Fricken' Home Search!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by HECK, Aug 7, 2004.

  1. HECK

    HECK Corporal

    Sorry for the language, but I'm so tired of this Home Search homepage. And now when I type in a URL it takes me to another page looking like the Home Search one; it's called the Windows Help center... and then there is a link saying this is the website I was looking for, or something. Anyone know how to get rid of this crap? I tried what was previously posted by another member (forgot his name) but I couldn't do it all. Any help is VERY much appreciated. Please respond, someone, ASAP.

    I thank all a lot that help,
    anthony
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  3. HECK

    HECK Corporal

    Re: Fricken' Home Search Shit!!!

    I think I have gotten rid of it, but it went away, and then came back :rolleyes:. And I think I'm still getting their pop-ups... I don't know, but I tried the first one, kinda complicated... so I'm going to start the 2nd one... Thanks, I'll get back to you when I get it done, soon as possible :)
     
  4. HECK

    HECK Corporal

    Re: Fricken' Home Search Shit!!!

    Sorry, but what exactly does this Home Search do that no one wants it on their comp? Is it an advanced spyware, or what? Thanks... and another thing, if I do the 2nd option in your post, does that remove it as well?
    Thank you,
    anthony
     
  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Re: Fricken' Home Search Shit!!!

    The second option is geared to the Home Search Assistant. It's time-consuming, but complete and should cover you. I'm out for a bit; myself or Chaslang will be back to see how you made out, but please do every step in order or we will know and tell you to go back and do it :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Fricken' Home Search Shit!!!

    Major meant to say the first option (link) he gave you is geared to HSA. The second link is geared towards more general clean up that almost always has to be performed anyway.

    Yes, the procedure is complicated and long. But this hijacker itself is very complex and has many ways to respawn itself and to spread its infestation on your PC. It can get to the point that your system gets so bogged down with HSA-related processes that you cannot do anything else. It constantly redirects you to other websites and search pages and causes porn popups too.

    If you want to try a simple approach first, there are two of them (depending on your OS, you did not tell us what you have):
    - if you have WinMe or WinXP, you could try going back to a system restore point that predates when the hijacker problem began.
    - you can download and run About:Buster. Follow the steps on the download page. It must be run at least twice. I would recommend doing what the download page provides and then also running it at least once after booting in safe mode. Note, using only About:Buster by itself has not worked as of late. There are many strains of these hijackers making it difficult for an application like About:Buster to always work for every case.

    Thus, the reason for my Generic Solution. It has worked (thus far) for all cases. It is not always perfect either and may require multiple runs, especially if the steps are not followed correctly or you run into difficulty along the way and a step does not work like we need it to. For example, when a particular file name needs to be deleted, if you don't get it deleted and then continue with the rest of the solution, it most likely will not work and the hijacker will mutate and change names and add more processes. Usually it will look okay upon the first run of Internet Explorer, but if you run it a second time, you will see the hijacker has come back.
     
    Last edited: Aug 7, 2004
  7. HECK

    HECK Corporal

    I'm running XP. Here is my HijackThis log.
     

    Attached Files:

    Last edited by a moderator: Aug 8, 2004
  8. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    This is not very helpful, we need to work on our communication. It is important to know where you are at to assist you. What have you tried since the last post? You are loaded with viruses and the HSA.

    After following Chaslang's thread to remove HSA, you need to try removing lines that appear like this from your Hijack This log:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vbrdi.dll/sp.html#96676

    Hijack This tutorial explains it better:
    http://forums.majorgeeks.com/showthread.php?t=38752

    But try McAfee Stinger from safe mode to try cleaning some of the viruses.
     
  9. HECK

    HECK Corporal

    Sorry for the sketchy post, I'm just frustrated. Anyway, I've scanned using HijackThis several times, I used About:Buster several times, and I did them both in safe mode and on regular OS (normal desktop run), and I read your new post (very helpful) and I got rid of a lot... and I also d/l the shredder as you said. Here are my current symptoms.

    For some reason now, My Documents is just popping up. When I open the IE browser it was on the Home Search home page, and when I would type in a URL it would take me to Windows assistant (I think that's it) and it would tell me that I have typed in the wrong URL and it has provided me with the "correct" URL. I have pop-ups talking about spyware, music, and meeting people online, and I believe at the header of the pop-up it says "only the best", and after I did what chaslang said to do (I ran the hijack and all) my homepage is About:blank.

    Any more info needed? Please let me know, and I just want you to know how much this is appreciated that you are helping me!! :) But if it comes down to it, I guess I'll just delete my HD and reboot it all up again... :rolleyes:
     
  10. HECK

    HECK Corporal

    Jesus, it's right back again (Home Search Assistant) and now this is in my log file: Error Removing! : C:\WINDOWS\addxf32.exe.bak from About:Buster. Hijack removes this but Buster can't. I just DL the patch from Windows, the Service Pack 1... so I think I'm off to deleting the HD. But I'll wait to see what you say. This seems to be almost impossible to get rid of. :rolleyes:
     
  11. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Ok, what is sketchy, if you will, is you not telling us if you did all the steps. We cannot be of any help if you do not tell us you completely ran the steps given to you. It has to go like this: you ask, we answer, you respond what you did. Otherwise, we're just as frustrated as you are. And we WANT to help you!

    Those files can not be deleted because they are in use. Try using About:Buster in safe mode and if they are running use ctrl alt delete to go to processes and stop them from running.

    While some disagree, I am a huge fan of an occasional format. I think if you have your machine running frequently, and have backups or no important data that can be lost, a yearly format is a beautiful thing. I keep an image and recover on average every 3 months. In my case it is because we install everything here before posting, making my machine subject to spyware, trojans or viruses, and a format for me takes about 30 minutes total, so it's a quicker way to get back to business.

    If you do format, please read this thread:
    http://forums.majorgeeks.com/showthread.php?t=25834


     
  12. HECK

    HECK Corporal

    No no no, not you at all, I'm saying I'm sketchy, not you at all. You're helping me more than anyone could ever. But about this formatting, what exactly does it do? And I think I'm fed up with this hijacker shit, I just can't seem to get it off. It keeps coming back. Any recommendations as to what I can do next? Thanks a lot
    anthony
     
  13. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Yes, follow Chaslang's tutorial, which can be difficult for a novice, or take it to a shop. It's hard to do from here. Should you format, you wipe everything. Anything on your hard drive will be gone. Insert your XP CD-ROM and choose install and yes when it tells you Windows is already installed. From there, be sure to read this thread:
    http://forums.majorgeeks.com/showthread.php?t=25834 to prevent re-occurrence.

    As a reminder, here are the 2 steps you can do:

    Follow this thread: http://forums.majorgeeks.com/showthread.php?t=38772

    Easier, but possibly not as effective: download About:Buster and boot into safe mode (reboot your computer and tap the F8 key before the Windows splash screen and choose Safe Mode Without Networking Support) and run this tool. Twice. From safe mode.


    I hope it works out, wish I was there so I could fix it and you would not be so frustrated :) I have to leave for a while to go fix my wife's friend's computer, so my next reply will be hours out unless Chaslang shows up.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Heck,

    I'm not sure what you have decided to do about re-formatting or just attempting to fix the hijack. But as Major has pointed out you need to do the steps we ask (and nothing else on your own or from anywhere else or you can confuse us as to what is going on) and then you MUST provide feedback and or logs from the steps so that we know exactly what is being found, fixed, not fixed, etc.

    Yes, it can be frustrating, but if you take a slow step by step methodical approach, we can fix this like we have with many other users.

    For now do not run the Generic Solution to HSA. If you still want to fix this, just do the below.

    Follow the steps below (these are not HSA related but they are complicating matters):
    - from Control Panel, Add/Remove Programs look for WeatherBug and uninstall it. Tell us whether you were able to do this.
    - from Control Panel, Add/Remove Programs look for AccuWeatherDesktop and uninstall it. Tell us whether you were able to do this.
    - you must not run HijackThis from your Desktop. You have it here:
    C:\Documents and Settings\wisdom\Desktop\virus folders\HijackThis.exe
    You should have it run from its own directory like c:\Program Files\HJT where it can save its backup files. Do not run it from a temp folder either.
    - along with the above step, you need to get HijackThis 1.98.2 and delete the old version. Here is the new one: http://www.majorgeeks.com/download3155.html
    - IMPORTANT: You must not have any un-necessary programs running when scanning and MORE importantly when Fixing items with HijackThis. If you look at the HJT log you posted, notice these lines:
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\AccuWeatherDesktop\AccuWeatherDesktop.exe
    C:\PROGRA~1\Netscape\Netscape\Netscp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\REGEDIT.exe

    There are more but at a minimum the above items should not have been running. It is extremely important to not have Internet Explorer (iexplore.exe) running when using HijackThis to fix items. Why was regedit running at all? End the other process using Task Manager (press CTRL-ALT-DEL to bring up task manager and click processes) find the process and end it.

    - Did you also know that you are not running the proper versions of Windows XP or of Internet Explorer? I wonder how many other Critical Updates you are missing???? In the midst of the HSA hijack though let's not work on these updates (at least not yet).
    - Do you have a dial-up connection or high-speed direct connect?
    - Now run these online scans and tell us if and what they find:
    http://housecall.trendmicro.com/housecall/start_corp.asp <--- select Auto Clean
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    http://www.ravantivirus.com/scan/

    That's enough for now. Then get a new HijackThis log and post it (as an attachment) to your next message along with ALL the results from above.
     
    Last edited: Aug 8, 2004
  15. HECK

    HECK Corporal

    Well, I don't know what I did, but it seems to be gone. I just deleted all them files that Major told me to delete in that new tutorial, and I haven't used Internet Explorer since then. I'm running Mozilla Firefox, which seems to be great. I thank you 2 for your help... here is my newest log file.
     
  16. HECK

    HECK Corporal

    Sorry, upload didn't work, here it is
     

    Attached Files: hjt.txt (file size: 3.1 KB, views: 4)
  17. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I suspect a trojan, please do a scan from safe mode with a program like A2 or Trojan Remover that you can get here. I assume you scanned with both Chaslang and my tutorials, sticky at the top of this forum.

    I spotted a few lines, most I believe are trojans, a scanner should confirm.

    Not sure:
    C:\WINDOWS\iplx.exe
    C:\WINDOWS\system32\ipwq.exe
    C:\WINDOWS\System32\MsBAfd.EXE
    C:\WINDOWS\System32\MSStrtUp.exe

    Likewise:
    O4 - HKLM\..\Run: [MSStrtUp.exe] C:\WINDOWS\System32\MSStrtUp.exe
    O4 - HKLM\..\Run: [ipwq.exe] C:\WINDOWS\system32\ipwq.exe

    These worry me as well:
    O10 - Unknown file in Winsock LSP: c:\windows\system32\smfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\smfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\smfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\smfilter.dll

    Do the Home Search tutorial if you have not already, scan for trojans and I will wait for Chaslang to come by and offer his opinions from there.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Agreed Major! That's part of what I was getting at in my last post where I indicate a bunch of other stuff to clean up. I saw those apparent trojan lines and was hoping the online scans may resolve/fix some of them. And I also indicated the Weather stuff has to go.

    Note also the below line is part of the HSA hijacker. If it is still there, so is the hijacker.
    O4 - HKLM\..\Run: [ipwq.exe] C:\WINDOWS\system32\ipwq.exe

    If Internet Explorer is used, the hijacker will be observed. Thus it is still on the system.
    There was also another process from the hijacker shown running:
    C:\WINDOWS\iplx.exe
     
    Last edited: Aug 9, 2004
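Added example, not part of any post in this thread and not HijackThis's own code: a small Python triage of a pasted HijackThis log that pulls out the entry types the helpers point at above (the R1 `res://` Search Bar value, the O4 Run entries, the O10 Winsock LSP lines) and notes whether Internet Explorer was running when the log was taken. The function name `review`, the regular expressions and the sample log (assembled from lines quoted in the posts) are assumptions of this example; flagged entries are candidates for a helper to review, not verdicts.

```python
import re
from collections import OrderedDict

# Constructed sample built from lines quoted in this thread (not the attached log).
SAMPLE_LOG = r"""
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\iplx.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vbrdi.dll/sp.html#96676
O4 - HKLM\..\Run: [MSStrtUp.exe] C:\WINDOWS\System32\MSStrtUp.exe
O4 - HKLM\..\Run: [ipwq.exe] C:\WINDOWS\system32\ipwq.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\smfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\smfilter.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.*)$")            # "O4 - body"
RES_URL = re.compile(r"=\s*res://(.+?\.dll)/", re.I)           # IE page inside a DLL
RUN_ITEM = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*):\s*\[(.+?)\]\s*(.+)$")
LSP_ITEM = re.compile(r"^Unknown file in Winsock LSP:\s*(.+)$", re.I)

def review(log_text):
    """Return (findings, ie_running); findings maps (section, reason, path) -> count."""
    findings, ie_running = OrderedDict(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            # Unprefixed path lines are the running-process list at the top of the log.
            if line.lower().endswith("\\iexplore.exe"):
                ie_running = True
            continue
        section, body = m.groups()
        if section in ("R0", "R1") and (r := RES_URL.search(body)):
            key = (section, "IE page served from local DLL", r.group(1))
        elif section == "O4" and (r := RUN_ITEM.match(body)):
            key = (section, "autostart entry to verify", r.group(4))
        elif section == "O10" and (r := LSP_ITEM.match(body)):
            key = (section, "unknown Winsock LSP file", r.group(1))
        else:
            continue
        # The same O10 line can appear several times; count it instead of repeating it.
        findings[key] = findings.get(key, 0) + 1
    return findings, ie_running

if __name__ == "__main__":
    found, ie = review(SAMPLE_LOG)
    for (section, reason, path), n in found.items():
        print(f"{section:<4}{reason:<32}{path}  (x{n})")
    print("Close Internet Explorer before fixing items." if ie else "IE not running.")
```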
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  20. HECK

    HECK Corporal

    No, seems to be fine. As long as I don't open IE, the hijacker seems to be gone, not affecting me any. I'm using, like I said, Firefox, which I like a lot.


    Thanks,
    anthony

    P.S. Are there any good programs that speed up either the internet performance or the overall Windows XP Pro performance?

    Thanks a lot, both of you.
    anthony
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But that is what I meant and why I suggested trying About:Buster 3.0. Try it to see if it fixes the IE problems. It would be valuable feedback to us. And it may remove many files from your system that you really do not want on it anyway. Sooner or later something may come up where you need IE and it would be good if it were clean. You don't have to switch back to using it full time as your browser.
     
  22. HECK

    HECK Corporal

    Ohh ok, I'll do that, I promise, and I'll let ya know what's going to happen.
     
  23. HECK

    HECK Corporal

    We've had a really bad storm and power was out, so I'll get up on that tonight, just wanted to let ya know.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! It's been real stormy here today too. Didn't lose power though!
     
