Remove Home Search Assistant Hijack

Home
What's New
AI Products
Alzheimer's, beat it
Android Eyes
Android Fingers
Android Hands
Animatronic Products
Animatronic Sites
Asimov's Laws
Baby Androids
Bipedal Projects
Books
Business Plan
Competitions
Conferences
Digital Gyro Board
Domestic robots
Education
Engineers Recommended
Entertainment robots
Future of Androids
Global Warming Fix
Globes of planets
Greatest Android Projects
Gyro/Accelerometer board
Haptic Sensor
Head Projects
Historical Projects
In the Movies
Kill Viruses/Trojans
Live to 100
Mecha Projects
NASA Projects
Planetary Globes
Personal projects
Philosophy of Androids
PRODUCTS
Robo-prize $5M
Robotics Sites
Secret Projects
Smaller projects
Sub-assembly projects
Superintelligence
Suppliers Recommended
Tactile Sensor
Touch Sensor
Valerie Android
Video cameras (smallest)
What's New
Home

                              Does your IE home page look like this?

 

It took me 3 days to kill this thing off. It is infuriating. I was editing the registry to get rid of the bad stuff and as soon as I exited the registry editor, IT WAS ALREADY CHANGED BACK TO THE BAD STUFF!   You will also find that many of the bad files, executables, and dlls CANNOT BE DELETED in the normal mode of operation.

  • 1.  What does this thing do?
    • It installs a local service which monitors its own health.
    • It puts executables into the C:\Windows\ directory. (or C:\Winnt\)
    • It puts dlls into the C:\Windows\system32\ directory.
    • These programs work together to change the registry entries for IE
    • The bad IE entries point to the dlls 
    • The dlls are also installed as BHOs in the class id section of the registry.
    • The dlls display the search assistant crap.
  • 2.  How do I find the bad guys.
    • Finding (and stopping) the local service.
      • click "start" (bottom left of your screen)
      • select "Run"
      • type "services.msc"
      • ok
      • maximize the window
      • open up the "name" & "description" columns by
      • putting the cursor over the column divider and dragging to the right.
      • look for any of the following:
        • Network Security Service
        • Workstation NetLogon Service
        • Remote Procedure Call (RPC) Helper
      • Select it
        • Right click on it.
        • the service name will probably be garbage.
        • STOP it if the service is running.
        • Right click again
        • select properties.
        • set it to "disabled"
        • write down the full path and name of the executable for use later.
      • Repeat the preceeding step if more than one is found.
      • exit the services window
    • Finding the bad executables in the C:\Windows\ directory
      • Use windows explorer to navigate to the C:\Windows\ directory
      • Click at the top of the "date modified" column to sort the list by date.
      • Click again to bring the most recent dates to the top.
      • Scan all executables which have dates in the last 2 months.
      • Write down the names of any which are suspicious.
        • Bad ones are:    sysxx.exe     xx = any letters
        • Bad ones are:    winxx.exe     xx = any letters
        • Bad ones are:    winxx32.exe   xx = any letters
        • there may be others
      • Move the cursor over each name in your list.
      • If you wait a few seconds a "Tooltip" message will appear.
      • Good programs will have a real message telling who they are (like Microsoft or McAfee or Norton)
      • Bad programs will have no such info.
    • Finding the bad dlls in the C:\Windows\system32\ directory.
      • Use windows explorer to navigate to the C:\Windows\system32\ directory
      • Click at the top of the "date modified" column to sort the list by date.
      • Click again to bring the most recent dates to the top.
      • Scan all dlls which have dates in the last 2 months.
      • Write down the names of any which are suspicious.
        • Bad ones are:    xxxxx.dll     xx = any letters
        • Bad ones are:    sysxx.dll     xx = any letters
        • Bad ones are:    winxx.dll     xx = any letters
        • Bad ones are:    winxx32.dll   xx = any letters
      • Move the cursor over each name in your list.
      • If you wait a few seconds a "Tooltip" message will appear.
      • Good programs will have a real message telling who they are (like Microsoft or McAfee or Norton)
      • Bad programs will have no such info.
  • 3.  Outline of how to get rid of it.
    • Turn off "system restore" if it is on using #4 below.
    • Stop the local service as given in #2 above.
    • Delete as many of the BAD executables and dlls as you can.
    • Download and install and run about:buster  (its FREE)
    • You may wish to try the procedure given in #6 below.
    • You will need to reboot in "Safe mode" to delete those files, executables, and dlls which you could not delete in normal mode.
    • When in "safe mode" navigate to each directory and delete the files which you could not delete in normal mode.
    • Next you will need to clean up your registry. Follow #5 below.
    • Finally you need to run Internet Explorer again to see if it is gone.
    • If it is gone, you can turn "system restore" back on.
  • 4. Turning off "system restore"
    • click "start" (bottom left of your screen)
    • select "control panel"
    • select "system"
    • right click & open
    • select "system restore" tab
    • check "turn off system restore on all drives"
    • click "apply"
    • click "ok"
    • close "control panel"
  • 5.  Cleaning up your registry.
    • Download and install and run about:buster  (its FREE)
    • To manually check (and fix) do the following:
      • click "start" (bottom left of your screen)
      • select "Run"
      • type "regedit"
      • ok
      • You need to fix the following three things:
        • You need to remove all references to all files, executables, and dlls in the lists you made in step #2 above.
        • You need to fix all Internet Explorer links which contain xxxxx.dll/sp.html#ddddd.  Simply modify them to http://www.google.com/  or whatever you want. Just search for "dll/sp.html#".
        • You need to kill the bad Run, RunOnce, and RunOnceEx entries under HKey/ LocalMachine/ Software/ Microsoft/ Windows/ CurrentVersion/ Run, RunOnce, & RunOnceEx.  Basically just delete any entry which runs one of the BAD names you found.
      • To remove any name do the following
        • Drag the scroll bar to the top
        • Click on "my computer" - this points you to the top
        • Edit & Find the name you want to delete.
        • delete or fix the entry
        • press F3 to find the next occurence of the same name.
        • repeat until no further occurences are found.
  • 6.  Home search assistant removal helper
  • 7.  Useful downloads
    • SpywareBlaster will help prevent these in the future. (its FREE)
    • Download and install it.
  • 8.  Who is doing this to us?
    • Here are the URLs and IP addresses which I have found.
      • looking-for.cc              195.225.176.27
      • lookingfor.cc               195.225.176.3
      • netcasthost.com      195.225.176.0 - 195.225.179.255
      • coolwebsearch.com     66.250.74.150
      • cogent communications        66.250.0.0 - 66.250.255.255
      • onlythebest.com           209.55.83.12
      • shoppingwizard.com    208.254.3.160
      • easy-search.biz            69.50.170.18
      • standard shells        69.50.170.0 -  69.50.170.255
    • Go into your FIREWALL and BLOCK all the above IP addresses.
  • 9.  IP tools to help you find these guys.

 

Comments?   Email me at crwillis@androidworld.com