Originally Published 2005-07-29 16:31:02
The misspelling in "assistant" is on purpose. Apparently the authors of this nasty little trojan/spyware app didn't spell all that well.
The HomeSearchAssistent application creates copies of itself -- thousands of them -- and dumps them into c:\windows and c:\windows\system32. It's quite painful to remove it, as it involves some direct removal of the duplicates.
The purpose of the app is to create add revenue. When you launch Internet Explorer, it displays about:blank and starts generating pop-up windows. (That's if you can launch IE at all, of course.) The pop-up windows come from a company called Commision Junction, a reputable ad brokering company that connects a network of affiliates (content providers) with advertisers (merchants). It's not unlike google's or overture's (a yahoo subsidiary) business model, although they have an application (search) that drives usage of the ad network. Commission Junction (and the merchants behind the ads) pays out based on ad impressions -- so these bastards that infected your machine are making a penny or three every time you try to use your own computer. Not a bad business model if it weren't offensively intrusive.
It took me two days, but here's how you remove the damn thing:
Use msconfig (Run> msconfig) to disable all startup apps. Then disable all the services marked with an unknown authorship. Reboot.
Download MS Antispyware. It's currently in beta, but it rocks from what I've seen so far -- the product of an MS acquisition. I don't have the link handy... just gooogle "microsoft anti spyware" and you'll find it. Install and run it. Delete everything found unless you explicitly want something it finds (like kazaa, eDonkey, or similar). Make sure you do the deep scan. It will take a long, long time. Go to sleep with the thing running. It's that painful.
Use the advanced features in MS anti-spy to reset your IE settings. All of them. You can reset your home page to what you want once you've regained control of your PC.
Reboot and test. You should actually NOT be running the HSA app any longer, but your chances of re-infection are probable, because the damn thing is still present. Thousands of copies of it, in fact.
Maybe the next revision of the antispyware tool will include a method to remove HSA completely. I doubt it, however, because scripting a removal is a pain. This means you'll need to do this manually.
Home search assistent creates copies of itself that look like this:
...and similar files, with a .dll extension. The .exe files are all 12-14K in size. The .dll files are all ~164K. There will also be randomly named .log files with 0k used.
You need to delete all of these from c:\windows and c:\windows\system32. It will take you awhile, but you'll see that there is a pattern to the madness -- the files all have origination dates that begin with the initial infection. If you don't know your way around windows, that's ok. Just take the files that meet my description and move them to another location -- say, a folder on your desktop. Then reboot and make sure windows loads properly.
If you still can't break this thing, send me an email... I'll do what I can to help. And stop downloading pirated content! That's probably how you got it.
On 2008-11-18 17:16:56 Cheap Ipods said:
Hey there! Nice blog, I stumbled upon it after my friend told to to check out one of your posts. Btw, what wp template theme are you using?