HSA hijack remnants

First, thank you very much for your detailed explanation of how to get rid of this very pesky hijack. I had tried a number of things before, including Spybot, CWShredder, HijackThis, AVG and others, without success. Finally, after following your instructions, I SEEM to have eliminated it, or at least the worst of it.

I must say that the first time after starting up after following all your instructions, including the regedit, HijackThis still reported some nasties like a BHO "C:\WINDOWS\winqk.exe (file missing)" and O23 "C:\WINDOWS\mfchz.exe (file missing)", but there was no hijacking of my browser home page and HijackThis no longer reports these things.

LET'S HOPE!

However, HijackThis has always failed to remove 4 O15 - Trusted Zone entries, as follows:
*.frame.crazywinnings.com
*.static.topconverting.com
*.frame.crazywinnings.com (HKLM)
*.static.topconverting.com (HKLM)

I don't know if these are associated with HSA or not, but I would certainly like to remove them. Why doesn't HijackThis remove them? Is this something I need to do in regedit?

Your help is appreciated!

LawMan

Comments

  • mtrox Minnesota
    edited January 2005
    I had the same thing. Then I noticed when I booted up into a safe mode as Administrator, HiJackThis didn't show the trusted zone entries. So I made a new user, same result, even booted up in a normal mode. The trusted entries were gone.

    So....I use File and Settings Transfer Wizard to save all my files and settings. However, when you save all your files and settings, you MUST check the box that says, "Let me select a custom list of files and settings when I click next". Then in the next window click on Internet Explorer security settings and then hit the "remove" button so that those settings are not transferred. Then use F.A.S.T wizard to import everything into the new user. Worked great for me. After doing all of that I had all my files and settings except for the fact that I had the default IE security settings.
  • mtrox Minnesota
    edited January 2005
    Oh, and then when you're done and sure all your stuff is there under the new user, go back and delete the old user and all the files and settings. You'll see the user under C:\Documents and Settings\. Just delete the whole folder.
  • edited January 2005
    Now I think something is really wrong -- I can't start in Safe Mode!

    When I start normally, it's OK, but I have tried 4 times to start in Safe Mode and it just won't start.

    Whoops! After several minutes of "deadness", it DID start in Safe Mode!!! Never had it take so long!

    I'll try your suggestions, thanks.
  • edited January 2005
    Sorry, I should have waited on the previous reply until I ran HijackThis in Safe Mode.

    You are correct, the 4 Trusted Zone entries do not appear if I log in as Administrator in Safe Mode, though they do still appear if I log in as "me". I guess that makes sense.

    So hopefully your suggestion works, though I would still like to know where those entries are kept and how to get rid of them in a less "drastic" way.
  • mtrox Minnesota
    edited January 2005
    Good luck. It worked for me but ya gotta make sure you don't transfer the IE settings. I had the exact same 4 "trusted" URL's and just like you, HJT would not change them.
  • Buckeye_Sam Columbus, Ohio
    edited January 2005
    Download (right-click and select Save file as or Save link as): DelDomains.inf
    http://mvps.org/winhelp2002/DelDomains.inf

    To use: Close all open browsers
    Right-click DelDomains.inf and select: Install

    This should remove those O15 entries.
  • edited January 2005
    Thanks, I used DelDomains.inf and it seemed to work fine. (I had created a new account, but had not deleted my old one -- hopefully no need to now, because the FAST gambit leaves a lot of things behind in terms of configuration, desktop icons, etc.)

    I also have installed IESPYAD, which adds a big list of Restricted sites to IE, which hopefully will help prevent this problem for a while.
  • SpywareShooter 127.0.0.1
    edited January 2005
    Along with IE-Spyad you should also install Spyware Shooter. I have some malicious domains in Spyware Shooter that are not covered in IE-Spyad, and they have a few that are not in Spyware Shooter. Both of them add sites to the Restricted Zone, and together both of them should make good protection.
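
On where the O15 entries in this thread are kept: Internet Explorer stores zone assignments in the registry under `Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains`, once per user in HKCU and once machine-wide in HKLM, which is why the list differs between accounts. The script below is an added example, not code from any poster or from HijackThis; the function name `Get-ZoneMapEntry` is hypothetical, and it only reads the registry.

```powershell
# Added example: list IE zone assignments stored under ZoneMap\Domains.
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapEntry {
    param([string[]]$Hive = @('HKCU:', 'HKLM:'))
    foreach ($h in $Hive) {
        $root = Join-Path $h $subKey
        if (-not (Test-Path $root)) { continue }
        # Values live on Domains\<domain> and on Domains\<domain>\<subdomain>.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # Part of the key path after ...\ZoneMap\Domains\ (e.g. crazywinnings.com\frame)
            $relative = ($key.Name -split '\\ZoneMap\\Domains\\', 2)[1]
            $parts = $relative.Split('\')
            [array]::Reverse($parts)          # -> frame, crazywinnings.com
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name)
                if ($value -isnot [int]) { continue }   # zone is stored as a DWORD
                [pscustomobject]@{
                    Hive     = $h.TrimEnd(':')
                    Site     = ($parts -join '.')
                    Protocol = $name           # '*', 'http', 'https', ...
                    Zone     = $zoneNames[$value]
                    KeyPath  = $key.PSPath
                }
            }
        }
    }
}

# Show only Trusted Zone assignments, the ones HijackThis lists as O15.
Get-ZoneMapEntry |
    Where-Object { $_.Zone -eq 'Trusted sites' } |
    Format-Table Hive, Site, Protocol -AutoSize
```

Run it as the affected user to see that account's HKCU entries. After reviewing the output, a single unwanted entry can be deleted with `Remove-Item -LiteralPath <KeyPath> -Recurse`, which needs an elevated prompt for HKLM keys.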