

I downloaded HSRemove and ran it. For some reason the program crashed whenever it would reach the the "Scanning for Leftovers" stage with Memory Dump as the thing being scanned.

I then opened up IE and the page that opened up was a page telling me that the problem had been removed (I assume everyone else saw this page). So I changed my homepage in the options menu, and then closed IE. When I restarted IE, the problem was back with the "res://..." page.

I am guessing that the crash may be the problem? But it seems there are other people who HSRemove is not working for? Any help would be appreciated.

 

Yes, i downloaded this too and it quits responding in the middle of it too, does this problem have an countermeasure built in??????????

 

Man, I love you geeks. You rock. HSA can kiss my A$$.

I know where i'm coming for help in the future.

 

I spoke to GOD D?$@! soon. I rebooted, defragged and it came back when I went into IE. I am currently dangling my PC out the window and I don't know how long I can hold onto it. If you want to see it live you better fix this thing.