GENERIC SOLUTION FOR "Only the Best" aka "HSA" and about:blank HIJACKERS
Last update 10/22/2004 - Added update for ADS infection type in services file. Removed the colors that indicated updates (was getting too colorful).
INTRODUCTION
Below is an almost generic solution to use in attempting to fix the now infamous "Only the Best" aka "HomeSearchAssistent" aka "HSA" hijacker. I say almost generic because it is impossible to predict what DLL and EXE filenames everyone having this problem will see on their computer. In addition, it is also impossible to determine how many of these files will be found running. It appears that the more times an incorrect or incomplete fix is attempted the more EXE file names will be spawned. The difficult area is steps 7 and 8 below.
I have now added about:blank to the title since some form of the about:blank hijack can also be fixed using this procedure. The form I'm referring to is one that has R0, R1, and O2 type lines in a HijackThis log that are similar to those of an HSA hijack. The syntax of those lines is described below in the section titled HOW TO IDENTIFY HIJACKER LINES: AN EXAMPLE. The kind of about:blank hijack that CANNOT be fixed with this procedure is of the following form:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
Before starting the steps below, I want you to make sure you have several applications already installed and updated. Click on each of the links and make sure that is the version you are using. Then quickly run the programs just to verify that you have the current updates already installed (click check for updates or whatever they use to update). It is well worth the time to check this first. Don't just assume you have the correct versions. There have been many instances where we have found that users are not using current versions of applications. We may not use every one of these programs in all cases, but they may be necessary sometimes.
- Ad-aware SE
- SpyBot S&D
- HSRemover
- about:Buster
- HijackThis
- ADSspy
- Ccleaner
- ProcessExplorer for Win 9x/Me
- ProcessExplorer for Win NT/2K/XP
ADDITIONAL THINGS TO KNOW
If you do not know how to use the Windows Registry Editor please see this.
If using WinXP, setup search to locate hidden/system files: click Start, Search, All Files and folders, select More advanced options. Make sure you have checks on:
1) Search system folders
2) Search hidden files and folders
3) Search subfolders
HOW TO IDENTIFY HIJACKER LINES: AN EXAMPLE
Okay, below are the steps we are going to use. Make sure you print these or save them to a file on your PC because I am going to have you disconnect your PC from the internet at a certain point (Not Yet!). Once disconnected, do not connect again until I tell you to do so. In many cases this step has been one of the most important steps. Do not ignore it!!!
In an attempt to make this solution easier to follow, I'm first going to show the parts of a sample HijackThis log that we are concerned with. Sample log snippets:
Note, your filenames will be different. The above lines are examples that I am using below for demonstrating the generic solution. The full path to the DLL file that you obtain from your HijackThis log on the R0 & R1 lines is what you will need to substitute into step 5 below where it gives c:\windows\system32\xxxxx.dll as an example. Your R0 & R1 lines may not even have c:\windows\system32 as the directory. There have been several cases where the directory was either c:\windows or c:\windows\system.
This next paragraph will be important for you to understand before you get to step 8. You will need to do all of the online searching for good/bad files before I take you offline. So read the next paragraph and look at your HijackThis log and see if you can identify the bad files indicated in the O4 section. Some of these EXE files may only show in the processes list of HijackThis, and some may show in both the process list and the O4 section of HijackThis. Now, this is the hardest part: you need to identify these files as good or bad. Try excite.com or google.com (I find excite.com to come up with more useful hits than google.com). Use PacMan's Startup List ( http://www.sysinfo.org/startuplist.php ) to find the entry and see if it's good or bad. You can also use http://www.liutilities.com/products...processlibrary/ to compare against. My experience is that typically these bad EXE file names will be 4 to 7 characters long + .exe. Sometimes (as shown above) they have a 32 just before the .exe. In addition, when performing all the possible searches listed, you typically do not get any hits describing a valid EXE or even a known other type of bad EXE. You either get no hits or the only hits will be other people's HijackThis logs with the same type of hijack going on. Sometimes you can locate all of these EXE files in c:\windows, c:\windows\system, or c:\windows\system32 easily by using Windows Explorer and sorting on modification date. Look for a date anywhere between the time you first got the problem and the current date. One additional note on identifying these bad files: they always have the following pattern:
[syspg.exe] C:\WINDOWS\syspg.exe
Notice that the name in [] is an exact match of the file name at the end of the line.
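To make the identification rules above concrete, here is an added example (not part of the original post, and not code from HijackThis) that applies them to a few constructed log lines: R0/R1 entries that point at a local DLL, an unnamed O2 BHO, and O4 entries whose [label] exactly matches the filename they launch. The filenames are the ones this write-up uses as examples; the sample lines and the second BHO's GUID are made up.

```python
import re
import ntpath

# Constructed sample HijackThis log lines (not from the original post); the
# filenames are the ones this write-up uses as examples, and the GUID of the
# named BHO is made up to stand in for a legitimate helper.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ftlsk.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {ADFA3880-261B-1BF8-91EB-1DEF4A8C4300} - C:\WINDOWS\atlef.dll
O2 - BHO: Example Link Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [syspg.exe] C:\WINDOWS\syspg.exe
O4 - HKLM\..\Run: [nthc32.exe] C:\WINDOWS\system32\nthc32.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

def is_hijacker_line(line):
    """Return (reason, path) when a log line matches one of the HSA patterns
    described above, otherwise None."""
    if line.startswith(("R0 -", "R1 -")):
        # Home/search page entries that point at a DLL on the local disk
        m = re.search(r"([a-z]:\\[^\s]*?\.dll)", line, re.IGNORECASE)
        if m:
            return ("R0/R1 points at a local DLL", m.group(1))
    elif line.startswith("O2 -") and "(no name)" in line:
        # A Browser Helper Object with no name loading a DLL
        return ("unnamed BHO", line.rsplit(" - ", 1)[-1].strip())
    elif line.startswith("O4 -"):
        # Startup entry whose [label] is exactly the filename it launches
        m = re.search(r"\[([^\]]+)\]\s+(\S+)", line)
        if m and m.group(1).lower() == ntpath.basename(m.group(2)).lower():
            return ("O4 label equals filename", m.group(2))
    return None

def triage_log(text):
    """Collect the DLLs and EXEs to treat as part of the hijack, plus the exact
    log lines to have HijackThis fix (steps 7, 8 and 12)."""
    dlls, exes, fix_lines = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        hit = is_hijacker_line(line)
        if hit:
            fix_lines.append(line)
            (dlls if hit[1].lower().endswith(".dll") else exes).add(hit[1])
    return {"dlls": sorted(dlls), "exes": sorted(exes), "fix_lines": fix_lines}
```

Run `triage_log` over your own saved log text; anything it flags still needs the manual good/bad check described above, since the O4 rule is a pattern, not proof.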
ALMOST READY TO START
Obviously before continuing, you need your current HijackThis log. So if you rebooted since last checking your log, run another one to make sure it has not changed the filenames again. You should print this information so you can refer to it later when you are offline.
Note: In the steps below the blue underlined items are links that MUST be clicked to see additional important information and directions (how to do's)!
THE STEP BY STEP SOLUTION
1) If running WinMe or WinXP, disable system restore and reboot! Here's how to disable system restore.
2) Make sure you have enabled viewing of Hidden Files and Folders and system files with Windows Explorer. While doing this, also verify that you do NOT have a check on the option to Hide extensions for known file types.
3) Make sure you know how to boot in safe mode too (but don't do it yet!):
4) Physically disconnect from the internet (pull your ethernet cable if you have DSL or cable modem. If you have an analog modem, drop your connection and unplug the telephone line to the modem.) Also at this point, you MUST exit all Internet Explorer sessions (it would be a good idea to exit anything that is not necessary).
5) Now we are going to use notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijackThis log. To do this click Start, Run, and enter the following command "notepad c:\path\xxxxx.dll" (without the quotes) and click OK.
NOTE: The generic c:\path\xxxxx.dll must be replaced by the path and filename found in the R0 & R1 lines from your HijackThis log. So for the example log being used the command would be:
notepad C:\WINDOWS\system32\ftlsk.dll
Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file). Now using Windows Explorer, locate the file ftlsk.dll and right click on it and select Properties and change the attributes to Read Only and click OK.
6) This step only applies to WinNT, Win2K or WinXP systems. For Win9x and Me based systems you will most likely see additional lines in the O4 section of HijackThis (typically O4 - HKLM\..\RunServices).
Check to see if a Windows service named "Network Security Service" (NSS for short) is running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now in the Services window that pops up look for Network Security Service. If you find that service, you must stop it by right clicking on it and selecting Stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: ", click on the pull down arrow and change it to Disabled. Also on the Properties page, make note of the information in the "Path to executable" box. You are going to use this later.
Another service has been found to possibly be used. So we also need to look for the "Workstation Netlogon Service" (WNS for short) using the same method as above. And again, if found, stop it and disable it. Again make note of the "Path to executable" for later use.
A third possible service has been identified to be used sometimes. So now we need to look for the Remote Procedure Call (RPC) Helper using the same method as above. And again, if found, stop it and disable it. Again make note of the "Path to executable" for later use.
If you do not find any of these services running, just continue with the next steps.
Only look for those exact names "Network Security Service" and/or "Workstation Netlogon Service" and/or "Remote Procedure Call (RPC) Helper" nothing else.
7) This is where things become difficult. You need to determine the BHO (Browser Helper Object) line added by the hijacker. Normally you will see the hijacker add only one BHO line, however, there have been cases with many of these BHO lines added. Be careful not to confuse the hijacker BHO with valid BHO lines. A typical BHO line may look like the line below from the example HijackThis log:
O2 - BHO: (no name) - {ADFA3880-261B-1BF8-91EB-1DEF4A8C4300} - C:\WINDOWS\atlef.dll
8) You also need to determine all the executable (EXE) files that are loading during Startup. These EXE files can be loaded many different ways. Most of them will show in one of many types of O4 lines that HijackThis can display. From the example HijackThis log (there are more types that could occur):
9) Shutdown (not minimize) all applications (especially IE and Windows Explorer) and run HijackThis. Have it fix all the lines determined to be part of the hijacker in steps 7 & 8.
10a) Now reboot in safe mode (via method given in step 3) and then delete all the DLL and EXE file names found in steps 7 and 8.
10b) This step only applies to WinNT, Win2K or WinXP systems. If you found the Network Security Service or the Workstation Netlogon Service, or the Remote Procedure Call (RPC) Helper running in step 6, delete the files indicated in the Path to executable!
The Service file found in step 6 may look similar to any of the below (your file name will most likely be different):
C:\Windows\system32\javajt32.exe /s
C:\Windows\javajt32.exe /s
C:\WINDOWS\smscfg.ini:tfuqu
C:\WINDOWS\SYSTEM32\smscfg.ini:tfuqu
For the first two types, be careful: the Path to executable always contains a trailing /s. The /s is not part of the filename. For example, the Path to executable could be C:\Windows\system32\javajt32.exe /s but the filename (with path) is C:\Windows\system32\javajt32.exe. If you have a problem deleting any of these files (like it is denied because it is in use), run ProcessExplorer and try to locate the running process and kill it. Then try to delete the file.
The second two types, with the colon in the filename, are a new type. This is an Alternate Data Stream (ADS) infection and must be handled differently. Locate the ADSspy.zip file you downloaded at the beginning of this process and extract the executable program. Then double-click on ADSSpy.exe. Now click on the "Scan the system for alternate data streams" button. After ADSSpy has finished scanning your computer, you will see a list of files that were found. Look in this list for the entry that you found in Step 6 (the Path to executable of the service). This is the one that has the colon separating two filenames. When you find it, put a checkmark next to it. Then click on the "Remove selected streams" button. This should delete the ADS.
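As an added example (not part of the original post), here is a small Python helper that applies the rules above to the four sample Path to executable forms: it separates trailing switches like /s from the filename, and tells an ordinary file apart from an ADS entry by the second colon after the drive letter. The sample values are constructed from the list above.

```python
import re

# Constructed sample "Path to executable" values (not from the original
# post), modelled on the four forms listed above.
SAMPLE_SERVICE_PATHS = [
    r"C:\Windows\system32\javajt32.exe /s",
    r"C:\Windows\javajt32.exe /s",
    r"C:\WINDOWS\smscfg.ini:tfuqu",
    r"C:\WINDOWS\SYSTEM32\smscfg.ini:tfuqu",
]

def parse_service_path(path_to_executable):
    """Work out what actually has to be removed for a service's Path to executable.

    Returns {"kind": "file", "file": ..., "switches": [...]} for an ordinary
    program, or {"kind": "ads", "host_file": ..., "stream": ...} for an
    alternate data stream (a second colon after the drive letter)."""
    text = path_to_executable.strip()
    # Trailing switches such as "/s" are arguments, not part of the filename.
    m = re.match(r"^(?P<path>.*?)(?P<switches>(?:\s+/\S+)*)$", text)
    path = m.group("path")
    switches = m.group("switches").split()
    # Only the drive letter is followed by a colon in an ordinary path.
    drive, _, rest = path.partition(":")
    if ":" in rest:
        host, _, stream = rest.rpartition(":")
        return {"kind": "ads", "host_file": f"{drive}:{host}", "stream": stream}
    return {"kind": "file", "file": path, "switches": switches}

def plan_step_10b(service_paths):
    """Turn the Path to executable values noted in step 6 into the concrete
    removal actions for step 10b: delete the file, or remove the ADS with ADSSpy."""
    actions = []
    for entry in service_paths:
        info = parse_service_path(entry)
        if info["kind"] == "file":
            actions.append(f"delete file {info['file']}")
        else:
            actions.append(f"remove stream {info['stream']} from {info['host_file']} (ADSSpy)")
    return actions
```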
11a) This part of step 11 is for WinXP only. Now also look in c:\windows\Prefetch for all of the above files deleted in steps 7 to 10. If found, delete them too.
11b) Now for all OS's, after deleting all of the items from the steps above, empty your Recycle bin.
12) Now while still in safe mode, run only HijackThis and have it fix all the R0 and R1 lines that have the typical symptom information. For example, these R0 & R1 lines always end with something like one of the following three lines:
13a) Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
13b) Search the registry for every instance of xxxxx.dll (the file from step 5) and delete every instance.
13c) Search the registry for every instance of O2 BHO DLL file found in step 7 and delete every instance.
13d) Search the registry for every instance of the suspicious exe files found by Hijack This from step 8. Delete every instance.
13e) Search your computer for xxxxx.dll. Delete each instance. Also, look for files with the same name but having an extension of .DAT or .EXE. For example, if looking for ftlsk.dll, also look for ftlsk.dat and ftlsk.exe.
13f) Search your computer for the suspicious exe files. Delete each instance. Also, look for files with the same name but having an extension of .DAT or .DLL. For example, if looking for nthc32.exe, also look for nthc32.dat and nthc32.dll.
13g) Now for a second time: if running WinXP, delete everything in the Prefetch folder in C:\WINDOWS\Prefetch and now for all OS's empty your Recycle Bin again.
13h) Delete Memory.dmp if found in either C:\WINDOWS or C:\WINDOWS\System32
13i) Run CCleaner and on the Windows tab (you'll see when you run it) leave the defaults and click Run Cleaner.
13j) For Win NT/2K/XP, run HSRemover (does not support Win9x/Me)
13k) Run about:Buster (copy the output to a file ablog1.txt)
If you receive an error message about a missing MSCOMCTL.OCX file when you run about:Buster, download the file in the link below and run it. It will give you the necessary file.
If LEGACY_Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.
If you have trouble deleting a key from steps 13l or 13q, click once on the key name to highlight it. Then click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.
14) Now (still in safe mode) run Ad-aware SE and under scan select Perform Full System Scan and then SpyBot S&D and clean what they find.
15) Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
Click the [+] next to uninstall. Scroll down until you see the NAMES of programs (skip past the lines with numbers in {,} ). See if you can find any of the following listed:
HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of assistant is wrong)
SA = Search Assistant
SE = Search Extender
SW = Shopping Wizzard
If you find any of them, select one at a time, and hit your delete key. Once you delete all three, you can exit the registry editor.
As an alternate approach, save the following 4 lines to a file called hsafix.reg, then using Windows Explorer double click on the hsafix.reg file to merge the fix into the registry.
16) Now reboot into normal mode and run about:Buster one more time, saving the output again (ablog2.txt; do not overwrite the first log).
17) Before running anything else run HijackThis and save a log.
18) Reconnect your internet connection, run your browser, and connect here to MG's and post the new HijackThis and about:Buster logs as attachments. Then continue running and let's see how everything is working.
19) After you have gone thru a few reboots and performed some typical surfing and if everything is working okay, re-enable your system restore (again only applies for WinMe and WinXP).