PDA

View Full Version : Home Search Assistant- AllanB

AllanB
3 Aug 2004, 9:13am
Hi I am having problems with getting rid of Home Search Assistant, I am a new user and would very much welcome any advice any of you guys could give.

Here is my HJT Log ( I have already Run AdWare6 & Spy Bot)

Logfile of HijackThis v1.98.0
Scan saved at 17:08:06, on 02/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\Symantec\ANTIVI~1\DefWatch.exe
c:\PROGRA~1\Symantec\ANTIVI~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\VPNClient\vpnservices.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Symantec\VPNClient\logd.exe
C:\Program Files\Symantec\VPNClient\emroute.exe
C:\WINDOWS\system32\mfcpq32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\Symantec\ANTIVI~1\vptray.exe
C:\WINDOWS\system32\addxp32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dohac.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dohac.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dohac.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dohac.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dohac.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dohac.dll/index.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FEE8EDD9-2CC5-7C3A-52D9-E3D36BC93FF7} - C:\WINDOWS\winls.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\Symantec\ANTIVI~1\vptray.exe
O4 - HKLM\..\Run: [addxp32.exe] C:\WINDOWS\system32\addxp32.exe
O4 - HKLM\..\RunOnce: [iely.exe] C:\WINDOWS\iely.exe
O4 - HKLM\..\RunOnce: [mfcpq32.exe] C:\WINDOWS\system32\mfcpq32.exe
O4 - HKLM\..\RunOnce: [atldh.exe] C:\WINDOWS\atldh.exe
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60D14BA4-EA70-4467-82B2-9B0E040C6D7A}: NameServer = 158.152.1.43 158.152.1.58
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 194.40.195.189
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 194.40.195.189

Many Thanks

Allan :ukflag:
primesuspect
4 Aug 2004, 1:18am
Welcome to short-media. You came to the right place.

Get rid of the following:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dohac.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dohac.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dohac.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dohac.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dohac.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dohac.dll/index.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {FEE8EDD9-2CC5-7C3A-52D9-E3D36BC93FF7} - C:\WINDOWS\winls.dll

O4 - HKLM\..\Run: [LaunchApp] LaunApp

O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [addxp32.exe] C:\WINDOWS\system32\addxp32.exe
O4 - HKLM\..\RunOnce: [iely.exe] C:\WINDOWS\iely.exe
O4 - HKLM\..\RunOnce: [mfcpq32.exe] C:\WINDOWS\system32\mfcpq32.exe
O4 - HKLM\..\RunOnce: [atldh.exe] C:\WINDOWS\atldh.exe
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.ex

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/...ller/dwnldr.cab



After you reboot, re-run Spybot & AdAware and then post a new log.
AllanB
6 Aug 2004, 12:24pm
Hi again thanks for your response and sorry for my delay, I work away from home alot..

I followed your recommendations, rebooted & ran Spybot & Adware.

There is still something going on because Spybot is popping up all the time with X value has changed - Allow or Deny (I'm Denying all of them), any how here is my latest HJT file:-

Logfile of HijackThis v1.98.0
Scan saved at 12:07:18, on 06/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\Symantec\ANTIVI~1\DefWatch.exe
c:\PROGRA~1\Symantec\ANTIVI~1\Rtvscan.exe
C:\WINDOWS\system32\d3ng32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\VPNClient\vpnservices.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Symantec\VPNClient\logd.exe
C:\Program Files\Symantec\VPNClient\emroute.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Symantec\ANTIVI~1\vptray.exe
C:\WINDOWS\system32\addxp32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Symantec\VPNClient\nsetup.exe
C:\Program Files\Symantec\VPNClient\isakmpd.exe
C:\Program Files\Symantec\VPNClient\vpnd.exe
C:\WINDOWS\System32\cmd.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\llayi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\llayi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\llayi.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\Symantec\ANTIVI~1\vptray.exe
O4 - HKLM\..\Run: [addxp32.exe] C:\WINDOWS\system32\addxp32.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [iezc.exe] C:\WINDOWS\iezc.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{60D14BA4-EA70-4467-82B2-9B0E040C6D7A}: NameServer = 194.40.195.189
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 194.40.195.189
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 194.40.195.189

Many thanks once again for your help here, as with out you I think it would be time to reformat & start again.

Cheers

Allan
marlin29311
7 Aug 2004, 1:12am
First off, thank you to all of the people at this website. I have had similar problems with the "Home search assistant" and from reading the posts in here i figured out how to remove it. There is something that i noticed when this crap ended up on my computer.
In your system services section (Right Click "My computer", hit manage, open services and applications, and then open services), there is a service in there that caused many problems for me. "Network Security Service" is a service that appears to have been created with my version of the spyware, and it controls the regeneration of the files that eat your computer alive. (I say appear because on all of my other computers with XP Pro, i have not seen this service ever before, although it might be there for others legitimatly). By running your computer in safe mode and setting the startup value of this service to "disabled," it hinders this application from running. I did this, and after removing all of the stuff you find with Hijackthis!, you shouldn't encounter problems at all. As I said though, I am not sure if this is on everyone's computer. Hope this helps!
Dexter
7 Aug 2004, 11:49pm
Thanks for the tip Marlin, we will test it out on some other users and see how it works :)

Dexter...
AllanB
16 Aug 2004, 12:18pm
Hi Guys,

I tried your tip Marlin, but it didn't work for me, thanks anyway.

This pesky sucker is really doining my head in so as I don't do much with my machine I think it's time to wipe and start again.

Thanks to you all for your efforts and good luck in your continued quest to beat the HSA.

Thanks again

Allan
Dexter
16 Aug 2004, 3:57pm
Please follow our Home Search Assistant Removal Guide (http://www.short-media.com/forum/showthread.php?t=18315) first, then come back to this thread and let us know if it worked or not for you.

Part of that guide recommends updating your virus defs and running a full scan in safe mode. I suspect your mouse problem may resolve itself after cleaning HSA, but run a virus scan to make sure.

Post a fresh HJT log for review when you are done.

Dexter...
AllanB
6 Sep 2004, 9:29am
Hi Dexter

Before I reinstalled XP I followed the removal guide doing the hard reboot and HJT removals in safe mode etc.

However after trying it 2 or 3 times I eventually gave up and that thing just kept comming back! As I said before I only really run a few programs on this machine and my personal data is on a separate partion so reinstalling XP took considerably less time than I've spent so far trying to get rid of HSA.

Again thanks for all of your help, the service you guys offer is a credit to society and I'm having a look at team93 so that I can try and put a bit back...

Cheers

Allan
marlin29311
6 Sep 2004, 4:26pm
Hi AllanB-

If your not finding any luck with removing the HSA by doing the stuff, the only way that you are going to be able to wipe it off will be to re-format your drive. Redoing the windows installation is only going to overwrite the files that aren't corrupt; in order to get rid of everything you will need to have a clean drive. I know this is bad, but as long as you back up all of your data and reformat, you should have a clean computer, not to mention one that will run a little faster as well.
Marlin29311
Dexter
8 Sep 2004, 10:04am
We don't like to recommend reformatting and re-installing. It is the last, worst option. Many, many people have defeated this hijack using our guide.

I'm sorry you gave up, we could have helped you through it. :)

Dexter...