
HSA problem - running ME, need guide

Your help is needed ASAP and much appreciated.

Trying to download HijackThis, but cannot see the text to type; need help with that too.

thanks

I have an older version of Ad-Aware, not the SE, though I went through the update. I ran that earlier and 3 files were removed. Let me know if that is not enough.

I also ran a free version of spybot which picked up nothing.

I have since rebooted a few times; let me know if I need to do more...

thanks again.

Comments

  • Dexter, Vancouver, BC Canada
    edited April 2005
    You can download Hijack This from many different locations. Click here:

    http://www.spywareinfo.com/~merijn/downloads.html

    scroll half way down to the HJT section, there are links to many different download sites.

    Dexter...
  • edited May 2005
    Thanks for the reply... been studying for finals... now that they're out of the way...

    I read through a lot of stuff on your forum and apparently I need to do some manual stuff since I am running ME. What's my next step? You guys are a lifesaver. :thumbsup: Here's my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:47:57 PM, on 5/17/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\ATLWL32.EXE
    C:\WINDOWS\SYSTEM\SDKVO32.EXE
    C:\WINDOWS\SYSTEM\WINMO32.EXE
    C:\WINDOWS\CRRR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\WINDOWS\SYSTEM\ADDCH.EXE
    C:\WINDOWS\ADDPY32.EXE
    C:\WINDOWS\CROD.EXE
    C:\WINDOWS\WINXQ.EXE
    C:\WINDOWS\ATLSU.EXE
    C:\WINDOWS\SYSTEM\ATLGD.EXE
    C:\WINDOWS\SYSTEM\D3OZ32.EXE
    C:\WINDOWS\SYSTEM\SYSYM.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IRMON.EXE
    C:\WINDOWS\SYSTEM\PELMICED.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\SIS630_V1.05\UTILITY\SISTRAY.EXE
    C:\PROGRAM FILES\SIS630_V1.05\UTILITY\3D\KHOOKER.EXE
    C:\WINDOWS\SYSTEM\SKDAEMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\HPHA1MON.EXE
    C:\PROGRAM FILES\ZIPCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\WINPOET BROADBAND CONNECTION\WINPPPOVERETHERNET.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
    C:\WINDOWS\SYSTEM\WINMO32.EXE
    C:\WINDOWS\MSEZ32.EXE
    C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
    C:\WINDOWS\MSEZ32.EXE
    C:\WINDOWS\APPGJ.EXE
    C:\WINDOWS\IPBP32.EXE
    C:\WINDOWS\SYSTEM\WINMO32.EXE
    C:\WINDOWS\SYSLT32.EXE
    C:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Program Files\Netscape\Users\conrad\prefs.js)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IrMon] irmon.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [GDRIVE] C:\IBMTOOLS\IBMBOOT\GDRIVE.EXE -N
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
    O4 - HKLM\..\Run: [SiS Tray] C:\PROGRAM FILES\SIS630_V1.05\UTILITY\SISTRAY.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\Program Files\SiS630_V1.05\utility\3d\khooker.exe
    O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
    O4 - HKLM\..\Run: [HPHA1MON] C:\WINDOWS\SYSTEM\HPHA1MON.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ZipCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [IEBF.EXE] C:\WINDOWS\IEBF.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ATLWL32.EXE] C:\WINDOWS\ATLWL32.EXE /s
    O4 - HKLM\..\RunServices: [SDKVO32.EXE] C:\WINDOWS\SYSTEM\SDKVO32.EXE /s
    O4 - HKLM\..\RunServices: [WINMO32.EXE] C:\WINDOWS\SYSTEM\WINMO32.EXE /s
    O4 - HKLM\..\RunServices: [CRRR.EXE] C:\WINDOWS\CRRR.EXE /s
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
    O4 - HKLM\..\RunServices: [ADDCH.EXE] C:\WINDOWS\SYSTEM\ADDCH.EXE /s
    O4 - HKLM\..\RunServices: [ADDPY32.EXE] C:\WINDOWS\ADDPY32.EXE /s
    O4 - HKLM\..\RunServices: [CROD.EXE] C:\WINDOWS\CROD.EXE /s
    O4 - HKLM\..\RunServices: [WINXQ.EXE] C:\WINDOWS\WINXQ.EXE /s
    O4 - HKLM\..\RunServices: [ATLSU.EXE] C:\WINDOWS\ATLSU.EXE /s
    O4 - HKLM\..\RunServices: [ATLGD.EXE] C:\WINDOWS\SYSTEM\ATLGD.EXE /s
    O4 - HKLM\..\RunServices: [D3OZ32.EXE] C:\WINDOWS\SYSTEM\D3OZ32.EXE /s
    O4 - HKLM\..\RunServices: [SYSYM.EXE] C:\WINDOWS\SYSTEM\SYSYM.EXE /s
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Iomega QuikSync.lnk = C:\Program Files\ZipCD\QuikSync\QUIKSYNC.EXE
    O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
    O16 - DPF: {DBB2DE32-61F1-4F7F-BEB8-A37F5BC24EE2} (MozillaPluginHostCtrl Class) - http://www.musicnotes.com/download/adaptor.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) - http://microsoft.com/security/controls/DoomChk.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
  • Buckeye_Sam, Columbus, Ohio
    edited May 2005
    Please disable Spybot's Teatimer function before you proceed with this fix.
    http://russelltexas.com/malware/teatimer.htm


    You have an HSA infection. The filenames on this type of infection can change each time you reboot your computer or use Internet Explorer. With that in mind, some of these filenames may be different. But the pattern is the same and you may be able to determine the correct files to remove. The sooner you perform this fix, the higher its chances for success.

    Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.
    Please print out these instructions.


    Step 1
    Download CWShredder but don't run it yet.


    Step 2
    Download AboutBuster
    Unzip it to your desktop but don't run it yet.


    Step 3
    Download Ad-aware SE 1.05
    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Step 5
    Make sure that you can VIEW ALL HIDDEN FILES.


    Step 6
    Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uymmt.dll/sp.html#10001
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [IEBF.EXE] C:\WINDOWS\IEBF.EXE
    O4 - HKLM\..\RunServices: [ATLWL32.EXE] C:\WINDOWS\ATLWL32.EXE /s
    O4 - HKLM\..\RunServices: [SDKVO32.EXE] C:\WINDOWS\SYSTEM\SDKVO32.EXE /s
    O4 - HKLM\..\RunServices: [WINMO32.EXE] C:\WINDOWS\SYSTEM\WINMO32.EXE /s
    O4 - HKLM\..\RunServices: [CRRR.EXE] C:\WINDOWS\CRRR.EXE /s
    O4 - HKLM\..\RunServices: [ADDCH.EXE] C:\WINDOWS\SYSTEM\ADDCH.EXE /s
    O4 - HKLM\..\RunServices: [ADDPY32.EXE] C:\WINDOWS\ADDPY32.EXE /s
    O4 - HKLM\..\RunServices: [CROD.EXE] C:\WINDOWS\CROD.EXE /s
    O4 - HKLM\..\RunServices: [WINXQ.EXE] C:\WINDOWS\WINXQ.EXE /s
    O4 - HKLM\..\RunServices: [ATLSU.EXE] C:\WINDOWS\ATLSU.EXE /s
    O4 - HKLM\..\RunServices: [ATLGD.EXE] C:\WINDOWS\SYSTEM\ATLGD.EXE /s
    O4 - HKLM\..\RunServices: [D3OZ32.EXE] C:\WINDOWS\SYSTEM\D3OZ32.EXE /s
    O4 - HKLM\..\RunServices: [SYSYM.EXE] C:\WINDOWS\SYSTEM\SYSYM.EXE /s



    Step 7
    Reboot your computer into SAFE MODE


    Step 8
    Now run CWShredder, making sure to click "Fix".


    Step 9
    Then delete these files or directories (do not be concerned if they do not exist):

    C:\WINDOWS\IEBF.EXE
    C:\WINDOWS\ATLWL32.EXE
    C:\WINDOWS\SYSTEM\SDKVO32.EXE
    C:\WINDOWS\SYSTEM\WINMO32.EXE
    C:\WINDOWS\CRRR.EXE
    C:\WINDOWS\SYSTEM\ADDCH.EXE
    C:\WINDOWS\ADDPY32.EXE
    C:\WINDOWS\CROD.EXE
    C:\WINDOWS\WINXQ.EXE
    C:\WINDOWS\ATLSU.EXE
    C:\WINDOWS\SYSTEM\ATLGD.EXE
    C:\WINDOWS\SYSTEM\D3OZ32.EXE
    C:\WINDOWS\SYSTEM\SYSYM.EXE
    C:\WINDOWS\uymmt.dll


    Step 10
    Double-click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.


    Step 11
    Run a full scan with Adaware.


    Reboot your computer to go back to normal mode and post a new HijackThis log and the log from AboutBuster.
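As an added example (not part of this thread), a small Python checker that applies the pattern Buckeye_Sam describes to HijackThis log lines: IE start/search pages pointing at a local res://...dll/sp.html resource, the missing URLSearchHook, and autorun loaders whose entry name equals the EXE name and which sit directly in C:\WINDOWS or C:\WINDOWS\SYSTEM. The sample lines are constructed from the log above; the file set it returns is the kind of list Step 9 is built from.

```python
import re

# Constructed sample lines, modelled on the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uymmt.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IEBF.EXE] C:\WINDOWS\IEBF.EXE
O4 - HKLM\..\RunServices: [ATLWL32.EXE] C:\WINDOWS\ATLWL32.EXE /s
O4 - HKLM\..\RunServices: [SDKVO32.EXE] C:\WINDOWS\SYSTEM\SDKVO32.EXE /s
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
"""
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.+)$")
RES_DLL_RE = re.compile(r"^res://(?P<dll>[^/]+\.dll)/sp\.html", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - HKLM\\\.\.\\(?:Run|RunServices): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SYSTEM_DIRS = {"C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM"}

def _exe_path(cmd):
    """First token of a command line, honouring a double-quoted path."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]

def classify(line):
    """Return (label, file) for a line matching an HSA indicator, else None."""
    line = line.strip()
    m = R_RE.match(line)
    if m:
        d = RES_DLL_RE.match(m.group("value"))
        # IE start/search pages redirected into a resource inside a local DLL
        return ("res-hijack", d.group("dll")) if d else None
    if line.startswith("R3 - Default URLSearchHook is missing"):
        return ("urlsearchhook-missing", None)
    m = O4_RE.match(line)
    if m:
        path = _exe_path(m.group("cmd"))
        parent, _, basename = path.rpartition("\\")
        # HSA loaders: autorun name equals the EXE name, dropped straight into WINDOWS or SYSTEM
        if basename.upper() == m.group("name").upper() and parent.upper() in SYSTEM_DIRS:
            return ("random-name-loader", path)
    return None

def scan(log_text):
    """Return (hits, files): flagged lines with their labels, and the files they point at."""
    hits, files = [], set()
    for line in log_text.splitlines():
        r = classify(line)
        if r:
            hits.append((r[0], line.strip()))
            if r[1]:
                files.add(r[1])
    return hits, files
```

Legitimate Symantec, SiS and Microsoft entries in the log above fail the name-equals-EXE test and are left alone; anything the checker flags still deserves a look before it goes on a deletion list.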
  • edited May 2005
    Thanks Buckeye_Sam, I'm going to give this a try... :rolleyes: Guess I'll try the SpongeBob look icon.

    You guys are so cool...