How To Remove A-search.biz - Ssearch.biz - Xysearch.biz


#1 Grinler (Lawrence Abrams), Admin

Posted 28 September 2004 - 04:24 PM

This self-help guide will walk you through the steps to remove the Ssearch.biz and a-search.biz hijacker. This only applies to XP/NT/2000 Operating Systems.

There are currently two ways for your browser to be hijacked to A-search.biz - ssearch.biz or zysearch.biz. I have given a removal process for each method of infection.

Tools Needed for this fix: HijackThis, Registrar Lite, KillBox

Related Tutorials: How to boot Windows into Safe Mode

Symptoms in a HijackThis Log for method 1 of infection (Use Method 1 Removal Process):

O4 - HKLM\..\Run: [Cache] C:\Documents and Settings\Edited Name\qcache.exe
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\KNQTWZ]`.dll

Other symptoms are that your browser gets redirected to ssearch.biz or to the http://a-search.biz/?wmid=1010 homepage.


Symptoms in a HijackThis Log for method 2 of infection (Use Method 2 Removal Process):

F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_


Other symptoms are that your browser gets redirected to ssearch.biz or to the http://a-search.biz/?wmid=1010 homepage.


If you have one of the two types of symptoms showing in your HijackThis log, then use the appropriate removal process outlined below. If you do not have any of these symptoms other than the redirection to a-search.biz, then follow method 2.
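As an added example (this script is not part of the original guide and is not a HijackThis or BleepingComputer tool), the PowerShell below reads the registry locations that HijackThis reports as the O4, O18 and F2 lines quoted above and tells you which removal method applies. It is read-only and changes nothing. Assumptions: an elevated PowerShell 2.0 or later prompt; the function name, the output layout and the Method numbering are this example's own; the indicator names (pnpsvc, qcache.exe, the "start" protocol handler, the extra UserInit entry, tgbrfv_.exe and TGBRFV_5.dll) are the ones named in this guide.

```powershell
# Added example, not from the original guide: read-only audit of the registry
# locations behind the HijackThis O4 / O18 / F2 lines quoted above.
# Run from an elevated PowerShell (2.0 or later) prompt; nothing is modified.
function Find-SearchHijacker {
    $found = @()
    $sys32 = Join-Path $env:SystemRoot 'system32'

    # Method 1, Steps 1/2: the "Plug and Play svc service" lives under Services\pnpsvc
    # and loads its payload through Parameters\ServiceDll.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\pnpsvc'
    if (Test-Path $svcKey) {
        $display = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).DisplayName
        $dll     = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        $found += [pscustomobject]@{ Method = 1; Where = $svcKey; Detail = "DisplayName='$display' ServiceDll='$dll'" }
    }

    # Method 1: O4 Run entries that launch qcache.exe (checked in HKLM and HKCU).
    foreach ($hive in 'HKLM', 'HKCU') {
        $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($p in $run.PSObject.Properties) {
                if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'qcache\.exe') {
                    $found += [pscustomobject]@{ Method = 1; Where = "$runKey [$($p.Name)]"; Detail = $p.Value }
                }
            }
        }
    }

    # Method 1: O18 "start" protocol handler. HijackThis resolves the handler's CLSID
    # to its InprocServer32 DLL, which is the path shown at the end of the O18 line.
    $handler = 'HKLM:\SOFTWARE\Classes\PROTOCOLS\Handler\start'
    if (Test-Path $handler) {
        $clsid  = (Get-ItemProperty -Path $handler -ErrorAction SilentlyContinue).CLSID
        $server = $null
        if ($clsid) {
            $server = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        }
        $found += [pscustomobject]@{ Method = 1; Where = $handler; Detail = "CLSID=$clsid InprocServer32='$server'" }
    }

    # Method 2: F2 UserInit. A clean value is "C:\WINDOWS\system32\userinit.exe,";
    # any extra comma-separated name is the hijacker, and per the guide its files
    # are system32\<name>.dll and system32\<name>.exe.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Userinit
    if ($userinit) {
        $extra = $userinit -split ',' | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -ne '' -and $_ -notmatch '(?i)userinit\.exe$' }
        foreach ($name in $extra) {
            $files   = @("$sys32\$name.dll", "$sys32\$name.exe")
            $present = @($files | Where-Object { Test-Path -LiteralPath $_ })
            $found += [pscustomobject]@{ Method = 2; Where = "$winlogon [Userinit]"; Detail = "'$userinit' -> files to delete: $($files -join ', ') (on disk: $($present -join ', '))" }
        }
    }

    # Method 2 fallback: the file pair the guide names for logs with no F2 line.
    foreach ($f in 'tgbrfv_.exe', 'TGBRFV_5.dll') {
        $path = Join-Path $sys32 $f
        if (Test-Path -LiteralPath $path) {
            $found += [pscustomobject]@{ Method = 2; Where = $path; Detail = 'fallback file present' }
        }
    }

    [pscustomobject]@{
        Methods    = @($found | ForEach-Object { $_.Method } | Sort-Object -Unique)
        Indicators = $found
    }
}

$audit = Find-SearchHijacker
if ($audit.Indicators.Count -eq 0) {
    'No pnpsvc / qcache.exe / start-handler / UserInit indicators found.'
} else {
    $audit.Indicators | Format-Table -AutoSize -Wrap
    "Apply removal method(s): $($audit.Methods -join ', ')"
}
```

If the script reports a Method 2 UserInit entry but neither derived file is on disk, the name may be a decoy or the file may already be gone; check the fallback pair and the F2 line in HijackThis before deleting anything.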



Method 1 Removal Process

Step 1:

The first thing you need to do is determine if you actually are infected with this variant. To do this click on start, then run, and type services.msc and press the OK button.

You will now see the services window with a listing of all your services. Scroll through the services and see if you have a service with the following name:

Plug and Play svc service

If this service exists proceed to the next step.


Step 2:


Download and install the program Registrar Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double-click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters\\ServiceDll

And press enter. You will now be presented with new information in the right and left sections of the program. In the right section you should see the ServiceDll value highlighted. Double-click on it and write down the name of the dll found there. This is the infection we need to remove.


Step 3:


Start HijackThis and when it opens, click on Config then click on Misc Tools. Once at the new screen click on the "Delete a file on reboot" button. You will be presented with a dialog asking you to pick a file. Copy and paste the full path and name of the DLL found in the previous step into the file name field and press the Open button.

When HijackThis prompts you to reboot, please do so.

When the computer is back to your desktop confirm that the file from the previous step no longer exists.

If it is no longer there then do the following:

Delete the file c:\windows\system32\pnpsvc.inf

Then launch Notepad, and copy and paste the contents of the quote box below into a new text file.

Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\EventLog\Application\PNPSVC]


Now double-click on the fixme.reg file you just saved and click on the Yes button when it asks if you would like to merge the information.

Next, start Registrar Lite again and enter each of these addresses into the address field, one at a time:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PNPSVC

At each location delete the highlighted LEGACY_PNPSVC key. If you have trouble deleting one of these, right-click on it and click on Properties. Then click on the Permissions button and make sure Everyone or Users has Full Control. Then try to delete it again.

Do not delete any other entries at all.


When that is completed, run HijackThis again and click on the Scan button. If you see any entries that start with O4 and contain qcache.exe, or that look like this:

O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\KNQTWZ]`.dll


then place a checkmark next to that entry and click on the Fix button.

Then reboot your computer into Safe Mode using these instructions:

How to boot Windows into Safe Mode

and delete the qcache.exe file from the entry you just fixed. If you can't find it, search for it and then, when it's found, delete it.

Your computer should now be clean


Method 2 Removal Process


Step 1:

Start HijackThis and look for an entry like the following:

F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_

The file we want to look for in this entry is the one surrounded by the _ character. In the example above, it is the _huytam_ file. We will then take that file and add .exe and .dll onto it. For example, _huytam_ corresponds to two files:

File 1: c:\windows\system32\_huytam_.dll
File 2: c:\windows\system32\_huytam_.exe

If the file identified in this step was _abbca_ then the files would be:

File 1: c:\windows\system32\_abbca_.dll
File 2: c:\windows\system32\_abbca_.exe

We will delete these files in the next step.

If you do not have an F2 entry, or there is no file listed, and you are still getting redirected after changing your homepage to something else, then you should use these files in the next step:

File 1: C:\Windows\system32\tgbrfv_.exe
File 2: C:\Windows\system32\TGBRFV_5.dll


Step 2:

Download killbox here:

KillBox

Unzip the folder to your desktop.

Double-click on the Killbox.exe icon.

Select the Delete on reboot option.


In the field labeled "Full path of file to delete" enter File 1 found in step 1

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter File 2 found in step 1

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the YES button.


Your computer will now reboot. When it is back up, check that both files are gone.


Step 3:

Now run HijackThis again and press the Scan button. Then place a checkmark in the F2 line identified in Step 1 and press the fix button.

Then exit HijackThis.


Step 4:


Enter the control panel and double-click on the Internet Options icon.

In the Home Page section in the Address field, enter the website you would like Internet Explorer to open to automatically. For example if you want google to automatically open enter www.google.com

Close the Internet Options screen.

Your computer should now be clean
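As an added example that is not part of the original guide, the PowerShell below shows the mechanism that both "Delete a file on reboot" in HijackThis (Method 1, Step 3) and "Delete on reboot" in KillBox (Method 2, Step 2) rely on: the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT and no destination, which records the path under Session Manager\PendingFileRenameOperations so the file is deleted at the next boot, before the hijacker's DLL or EXE can be loaded again. It then reads that queue back and, after the reboot, confirms the files are gone. Assumptions: an elevated PowerShell 2.0 or later prompt (Add-Type is needed for the P/Invoke), and the two _huytam_ paths are placeholders taken from the guide's example; substitute the files you identified in Step 1. The function names are this example's own.

```powershell
# Added example, not from the original guide: the "delete on reboot" mechanism used
# by HijackThis (Method 1, Step 3) and KillBox (Method 2, Step 2).
# Requires an elevated PowerShell 2.0+ prompt. Target paths below are placeholders.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Register-DeleteOnReboot {
    param([Parameter(Mandatory = $true)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "not on disk, nothing to queue: $p"
            continue
        }
        # A null destination plus the delay flag means "delete at next boot".
        $ok = [Win32.Kernel32]::MoveFileEx($p, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
        if (-not $ok) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "MoveFileEx failed for '$p' (Win32 error $err)"
        }
        "queued for deletion at next boot: $p"
    }
}

function Get-PendingDeletes {
    # PendingFileRenameOperations is a REG_MULTI_SZ of (source, destination) pairs.
    # Sources are NT paths (\??\C:\...); an empty destination means delete.
    $ops = (Get-ItemProperty -Path $sessionManager -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $deletes = @()
    if ($ops) {
        for ($i = 0; $i + 1 -lt $ops.Count; $i += 2) {
            if ($ops[$i + 1] -eq '') { $deletes += ($ops[$i] -replace '^\\\?\?\\', '') }
        }
    }
    return $deletes
}

function Test-Removed {
    param([Parameter(Mandatory = $true)][string[]]$Path)
    foreach ($p in $Path) {
        [pscustomobject]@{ Path = $p; StillPresent = (Test-Path -LiteralPath $p) }
    }
}

# Placeholder targets: the Method 2 file pair from the guide's _huytam_ example.
$targets = @("$env:SystemRoot\system32\_huytam_.dll", "$env:SystemRoot\system32\_huytam_.exe")

Register-DeleteOnReboot -Path $targets
'Queued deletes now in PendingFileRenameOperations:'
Get-PendingDeletes

# After rebooting, run only this line: every StillPresent should be False.
Test-Removed -Path $targets
```

Queue every file first and reboot once, the same order the guide gives for KillBox (answer No to the first reboot prompt, Yes to the last). If Test-Removed still shows a file after the reboot, something restarted the hijacker before the session manager ran; repeat the step from Safe Mode as the guide describes for Method 1.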




This is a self-help guide. Use at your own risk.


BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

Edited by Grinler, 19 November 2006 - 10:30 AM.