
My name is Salena & I've been Hijacked!!!!

First off I want to let you know how grateful I was to stumble across your website and forum. I downloaded McAfee and ran my virus scanner, but it was useless against the Home Search Assistant that has taken over my browser. I have read through all the forum threads for the advice you have offered and was still unable to make a dent in the stupid thing. Thank you all in advance for taking the time out of your busy days to help the rest of us as we try to figure out solutions to our PC issues.

Here is what I have done so far and then I am going to include my HJT log for adult supervision! Thanks!

OK - I ran McAfee Virus Scan, then ran Spybot, then ran Ad-Aware (all updated versions - they found some things, but nothing that affected the HSA). Then I followed the clean up steps laid out by Dexter and PrimeSuspect. Still no luck...either this is the sneakiest hijacker in the world or I will have to admit defeat to my computer. So here are the logs....any suggestions gratefully accepted!!!

Logfile of HijackThis v1.99.0
Scan saved at 6:55:02 PM, on 2/16/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB09.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\WINDOWS\SYSTEM\HPHMON05.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {45FA4221-7D67-4ABE-9AA2-BD4FCD8FCC52} - C:\WINDOWS\SYSTEM\JECB.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\SYSTEM\HPHMON05.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL
O18 - Filter: text/html - {AD3CB0BE-F368-496F-8AF7-D938B9D63203} - C:\WINDOWS\SYSTEM\JECB.DLL
O18 - Filter: text/plain - {AD3CB0BE-F368-496F-8AF7-D938B9D63203} - C:\WINDOWS\SYSTEM\JECB.DLL

Thank you for your time!!!!
Salena :D
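
As an added example (not part of the original post, and not a HijackThis feature), this sketch parses result lines in the format of the log above and extracts two things a reviewer would check: IE settings that load a res:// page from a DLL stored under a TEMP folder, and an inventory of the files registered as BHOs, toolbars or protocol handlers. The function names are hypothetical; the sample lines are copied from the log in this post.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {45FA4221-7D67-4ABE-9AA2-BD4FCD8FCC52} - C:\WINDOWS\SYSTEM\JECB.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O18 - Filter: text/html - {AD3CB0BE-F368-496F-8AF7-D938B9D63203} - C:\WINDOWS\SYSTEM\JECB.DLL
O18 - Filter: text/plain - {AD3CB0BE-F368-496F-8AF7-D938B9D63203} - C:\WINDOWS\SYSTEM\JECB.DLL
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O18 - Filter: ..."
RES_RE = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)  # DLL behind a res:// URL

def parse_entries(text):
    """Return (section, body) pairs for each HijackThis result line."""
    found = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def res_settings_from_temp(entries):
    """R-section IE settings whose value is a res:// page inside a DLL under TEMP."""
    hits = []
    for section, body in entries:
        if not section.startswith("R") or " = " not in body:
            continue
        setting, value = body.split(" = ", 1)
        m = RES_RE.match(value)
        if m and "\\TEMP\\" in m.group(1).upper():
            hits.append((setting, m.group(1)))
    return hits

def browser_modules(entries):
    """Map each file loaded into IE (O2, O3, O18) to the sections registering it.

    This is an inventory for the reviewer, not a verdict on any file.
    """
    modules = defaultdict(set)
    for section, body in entries:
        if section in ("O2", "O3", "O18"):
            path = body.rsplit(" - ", 1)[-1].upper()  # file path is the last field
            modules[path].add(section)
    return {path: sorted(sections) for path, sections in modules.items()}
```
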

Comments

  • Tiribulus HOCKEYTOWN USA
    edited February 2005
    We may be able to arm wrestle this machine back into line, but I'm sure I won't be alone in telling you that priority 1 for you is expunging Millennium Edition from your computer. Which would in essence mean all the spyware would die with it. I cannot emphasize enough how an upgrade to even 2000 would improve your life though it won't stop spyware. I'm not trying to be harsh, but ME was abominable the day it was released, never mind 4 years later. However I suspect that ME came on what is probably your store bought machine (HP Pavilion most likely) and you may not know how to do the upgrade, but we could help you with that too, it's easier than you think. Indeed there's a possibility that in its present state it won't run anything higher, but more info is needed to determine that. If you could post a make and model number I could find out. I mean all this in only the most friendly and helpful terms, but IMHO that's the direction I would go in even if it cost a few bux.
    >>>--Tiribulus-> :D
  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    Hi Salena! If you are still looking for help, please post a new hijackthis log.
  • edited February 2005
    Will do as soon as I get home this afternoon. I have been following Tiribulus' advice and looking for a copy of XP to upgrade my OS. I also just through sheer frustration (and reading advice in the forums) downloaded Firefox to use as my browser until I can get rid of this stupid HSA. (Which I know is just a work around and does not solve the problem).

    The truly frustrating thing is I think I may have figured out where the little virus is hiding (there is a new Restore/Temp file on my C drive which my McAfee keeps screaming contains se.dll, but it will not let me access to delete...it keeps saying it is write protected, I don't have access, etc).

    I'll update the HJT logs tonight. Thank you again for everyone's help!
    Salena
  • Tiribulus HOCKEYTOWN USA
    edited February 2005
    Find out the specs on your machine first. Processor speed, disk space and especially memory size. It may not run XP. 2000 is just as good as XP most of the time and can be made to do virtually anything XP does anyway and is much more forgiving on your hardware. However if you're willing to spend, probably under 100 bux, you could throw some memory in there and XP should be fine. Memory upgrades could almost be done by a moderately precocious monkey, however getting to it can be a blast sometimes in OEM machines.
    >>>--Tiribulus-> :D
    BTW. If you've never done any of this before be sure to come back before you start because for instance, when you run the format utility you irretrievably lose all the data on that drive. There may be some ways to save your important stuff first. We'll help you if you need it.