Offer Optimizer, Shopping Wizard AND Search Assistant

Discussion in 'Malware Help (A Specialist Will Reply)' started by Infected, Jun 10, 2005.

  1. Infected

    Infected Private E-2

    I just read the "READ THIS FIRST" thread, and tried to the best of my abilities to follow the instructions, and I still have 3 items in my control panel that I cannot get rid of: "Offer Optimizer", "Shopping Wizard", and "Search Assistant".


    I booted into "safe mode with networking" and tried every combination of adaware, spybot, mcafee antivirus, cwshredder, spyhunter, hsremove, aboutbuster, fixagent, stinger, and 2 different online virus scanners, all while making sure hidden files are viewable, and disabling system restore. I've even tried manually removing files from my registry... but they ALWAYS reappear and bog down my entire system.

    I've downloaded HijackThis, but have not run it yet. An expert's assistance would be MUCH appreciated. I have yet to run it... if you need me to do it in safe mode, and/or to post the log here, please let me know.

    I'M DESPERATE FOR HELP!! :eek:
     
  2. rottweilerjoe

    rottweilerjoe Private E-2

    :mad: I too am having the exact same problem. I am wondering, though, do these have anything to do with that damn "only the best" popup, because I am going insane trying to get rid of all of this! :mad:
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Offer Optimizer can often be uninstalled using Add/Remove Programs.

    Yes, these are related to "Only The Best".

    rottweilerjoe, you need to start your own thread, but run all the steps in the READ ME FIRST sticky before you do.

    Infected,

    Please follow the steps below if you have run ALL steps in the sticky thread and also make sure you follow the steps related to about:blank and HSA hijackers.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. foot loose

    foot loose Private E-2

    uninstall it from add/remove programs ;)
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Will not work! You have not been around malware too much, have you! HSA infections cannot be removed so easily.
     
  6. Infected

    Infected Private E-2

    None of those 3 programs (Offer Optimizer, Shopping Wizard, nor Search Assistant) can be removed through Add/Remove... first thing I tried. Trying to remove simply redirects me to the same URL: buckstoolbar.com. None of the links actually go to a working webpage, however... they all come up 'not found'.

    Attached is my HJT log.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Remote Procedure Call (RPC) Helper (or if you cannot find that name, try the short name 11Fßä#·ºÄÖ`I ) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above for the following service: hpdj

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Remote Procedure Call (RPC) Helper

    If that does not work, copy and paste in the short name: 11Fßä#·ºÄÖ`I
    You have to copy and paste because these characters are not easily entered.

    Now repeat the above step with HijackThis for the following service: hpdj

    After doing that exit HijackThis.

    Now please download the following tool: Pocket KillBox

    Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis again and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\sysxn.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {BF951D96-668C-0E40-F035-5B9FB0461652} - C:\WINDOWS\apife.dll
    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
    O4 - HKLM\..\Run: [sysxn.exe] C:\WINDOWS\sysxn.exe
    O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntsq.exe (file missing)
    O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\RICHAR~1\LOCALS~1\Temp\hpdj.exe (file missing)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\WINDOWS\sysxn.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\apife.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.
    Now, Copy and Paste C:\WINDOWS\ntsq.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.
    Now, Copy and Paste C:\Documents and Settings\RICHAR~1\Local Settings\Temp\hpdj.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\tss.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself.

    Now get a new HJT log and post it here. And tell us how these steps went and how things are working.
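    As an added illustration (not from this thread, and not part of HijackThis itself), here is a small Python triage script that applies the kind of checks being made above to the HJT lines quoted in this post: services whose binary is missing, autostart images sitting in a Temp folder or directly in the Windows directory, a service short name built from unusual characters, and an ActiveX (DPF) entry loaded from a local file:// URL. The rules and the sample log are constructed here for the example; they are heuristics for review, not a verdict.

```python
import re

# Constructed sample input: the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BF951D96-668C-0E40-F035-5B9FB0461652} - C:\WINDOWS\apife.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sysxn.exe] C:\WINDOWS\sysxn.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntsq.exe (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\RICHAR~1\LOCALS~1\Temp\hpdj.exe (file missing)
"""

# A Windows path up to its extension; spaces and 8.3 names (DOCUME~1) allowed.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|cab)", re.IGNORECASE)
# The service short name HJT prints in parentheses right before " - <owner>".
SHORT_NAME_RE = re.compile(r"\(([^()]*)\) - ")

def triage(log_text):
    """Return (section, reason, line) for each HJT line worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        paths = PATH_RE.findall(line)
        path = paths[-1].lower() if paths else ""
        parent = path.rsplit("\\", 1)[0]
        reasons = []
        if section == "O23" and line.endswith("(file missing)"):
            reasons.append("service binary is gone: orphaned hijacker service")
        if section == "O23":
            m = SHORT_NAME_RE.search(line)
            if m and any(ord(c) > 126 for c in m.group(1)):
                reasons.append("service short name uses non-ASCII characters")
        if section in ("O4", "O23") and "\\temp\\" in path:
            reasons.append("autostart image lives in a Temp folder")
        if section in ("O2", "O4") and parent == r"c:\windows":
            reasons.append("image dropped directly into the Windows directory")
        if section == "O16" and "file://" in line.lower():
            reasons.append("ActiveX (DPF) object loaded from a local file:// URL")
        if section == "R3" and line.endswith("is missing"):
            reasons.append("default URLSearchHook removed: search hijack residue")
        for reason in reasons:
            findings.append((section, reason, line))
    return findings
```

    Run `triage(SAMPLE_LOG)` to get the flagged entries; anything it does not flag (the iexplore.exe Run entry, tss.exe in System32) still needs a human look, which is why the expert's fix list above is longer than the script's output.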
     
  8. Infected

    Infected Private E-2

    I'm back! Did all your steps... my system now seems to be working normally... no slowness etc. Everything went smoothly EXCEPT, when I went into "Delete an NT Service" on HJT, neither "Remote Procedure Call (RPC) Helper" nor its short name existed.

    As one further note, the names for those 3 programs still appear in control panel. I haven't attempted to add/remove them yet.

    Anyhow, here is my latest log, as instructed.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not in Control Panel, you mean they are in Add/Remove Programs.

    Try uninstalling them now. If that does not work try the below:

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixreg.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixreg.reg file on your Desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.

     
  10. Infected

    Infected Private E-2

    Just tried to add/remove... no dice. Still redirects me to the "buckstoolbar.com" site.

    Did the notepad step by step, and added it to my registry successfully... but also no dice, as the nasty buggers are still there on the add/remove screen.

    Should I be concerned? It seems as though the computer is usable again (which I thank you immensely for). Just bothers me that the remnants of the virus seem undeletable.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you logged in with Administrator privileges?

    For the HSA hijacker related items, try the modified registry patch.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixhsa.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixhsa.reg file on your Desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.



    After doing the above, download and install Spy Sweeper. Then do the one-time free update and run a full system scan with Spy Sweeper. Fix what it finds and save the log. Post it when you come back.

    Let me know your status now.
     
    Last edited: Jun 13, 2005
  12. Infected

    Infected Private E-2

    i'll try now
     
  13. Infected

    Infected Private E-2

    The modified registry patch didn't do the trick... but I'm not sure about the "Admin Privileges" question. I'm the only user of my PC, but honestly don't know how to check?

    Ran the spysweep program... attached what it found.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After running Spy Sweeper, where do things stand? It found a lot of baddies.

    Try booting in safe mode and logging into the Administrator account. Now try the registry patches and also run SpySweeper again. Also try uninstalling the programs again in safe mode.

    Did the below get deleted when SpySweeper ran:
    c:\program files\search3 toolbar
    c:\program files\cxtpls
    c:\windows\bsx32
    c:\documents and settings\all users\application data\vbouncer
    c:\documents and settings\all users\application data\addestroyer
     
  15. Infected

    Infected Private E-2

    To quote Deniro from "Analyze This": "You... you, you're good you." :D

    I actually think I'm all clean now!

    At the advice of another thread on your forum, I've also switched browsers from IE to Mozilla Firefox, and downloaded the free Sygate firewall. Hopefully that will keep me running well for a while (or at least until the next nasty bug is created lol).

    Thank you, sincerely. If there's any way I can support your site, let me know.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

