
Home Search Assistant


8 replies to this topic

#1 MJSKCANgirl

MJSKCANgirl

  • Members
  • 9 posts

Posted 03 January 2005 - 10:52 PM

My friend has received the Home Search Assistant on his computer and we can not get it removed with the program as he runs Windows 98.

Can you give me instructions on how to remove it? I need careful instructions as we do live in the same town, he knows nothing about computers and I have to try and guide him over the phone.

We have run Spybot and Ad-Aware. He has a very poor system and cannot download many programs (16 MB RAM, 3 GB hard drive).

Can it be done?

MJSKCANgirl


#2 matt_com911

matt_com911

  • Members
  • 17 posts

Posted 05 January 2005 - 12:01 AM

Alright, I'll give you some easy instructions.

1. Go to www.hsremove.com

2. Click on the link in the box at the bottom of the page labelled HSRemove.exe

(not very big, only about 180KB, your friend should be able to download it easily)

3. Save the file to a place you can easily get to (ie My Documents)

4. Wait for the file to download :thumbsup:

5. When the file has finished downloading, restart your computer.

6. IMPORTANT - Before the Windows 98 screen comes up and there is only black, press F8 and choose the Safe mode option. Windows 98 will now run in safe mode. If it's not running in safe mode, you'll have to restart and press F8 again.

7. Double click on the HSRemove.exe file.

8. Popup will come up saying

This program is provided as-is, use it entirely at your own risk

9. Click ok

10. Window will come up with a button "Scan and Remove" Press this button.

11. Some text will come up in the yellow box. This is just showing overall progress nothing to worry about - normal. Everything should go well. Scanning for leftovers may take a while if your computer is slow.

12. IMPORTANT - Now run spybot and adaware (hopefully your friend still has these). This cleans up the remainder of the home search program.

13. Restart Computer but don't press F8.

14. Double click on Internet Explorer. If you now do not have the home search homepage, click on the Tools button on the top of the window and then click on Internet options from the menu that comes up.

15. On the General tab, there will be a home page box. In the text box, type in the home page you wish to have.

Home Search should now be removed. If it's not, post back.

Edited by matt_com911, 05 January 2005 - 12:23 AM.


#3 MJSKCANgirl

MJSKCANgirl
  • Topic Starter

  • Members
  • 9 posts

Posted 05 January 2005 - 12:29 AM

We downloaded HSRemove and tried it before (not in safe mode) but it did not support Windows 98. Hence the dilemma.

I have asked him to download hijackthis as this seems to be what everyone here uses so hopefully I'll be able to talk him through sending me a log I can post.

Thanks

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,389 posts
  • Gender:Male
  • Location:USA

Posted 05 January 2005 - 01:28 AM

Download About:Buster from here: About:Buster Download. Once it is downloaded, extract it to c:\aboutbuster. Reboot into safe mode and run the program. Let it run a pass through your computer twice. Then reboot and do this:

Create a directory on your hard drive, to save HijackThis.exe, called c:\hijackthis. This is a mandatory step, for the backup and restore functions, of HijackThis, to be able to work.

Download the latest version, from here.

Read the pinned post in the HJT forum, here

Then, run a log, and post it in the HJT forum. Do not fix anything, yet.
A member, of the HJT Team, will help you out.
Please, be patient, these people are volunteers. They will help you out, as soon as possible.


If you want to try cleaning it all yourself, there is a self-help guide here:

How to remove Home Search Assistant

#5 MJSKCANgirl

MJSKCANgirl
  • Topic Starter

  • Members
  • 9 posts

Posted 09 January 2005 - 10:06 PM

Hi! Okay, we ran About:Buster (twice) and the following is the log file:

Logfile of HijackThis v1.99.0
Scan saved at 8:52:12 PM, on 1/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\SASKTEL\IP INSIGHT\IPCLIENT.EXE
C:\PROGRAM FILES\SASKTEL\IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bjmbk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bjmbk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bjmbk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bjmbk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaskTel
R3 - Default URLSearchHook is missing
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL
O2 - BHO: Class - {F49CDCAF-423F-0C17-7D9F-0426F77CD991} - C:\WINDOWS\APIBW.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\SASKTEL\IP INSIGHT\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SASKTEL\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [SYSWW32.EXE] C:\WINDOWS\SYSWW32.EXE
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRAM FILES\PANICWARE\SURECLEAN PROFESSIONAL\SRCLEAN.EXE"
O4 - Startup: ATI Scheduler.lnk = C:\ati\atidesk\atisched.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.mysask.com
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1991b21231cd55edfb00/...ip/RdxIE601.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

MJSKCANgirl

#6 MJSKCANgirl

MJSKCANgirl
  • Topic Starter

  • Members
  • 9 posts

Posted 09 January 2005 - 10:11 PM

By the way, since running About:Buster he says that the internet is working a little better but he still has Home Search Assistant, shopping wizard and search extender in his add/remove programs list.

MJSKCANgirl

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,389 posts
  • Gender:Male
  • Location:USA

Posted 09 January 2005 - 10:12 PM

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please download About:Buster from here: About:Buster Download. Once it is downloaded, extract it to c:\aboutbuster. We will use that program later in this process.

Reboot your computer into Safe Mode and follow these steps:

Step 1:
Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and press the fix button when ready:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bjmbk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bjmbk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bjmbk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bjmbk.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL
O2 - BHO: Class - {F49CDCAF-423F-0C17-7D9F-0426F77CD991} - C:\WINDOWS\APIBW.DLL
O4 - HKLM\..\RunServices: [SYSWW32.EXE] C:\WINDOWS\SYSWW32.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1991b21231cd55edfb00/...ip/RdxIE601.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab

Step 2:
I now need you to delete the following files or directories:

C:\WINDOWS\system\bjmbk.dll
C:\PROGRAM FILES\SUBMIT\
C:\WINDOWS\APIBW.DLL
C:\WINDOWS\SYSWW32.EXE

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Step 3:

Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Step 4:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it has completed, move on to step 5.


Step 5:
Reboot your computer back to normal mode so that we can restore files that were deleted by this infection:
  • This infection deletes the windows file, shell.dll.

    If you are using XP,2000, or NT please download shell.dll from here: shell-dll.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system32
    %windir%\system

    If you are using Windows 98 please download shell.dll from here: shell-dll98.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system

    If you are using Windows ME please download shell.dll from here: shell-dll98.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system

  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

  • If you have Spybot S&D installed you will also need to replace one file. Go here: SDHelper.zip and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.

  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.

Step 6:

Run an online antivirus scan at:

http://housecall.antivirus.com/

Reboot and post a last log

#8 MJSKCANgirl

MJSKCANgirl
  • Topic Starter

  • Members
  • 9 posts

Posted 24 January 2005 - 02:28 PM

Today I ran all the things you identified in your previous post.

Home Search Assistant and the other program names that go with it (search extender, shopping wizard etc.) are still showing up on the Add/Remove Programs in the control panel.

We also had a TIBS connection icon in the Dial-Up Networking folder which I just deleted but want to make sure it is gone.

As well, Antivir 9.0 is installed on this computer and it is forever popping up that the following virus is attached to a number of files:

TR/Dldr.Agent.BC

and we can't seem to get rid of this either.

The following is the latest Hijack Logfile:


Logfile of HijackThis v1.99.0
Scan saved at 1:22:41 PM, on 1/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ATLSB32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\SASKTEL\IP INSIGHT\IPCLIENT.EXE
C:\PROGRAM FILES\SASKTEL\IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\PROGRAM FILES\SASKTEL\IP INSIGHT\IPCLIENT.EXE
C:\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaskTel
R3 - Default URLSearchHook is missing
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: Class - {404E5F28-4F5E-24E2-B02E-43EB9C95C683} - C:\WINDOWS\SYSVE.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\SASKTEL\IP INSIGHT\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SASKTEL\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [ATLSB32.EXE] C:\WINDOWS\ATLSB32.EXE
O4 - Startup: ATI Scheduler.lnk = C:\ati\atidesk\atisched.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.mysask.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

Thank You!

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,389 posts
  • Gender:Male
  • Location:USA

Posted 24 January 2005 - 11:30 PM

What files is it saying it's finding and where are they?

Download and save this file:

http://www.bleepingcomputer.com/forums/ind...e=post&id=22927

When it's downloaded, double-click on it and let it merge the data.

Reboot into safe mode and fix these entries:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {404E5F28-4F5E-24E2-B02E-43EB9C95C683} - C:\WINDOWS\SYSVE.DLL (file missing)
O4 - HKLM\..\RunServices: [ATLSB32.EXE] C:\WINDOWS\ATLSB32.EXE

Reboot and delete c:\windows\atlsb32.exe

Then post a new log
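
The comparison behind the fix list above, shown as an added example that is not part of the original thread or any poster's code: it parses HijackThis entry lines and diffs the 9 January and 24 January logs to surface load points that appeared between scans. The function names are hypothetical and the two log strings are excerpts taken from the logs posted above.

```python
import re

# Excerpts from the two HijackThis logs posted in this thread.
LOG_9_JAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bjmbk.dll/sp.html#12345
R3 - Default URLSearchHook is missing
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: Class - {F49CDCAF-423F-0C17-7D9F-0426F77CD991} - C:\WINDOWS\APIBW.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [SYSWW32.EXE] C:\WINDOWS\SYSWW32.EXE
"""
LOG_24_JAN = r"""
R3 - Default URLSearchHook is missing
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: Class - {404E5F28-4F5E-24E2-B02E-43EB9C95C683} - C:\WINDOWS\SYSVE.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [ATLSB32.EXE] C:\WINDOWS\ATLSB32.EXE
"""

# A HijackThis entry line has the form "<section code> - <details>".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Sections that load code at startup or into the browser:
# F0-F3 = ini-file autoloads, O2 = Browser Helper Objects, O4 = Run keys / Startup.
LOAD_POINTS = {"F0", "F1", "F2", "F3", "O2", "O4"}


def parse_entries(log_text):
    """Return the set of (section, details) pairs found in a log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """Return (removed, added) entry lists between two logs."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(old - new), sorted(new - old)


def new_load_points(before, after):
    """Entries that appeared in `after` and belong to an autostart section."""
    _, added = diff_logs(before, after)
    return [e for e in added if e[0] in LOAD_POINTS]


if __name__ == "__main__":
    removed, _ = diff_logs(LOG_9_JAN, LOG_24_JAN)
    for sec, details in removed:
        print("gone:", sec, details)
    for sec, details in new_load_points(LOG_9_JAN, LOG_24_JAN):
        print("NEW :", sec, details)
```

Entries present in both logs, such as the F1 win.ini line, do not show up in the diff, so a baseline from a known-clean scan is still needed to judge them.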



