"Only the best" / Home search assistent Variants and Page hijack list

Best Removal instructions I used and work excellently

Complete removal instruction. This worked for me very well.

This is a link telling you how to manually remove a program from Add/remove programs in Control Panel.
http://support.microsoft.com/default.aspx?kbid=247501

​

Download Programs to use:

Ad-adaware 6 Build 181

HiJackThis

Uninstaller Pro (Free for 20 day use)

Security Task Manager (Free for 30 day use)

Cwshreder – Cool web Search removal tool

1) Turn Off System Restore

2) Delete the prefetch folder in C:\windows\

3) Delete files out of C:\documents and settings\(user)\local Settings\Temp & C:\documents and settings\(user)\local Settings\Temporary Internet files

4) Get updated Adware reference file

5) Run Adware and remove all spyware (run all 3 different types of scans)

6) Run Hijackthis- remove all objects related to home search

7) Run Uninstaller pro

8) Go to control panel feature then the add/remove feature

9) Click on 1 of the 3 programs (home search assistent, shopping wizard, search extender) and use the FORCE option, standard uninstall will not work

10) Repeat for the remaining two

11) Then check out IE Plugins & Toolbars and delete objects not recognized

12) Run Security Task Manager Delete/quarantine potentially dangerous/Dangerous objects except for programs you know are legit. (Ex: Google toolbar will come up seems to be harmless)

13) Run regedit and search for HSA, home, SW, shopping, home, SE, search assistant/assistant, SA and extender. Delete the appropriate folders

Check:

HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main Start Page

HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Toolbar\Webrowser

HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main Start Page

HKEY_LOCAL_MACHINE\software\Microsoft\InternetExplorer\Main Default Page

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\_NS_Service_3

14) Run Norton Antivirus live update or download updated Definition Files

15) Scan computer

16) Reboot

 

I have fixed my infection, these are two posts that I copied and pasted from a local BBS that I use.
***************************************
I had at least 20 different Trojan infected .exe's in my system folders, as well as a VBS Malware script in a desktop folder. The browser is hijacked, and takes me to res://jkfsng.dll ****** type places after which I find new infections. This happens when IE does ANYTHING. For whatever reason this virus seems to also attack Office XP and makes it so that anytime you do ANYTHING the computer begins attempting to install Office. . . even though I already have it and havent requested such an installation. I have spent the last three days trying to get rid of this, and every time I think I have, as soon as Internet explorer does ANYTHING I have a new, and novel infection. Neither Norton/Symantec, Microsoft or McAfee have anything to say about this. . . so I have been pretty much on my own. i have found a few people who have the same sort of thing going on, if anyone would like to read about it, see the linked thread at bottom.
I would suggest that ALL OF YOU have an alternate browser downloaded, and maybe even a program like browser hijack blaster installed (might have helped me???). It sucks once the virus is in there and wont let you on the internet where you want to go, and wont let you access norton or microsoft websites. I also lost complete internet access across my network at home, and just now managed to get online. these past few days have not been fun. I am using Mozilla Firefox, which seems to work well.

This is the EXACT thing that happened to me, but with Trojano-180. I think I am making some progress, but i'll get back to you guys. I have found different things with each type of virus scanner. Norton did find PWS.Hooker.Trojan, but that doesnt seem to be responsible for this, rather, that probably came in after the other one.

http://computercops.biz/postx52378-0-0.html


*******************************************************************
next post, after I killed it.
*******************************************************************

Well, I didnt want to say it before, as I wasn't certain, but I think I have won the battle, with no help from any anti-virus software I might add. I wish I had found the thread posted below (majorgeeks) sooner, as it might have saved me some time!! Anyway. . . much of what I did is what one guy there did that fixed his infection, though I went about it a little differently, mostly becasue I didnt know what I was looking for yet.
My Norton and ZoneAlarm became dissabled so to get them back in working order I had to reinstall them. press ctrl-alt.del and look in the process lists for anything strange (if you go to the task manager often they should stick out like sore thumbs, if not, well, then you have to google everything in the list) Go into the programs page of ZoneAlarm and look for any of the strange little .exe proggies that are trying to get to the internet. . stuff like apity.exe, apibj32.exe, ieoq.exe, sysxg.exe keep in mind this virus creates hundreds if not thousands of different reandom names for the infected files, so just look for anything strange, then search on the web for it, and use google and some common sense to figure out what they are and block them.

HijackThis was pretty handy, so I guess thats deserves some credit. The way I did it was to uninstal any updates to Internet Explorer, then go into my add remove programs (windows components button), and uncheck the box for Internet Explorer to disable/uninstall it. I also removed any updates to Office XP and then rebooted to safe mode and ran all the virus checkers.
nothing new here yet. . these are the first things I did which did nothing, but would still be a good idea anyway, as I found a LOT of different infections. . .VBS Malware script, LOADS of .dll and exe trojans and virus files etc.

Even though I stopped using IE I kept running Browser HijackBlaster to let me know any time anything was changed if it was, though it wasnt needed with firefox, but at least I could verifiy that.

Now for how I actually fixed it: I went into the registry. . this is the dangerous part, be EXTREMELY careful , go yo regedit, then Edit>Find and type in that "res://sdshdjs.dll****" string that your browser keeps resetting to, and delete any of those entries in the registy (thos ethat match the URL placed in your IE homepage box). I also noticed I had a odd program called "Home Search Assistent" in my add remove programs window and I discovered it had left many registy entries (many contained a search thread http://looking-for.cc/"unistal" or "search"****) under the tabs SA, SE, HSAetc.

**Make an export backup of these registry folders that contain the suspect entries (IMPORTANT IF YOU SCREW SOMETHING UP THESE LOOK LIKE, AND IF YOU GOOD UP, MAY VERY WELL BE ACTUAL WINDOWS COMPONENTS!!).*** To do this right click the folder branch, then click export and type in the name to save to desktop or somewhere.

To verify that these are part of this virus you can look to the window on the right to see if they have that string I jsut typed in parenthesis. Use caution not to be looking in the windows Search Assitant registy. . . when I first found that I though I was infected with like 50 more major trojans. . .as I say all the kk32.dll surf.dat etc entries. .. then I realized that this entry was just the registry entry for the windows search feature to autocomplete when I type search names into the window. . so when I was searching to see if I had anythign on my machine I was writing these names into the registry. . how silly. . .but boy was that a fright!!!!

Anyway, I deleted the HSA(HomeSearchAsistent), SA (search assistent), SE (search extender) that I found in there, (there are others that might be on your system, see that thread I posted before for some such entries). I looked for anythign else that seemed odd. . any strange .dlls or .exes, I ran HiJackThis many times and made sure to research anyhting before I deleted it, but then had a field day removing things. Once I had done this and rebooted a few times and ran Avast Virus boot and desktop scans (seemed to pick up things norton missed) a few times, norton a few times, I went back to add/remove programs and enable IE, then (keep running browser hijack blaster) using IE I went to microsoft and updated my IE5 software (microsoft has a hard time updating using anything other than IE) and then looked for Microsoft Office updates. . and found one. This update coupled with the reg changes will put a stop to the VERY annoying office XP reinstaller pop-up that is characterisitc of this virus.

I know these arent really step by step instructions. . . that would be ideal but hard to provide as I spent probably 60 hours working to eradicate this. If anyone has this I can give them my phone number and talk them through the registry work, or use TS if that still works for you.

by the way check out Avast as a virus scanner, it seemed the quickest way to find anything running in memory even though it still failed at fixing anything.

It doesnt like to run with norton of course. . . so I keep the installer on my computer, install it when I am using it, then uninstall it after.


********************************************************************


-Vision

 

jeez. . .I guess is took me too long (3 minutes??) to delete a few sentences so I cant edit out the phone number and TS comments. . .

anyway, for anyone with this infection the answers to cleaning your system are here, in this thread, so start reading it from the start, and the answers are there!

Good luck, just be careful what you delete!

-Vision

 

Hey I use this program "browser hijack blaster" its supposed to help prevent home pages from doing what this thing does. I used it and it said it fixed the problem and deleted its registry but its keeps trying to change it.... ugh...im not sure which variant I have. Ive tried the search program but i must have another string. Can anyone help me find it?

 

I too have had this nagging HSA problem (and the related pop-ups) for the last couple of days. I tried something simple that seems to have worked - I am a novice, so if any of you have better suggestions or can point out potential hazards with this procedure, please advise:

1. Start up your computer in Safe Mode by pressing the F8 key during start up.
2. Open Windows Explorer and search for all *.dll files (for Windows XP, there is a feature to limit your search to a time frame...for me, I utilized a search for these files for a creation date within the last week).
3. Rename the recent *.dll files (that do not have an apparent purpose) to another dummy name. In my case, I found one file called: C:\Windows\msopt.dll which I renamed to "msopt.xxx". There were also several dll files that were related to my virus scan software that I left alone.
4. Open the Control Panel to get to the Internet Options. Input your desired home page address (i.e. www.msnbc.com) and click on Apply/OK.
5. Close out all applications and reboot your computer in normal mode.

In my case the problem was immediately fixed with no further action, although I did download and ran some free software for Lavasoft Adware 6 and Spy-Bot Search & Destroy. I also bought Ghostsurf software prior to running the above procedures and it did not seem to help, but it still seems to be a good product for blocking pop-up ads.

When opening the Control Panel for Add/Remove programs, the "Home Search Assistant" as well as the "Shopping Wizard" are still on the list and I am unable to remove them, however, the problems they seem to have generated prior to the above procedure, no longer appear to pop up, so it is just a minor annoyance at the moment having the titles still out there. Any assistance in removing those would be appreciated.

 

Thank you Chasling for the additional help...I went thru all of the long steps you referred me to, and have now cleaned up my machine to where there is no trace.

regards,

zekel

 

good advice chase... *highfive*

 

Good news, but, I don't know what happened. I installed the fix(then scanned), the virus regenerated. then for some reason I couldn't play Battlefield Vietnam online, so I deleted the fix and thought I would live with the problem for a little while, still couldn't connect to a game, then I did a system restore to two days back(I've had the trojan for over a week). I defragged and went on IE, NOTHING!!!. Cool so then I went to uninstaller pro and forced HSA and SW out. They are gone, they have been gone for over 24 hours, WHAT TA F$@!? is up with that eh!

Nothing in Registry
Nothing in System32
Quiet on the Eastern front.

 

Just so you know, it's been 25 hours for me and I'm working fine. I posted a new thread yesterday about how I got rid of the "only the best" problem. See "Only the Best" - possible solution.


BTW - I can't believe the infromation here and how much you guys helped me without even knowing it!! Great site!

 

Hello,

I got rid off HSA from my machine 2 days ago. I had it for about 2 days, and I the following programs in safe mode:

RegEdit
MSCONFIG
Windows Explorer

You need to delete all the files simultaneously to get rid of this thing.

 

I found exe, dat and dll files belonging to this irritating program.

 

Using the windows search thingy I searched for all files on my computer.

I then sorted the search by modified date descending

Next I looked for suspicious files

I found lots and batches of dll, exe and dat files around the same modified date.

 

On analysis of the file properties I discovered that some of the files had [date modified] dates that occurred before the [date created] dates.

I think that some of the programs modify others, but the modified date cannot be modified, only the created date can be modified....?

 

This thing is no real threat, it is a minor irritation, it cannot operate outside the confines of the operating system. It still has to run within the rules, and so can be easily found, tracked and traced.


You don't need any special programs to get rid of HSA, all you need is to know the contents of your hard drive more, find the nasty bastard files and delete them all in safe mode along with the registry entries.

 

The files are normally not only hidden, but also system files.

deleting individual files or renaming them or terminating them etc causes new files to be spawned.

My opinion is that several programs are running at the same time, there are lots of diversions, all the running programs are 'aware' of each other, if one program is terminated the others respond possibly spawning others.

I also found a couple of files with the extension $$$

It seems that there are only 2 main dll files to this thing, the dat files are important.

 

Ok, this one has kicked my but for about a week or so and a couple cases of beer. I've searched and deleted all suspiscious dll files but it manages to replicate itself from a hidden dll or exe file in the windows\system folder. It has managed to corrupt the explorer.exe file in windows to the point that search in find files/folders won't work and you can't even perform an online antivirus scan because it crashes explorer when you try to. Explorer has even been corrupted to the point that you can't even go to the microsoft update site and get updates, you just get a blank page because of it.

Of course since explorer is such an integrated part of Windows, several errors occured in Norton Antivirus and won't load now and uninstall/reinstall won't work. I couldn't even install any antivirus program due to the corruption of the explorer files that this thing had caused.

I had tried everything. You can delete it with hijackthis but it will be right back as soon as you restart the computer. When tyring to uninstall the "Search Assistent" in the add/remove programs from the control panel, I would get an error message that it couldn't locate the http://www.looking-for.cc/uniinstal.htm file.

This was a Windows Xp system which made it even worse. One user account had the "Search Assistent" where other user accounts didn't and some had the "Shopping Wizard" where others didn't in the add/remove programs under their user accounts which made it even worse.

Here is what I had to do and so far it has worked.

Download and run the following utility program:

http://tools.zerosrealm.com/AboutBuster.zip

If you are running windows XP, you will have to run this program under each user account (unless you can afford to delete all user accounts). This program seeks and deletes the hidden dll/exe file that keeps loading.

After you have run that file and deleted each occurance, download Advance Uninstall Pro. This will allow you to uninstall the portion that keeps appearing in the add/remove programs section in the control panel. The portion that I found and uninstalled actually looked like a registry key that was pointing to a setup.exe file. I could only find this thru using the advanced unistaller pro program.

Once I utilized these two programs, I ran spybot search and destory to clean up any remaining remnants of files.

After completing all this, I was able to finally uinstall explorer and then re-download the service pack for ie6 and install it. After being able to update IE, I was then able to reinstall Norton Antivirus 2003

This is one nasty hijacker/trojan. These guys should be locked up and the key thrown away. Actually, I rescind that. Bill Gates and Microsoft should be locked up and the key thrown away. If they would put a quality product out, we wouldn't have these problems. I downloaded the Mozilla Firefox webrowser and had absolutely zero popups or hijacks.

Hmmmmmmm. Wonder what the problem is there.

I hope what worked for me will work for you.
The Don

 

Joe C,

That is all nice but unfortunately, on the system I was working on the search feature in windows was disabled because of the "Search Assistent" problem. I couldn't even use the find files/folders feature.

 

Hi, I am new here. I wanted to add my frustrations with this whole Home Search Assistant. I too have several of these in my add/remove programs and cannot remove them. I did install Adaware 6 and it worked but just briefly the first time signing on I would get MSN as my homepage but if I were to sign off then sign back on I was back to this horrible nightmare, res... line with all the pop ups. And does anybody have those green little bugs showing up do the uninmentionable???? I also have Spybot to no avail. I ran a security check with Norton and it found no virsus and that I needed a firewall so I added that and was given the all clear.
I have Norton AntiVirsus and Norton Firewall on plus I ran Adaware and spybot all day long.
Plus I tried to download this Hijackthis I am not able to. I believe it is because of this home search assistance.

 

Well I'm puzzled as to why I was able to search and delete the files in Windows ME so easily, my Windows Explorer does not seem to have been corrupted at all. No-one else seems to have mentioned the .dat files either.

 

yes i too have the green bugs doing the dirty on screen.
GRAND. i hate this.

i don't even know what i'm doing.
i got hijack this, ran it, got a log.
havent had anyone look at it yet.

my homepage is set at home search assistant.
in my add/remove programs list i have
'home search assistant'
'shopping wizard'
'search extender'

that search extender takes an icon from a current program i have installed and uses it in the add/remove programs list, [if that makes much sence]
and if i type in any web address without first typing 'http://' it takes me to a correction page which pisses me off. DIEEE.

so. this sucks. congratulations to me.
i've seen some links people say work to fix it,
but all of the ones i have seen have been dead

errghh...help someone??
i joined this website just because of this problem.
tell me if you want my hijack this log (i dont really know what any of it means)

-jordan

 

okay SCRATCH THAT. i followed spartan160's advice and it worked like a charm.
i am currently running hsremove JUST IN CASE. haha.
thanks everyone, this has been pissing me off for like a week.

-jordan

 

I have also been struggling with this. After review of 3 different forums. I seem to be rid of this thing. My intention is to input my 2 cents and tell you what seemed to have worked for me. The authors on this board are genius, and I don't know how to thank you.

My first attempt today was proposed by Atomicdog 420 Response #6. Like others I did this many times and couldn't seem to get it. I think the changed files were hidden even though I made sure "show hidden files" was turned on.

My second attempt today was proposed by Hoovid # 144. I chose to download and run Avast Antivirus. Even though I already have Norton Antivirus installed, I did it. Immediatley after installing Avast, it proceeded to scan and said that it found some stuff and that it had to run in boot mode. I don't know what this, but, I said ok. After it finshed scanning, it found 98 infected files.

Here is the link for that forum:

http://www.computing.net/security/wwwbo...12346.html


I did notice that most of the files it found were of this format:

4,6, or 7 letter .exe
6 letter .dat
5 letter .dll

Since running this, I have rebooted 3 times and each time it appears to be fixed.

Things that I have noticed are:
1. HSA is still in my add/remove programs. Who cares, it's not doing anything.
2. NAV prior to this fix would say "a .dat is requesting scan". Each time I wuold write it down and I could never find it or delete it. That's why I think it was hiding even though "show all files" was turned on. Something had to be there becuase Avast Antivirus found it.

So once again, thanks to all for knowledge, experience, and good will. It means a lot to a newbie like me.

Regards, Bob

 

The reason you can't find certain files even when show hidden files is set to TRUE may be because some of the files are also hidden SYSTEM files, I discovered this on my machine and found all the files associated with HSA by selecting to show all hidden system files as well.

Is anybody elses Windows Explorer corrupted to the point that you can't search for all the files on your computer?

Because that is the way I got rid of HSA, it's been over a week now and it hasn't come back and it only took me a few hours to sus it out and get rid of it!

 

In future, and HSA may be the start, the only way of getting rid of programs like HSA may well be to know your hard drive, search it (if you can't in windows then if you can access DOS use that and back up files you are unsure of to disk), sort by modified date and do some investigation.

Find the earliest modified suspect file (Do not delete it yet though) once you have found that have little look back in time and see if there are any new suspect files you hadn't spotted before, keep a track of them, make a list even if it's on a piece of paper. From your earliest modified suspect file you will see other suspect files shortly afterwards OR with exactly the same date and time modified as the others. Do not use "date created" to find HSA files, HSA modifies the date created but cannot modify "date modified"

Once you have found all the suspect files, in SAFE MODE delete all of them at the same time. If you don't delete them at the same time they will come back.

I appreciate that at least one person on this board couldn't search windows due to corruption in Explorer, that's why I'm suggesting using DOS in those instances. Although users of XP may be stuffed.

 

I am new to this forum but came here for the same reason as everyone, even though my symptoms were not exactly the same. I think mine are different because I do not use Norton; I use Computer Associates eTrust EZ AntiVirus.
My first symptoms were the constant appearance of the 'OTB' pop-ups and my AV kept finding infected files (usually had to ckick OK five times) but my program deletes any file it cannot clean so I could never find the files. The thing that started me looking was when my notepad started 'poofing' unecpectedly (sometimes right in mid-sentence).
I learned that if I started Taskmanager right after booting and stopped 'services.exe' my system became stable. (I would get a window warning that the computer was shutting down but it did not.) The BIG change came when I deleted c:\program files\lst services and stopped that program from running.
To get the boogus programs out of Windows Uninstall I use RegCleaner. I also used this to delete all the orphans and dangerous reg entries.
So far I seem to be back to normal.

 

I wanted to thank everyone who has contributed to this & other threads on the HSA variants. What a great resource.
I was fighting w/ this on a clients PC for a few days & finally found this forum via a few searches. One item to mention...Adaware DOES have updates to their freeware scanner, but the program download is not always too current ( not a complaint..). Make sure to download the updates when you first download the .exe . Failing to do this caused me to waste tons of time.

Thanks Again

 

New to this whole spyware thing but this has completely pissed me off. I've had the bastard for about three days. I've ran every spyware available, an online virus scan (Housecall) with no luck. This punk is on my home machine. I am currently at work and stumbles across this page at SWI forums suggesting someone had came up with a fix program called "hsremove" (http://www.hsremove.com). Anyone here try this yet? If so I would be interested in knowing how well it worked, if it works.

 

i was searching the net and i found the site that puts the homesearch on your startup page
uts www.o-uud.com/?id=dieter&c=6wo1n0d59un01mjy7mse6m0w2uzmp8b8

but it tends to change, it has you to click a gray box if you want to install a program to run something called the scotch bar

and if you click it it goes away but there is another bar that asks if you would like to set them as your web page its
search.1.net/age.php

i think all of the info is right but im not totally sure, if you just unplug your internet connection and then restart you will not get your home page hijacked but i cant help the ones who already have the problem i had to reformat and i had to do another restore a couple of days ago

later

 

okay holy shit now i'm scared

i have windows xp, and like 2 days ago i was running avg and it came up with this bullshit, ive been trying to fix it but i dont know anything about this stuff and i feel helpless....

its just, that nothing has happened.....


no problems no missing .dll no nothin i dunno what to do .... cant seem to get rid of this thing though

 

k literally minutes after that last post i finished scannin with avg and no virus..... but when i open ad-aware and u know that thing where u scan specific files it still shows up as recycler being there... along with that system volume information thing... i dunno

 

Step by Step instructions on what you need and how to kill this can be found

Here

 

Thanks for this process. It worked like a champ. Only I had to run the HiJackThis program twice to catch everything. I recommend running both the adaware and hijackthis until totally clean. Great tip. You saved me from the dreaded reload.

 

One thing I have noticed with this variant too, watch your DNS settings. I have a customer who is running static IP and DNS and whenever I went after this thing, it would set my DNS to 4.4.4.4. I'm not sure if anyone has seen this, but keep an eye out if you seuddenly can't get web access.