I've been helping a friend clean spyware from their
system over the last few days. We've run Hijack This and
while we can't seem to rid the computer of
SearchAssistant (as a previous post mentioned) even after
deleting form the registry, I can't figure out why two
computers in my house show one localhost file (127.0.0.1)
(Advanced Tools, System Explorers, Network, Windows Host
File) while he appears to have hundreds of them listed in
his MS AntiSpyware program.

I'm also wondering if this is a result of this
SearchAssistant that HJT removes in Safe Mode but not in
normal mode. Any suggestions or help would be appreciated.

Hi Catschool - Start here. Please post back with your results or if you
need
additional assistance.

Courtesy of Ron Kinner MVP:


"There is a German program called Spoonweg.exe which might
help.

http://lunatic-skydance.de/mr/soft/SpoonWeg.exe

It will start to download. Save it somewhere you can find
it again then Open it and say YES then Click on Trojaner-
Suchen. If it finds the version of about:blank that it is
meant to kill it will go and do it then reboot the PC.
Otherwise it will say Trojaner Spooner wird nicht gefunden.

Another German program is SpHjFix.exe.

http://www.trojaner-info.de/cgi-bin/download.cgi?
file=sphjfix

This one speaks English so just Press on Start Disinfection
If it doesn't find its target it will say Not Infected
across the top of the little window. Otherwise follow the
instructions.

Both of these probably run better in Safe Mode (F8 -
without Networking)

Finally if both of the above fail then try one of the
methods in:

http://www.pchell.com/support/aboutblank.shtml "



I can also recommend the procedures at www.pchell.com .



In addition, for your specific Home Search Assistant parasite, try the
following (extracted from one of my "standard" posts about this family of
parasites):

"If your hijacker is Home Search Assistant or one of these:

- Only The Best
- Home Search Extender
- Shopping Wizard
- res://****.dll/index.html#***** (or simply res .dll)

first see here:
http://www.short-media.com/forum/sho...774#post172774, and
here: http://www.pchell.com/support/onlythebest.shtml. Then you can try AT
YOUR OWN RISK, HSRemove, free, here: http://www.hsremove.com/. "A few
days ago I got hijacked - Nothing new in that, except this time it was a
real [censored] to get rid of. - There were simply no tools available to
remove this "Home Search" thing. Finally I ended up creating my own tool for
it. USE IT AT YOUR OWN RISK. And if you find it helpful, then please do not
hesitate to make a contribution."

Or, you can try AboutBuster, here, which is also designed to remove Home
Search Assistant: http://www.malwarebytes.biz/"


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In news:294601c50744$46505ed0$(E-Mail Removed),
catschool <(E-Mail Removed)> typed:
> I've been helping a friend clean spyware from their
> system over the last few days. We've run Hijack This and
> while we can't seem to rid the computer of
> SearchAssistant (as a previous post mentioned) even after
> deleting form the registry, I can't figure out why two
> computers in my house show one localhost file (127.0.0.1)
> (Advanced Tools, System Explorers, Network, Windows Host
> File) while he appears to have hundreds of them listed in
> his MS AntiSpyware program.
>
> I'm also wondering if this is a result of this
> SearchAssistant that HJT removes in Safe Mode but not in
> normal mode. Any suggestions or help would be appreciated.