Help removing Home Search Assistant

Discussion in 'Malware Help (A Specialist Will Reply)' started by tcm278, Jul 25, 2004.

  1. tcm278

    tcm278 Private E-2

    I have been reading the various threads about removing home search assistant and have tried most everything and it still keeps coming back. I have run the HSA remover and it removes it but it comes right back. I followed the directions and ran it in safe mode. When I look in services I do not find Network Security Service so I have not been able to disable it since it is not there. I think I also deleted something I shouldn't have, IE will not open now if I click on it but it will open if another program calls for it or if it needs to open another window. HELP HELP I have been plagued by this for days now!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never mentioned your OS! And have you done anything other than HSremove. Have you run Ad-aware, SpyBot S&D, CWShredder, etc?

    I'll need to see your HijackThis log. But before doing that you need to read the new rules: http://forums.majorgeeks.com/showthread.php?t=35407

    It's okay to post your log because I'm asking you to do so. But make sure you post it as a text attachment as explained in that thread.

    When you save the log in HijackThis a save dialog window comes up. Change the Save as type to "all files" and change the Filename from hijackthis.log to hijackthis.txt. Then upload that file.
    After doing this and to have the easiest time (even though it will still be difficult) removing the HSA problem, please do not shutdown, reboot, or change anything (i.e., try to fix anything). Otherwise the problem can mutate making what I tell you ineffective. It is okay if you need to disconnect from the internet to be safe (you can unplug your ethernet connection from an ADSL or Cable modem or physically drop an analog dial-up modem connections). You can even shut off your monitor to save power. Just leave your computer running until I give you a procedure to follow.

    Sorry I did not answer sooner. I had a load of items in progress today and just saw your request now.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    tcm,

    Give the new About:Buster a try first. You get it here. Follow the instructions on the link.

    If still having a problem after that, post the log I asked for in my previous post.
     
  4. David Moon

    David Moon Private E-2

    I've tried both HSRemove and About:Buster, and the instructions aren't very clear - specifically, why do you "write down the name and path of the file in the 'Path to Executable' section"? What do you do with it once you've written it down?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The directions for about:Buster have changed; see the newest version: http://www.majorgeeks.com/download4289.html

    And for HSremove the idea behind writing down the path to the Network Security Service executable is so that the file can be manually deleted if necessary. Sometimes the programs have a problem deleting certain files. If we write down the name, we can always go back and remove the file by hand later.

    Please do not post your questions in multiple threads and if you have questions and or problems you should start your own thread.
     
  6. tcm278

    tcm278 Private E-2

    Thanks for the help. I am running XP Home Edition. I had tried running Adaware with the plug in and Spy-Bot Hs remover and About Buster before my first post. After reading your post I downloaded the new About Buster and ran that. Just like each time before it removed it and as soon as I rebooted out of safe mode it was right back. I also followed all the instructions in the link you posted about spy ware and again nothing. I was unable to run CCleaner as it would not install. Also windows installer is constantly opening and trying to re-install Front page. Anyway here is my log, maybe after we hopefully fix this I could get some help as to what I probably accidentally deleted wrong so that my IE will no longer open by double clicking on it. I was so frustrated I deleted some registry items...oops!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I also want you to download ProcessExplorer from here: http://www.sysinternals.com/files/procexpnt.zip
    Then run it and kill these processes:
    mfcko32.exe
    ieow.exe

    Then enable viewing of hidden files and folders: http://forums.majorgeeks.com/showthread.php?t=37650
    Find and delete those two files:
    C:\WINDOWS\mfcko32.exe
    C:\WINDOWS\system32\ieow.exe

    Now quickly reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    Run HSremove. Save log.
    Run About:Buster twice. Save each log.

    Reboot normal mode and post HSremove log, both AboutBuster logs, and a new HJT log (put them in one attachment file).
     
  8. tcm278

    tcm278 Private E-2

    I downloaded the procexpnt and shut off and then deleted the files you said to. I ran HSremover and About Buster, but I don't see an option to save a log and I can not find a saved log from these applications.

    Am I missing something?

    It also did not get rid of the plague on my computer. When I checked the home page in safe mode it was reset to google but as soon as I rebooted and open control panel internet options it is again reset to the HSA page.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What versions do you have for
    - HSremove
    - About:Buster
    - Ad-aware
    - Ad-Aware reference file
     
  10. tcm278

    tcm278 Private E-2

    HSremover is v2.39
    AboutBuster V1.32
    Adaware 6.0
    Reference file 0R 150 05 07 2003

    It seems that the reference file is old but when I click to update Adaware it tells me there are no updates available.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    about:Buster is now on 1.5 (today)
    Your Ad-aware is not even close to being the correct version. You need to download both the main program and then do the update. Get Ad-aware 6.181 here.
    Ad-aware referencefile 01R334 24.07.2004 here. Or you could just update it online after getting the proper version. Read how to do a full scan with Ad-aware here.
    Also download and install the VX2 Cleaner Plugin for Ad-aware here. Read how to install it and run it on that link too.

    After updating both of them boot to safe mode.
    Run about:Buster twice (two full times - that will show a total of four scans). Save the logs by highlighting the text in the screen and copy and paste to a text file. Then run Ad-aware in fullscan mode (let me know if it finds any thing). Now run the VX2 Cleaner Plugin for Ad-aware.

    Now boot normal mode. Send me that info from about:Buster scans and Ad-aware. Also give a new HijackThis log. (post as attachments please).
     
  12. tcm278

    tcm278 Private E-2

    Ok updated all the tools and ran adaware about buster and HS Remove. I have attached the logs from adaware, About Buster and hijack this. Adaware found and removed things as did About Buster but again as soon as I reboot the plague has re-hijacked my IE. Thanks for all your continuing help!
     

    Attached Files:

  13. tcm278

    tcm278 Private E-2

    I forgot to mention I am using Propel Accelerator, I figured you probably saw this in the logs, don't know if that could have anything to do with it and I have deleted the temp files in this trying to rid the HS.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Guess what! about:Buster (let's call it AB for short) is now version 2.0. Get the new one here and follow the directions exactly as written on the download page. In particular note this part:

    "The program should start scanning. Then hit exit and reboot.
    Once rebooted run About Buster once more to make sure everything is ok."

    Make sure you do not run ANYTHING before running AB again after reboot. Also I want to add some other important item.
    - Shutdown all applications ESPECIALLY Internet Explorer before running about:Buster and DO NOT RUN Internet Explorer again until noted below.
    - make sure you have done both runs
    - after running AB the second time (after reboot), run HijackThis and clean up any left over info from the problem (which could be from your log):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\diqer.dll/sp.html#26512
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://diqer.dll/index.html#26512
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://diqer.dll/index.html#26512
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\diqer.dll/sp.html#26512
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://diqer.dll/index.html#26512
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\diqer.dll/sp.html#26512
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
    O2 - BHO: (no name) - {92785D9A-20BA-33B7-8258-1F1AF4B27CD0} - C:\WINDOWS\javapk.dll
    O4 - HKLM\..\Run: [ieow.exe] C:\WINDOWS\system32\ieow.exe

    Delete these files too if found (enable view of hidden files: http://forums.majorgeeks.com/showthread.php?t=37650)
    C:\WINDOWS\javapk.dll
    C:\WINDOWS\system32\diqer.dll
    C:\WINDOWS\system32\ieow.exe

    - now you can try Internet Explorer and post your results

    Note: you did not follow directions. I told you to run Ad-aware FULLSCAN and VX2 cleaner AFTER RUNNING about:Buster. You will find quite often it is very important to follow steps exactly without skipping or leaving anything out. Will it always make a difference....who knows. But it can. And the things I have been telling you to do have worked for everyone else. There is no reason why they should not be working for you unless there is a procedural type problem.

    Do you have multiple accounts on this PC? If yes, all accounts must be cleaned.
    Have you disabled system restore and left it disabled? Are you sure Network Security Service is disabled (or non-existent)?
     
    Last edited: Jul 29, 2004
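
The HijackThis lines quoted in the post above can be triaged mechanically. The following is an added example, not part of the thread and not HijackThis's own logic: the three heuristics, the function names and the two benign sample lines are assumptions made for illustration.

```python
import ntpath
import re

# The first five lines are entries quoted in the post above; the last two
# are constructed benign entries added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\diqer.dll/sp.html#26512
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://diqer.dll/index.html#26512
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
O2 - BHO: (no name) - {92785D9A-20BA-33B7-8258-1F1AF4B27CD0} - C:\WINDOWS\javapk.dll
O4 - HKLM\..\Run: [ieow.exe] C:\WINDOWS\system32\ieow.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\exav.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RES_RE = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
BHO_RE = re.compile(r"BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r".*?Run: \[(.*?)\] (.*)$")


def triage(log_text):
    """Return (section, reason, file_name_or_None) for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section in ("R0", "R1") and "=" in body:
            key, value = (s.strip() for s in body.split("=", 1))
            res = RES_RE.search(value)
            if res:
                # Start/search page loaded from a resource inside a local DLL.
                name = ntpath.basename(res.group(1)).lower()
                findings.append((section, "IE page served from a local DLL", name))
            elif key.endswith("ProxyServer") and re.search(
                    r"localhost|127\.0\.0\.1", value, re.IGNORECASE):
                # Needs review, not proof: a local web accelerator sets this too.
                findings.append((section, "IE proxy points at this machine", None))
        elif section == "O2":
            bho = BHO_RE.match(body)
            if bho and bho.group(1) == "(no name)":
                name = ntpath.basename(bho.group(3)).lower()
                findings.append((section, "unnamed Browser Helper Object", name))
        elif section == "O4":
            run = RUN_RE.match(body)
            # Assumed heuristic: the Run value is named after its own file.
            if run and run.group(1).lower() == ntpath.basename(run.group(2)).lower():
                name = ntpath.basename(run.group(2)).lower()
                findings.append((section, "Run entry named after its file", name))
    return findings


def files_to_review(findings):
    """Unique file names referenced by the findings, for checking on disk."""
    return sorted({name for _, _, name in findings if name})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(files_to_review(triage(SAMPLE_LOG)))
```

On the quoted entries the derived file list matches the three files the post asks to delete; the localhost proxy entry is reported without a file because the log line alone does not say which program is listening.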
  15. tcm278

    tcm278 Private E-2

    Sorry about running things in the wrong order. What do you mean by multiple accounts? There are multiple users setup. If you mean users how would I clean each user? System restore has been off the whole time and Network Security is non-existent.
     
  16. tcm278

    tcm278 Private E-2

    Also should AB be run in safe mode then when rebooting should I reboot into safe mode again? Trying to make sure its done right.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes by multiple accounts I meant multiple user logins. You need to login to each user account and verify that each one is clean. Same methods would be used to clean each one.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to new write up. Run it in normal, do immediate reboot, then immediately run it again. Then look for the stuff I show from your HijackThis log and fix it if still there. Delete the files too. All this needs to be done before you open Internet Explorer again.

    By the way are you using a Proxy Server? See this line in your HJT log:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
     
    Last edited: Jul 30, 2004
  19. tcm278

    tcm278 Private E-2

    Deleted all user accounts except two and deleted files with them. Cleaned both accounts. Although when I run hijack it only shows problems on one account (which is the main account). Ran the new AB deleted the files you said to and it helped. IE will now open. When I reboot and check IE options in the control panel the page is set to google instead of the other. When I first open IE it goes to google but when I open a second window it goes back to HS page and pop ups start. I attached the hijack log and the only thing that seems to show up is the HKCU .....localhost 8081. No matter how many times I tell hijack to fix this item as soon as I reboot it is back again. The other problem is when I open the second IE window, windows installer pops up wanting to install front page. Log is attached.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! For some reason I had not noticed you are not using the current version of HijackThis. Please get the proper version from here.

    Please run ProcessExplorer and save a copy of the running processes and give me a new HijackThis log too. Put them together in one attachment. DO NOT REBOOT AFTER THIS.
     
  21. tcm278

    tcm278 Private E-2

    Download latest ver of HT here are the requested log files.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use ProcessExplorer to kill this process:

    C:\WINDOWS\sysvy.exe

    Then try to delete this file:
    C:\WINDOWS\sysvy.exe

    Tell me the results from above.

    Now run HijackThis and fix these lines:
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A7717956-9A67-0F8E-761C-A65492DB585D} - C:\WINDOWS\mfcmt.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
     
  23. tcm278

    tcm278 Private E-2

    Ok after kill process it let me delete the file. Then fixed the items in hijack this. Should I reboot now? When logged back on to the Internet default page was google. Although I still have windows installer keep popping open. Haven't had any pop ups yet. Maybe fixed:)
     
  24. tcm278

    tcm278 Private E-2

    Been surfing and no pop ups and no redirects:). But I have not yet re-booted.
    Any idea why windows installer keeps coming up? :rolleyes:
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, see if you can find this file and delete it
    C:\WINDOWS\mfcmt.dll

    If you cannot delete it now, reboot to safe mode and delete it.
    If you boot to safe mode, run About:Buster one more time in safe mode.

    If you do not need to boot to safe mode to delete the above DLL then just reboot and, when you come back up, do not run anything until running About:Buster. Then try doing some opening and closing of browser sessions and let's see what happens. The problem with Windows Installer opening is something that has happened in many cases where people have had HSA problems. I do not know of a fix yet. What happens if you let it try to re-install FrontPage?
     
  26. tcm278

    tcm278 Private E-2

    The plague has been eradicated!!!! :) Thank you very much for your help! Computer is now running much better and I can surf the web again. Only left over is the windows installer problem. I will try and re install front page (cd is at my office) later and see if that solves the problem. Would it work if I turned installer service on manual? Again... Thanks for the Help!!!!!!
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Not sure about turning the installer service on manual. Give it a try. I don't think anyone understands how this HSA hijacker and the use of the HSremove and About:Buster tools to aid in its removal causes this type of problem but I have seen multiple complaints in this area. Most frequently it was an MS Office trying to install problem.

    Make sure you get your system protected from reoccurrence of issues like this.
    Here are some simple steps you can take to reduce the chance of infection in the future.
    I strongly encourage you to do them all.
    1. Visit Windows Update:
    Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
    a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
    Do this at least once a month.
    b. Never add any site to your Trusted Sites Zone.

    2) Anti Virus: make sure you have one and keep it updated. Here are some good free ones:
    http://majorgeeks.com/download1968.html Avast
    http://majorgeeks.com/download886.html AVG
    The top two hands down. Better than Norton or McAfee!
    Only run ONE AV!

    3) Firewall: if you don't have one get one of these below. The last two are free versions:
    Don't care if you're on dial up or High Speed....you must have a firewall
    http://majorgeeks.com/download738.html Kerio Personal Firewall
    http://majorgeeks.com/download3356.html Sygate Personal Firewall Free
    http://www.majorgeeks.com/download388.html ZoneAlarmFree

    4) Get a Temp File/Cookies/index.dat cleaner
    http://majorgeeks.com/download4191.html CCleaner (Crap Cleaner)

    5) SpyWare Prevention (These prevent, they are not scanners. Scanners are listed later.)
    http://majorgeeks.com/download2859.html SpyWare Blaster
    http://majorgeeks.com/download3045.html SpyWare Guard

    6) SpyWare Scanners/Removers
    http://majorgeeks.com/download2471.html SpyBot (Use the Immunize feature. I don't activate the TeaTimer)
    http://majorgeeks.com/download506.html Ad-aware
    http://www.majorgeeks.com/download4283.html VX2 Cleaner Plug-In for Ad-Aware
     
  28. tcm278

    tcm278 Private E-2

    My kids also use this computer and I am sure that is how they downloaded the HSA ( I assume it was downloaded when they downloaded a compt game or something). Is there a program out that will block any downloads without having a password? Is the HSA one of those downloads that pop up asking if it is ok or connected to a game or is it something that downloads in the background without your knowledge? I am going to add all the recommendations you have made. Windows firewall is not sufficient I take it?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HSA can come from many different places. I don't think it would be a download. I think it just sneaks in. But it could be that it is embedded in some application that your kids have downloaded and installed (without reading or understanding the fine print).

    I think the other firewalls recommended would be a better choice than the WinXP firewall.

    You can go into Internet Explorer's Tools, Internet Options, Security area and block what you want for each of your kids. It will probably cause them some grief sometimes but that is a method by which you can block downloads and Active X stuff. Take a look at the options there.
     
  30. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    In addition to what Chaslang said install SpywareBlaster. It won't stop everything, but a lot of it.

    Better surfing habits. I doubt it's any games they downloaded, but making typos or installing programs or hitting enter when a window opens at a website asking to install whatever. One typo and you're hijacked, use bookmarks when you can.

    Forget Internet Explorer and get Mozilla FireFox, again, not perfect, but much better.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's in my list Major. See number 5.
     
  32. dodgybeaver

    dodgybeaver Private E-2

    hey im suffering from the same problem except not from sysvy.exe or mfcmt.dll, its from a program from sdkuf32.exe. I have searched for this prog many times and deleted it many times, however the thing keeps comin back so i have attempted to delete it manually from the registry, but guess what it keeps comin back, i have also used all manner of removal tools, for example SpySweeper,Spybot,hijack this,ABOUT:BUSTER AND EVEN HSREMOVER yet none of them seem to get rid of it. whenever i end the process in the memory it reloads again within seconds and its startin to affect my business as i am spendin more time tryin to get rid of it than doing work, so does anyone have n e tips on gettin rid of the little critter or shud i wiped my hard drive and start again?
     
  33. dodgybeaver

    dodgybeaver Private E-2

    hey i found a way to solve the problem......system restore. With any luck system restore will take u back to a point before u downloaded HSA and therefore it will be gone, ive tried it and it has worked fine for me. So i suggest backing up what u want to keep them use system restore, let me know if it works for anyone else out there
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please start your own thread when you have problems.

    Yes, system restore has worked in some cases. In many others it did not because the users may not have had any valid restore points prior to the HSA problem. Or they already disabled it while trying to fix the HSA problem prior to having tried to use it. Note, that this may bring back other problems that may have been fixed after that system restore point was made too.

    Do not answer my post here! If you need to discuss this any further, start your own thread. If the problem comes back, see this thread: http://forums.majorgeeks.com/showthread.php?t=38772
     
  35. dodgybeaver

    dodgybeaver Private E-2

    I apologise i only registered with the forum here today!
     
