The Home Search Assistant (HSA) browser hijack is a very persistent hijack. It is characterized by multiple redundant HijackThis entries and re-infection files, all with random names. However, the names follow some recognizable patterns, so they can be determined by checking with HijackThis.exe (HJT) with some patience and determination.
This hijack is also known as:
- Only The Best
- Home Search Extender
- Shopping Wizard
- res://****.dll/index.html#***** (or simply res .dll)
Removal Guide:
(PRINT THESE INSTRUCTIONS OUT FOR YOUR REFERENCE)
Step 1 - Download and install the program Hijack This.exe. Instructions and download link:
http://www.short-media.com/forum/sh...584&postcount=2
Please make sure that HijackThis.exe is in its own folder (eg: C:\hijackthis or C:\HJT).
Also, download the program about:Buster and unzip its contents to the same folder you put HijackThis into.
http://www.atribune.org/downloads/AboutBuster.zip
Please test about:Buster right away. Make sure to check for and download the latest update to the program, then start a scan to see if it works. You don't need to let it scan all the way, just see if it works or not. If you get an error message about a file "MSCOMCTL.OCX", you need to download the following fix:
http://www.javacoolsoftware.net/dow...ngfilesetup.exe
Run that fix, then re-run about:Buster to see if it works. If it still does not, do not worry; you can proceed with the guide without this program.
When you have these programs installed properly in their own directory, run HijackThis and perform a scan as per the instructions. Press the Save Log button. Save the log, but also PRINT IT OUT. You will use that printout to determine the problem entries, and you will be comparing it against a second scan in Safe Mode, so you will need it printed out. Once that is done, exit HJT.
What you are looking for are the following:
- multiple R0 and R1 entries with the same dll name in them, followed by /sp.html#xxxxx where xxxxx is a random number
- R3 entry - Default URLSearchHook is missing
- an O2 BHO entry with a random-seeming dll name, usually 5 characters followed by a 32
- an O4 HKLM Run entry with a random-seeming exe name of either 4 or 5 chars, often with 32 in the name
- multiple O4 RunOnce entries with random-seeming exe names of either 4 or 5 chars, often with 32 in the name
An example taken from our forum:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zxzgr.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxzgr.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzgr.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zxzgr.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\zxzgr.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zxzgr.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxzgr.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzgr.dll/index.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zxzgr.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zxzgr.dll/sp.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5EA09FEA-707B-FB28-AF23-9B7F1EA97C20} - C:\WINNT\mfcwz32.dll
O4 - HKLM\..\Run: [sdkql.exe] C:\WINNT\sdkql.exe
In that case, the files that are causing the problem are:
C:\WINNT\SDKQL.EXE
C:\WINNT\zxzgr.dll
C:\WINNT\mfcwz32.dll
Here is an example of the O4 RunOnce entries:
O4 - HKLM\..\RunOnce: [apisn.exe] C:\WINDOWS\apisn.exe
O4 - HKLM\..\RunOnce: [sysdl.exe] C:\WINDOWS\system32\sysdl.exe
O4 - HKLM\..\RunOnce: [iehe.exe] C:\WINDOWS\system32\iehe.exe
O4 - HKLM\..\RunOnce: [javaiz32.exe] C:\WINDOWS\javaiz32.exe
O4 - HKLM\..\RunOnce: [winqe.exe] C:\WINDOWS\winqe.exe
O4 - HKLM\..\RunOnce: [appxv32.exe] C:\WINDOWS\appxv32.exe
O4 - HKLM\..\RunOnce: [addji32.exe] C:\WINDOWS\addji32.exe
O4 - HKLM\..\RunOnce: [iefj32.exe] C:\WINDOWS\iefj32.exe
O4 - HKLM\..\RunOnce: [ieif.exe] C:\WINDOWS\ieif.exe
O4 - HKLM\..\RunOnce: [mswl.exe] C:\WINDOWS\system32\mswl.exe
O4 - HKLM\..\RunOnce: [apioi32.exe] C:\WINDOWS\system32\apioi32.exe
O4 - HKLM\..\RunOnce: [netgi.exe] C:\WINDOWS\system32\netgi.exe
O4 - HKLM\..\RunOnce: [apiey32.exe] C:\WINDOWS\apiey32.exe
O4 - HKLM\..\RunOnce: [appxa.exe] C:\WINDOWS\appxa.exe
O4 - HKLM\..\RunOnce: [winvr.exe] C:\WINDOWS\system32\winvr.exe
O4 - HKLM\..\RunOnce: [mfcib32.exe] C:\WINDOWS\mfcib32.exe
O4 - HKLM\..\RunOnce: [atlvf.exe] C:\WINDOWS\atlvf.exe
O4 - HKLM\..\RunOnce: [winhj.exe] C:\WINDOWS\system32\winhj.exe
One giveaway of the O4 Run and RunOnce entries is that the process name and filename will be identical, for example:
O4 - HKLM\..\RunOnce: [winhj.exe] C:\WINDOWS\system32\winhj.exe
This gives you some idea of what to look for in your log.
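As an added example (not part of the original post), here is a small Python script that applies the naming patterns above to HJT log lines. The sample log is constructed: the first six lines reuse entries quoted above, while the remaining lines, their GUID and their paths are made up to show what should not be flagged. It is a heuristic; every hit still needs the manual verification the guide describes.

```python
import re
import ntpath

# Constructed sample HijackThis log (not a real log). Lines 1-6 follow the HSA
# patterns the guide describes; the last three are harmless look-alikes.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zxzgr.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzgr.dll/index.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5EA09FEA-707B-FB28-AF23-9B7F1EA97C20} - C:\WINNT\mfcwz32.dll
O4 - HKLM\..\Run: [sdkql.exe] C:\WINNT\sdkql.exe
O4 - HKLM\..\RunOnce: [addji32.exe] C:\WINDOWS\addji32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper32.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

RES_DLL = re.compile(r"res://.*?\.dll/(?:sp|index)\.html#\d+", re.I)  # R0/R1 value shape
RANDOM_NAME = re.compile(r"^[a-z]{4,5}(?:32)?\.(?:dll|exe)$", re.I)  # mfcwz32, sdkql, iehe
O4_ENTRY = re.compile(r"^O4 - .*\\(Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
LOCAL_FILE = re.compile(r"[A-Za-z]:\\[^/\s]+?\.(?:dll|exe)")  # drive-rooted path, no spaces

def classify(line):
    """Return a short reason if the HJT line fits an HSA pattern, else None."""
    line = line.strip()
    if line.startswith(("R0 -", "R1 -")) and RES_DLL.search(line):
        return "R0/R1 pointing at a res:// DLL"
    if line == "R3 - Default URLSearchHook is missing":
        return "R3 URLSearchHook missing"
    if line.startswith("O2 - BHO:") and RANDOM_NAME.match(ntpath.basename(line.rsplit(" - ", 1)[-1])):
        return "O2 BHO with random-looking DLL name"
    m = O4_ENTRY.match(line)
    # The giveaway from the guide: process name equals the file name, and it looks random.
    if m and m["name"].lower() == ntpath.basename(m["path"]).lower() and RANDOM_NAME.match(m["name"]):
        return "O4 %s with random name equal to file name" % m.group(1)
    return None

def suspicious_entries(log_text):
    """(line, reason) pairs for entries fitting the HSA pattern; still verify each by hand."""
    return [(l.strip(), classify(l)) for l in log_text.splitlines() if classify(l)]

def suspect_files(log_text):
    """Sorted, de-duplicated file paths named in flagged entries (what Steps 9 and 10 look for)."""
    paths = set()
    for line, _ in suspicious_entries(log_text):
        paths.update(LOCAL_FILE.findall(line))
    return sorted(paths)
```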
Step 2 - Set your computer to show all hidden files and folders. Instructions:
http://www.short-media.com/forum/sh...588&postcount=3
Step 3 - If you are running Windows XP or ME, disable System Restore. Instructions:
http://www.short-media.com/forum/sh...591&postcount=4
Step 4 - Click Start, and then Run. Type "Services.msc" in the run box and hit enter. Look for any of the following services:
- Network Security Service
- Workstation NetLogon Service
- Remote Procedure Call (RPC) Helper
If any of those are there, right-click on it and STOP the service, then right-click again, go into properties, and set the service to "disabled." Exit the services control panel.
(Note 1 - if you do not see any of the services listed here, simply move on to Step 5. Do not "guess" and disable a service with a name that looks close to one of these. If it does not match one of those listed items exactly, leave it alone, or you could disable a legitimate service needed by Windows.)
Step 5 - Hard reboot your computer (shut it down by pulling the plug or using the rear power switch, as described in Step 13, then turn it back on).
Step 6 - When the computer starts to come to life, start tapping the F8 key on your keyboard. Eventually this will bring you to the Advanced Boot Options screen. Use the up/down arrow keys on your keyboard to select the option which says SAFE MODE (make sure it says only that, not any other options like "with networking" or "with command prompt"). This screen will vary somewhat with different OS versions. Press Enter, and stand by for the computer to boot in Safe Mode. Depending on the speed of your computer, this may take up to several minutes.
***Note - on some computers, tapping the F8 key will first bring up a motherboard-based boot device selection menu. It will have options for what device to boot from, such as Floppy Drive, IDE Hard Drive, ATAPI CD-ROM, Removable Device, etc. Choose IDE Hard Drive. Then, once that menu disappears, begin tapping the F8 key again to get the Advanced Boot Options screen outlined above. ***
Step 7 - Once the computer is booted up in Safe Mode, locate and run HJT again. Scan and save a log. Compare this log against the one you printed earlier. If the files have renamed themselves, look for the R0, R1, O2 and O4 entries that appear in the log now but are not on the printed log. If the file names are the same as in the normal mode scan, then follow the explanations above to determine which files fit the pattern and are likely the cause of your problem. The R0 and R1 entries will be pretty obvious (and if you are not sure, you can fix all R0 and R1 entries, as you can easily reset these in your browser later). The O2 and O4 entries will have to be selected using the naming criteria above. You may use a search engine like Google.com to search for the file name to see if it is a valid file. There are also many good resources for determining if HJT entries and file names are legitimate files or not. Short-Media has a listing of some of the best of these resources here:
http://www.short-media.com/forum/showthread.php?t=15488
If you absolutely cannot figure it out, join our forum membership, post your HJT log, and one of our members will help you determine which entries are your problem.
Fix the offending R0, R1, O2 BHO entries, and any O4 Run / RunOnce entries. Put a checkmark beside them in HJT, and press FIX.
Then, exit HJT, but stay in Safe Mode.
Step 8 - Locate and run about:Buster. Scan your computer by pressing the Start button in about:Buster, and clicking OK. It will attempt to identify and fix the R0 and R1 entries above, plus any other versions of this or certain other infection files that it finds on your computer.
Step 9 - After running about:Buster, you need to confirm that the files in your HJT log have been removed. Stay in Safe Mode, open My Computer, and then open your "C" hard drive. Right-click in there and create a New Folder. Name this folder Quarantine. From the HJT entries above, determine the file names and directory paths of the infection files.
For instance:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zxzgr.dll/sp.html#12802
O2 - BHO: (no name) - {5EA09FEA-707B-FB28-AF23-9B7F1EA97C20} - C:\WINNT\mfcwz32.dll
O4 - HKLM\..\Run: [sdkql.exe] C:\WINNT\sdkql.exe
O4 - HKLM\..\RunOnce: [addji32.exe] C:\WINDOWS\addji32.exe
Locate those files by navigating to their locations. If any of them still exist on your computer, proceed to Step 10. Otherwise, skip to Step 11.
Step 10 - Move these files to the Quarantine folder on your C drive. Rename all of the .dll extensions to .ddd, and all of the .exe's to .xxx. That way, if you accidentally quarantined a legitimate file, you can always replace it by renaming it and moving it back to where it came from (consult your printed HJT log to determine the correct folder it came from, or save the text file of your HJT log with the date on it for reference).
Step 11 - (Warning - this step uses the Regedit tool. Be very cautious; making a mistake here can seriously foul up your computer!) Still in Safe Mode, click on Start -> Run. Type REGEDIT and press Enter.
Click the + signs next to the folders to navigate the registry folder:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Highlight Services on the left hand side of the window. In the right hand side pane, look for any entries named:
- Network Security Service
- Workstation NetLogon Service
- Remote Procedure Call (RPC) Helper
- __NS_Service
- __NS_Service_2
- __NS_Service_3
Obviously, you would expect to see the one that matches the service you identified in Step 4, but check for them all to be safe. If you see any of them, right click on them, and delete them.
Next, navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root on the left side. Look on the right side for any of these:
- LEGACY Network Security Service
- LEGACY Workstation NetLogon Service
- LEGACY Remote Procedure Call (RPC) Helper
- LEGACY___NS_Service
- LEGACY___NS_Service_2
- LEGACY___NS_Service_3
Again, you would expect to see the one that matches the service you identified in Step 4, but check for them all to be safe. If you see any of them, right click on them, and delete them.
If you cannot remove one of these entries, right click on it and choose Permissions. Check the Full Control box and click OK. Then try to delete it again. If you are using Windows 2000, close Regedit. Click on Start -> Run, and type in REGEDT32. Locate the same folder and highlight it. Click on the Security menu at the top of the Regedt32 program, select Permissions and change the permissions to Full Control. Then try to delete the key. Once the keys are deleted, close the Registry Editor.
(Note - you may not have these entries in your Registry. This list is being updated as new entries are located on various sources on the internet. New registry variants may appear at any time. If you do not find one of the ones listed, do not worry, just proceed to Step 12. So long as you have stopped the service and quarantined the files, the stray registry entries will not cause the hijack to return. Your registry is likely full of stray entries like this from various software that has been installed and removed from your system. If you are concerned about this, install a registry cleaning program to identify and clean stray entries. I recommend Easy Cleaner.)
Step 12 - Clean out temporary and temporary Internet files. There are a couple of ways to do this:
a - Open My Computer, right click on your C drive, select Properties, and click Disk Cleanup.
b - Go to "Start" => "Run" and type in the box: "cleanmgr".
c - Use a cleaning program like Easy Cleaner to clean out temporary files.
Whichever way you choose, let the disk cleanup manager scan your system for files to remove. Set it to clean Temporary Files, Temporary Internet Files, and Recycle Bin. Click OK to begin.
Step 13 - Hard boot the computer again. Manually shut the computer down, by either yanking the plug out of it, or shutting it off with the rear power switch. Then, plug it back in or turn it back on. Let it boot up normally.
Step 14 - Launch Internet Explorer, and see if the problem is gone. You may need to reset your home page settings by clicking the Tools menu -> Internet Options -> Programs -> Reset Web Settings. Then click the General Tab in that same window, and manually set whatever home page you want. Surf a few websites to make sure the hijack is gone.
Step 15 - Exit Internet Explorer and run HJT again. Scan again and search once more for any entries that match the HSA criteria. If any are there, repeat the process. If none are there, exit HJT and celebrate...you have slain the monster!
If you still have the problem, register for Short-Media's forums and post a HJT log in the Spyware/Virus/Trojan Discussion forum:
http://www.short-media.com/forum/forumdisplay.php?f=57
Let us know if you followed this guide, as well as whether or not you ran Ad-Aware / Spybot S&D. If your problem is not fixed, do not complete Steps 16 or 17 yet.
Step 16 - Reset the "Hide Protected Operating System Files" option that was changed in Step 2. Keep "Show Hidden" turned on, and "Hide Extensions" turned off. This gives you better control of seeing what is on your computer.
Step 17 - On XP and ME, re-enable System Restore as per the instructions here:
http://www.short-media.com/forum/sh...591&postcount=4
If you have removed this hijack successfully, you may notice that it left some entries in your Add/Remove Programs control panel, that cannot be removed from it. The program Easy Cleaner, linked above, will also take care of that problem, and many others. It is a very useful application.
This information was taken from
http://www.short-media.com/forum/sho...74#post172774