I came to step 4 in the HSA removal guide and it says:
"Cannot find the file services.msc (or one of its components). Make sure the path and file name are correct and that all required libraries are available." What do I do next? Help me if you can. Thanks. :banghead:
Logfile of HijackThis v1.98.2
Scan saved at 12:51:10, on 05. 09. 04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\APPYB.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {D6A3B473-D7BB-A3AE-64E4-E0A97A92906E} - C:\WINDOWS\D3WV32.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [1A:Stardock TrayMonitor] "C:\PROGRAM FILES\COMMON FILES\STARDOCK\TRAYSERVER.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [APPYB.EXE] C:\WINDOWS\SYSTEM\APPYB.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
I will get to you later this evening, the Windows 98 fix is a bit more complicated.
Dexter...
The .dll calls in the R1 and R0's all need to be pulled, from the registry. This is more a surface thing, this can be done in normal mode in regedit.
To run it, go to Start|Run and type regedit and tap the enter key.
Now, first thing is to tell regedit to back up the registry. This is important. VERY Important.
What we do next, IF it is done exactly as outlined, will NOT hurt your system at all, but do exactly what I outline here.
There is a way in 98 SE also to roll back the registry, but that might stick you back right where you are now, so I will simply say that to do this you need a Windows startup disk and some knowledge about a program that 98 SE and back have that is not talked about much-- program is called scanreg and THIS exact name can be used from DOS mode after a floppy boot with a Windows Startup Disk to choose from (by default) 5 registry rollback points.
It is called like this:
scanreg /restore
(and the reply will be a choice of registries which are old which you can cause this routine to restore)
The screen will be a dossy look list of files with dates, good ones will have (Started) next to them. Use up and down arrow keys to select, and then tap enter key to choose, let it work until it gives you a dos prompt and if it asks questions do the "just say yes" thing until it goes back to a dos prompt (Enter key will choose defaults for any choices).
That's how to recover if you fubar a 95 OSR2, 98, or 98 SE registry. Worst case, you start over fixing. Done that a few times, few dozen dozens, that is, over a long period of time (starting in about 1997).
But, use regedit to make a backup also. That is extra protection in this case.
Next, click in left pane of regedit on a line that says ROOT in it. This puts you at top of registry for searching, and we will be strictly using search and kill results found and nothing else to start with.
Go to the Edit menu.
Type in:
vjypk.dll
Tap enter.
When it highlights something, press Delete key on keyboard. Tap F3 key. If it finds a result, repeat part about Deleting and using F3, but if it says "finished searching through registry" then it has found all those things you need to kill to eliminate the .dll entries so we will go on to the next step.
Next, there is one thing I know needs killing, that is APPYB.EXE.
So, do this, do not reboot first, stay in regedit.
The left pane of regedit has a scrollbar, drag it all the way up.
Use the horizontal scrollbar in the left pane, drag it left if needed.
Click on the word ROOT to highlight it.
Click on Edit menu.
Click on find.
Type in:
APPYB.EXE
Make sure the case sensitive option is NOT checked.
Tell it Ok or tap Enter key.
Repeat the sequence of killing all results found, then using F3 until the registry editor says it is "finished searching through registry."
It is possible this thing hooked through RPCSS and used a vuln in MDM.EXE, which is not a core Windows program, it is a script debugger program and you can turn off script debugging in IE and live without it, PER Microsoft. I would not kill that unless you need to, but see here for howto if you think you need to:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q221/4/38.asp&NoWebContent=1
Let's start there to get you some action, OK??? Dexter might have a way he likes better, this is my way, used for a LONG time given scanreg's /restore feature.
We will need to delete the files after a successful reboot, at which time they can be killed from a Windows Startup disk boot using the del command with use of attrib to unlock them at need. I myself use and recommend this method in 98 and 98 SE simply because I have used it uncountable times and talked many many people through it. I use it in Me also, though it is actually more complex there and I use F-Prot to ID things that other programs miss and take their paths, deregister them, then delete with a DOS command string set in ME or 98 SE or 98 or 95 OSR2 and I am forever grateful to the Microsoft Third Level support Software Engineer who told me about the scanreg /restore function in VERY LATE 1997.
Yes, Charlotte County survived Frances (which passed a bit North of county as a Tropical Storm and was 15 miles ESE from Tampa last I checked an hour ago plus a bit with 65 mile an hour winds per NOAA), I am typing on Comcast from my Linux box in Punta Gorda now.... Using FPL\Pike\and many others (thanks to the folks from Colorado, Georgia, Louisiana, Texas, Florida and other states who did the work) restrung power grid power, in an AC'd environment at home. So I will help, as can, from time to time here. I grew up on DOS and Windows 3.1 and 95 through 98 SE if folks wonder why I know this stuff... )
dj20
Microsoft Windows 98
Second Edition
4.10.2222 A
AuthenticAMD
AMD-K6tm w/ multimedia extensions
64.0MB RAM :bawling:
Here is how to fix Homesearch Assistant on Windows 98.
First of all, you need to click the link in my signature for our Security Downloads page, and download a program called Killbox. Put that in the same directory as Hijack This.
Run HJT, and fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D6A3B473-D7BB-A3AE-64E4-E0A97A92906E} - C:\WINDOWS\D3WV32.DLL
O4 - HKLM\..\RunServices: [APPYB.EXE] C:\WINDOWS\SYSTEM\APPYB.EXE
Using Killbox as I instructed you to download above, you need to delete each and every .dll and .exe file in the list above.
Run the program. In the bottom right hand corner you will see a drop-down box labelled (System Process.) Drop that down, and select the active process that is likely to be your main infection reloader. For you that will be:
C:\WINDOWS\SYSTEM\APPYB.EXE
Once you have selected any file name, click the yellow triangle with the ! inside it to end that process.
Next, at the top of the window, use the folder icon to browse to that exe file, and press the red X button to delete that file. If it will not delete, repeat, but select Delete on Reboot. When it asks if you want reboot now, choose "No" and do a manual reboot later.
Then browse to each of the dll files:
C:\WINDOWS\system\vjypk.dll
C:\WINDOWS\D3WV32.DLL
and select them one at a time. Turn on the option "unregister dll before deleting." Then delete each dll.
Next reboot, even if you did not tag anything for delete on reboot. You need to reboot to test to see if you get re-infected.
Do this in regular mode first. If it does not work, try it in Safe Mode, except that the exe will probably not be running as a system process in safe mode, so all you will need to do is locate and delete it.
Try that, and let me know. This worked successfully for another Win 98 user, and I believe it will work for you too. Come post a fresh log for review.
Dexter...
Logfile of HijackThis v1.98.2
Scan saved at 00:55:08, on 08. 09. 04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SDKIR.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {02DBF81A-0D79-ABA6-BFC7-3A461736483E} - C:\WINDOWS\SYSTEM\NETNP.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [1A:Stardock TrayMonitor] "C:\PROGRAM FILES\COMMON FILES\STARDOCK\TRAYSERVER.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SDKIR.EXE] C:\WINDOWS\SDKIR.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
What now? To repeat the whole thing? Explain it to me in detail. Thanks.
SDKIR.EXE
Use Killbox to delete these files:
C:\WINDOWS\SDKIR.EXE
C:\WINDOWS\system\dwqdv.dll
C:\WINDOWS\SYSTEM\NETNP.DLL
Use the unregister option on the DLL's. Tag for delete on reboot if you cannot do them normally.
Fix the appropriate entries in HJT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {02DBF81A-0D79-ABA6-BFC7-3A461736483E} - C:\WINDOWS\SYSTEM\NETNP.DLL
O4 - HKLM\..\RunServices: [SDKIR.EXE] C:\WINDOWS\SDKIR.EXE
Reboot and check.
Dexter...
If you want to thank us for helping you, you can do two things:
1) Stick around. This is a great site with great people.
2) Learn about Folding, it's a good cause, and we would love to have you join our team and our family.
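The two HijackThis logs in this thread reference different file names after the first cleanup attempt, which is easy to miss by eye. The following is an added example, not part of the original thread or of HijackThis itself: it parses two logs and reports which referenced modules are new and which are gone. The function names and the path regex are assumptions made for this illustration, the sample text is excerpted from the two logs above, and entries that name a file without a drive path (such as SysTray.Exe) are not covered.

```python
import re

# A HijackThis entry line: section code (R0, R1, O2, O4, ...), " - ", detail.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# A local path to a module; res:// values embed one as well (assumed pattern).
MODULE = re.compile(r'[A-Za-z]:\\[^"/=\[\]]*?\.(?:dll|exe|ocx)', re.IGNORECASE)

def parse_log(text):
    """Return the set of (section, detail) entries; other lines are skipped."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def modules(entries):
    """Upper-cased module paths found in the entries (Win9x paths ignore case)."""
    return {p.upper() for _, detail in entries for p in MODULE.findall(detail)}

def diff_modules(before, after):
    """Return (new, gone): modules only in the later log, only in the earlier."""
    old, new = modules(parse_log(before)), modules(parse_log(after))
    return sorted(new - old), sorted(old - new)

# Excerpts of the two logs posted in this thread (05. 09. 04 and 08. 09. 04).
BEFORE = r"""
Running processes:
C:\WINDOWS\SYSTEM\APPYB.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vjypk.dll/sp.html#29126
O2 - BHO: Class - {D6A3B473-D7BB-A3AE-64E4-E0A97A92906E} - C:\WINDOWS\D3WV32.DLL
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [APPYB.EXE] C:\WINDOWS\SYSTEM\APPYB.EXE
"""
AFTER = r"""
Running processes:
C:\WINDOWS\SDKIR.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dwqdv.dll/sp.html#29126
O2 - BHO: Class - {02DBF81A-0D79-ABA6-BFC7-3A461736483E} - C:\WINDOWS\SYSTEM\NETNP.DLL
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SDKIR.EXE] C:\WINDOWS\SDKIR.EXE
"""

if __name__ == "__main__":
    new, gone = diff_modules(BEFORE, AFTER)
    print("new since last scan:", new)
    print("no longer present:  ", gone)
```

A module that appears only in the later log is a candidate for review, not a verdict; legitimately installed software shows up the same way.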