
HSA removal

I have an HSA infection that I tried to remove. I have Win98 on my computer and I cannot double-click on My Computer to get into Safe Mode.

I ran Spybot and Ad-Aware; however, Ad-Aware crashed in the deleting files stage.

With the info posted here I tried twice to clean up my HJT log and rename file extensions in Safe Mode,
then I opened IE and corrected my home page and bookmarks.

After the 2nd attempt, when I started in regular mode, the home page was right for the first 3 minutes and then it got hijacked.

Can I post my HJT log and have one of you please help me?

thanks
novice

Comments

  • edited May 2005
    logfile of HijackThis v1.97.7
    Scan saved at 2:19:52 AM, on 5/12/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
    C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\D3HM.EXE
    C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\SBC SELF SUPPORT TOOL\BIN\MPBTN.EXE
    C:\WINDOWS\CRLT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\DOWNLOADS\HIJACKTHIS1982.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: (no name) - {C405ABDB-4CCE-D02F-8677-825A3F453A44} - C:\WINDOWS\ADDAG.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [D3HM.EXE] C:\WINDOWS\SYSTEM\D3HM.EXE
    O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
    O4 - HKLM\..\RunServices: [CRLT.EXE] C:\WINDOWS\CRLT.EXE /s
    O4 - HKCU\..\Run: [Ckdwtftc] C:\WINDOWS\SYSTEM\gbpdl.exe
    O4 - Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\resource.dll
    O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = amd.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = amd.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 139.95.40.230,139.95.6.235

    I am not able to run AboutBuster either. Every time I get a message that says "database is corrupted or missing. Please download a new one".
  • Buckeye_Sam, Columbus, Ohio
    edited May 2005
    You have an HSA infection. The filenames on this type of infection can change each time you reboot your computer or use Internet Explorer. With that in mind, some of these filenames may be different. But the pattern is the same and you may be able to determine the correct files to remove. The sooner you perform this fix, the higher its chances for success.

    Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet. Please print out these instructions.


    Step 1
    Download CWShredder but don't run it yet.


    Step 2
    Download AboutBuster
    Unzip it to your desktop but don't run it yet.


    Step 3
    Download Ad-aware SE 1.05
    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Step 5
    Make sure that you can VIEW ALL HIDDEN FILES.


    Step 6
    Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
    O2 - BHO: (no name) - {C405ABDB-4CCE-D02F-8677-825A3F453A44} - C:\WINDOWS\ADDAG.DLL
    O4 - HKLM\..\Run: [D3HM.EXE] C:\WINDOWS\SYSTEM\D3HM.EXE
    O4 - HKLM\..\RunServices: [CRLT.EXE] C:\WINDOWS\CRLT.EXE /s
    O4 - HKCU\..\Run: [Ckdwtftc] C:\WINDOWS\SYSTEM\gbpdl.exe



    Step 7
    Reboot your computer into SAFE MODE


    Step 8
    Now run CWShredder, making sure to click "Fix".


    Step 9
    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\WINDOWS\ADDAG.DLL
    C:\WINDOWS\rcvgk.dll
    C:\WINDOWS\CRLT.EXE
    C:\WINDOWS\SYSTEM\gbpdl.exe
    C:\WINDOWS\SYSTEM\D3HM.EXE


    Step 10
    Double-click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.


    Step 11
    Run a full scan with Adaware.



    You are using an outdated version of Hijackthis.
    Please download the current version of Hijackthis and post a new hijackthis log.

    http://www.short-media.com/download.php?d=245
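The reply above works by spotting a pattern in the log rather than known filenames: R0/R1 search settings redirected to a res:// page inside a randomly named DLL under the Windows directory, a no-name BHO loaded from that same directory, and O4 autorun entries for random executables in the Windows or System directory. As an added example (not code from the thread, from HijackThis or from any of the tools mentioned), the Python script below applies those rules to HijackThis log lines and collects the implicated file paths, which for the log posted here is exactly the list in Step 9. The sample lines are copied from the posted log; KNOWN_GOOD_AUTORUNS is an assumption for illustration, not a vetted whitelist.

```python
# Added example: triage HijackThis log lines for the HSA / CoolWebSearch pattern
# described in the reply (res:// search hijack, no-name BHO, random autoruns).
# Not the forum's or HijackThis's own code; KNOWN_GOOD_AUTORUNS is an assumption.
import ntpath
import re

# Sample log lines, copied from the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcvgk.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {C405ABDB-4CCE-D02F-8677-825A3F453A44} - C:\WINDOWS\ADDAG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [D3HM.EXE] C:\WINDOWS\SYSTEM\D3HM.EXE
O4 - HKLM\..\RunServices: [CRLT.EXE] C:\WINDOWS\CRLT.EXE /s
O4 - HKCU\..\Run: [Ckdwtftc] C:\WINDOWS\SYSTEM\gbpdl.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
"""

LINE_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
RES_RE = re.compile(r"^res://(?P<path>[^/]+\.dll)/", re.IGNORECASE)
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token of an O4 command that ends in an executable extension (drops "/s", "-startup" args).
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|dll|com|bat))(?:\s|$)", re.IGNORECASE)

# Assumption: the only autoruns we accept from the Windows directory itself.
KNOWN_GOOD_AUTORUNS = {"systray.exe", "rundll32.exe", "wucrtupd.exe"}
# Directories the hijacker drops its random-named files into; "" = bare filename, no path.
SYSTEM_DIRS = {"", "c:\\windows", "c:\\windows\\system"}


def in_system_dir(path):
    """True if the file sits directly in the Windows or System directory (or has no path)."""
    return ntpath.dirname(path).lower().rstrip("\\") in SYSTEM_DIRS


def triage(log_text):
    """Return {'hijacked': [lines], 'review': [lines], 'files': [lowercased paths]}."""
    report = {"hijacked": [], "review": [], "files": set()}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = " in body:
            # Search/start page redirected into a res:// page inside a DLL in C:\WINDOWS.
            _key, value = body.split(" = ", 1)
            res = RES_RE.match(value)
            if res and in_system_dir(res.group("path")):
                report["hijacked"].append(line)
                report["files"].add(res.group("path").lower())
            elif value.lower() == "about:blank":
                # Reset by the same hijacker; the reply fixes these too, so mark for review.
                report["review"].append(line)
        elif kind == "O2":
            # A BHO with no name, or loaded straight from the Windows directory.
            o2 = O2_RE.match(body)
            if o2 and (o2.group("name") == "(no name)" or in_system_dir(o2.group("path"))):
                report["hijacked"].append(line)
                report["files"].add(o2.group("path").lower())
        elif kind == "O4":
            # Autorun of an executable in the Windows/System directory that is not known-good.
            o4 = O4_RE.match(body)
            exe = EXE_RE.match(o4.group("cmd")) if o4 else None
            if not exe:
                continue
            path = exe.group("exe")
            if in_system_dir(path) and ntpath.basename(path).lower() not in KNOWN_GOOD_AUTORUNS:
                report["hijacked"].append(line)
                if ntpath.dirname(path):  # only collect entries that give a full path
                    report["files"].add(path.lower())
    report["files"] = sorted(report["files"])
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for tag in ("hijacked", "review"):
        for entry in result[tag]:
            print(f"[{tag}] {entry}")
    print("files implicated:", *result["files"], sep="\n  ")
```

On the sample lines the script flags six entries as hijacked (the two res:// search settings, the no-name BHO and the three random autoruns), marks the about:blank entry for review, and lists the same five files Step 9 says to delete. The legitimate Norton, Google toolbar and SysTray entries pass because they either live outside the Windows directory or are on the known-good list.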