Followed all major threads about Home Search but still no answer... please help!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Saurabh, Jul 25, 2004.

  1. Saurabh

    Saurabh Private E-2

    Hi,

    I have been on this website for quite some time reading some threads on Home Search Assistant. I got this dreadful 'virus' the other day and cannot get it off at all. Tried many things. I followed the following thread and still haven't really gotten it fixed. http://forums.majorgeeks.com/showthread.php?t=37981


    I did everything, including booting into safe mode, running About:Buster twice, running a full Ad-aware scan, running the VX2 Cleaner plugin, and rebooting into normal mode. The following are my logs.

    Log 1 from About:Buster
    -------------------------
    -- Scan 1 --------
    About:Buster Version 1.31
    Removed! : C:\WINDOWS\d3py32.exe
    Removed! : C:\WINDOWS\sjustk.dat
    Removed! : C:\WINDOWS\winkb32.exe
    Removed! : C:\WINDOWS\xzoac.dat
    Removed! : C:\WINDOWS\xzoac.dll
    Removed! : C:\WINDOWS\System32\appbg.exe
    Removed! : C:\WINDOWS\System32\netih.exe
    Removed! : C:\WINDOWS\System32\winsp32.exe
    Removed! : C:\WINDOWS\System32\xhjfz.dat
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    Log 2 from About:Buster
    -----------------------
    -- Scan 1 --------
    About:Buster Version 1.31
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    HijackThis Log
    --------------
    Logfile of HijackThis v1.98.0
    Scan saved at 2:34:25 PM, on 7/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\mfcpp32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Documents and Settings\user\Desktop\HijackThis.exe

    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\wxo4hddx.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {9DCC21EB-9E73-1C71-85DE-CA0AD61BEDA8} - C:\WINDOWS\iewt.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunOnce: [mfcpp32.exe] C:\WINDOWS\mfcpp32.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe


    But after I did all this and connected to the internet, the dreadful things came back. I would really appreciate any help on this. Thanks
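As an added example (not part of the original post, and not code from About:Buster or HijackThis), the Python below cross-references the two logs quoted above: it collects the "Removed!" paths from the About:Buster log, pulls the running processes, O2 BHOs and O4 autostart entries out of the HijackThis log, and lists the suspicious entries whose file About:Buster never touched. The "suspicious" heuristic (anything loading from the Windows root other than Explorer, or a BHO registered with no name) and the choice of C:\WINDOWS as %WINDIR% are assumptions of this example, and the embedded logs are a trimmed copy of the ones above, constructed for the demo.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the About:Buster removal lines and a subset of the
# HijackThis entries quoted in the post above, with the RTF wrapper stripped.
ABOUT_BUSTER_LOG = r"""
-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\d3py32.exe
Removed! : C:\WINDOWS\sjustk.dat
Removed! : C:\WINDOWS\winkb32.exe
Removed! : C:\WINDOWS\xzoac.dat
Removed! : C:\WINDOWS\xzoac.dll
Removed! : C:\WINDOWS\System32\appbg.exe
Removed! : C:\WINDOWS\System32\netih.exe
Removed! : C:\WINDOWS\System32\winsp32.exe
Removed! : C:\WINDOWS\System32\xhjfz.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Pages Reset... Done!
"""

HJT_LOG = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\mfcpp32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9DCC21EB-9E73-1C71-85DE-CA0AD61BEDA8} - C:\WINDOWS\iewt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [mfcpp32.exe] C:\WINDOWS\mfcpp32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
"""

WINDOWS_ROOT = PureWindowsPath(r"C:\WINDOWS")  # assumed %WINDIR% for this log
# First drive-letter path ending in .exe/.dll inside an O4 command line
# (handles quoted paths and "RUNDLL32.EXE <dll>,<entry>" forms).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\",]+?\.(?:exe|dll)", re.IGNORECASE)


def parse_about_buster(log):
    """Return the set of paths About:Buster reports as 'Removed!', lower-cased."""
    removed = set()
    for line in log.splitlines():
        m = re.match(r"Removed!\s*:\s*(.+?)\s*$", line.strip())
        if m:
            removed.add(m.group(1).lower())
    return removed


def parse_hijackthis(log):
    """Return (kind, name, path) triples for running processes, O2 BHOs and O4 autostarts."""
    entries = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False  # blank line ends the process list
            continue
        if in_processes:
            entries.append(("process", PureWindowsPath(line).name, line))
        elif line.startswith("O2 - BHO:"):
            # layout: O2 - BHO: <name> - {CLSID} - <dll path>
            parts = line[len("O2 - BHO:"):].strip().rsplit(" - ", 2)
            if len(parts) == 3:
                entries.append(("O2", parts[0], parts[2]))
        elif line.startswith("O4 - "):
            # layout: O4 - <hive\..\key>: [<value name>] <command line>
            m = re.match(r"O4 - (.+?): \[(.*?)\] (.+)$", line)
            hit = PATH_RE.search(m.group(3)) if m else None
            if hit:
                entries.append(("O4", m.group(2), hit.group(0)))
    return entries


def is_suspicious(kind, name, path):
    """Heuristic assumed by this example, not a rule from the thread: Home Search
    Assistant dropped random-named files straight into %WINDIR% and System32, so
    flag anything loaded from the Windows root other than Explorer, plus any BHO
    that registers itself without a name."""
    p = PureWindowsPath(path)
    if p.parent == WINDOWS_ROOT and p.name.lower() != "explorer.exe":
        return True
    return kind == "O2" and name.strip().lower() == "(no name)"


def find_leftovers(hjt_log, about_buster_log):
    """Suspicious HijackThis entries whose file About:Buster did not remove."""
    removed = parse_about_buster(about_buster_log)
    leftovers = set()
    for kind, name, path in parse_hijackthis(hjt_log):
        if is_suspicious(kind, name, path) and path.lower() not in removed:
            leftovers.add((kind, path))
    return sorted(leftovers)


if __name__ == "__main__":
    for kind, path in find_leftovers(HJT_LOG, ABOUT_BUSTER_LOG):
        print(f"{kind:8} still present, not in About:Buster removal list: {path}")
```

Run against the logs above, it reports C:\WINDOWS\iewt.dll (the unnamed BHO) and C:\WINDOWS\mfcpp32.exe (both as a running process and as an HKLM RunOnce value); neither appears in the About:Buster removal list, which is the kind of gap a helper would want looked at before the machine is declared clean.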
     
  2. Saurabh

    Saurabh Private E-2

    Would System Restore being turned on have anything to do with it?
     
  3. NeoNemesis

    NeoNemesis Moutharrhea

    Please read the sticky on posting HJT logs in here. The sticky is located in the spyware section. You are supposed to attach your HJT log as an attachment and only if someone asks you to.

    To answer your question, you must run About:Buster in safe mode to prevent it from returning, and you must have System Restore turned off.
     
  4. Saurabh

    Saurabh Private E-2

    Sorry... next time I will attach it...

    I ran About:Buster in safe mode and System Restore is off... but the things keep coming back.

    What causes this to mutate?
     
