Q: Web browser hijacked by res://nrisg.dll/index.html#96676 (Answered, 0 Comments)
Question  
Subject: Web browser hijacked by res://nrisg.dll/index.html#96676
Category: Computers > Security
Asked by: kehardware-ga
List Price: $25.00
Posted: 17 Jul 2004 09:01 PDT
Expires: 16 Aug 2004 09:01 PDT
Question ID: 375386
I have had my web browser hijacked - my home page has been reset to
res://nrisg.dll/index.html#96676 after going to some web pages.  I
have tried clearing it out through IE, Options, Tools but it comes
back again.  Of course a popup window appears saying to get rid of
Pop-ups, having your web browser hijacked, etc. - click here.  But,
they are the dirty dastards who did this in the first place?  How do I
go about getting rid of it?  Norton anti-virus? Spybot-Search &
Destroy (which I already had and is not the culprit)?  How can I
remove the program from my computer and know that it has been cleared?

Request for Question Clarification by bobbie7-ga on 17 Jul 2004 09:50 PDT
Here are some detailed instructions for removal.
http://www.pchell.com/support/onlythebest.shtml

Does this help?

Thanks,
Bobbie7
Answer  
Subject: Re: Web browser hijacked by res://nrisg.dll/index.html#96676
Answered By: aceresearcher-ga on 17 Jul 2004 10:11 PDT
 
Greetings, kehardware-!

Your computer has been taken over by "Homesearch Assistant", a new
variant of the CoolWebSearch adware / spyware.

Please download, install, and run the following free anti-scumware utilities:

Spybot Search & Destroy
http://security.kolla.de/index.php?lang=en&page=download
Start up Spybot Search & Destroy. Pull down the "Help" menu and select
"About". You should see
Spybot Search & Destroy 1.3
Latest detection update: 2004-07-09.
If your settings for either of these do not match, click the "Update"
icon menu on the left-hand side of the screen, and then click on
"Search for Updates" near the top of the page.  You'll need to exit
Spybot and restart it to check the "About" information page. If this
doesn't work, you may need to uninstall Spybot, and then download and
install the latest version. Once you have the latest Version and
Detection Update, try running Spybot again and remove the recommended
items.

AdAware
http://www.lavasoft.de/support/download
Start up AdAware. In the bottom right-hand corner, it should say
"AdAware 6.0 Personal, Build 6.181". Up above, under "Initialization
Status", it should say "Reference file 01R332 12.07.2004 loaded". If
your settings for either of these do not match, click "Check for
updates now". Once the update has completed, if one or both of these
still doesn't match the settings I listed, you may need to uninstall
AdAware, and then download and install the latest version. Once that's
installed, be sure to click "Check for updates now" to get the latest
reference files. Once you have the latest Build and Reference file,
try running AdAware again and remove any recommended items.

*** IMPORTANT ***
The first time you run them, or if you already have Spybot and/or
AdAware installed on your PC, be sure to download the latest updates
first **each time you run them**.
*****************


Once you've done those, shut down your computer and restart.

Then download and run CoolWebShredder (scroll down):
http://www.spywareinfo.com/~merijn/downloads.html
When you start up CoolWebShredder, it should say Version 1.59.1.

Then shut down your computer and restart.


Something to keep in mind is that even if these programs give your
system a "clean bill of health", it does *not* mean that you can be
absolutely sure that your system is clean. It is only a *reasonable
assurance* that it is clean.

After following all those steps, if your problem is still occurring, I
will work with you until we get it resolved. If that's the case,
download and run HijackThis!, and copy and paste your scan log here in
a Clarification (scroll down):
http://www.spywareinfo.com/~merijn/downloads.html


You don't say what AntiVirus program you are running. You will want to
be sure to get the latest detection updates for your AntiVirus program
by running your system's LiveUpdate process.


It's also VERY important to continue to check with Microsoft
periodically and make sure that you have installed any new
security-related patches that have been released. Go to the following
site and download and install any critical updates which it may say
that you need:
http://v4.windowsupdate.microsoft.com/en/default.asp


Before Rating my Answer, if you have any Questions about the above
information, please post a Request for Clarification, and I will be
glad to see what I can do for you.

Please let me know whether you are able to resolve your problem, or
whether you need more assistance.


Regards,

aceresearcher

Request for Answer Clarification by kehardware-ga on 17 Jul 2004 16:50 PDT
I am having trouble with the first part, getting the "Latest detection
update: 2004-07-09".  Every time I try to download it, I get the info
message "!!!bad checksum!"  I had and have Version 1.3, but for some
reason not the latest version.  I have uninstalled it a couple of
times and cannot find a location to download the absolute latest
update of 7-09.  I definitely have Version 1.3.  Is there a location
where I can directly download the latest version?  Neither the
location you gave, nor download.com allows me to get it.  The download
of Lavasoft seemed to go OK and I have Reference Number : 01R332
12.07.2004.   Should I try running these programs? It looks like I
have a Trojan Horse (at C:\WINNT\ntjk.exe) which Norton Anti-virus
(SARC) tells me:
filename: Message.hta
machine:  ... (mine)
result: This file is infected with W32.Beagle.X@mm

Also - the CoolWebSearch tries to Load settings for MS FrontPage when I
start a new version of IE Explorer.  Should I try using Mozilla
Firefox instead?

Should I try 1.) The slightly older version of Search & Destroy 1.3,
2.) Current version of AdAware, 3.) then CoolWebShredder?  I have a
feeling I'll need to run HijackThis! and send you the information.
Finally, I believe that I am not totally current with the Windows
updates.  When should I do this? (after which step?).  Thanks, let me
know what other info you need or actions to take.

Clarification of Answer by aceresearcher-ga on 18 Jul 2004 09:31 PDT
First, let's wait on the Microsoft Update. I know of at least one
person who had problems trying to update Windows while their system
was infected.

Second, did you just now uninstall Spybot and reinstall it, or was
that done some time ago? What method did you use to uninstall it?

Third, go ahead and try 1.) The slightly older version of Search & Destroy 1.3,
2.) Current version of AdAware, 3.) then CoolWebShredder. Let me know
how that goes.

ace

Request for Answer Clarification by kehardware-ga on 22 Jul 2004 15:18 PDT
It's gone from bad to worse.  I was able to d/l the current Spybot and
Adaware. Have run them and seemingly quarantined the items. Took
computer in to local store and they didn't find any virus.  Trojan
horse seems to be on there.  Went out and bought Norton Internet
Security 2004 (NAV + other programs) and loaded that on. Have run NAV
2004 (supposedly has the tools for the Spyware), deleted some, but it
left about 11 quarantined.  The sneaky Scumware keeps me from d/l
CoolWebShredder on this computer.  Have been able to do it on others. 
Finally got HijackThis and the results are below.  System is really
dragging and I have to click on most things twice or thrice to get
them to work.  Should I remove any programs - are they acting against
each other?  Also, I have apikx.exe trying to keep loading itself.  I
can't tell if it's safe or not, but I'm assuming it's not.

Logfile of HijackThis v1.98.0
Scan saved at 6:01:47 PM, on 7/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\Launcher.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\javatk.exe
C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINNT\system32\nc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Link Popularity Check\LPC.exe
C:\WINNT\apikx.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S00MT2.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S00RN2.EXE
C:\WINNT\System32\MsiExec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nrisg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrisg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nrisg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\nrisg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nrisg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrisg.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D3092C0-63C1-1E9F-9DB1-4E15DDAA0E96} - C:\WINNT\system32\nttu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [javatk.exe] C:\WINNT\javatk.exe
O4 - HKLM\..\RunOnce: [apikx.exe] C:\WINNT\apikx.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [NetCleaner] nc.exe /install
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: checksale.lnk = C:\Program Files\Microsoft Office\Templates\1033\Webs\storefront50.tem\sfcksale.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Qchex Tray Icon.lnk = C:\Program Files\Common Files\G7PS\Shared Files\Qchex\Qchex.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLcd.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.norton.com/SSC/SharedContent/common/bin/cabsa.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
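One way to triage a log like the one posted above, as an added example that is not part of the original thread or of HijackThis itself: a small Python script that flags the entry types this log shows (R0/R1 start and search pages redirected into a res:// DLL resource, the missing default URLSearchHook, a BHO with no name, and O4 autorun entries that launch an executable sitting directly in C:\WINNT, like javatk.exe and the apikx.exe the poster asks about). The heuristics and the subset of log lines used as sample input are assumptions for illustration.

```python
import re

# Sample lines copied from the HijackThis log posted above (a subset,
# assembled here as constructed test input for this example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nrisg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrisg.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D3092C0-63C1-1E9F-9DB1-4E15DDAA0E96} - C:\WINNT\system32\nttu.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [javatk.exe] C:\WINNT\javatk.exe
O4 - HKLM\..\RunOnce: [apikx.exe] C:\WINNT\apikx.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# An .exe placed directly in C:\WINNT or C:\WINDOWS (not in a subfolder).
WINDIR_ROOT_EXE = re.compile(r"^[a-z]:\\win(nt|dows)\\[^\\]+\.exe$", re.IGNORECASE)

def triage_line(line):
    """Return (kind, reason) for a suspicious HijackThis line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1") and "= res://" in body:
        return kind, "IE start/search page redirected into a res:// DLL resource"
    if kind == "R3" and "is missing" in body:
        return kind, "default URLSearchHook has been removed"
    if kind == "O2" and body.startswith("BHO: (no name)"):
        return kind, "unnamed Browser Helper Object"
    if kind == "O4":
        target = body.split("] ", 1)[-1].strip().strip('"')
        if WINDIR_ROOT_EXE.match(target):
            return kind, "autorun entry executes a file placed directly in the Windows directory"
    return None

def triage(log_text):
    """Run triage_line over a whole log; returns [(kind, reason, line), ...]."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings

if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

On the sample above the script flags six entries and leaves the Acrobat BHO and the Symantec ccApp autorun alone; a flagged line is a lead for a human to check, not a verdict.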
Comments  
There are no comments at this time.
