Please review log: res://(random) keeps returning

6 replies to this topic

#1 zyx
Full Member, 5 posts

Posted 01 July 2004 - 01:38 PM

Hi,

I have tried Ad-Aware, CWShredder, Spybot (as described in the standard approach that we needed to read) and this thing keeps coming back!

Today, I have been following the advice from:
http://www.spywarein...showtopic=11069

I ran Ad-Aware (with version 01R325 27.06.2004) from Safe Mode and again in Normal mode. My log is attached below but I have a few more comments:

1) Last time when I did this, I opened Explorer and it was OK (msn.com home page). I also cleaned out the R0 with the random letters in it. But when I opened a second IE it reverted back to the bad page (I re-did everything so it should be clean now). This time I have Browser Hijack Blaster running and it is preventing lots of things from changing as we speak (including the default home page).

2) I also notice that Ctrl-Alt-Del shows very few programs running, including one that I have never seen before, D3sd. If I close it, it will still be back the next reboot.

Logfile of HijackThis v1.97.7
Scan saved at 2:35:10 PM, on 7/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\NTYY32.EXE
C:\WINDOWS\SYSTEM\D3SD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\HPJETDSC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\BROWSER HIJACK BLASTER\BHBLASTER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xzhrv.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xzhrv.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xzhrv.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\xzhrv.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_6.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {0C174FA1-2295-2ED5-D2AB-627C21ADBD52} - C:\WINDOWS\WINRL.DLL (file missing)
O2 - BHO: (no name) - {050F0369-818D-897A-88BE-54102C0B2632} - C:\WINDOWS\SYSTEM\IEZZ.DLL (file missing)
O2 - BHO: (no name) - {66E0BB58-5F1A-3C89-6233-F802B7FF6A3B} - C:\WINDOWS\APIOX.DLL (file missing)
O2 - BHO: (no name) - {46C59131-C2CD-A440-5179-146B0661C16F} - C:\WINDOWS\SYSTEM\IPFN.DLL (file missing)
O2 - BHO: (no name) - {64EFC959-3683-6DEA-F6F7-AEDC8A42565F} - C:\WINDOWS\SYSTEM\MSFV32.DLL (file missing)
O2 - BHO: (no name) - {0F313BDA-32FB-0649-F293-33716F75BAB9} - C:\WINDOWS\MSSS.DLL (file missing)
O2 - BHO: (no name) - {0FD330D5-D102-3F23-69CD-43366CD32156} - C:\WINDOWS\SYSTEM\ATLTE32.DLL (file missing)
O2 - BHO: (no name) - {8D61D565-594D-1C95-CFF7-EAEB4D30FF42} - C:\WINDOWS\NTYI32.DLL (file missing)
O2 - BHO: (no name) - {C4034374-647F-4FCD-3140-C5C8F83F20F8} - C:\WINDOWS\SYSTEM\APIYW.DLL (file missing)
O2 - BHO: (no name) - {E0E2793F-6D6D-0A8A-2FED-A75A00AAADF6} - C:\WINDOWS\SYSTEM\NTDT.DLL (file missing)
O2 - BHO: (no name) - {F5E048DD-258B-2E9B-569A-F6C76B4C7152} - C:\WINDOWS\SYSTEM\NETLK.DLL (file missing)
O2 - BHO: (no name) - {37143F26-6EC4-8AF0-3D27-1DC8DE844E20} - C:\WINDOWS\SYSTEM\MSWA32.DLL (file missing)
O2 - BHO: (no name) - {4571E64C-49B6-A143-2CF3-78C94E0C0E5A} - C:\WINDOWS\SYSAB.DLL (file missing)
O2 - BHO: (no name) - {E744D294-2AA6-B5FC-A3C2-48601F4CDCDD} - C:\WINDOWS\MFCGW32.DLL (file missing)
O2 - BHO: (no name) - {D5615F3D-EF34-6F81-60E3-EA936A483D12} - C:\WINDOWS\SYSTEM\ATLGI.DLL (file missing)
O2 - BHO: (no name) - {F8D1EA89-4410-D2AC-241E-9F0036B11B2D} - C:\WINDOWS\WINTN32.DLL (file missing)
O2 - BHO: (no name) - {D3B904F8-2593-CC6B-115F-038CC3428486} - C:\WINDOWS\SYSTEM\IPRG32.DLL (file missing)
O2 - BHO: (no name) - {2B4E1834-BFE0-707E-3449-46EC0AEDF9DC} - C:\WINDOWS\NTPI.DLL (file missing)
O2 - BHO: (no name) - {75ADD628-AC15-21C5-A0CB-117FD483C169} - C:\WINDOWS\SDKSM.DLL (file missing)
O2 - BHO: (no name) - {EE588249-89FE-CC0C-5F52-8B9B0349363A} - C:\WINDOWS\ATLFK32.DLL (file missing)
O2 - BHO: (no name) - {D4BBFCAF-3F30-7E69-4762-58A3BA736796} - C:\WINDOWS\IEOA32.DLL (file missing)
O2 - BHO: (no name) - {302FCDF6-C3B8-FDEF-DB33-BD6C8D4D3F17} - C:\WINDOWS\ATLKJ32.DLL (file missing)
O2 - BHO: (no name) - {A13A235C-EE8E-7F0F-35D2-BB318893F03A} - C:\WINDOWS\SYSTEM\MFCLX32.DLL (file missing)
O2 - BHO: (no name) - {AEF319B8-61C4-EA19-F010-C8C9BB5429EC} - C:\WINDOWS\SDKKR.DLL (file missing)
O2 - BHO: (no name) - {4FD6DEC3-D767-0600-E95B-E73A52CF4826} - C:\WINDOWS\SYSTEM\MFCNW.DLL (file missing)
O2 - BHO: (no name) - {591169A9-F4B3-8C94-B066-964A53C37205} - C:\WINDOWS\SYSTEM\MFCXR32.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_6.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [D3SD.EXE] C:\WINDOWS\SYSTEM\D3SD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [APPIG.EXE] C:\WINDOWS\APPIG.EXE
O4 - HKLM\..\RunServices: [NETMI.EXE] C:\WINDOWS\NETMI.EXE
O4 - HKLM\..\RunServices: [IEEJ.EXE] C:\WINDOWS\IEEJ.EXE
O4 - HKLM\..\RunServices: [SYSEN32.EXE] C:\WINDOWS\SYSTEM\SYSEN32.EXE
O4 - HKLM\..\RunServices: [APPET32.EXE] C:\WINDOWS\APPET32.EXE
O4 - HKLM\..\RunServices: [NTNB32.EXE] C:\WINDOWS\SYSTEM\NTNB32.EXE
O4 - HKLM\..\RunServices: [WINYY.EXE] C:\WINDOWS\SYSTEM\WINYY.EXE
O4 - HKLM\..\RunServices: [ADDBR.EXE] C:\WINDOWS\SYSTEM\ADDBR.EXE
O4 - HKLM\..\RunServices: [SDKTN.EXE] C:\WINDOWS\SDKTN.EXE
O4 - HKLM\..\RunServices: [NETGY32.EXE] C:\WINDOWS\SYSTEM\NETGY32.EXE
O4 - HKLM\..\RunServices: [SYSXV.EXE] C:\WINDOWS\SYSXV.EXE
O4 - HKLM\..\RunServices: [IPUS.EXE] C:\WINDOWS\SYSTEM\IPUS.EXE
O4 - HKLM\..\RunServices: [NTMA32.EXE] C:\WINDOWS\SYSTEM\NTMA32.EXE
O4 - HKLM\..\RunServices: [CRSG32.EXE] C:\WINDOWS\CRSG32.EXE
O4 - HKLM\..\RunServices: [SYSRJ32.EXE] C:\WINDOWS\SYSTEM\SYSRJ32.EXE
O4 - HKLM\..\RunServices: [ATLZB.EXE] C:\WINDOWS\SYSTEM\ATLZB.EXE
O4 - HKLM\..\RunServices: [WINWU32.EXE] C:\WINDOWS\SYSTEM\WINWU32.EXE
O4 - HKLM\..\RunServices: [ATLXQ.EXE] C:\WINDOWS\SYSTEM\ATLXQ.EXE
O4 - HKLM\..\RunServices: [APPHC.EXE] C:\WINDOWS\SYSTEM\APPHC.EXE
O4 - HKLM\..\RunServices: [SYSPB32.EXE] C:\WINDOWS\SYSTEM\SYSPB32.EXE
O4 - HKLM\..\RunServices: [WINQM.EXE] C:\WINDOWS\WINQM.EXE
O4 - HKLM\..\RunServices: [MFCVO.EXE] C:\WINDOWS\SYSTEM\MFCVO.EXE
O4 - HKLM\..\RunServices: [SDKIP32.EXE] C:\WINDOWS\SDKIP32.EXE
O4 - HKLM\..\RunServices: [MSQB32.EXE] C:\WINDOWS\MSQB32.EXE
O4 - HKLM\..\RunServices: [IPWK32.EXE] C:\WINDOWS\IPWK32.EXE
O4 - HKLM\..\RunServices: [CRCW32.EXE] C:\WINDOWS\SYSTEM\CRCW32.EXE
O4 - HKLM\..\RunServices: [IPRF32.EXE] C:\WINDOWS\SYSTEM\IPRF32.EXE
O4 - HKLM\..\RunServices: [IPOX.EXE] C:\WINDOWS\IPOX.EXE
O4 - HKLM\..\RunServices: [NETYT32.EXE] C:\WINDOWS\SYSTEM\NETYT32.EXE
O4 - HKLM\..\RunServices: [ADDKL.EXE] C:\WINDOWS\ADDKL.EXE
O4 - HKLM\..\RunServices: [APICB.EXE] C:\WINDOWS\SYSTEM\APICB.EXE
O4 - HKLM\..\RunServices: [NETQY32.EXE] C:\WINDOWS\SYSTEM\NETQY32.EXE
O4 - HKLM\..\RunServices: [IPZK.EXE] C:\WINDOWS\IPZK.EXE
O4 - HKLM\..\RunServices: [IPDX32.EXE] C:\WINDOWS\IPDX32.EXE
O4 - HKLM\..\RunServices: [CRGY32.EXE] C:\WINDOWS\CRGY32.EXE
O4 - HKLM\..\RunServices: [MFCBI.EXE] C:\WINDOWS\SYSTEM\MFCBI.EXE
O4 - HKLM\..\RunServices: [MFCSW.EXE] C:\WINDOWS\MFCSW.EXE
O4 - HKLM\..\RunServices: [APPOG32.EXE] C:\WINDOWS\APPOG32.EXE
O4 - HKLM\..\RunServices: [IEPU32.EXE] C:\WINDOWS\IEPU32.EXE
O4 - HKLM\..\RunServices: [SYSVM.EXE] C:\WINDOWS\SYSTEM\SYSVM.EXE
O4 - HKLM\..\RunServices: [NTYY32.EXE] C:\WINDOWS\NTYY32.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ComcastHSI (HKLM)
O9 - Extra button: Support (HKLM)
O9 - Extra button: Help (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://education.dellnet.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.102...etzip/RdxIE.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37876.268912037
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab

#2 zyx

zyx

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 01 July 2004 - 01:52 PM

I meant to say that D3sd returns even if I use HijackThis to delete O4 HKLM.....D3SD.exe and the R0 & R1 entries with the random letters.

#3 erexx
Full Member, 6 posts

Posted 01 July 2004 - 02:24 PM

Sounds like HSA.

You must delete every single damn illegitimate file it creates, or start from scratch once IE is launched again.
This includes the damn HSA installation folder itself, which seems impossible without a 3rd-party add/remove program app like Uninstaller Pro.

I posted my fix for this here:
http://www.spywarein...t=0

#4 zyx

zyx

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 01 July 2004 - 02:47 PM

I do have HSA but I also now have hope!

Thanks so much! :)

#5 zyx

zyx

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 01 July 2004 - 06:43 PM

:grrr:

OK, I have tried all those things you suggested; actually I have been working on it for the past 4-5 hours.

I guess I missed something because it is back.

I couldn't kill the d3tk32.exe file even though I could kill the d3sd.exe file.

I was wondering if you had any other suggestions............

I am gonna have to reformat my hard drive I think.

Looking for some help before it gets to that , but I have wasted two days already.

Here is the new log file:

Logfile of HijackThis v1.97.7
Scan saved at 7:43:43 PM, on 7/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SDKYV32.EXE
C:\WINDOWS\SYSTEM\IEQS32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cuhjy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cuhjy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cuhjy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cuhjy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cuhjy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cuhjy.dll/sp.html#96676
O2 - BHO: (no name) - {F30ADCA2-9B50-A3DF-80FF-E651181CAF34} - C:\WINDOWS\SYSTEM\JAVAJY.DLL
O2 - BHO: (no name) - {037715E1-A5E8-1C92-C21F-31683C3675C1} - C:\WINDOWS\SYSTEM\SDKGA32.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_6.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [IEQS32.EXE] C:\WINDOWS\SYSTEM\IEQS32.EXE
O4 - HKLM\..\RunServices: [APPIG.EXE] C:\WINDOWS\APPIG.EXE
O4 - HKLM\..\RunServices: [NETMI.EXE] C:\WINDOWS\NETMI.EXE
O4 - HKLM\..\RunServices: [IEEJ.EXE] C:\WINDOWS\IEEJ.EXE
O4 - HKLM\..\RunServices: [SYSEN32.EXE] C:\WINDOWS\SYSTEM\SYSEN32.EXE
O4 - HKLM\..\RunServices: [APPET32.EXE] C:\WINDOWS\APPET32.EXE
O4 - HKLM\..\RunServices: [NTNB32.EXE] C:\WINDOWS\SYSTEM\NTNB32.EXE
O4 - HKLM\..\RunServices: [WINYY.EXE] C:\WINDOWS\SYSTEM\WINYY.EXE
O4 - HKLM\..\RunServices: [ADDBR.EXE] C:\WINDOWS\SYSTEM\ADDBR.EXE
O4 - HKLM\..\RunServices: [SDKTN.EXE] C:\WINDOWS\SDKTN.EXE
O4 - HKLM\..\RunServices: [NETGY32.EXE] C:\WINDOWS\SYSTEM\NETGY32.EXE
O4 - HKLM\..\RunServices: [SYSXV.EXE] C:\WINDOWS\SYSXV.EXE
O4 - HKLM\..\RunServices: [IPUS.EXE] C:\WINDOWS\SYSTEM\IPUS.EXE
O4 - HKLM\..\RunServices: [NTMA32.EXE] C:\WINDOWS\SYSTEM\NTMA32.EXE
O4 - HKLM\..\RunServices: [CRSG32.EXE] C:\WINDOWS\CRSG32.EXE
O4 - HKLM\..\RunServices: [SYSRJ32.EXE] C:\WINDOWS\SYSTEM\SYSRJ32.EXE
O4 - HKLM\..\RunServices: [ATLZB.EXE] C:\WINDOWS\SYSTEM\ATLZB.EXE
O4 - HKLM\..\RunServices: [WINWU32.EXE] C:\WINDOWS\SYSTEM\WINWU32.EXE
O4 - HKLM\..\RunServices: [ATLXQ.EXE] C:\WINDOWS\SYSTEM\ATLXQ.EXE
O4 - HKLM\..\RunServices: [APPHC.EXE] C:\WINDOWS\SYSTEM\APPHC.EXE
O4 - HKLM\..\RunServices: [SYSPB32.EXE] C:\WINDOWS\SYSTEM\SYSPB32.EXE
O4 - HKLM\..\RunServices: [WINQM.EXE] C:\WINDOWS\WINQM.EXE
O4 - HKLM\..\RunServices: [MFCVO.EXE] C:\WINDOWS\SYSTEM\MFCVO.EXE
O4 - HKLM\..\RunServices: [SDKIP32.EXE] C:\WINDOWS\SDKIP32.EXE
O4 - HKLM\..\RunServices: [MSQB32.EXE] C:\WINDOWS\MSQB32.EXE
O4 - HKLM\..\RunServices: [IPWK32.EXE] C:\WINDOWS\IPWK32.EXE
O4 - HKLM\..\RunServices: [CRCW32.EXE] C:\WINDOWS\SYSTEM\CRCW32.EXE
O4 - HKLM\..\RunServices: [IPRF32.EXE] C:\WINDOWS\SYSTEM\IPRF32.EXE
O4 - HKLM\..\RunServices: [IPOX.EXE] C:\WINDOWS\IPOX.EXE
O4 - HKLM\..\RunServices: [NETYT32.EXE] C:\WINDOWS\SYSTEM\NETYT32.EXE
O4 - HKLM\..\RunServices: [ADDKL.EXE] C:\WINDOWS\ADDKL.EXE
O4 - HKLM\..\RunServices: [APICB.EXE] C:\WINDOWS\SYSTEM\APICB.EXE
O4 - HKLM\..\RunServices: [NETQY32.EXE] C:\WINDOWS\SYSTEM\NETQY32.EXE
O4 - HKLM\..\RunServices: [IPZK.EXE] C:\WINDOWS\IPZK.EXE
O4 - HKLM\..\RunServices: [IPDX32.EXE] C:\WINDOWS\IPDX32.EXE
O4 - HKLM\..\RunServices: [CRGY32.EXE] C:\WINDOWS\CRGY32.EXE
O4 - HKLM\..\RunServices: [MFCBI.EXE] C:\WINDOWS\SYSTEM\MFCBI.EXE
O4 - HKLM\..\RunServices: [MFCSW.EXE] C:\WINDOWS\MFCSW.EXE
O4 - HKLM\..\RunServices: [APPOG32.EXE] C:\WINDOWS\APPOG32.EXE
O4 - HKLM\..\RunServices: [IEPU32.EXE] C:\WINDOWS\IEPU32.EXE
O4 - HKLM\..\RunServices: [SYSVM.EXE] C:\WINDOWS\SYSTEM\SYSVM.EXE
O4 - HKLM\..\RunServices: [NTYY32.EXE] C:\WINDOWS\NTYY32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SDKYV32.EXE] C:\WINDOWS\SDKYV32.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ComcastHSI (HKLM)
O9 - Extra button: Support (HKLM)
O9 - Extra button: Help (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://education.dellnet.com/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37876.268912037
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab




Edited by zyx, 01 July 2004 - 06:45 PM.


#6 erexx

erexx

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 02 July 2004 - 01:57 AM

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cuhjy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cuhjy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cuhjy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cuhjy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cuhjy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cuhjy.dll/sp.html#96676

O4 - HKLM\..\Run: [IEQS32.EXE] C:\WINDOWS\SYSTEM\IEQS32.EXE
O4 - HKLM\..\RunServices: [APPIG.EXE] C:\WINDOWS\APPIG.EXE
O4 - HKLM\..\RunServices: [NETMI.EXE] C:\WINDOWS\NETMI.EXE
O4 - HKLM\..\RunServices: [IEEJ.EXE] C:\WINDOWS\IEEJ.EXE
O4 - HKLM\..\RunServices: [SYSEN32.EXE] C:\WINDOWS\SYSTEM\SYSEN32.EXE
O4 - HKLM\..\RunServices: [APPET32.EXE] C:\WINDOWS\APPET32.EXE
O4 - HKLM\..\RunServices: [NTNB32.EXE] C:\WINDOWS\SYSTEM\NTNB32.EXE
O4 - HKLM\..\RunServices: [WINYY.EXE] C:\WINDOWS\SYSTEM\WINYY.EXE
O4 - HKLM\..\RunServices: [ADDBR.EXE] C:\WINDOWS\SYSTEM\ADDBR.EXE
O4 - HKLM\..\RunServices: [SDKTN.EXE] C:\WINDOWS\SDKTN.EXE
O4 - HKLM\..\RunServices: [NETGY32.EXE] C:\WINDOWS\SYSTEM\NETGY32.EXE
O4 - HKLM\..\RunServices: [SYSXV.EXE] C:\WINDOWS\SYSXV.EXE
O4 - HKLM\..\RunServices: [IPUS.EXE] C:\WINDOWS\SYSTEM\IPUS.EXE
O4 - HKLM\..\RunServices: [NTMA32.EXE] C:\WINDOWS\SYSTEM\NTMA32.EXE
O4 - HKLM\..\RunServices: [CRSG32.EXE] C:\WINDOWS\CRSG32.EXE
O4 - HKLM\..\RunServices: [SYSRJ32.EXE] C:\WINDOWS\SYSTEM\SYSRJ32.EXE
O4 - HKLM\..\RunServices: [ATLZB.EXE] C:\WINDOWS\SYSTEM\ATLZB.EXE
O4 - HKLM\..\RunServices: [WINWU32.EXE] C:\WINDOWS\SYSTEM\WINWU32.EXE
O4 - HKLM\..\RunServices: [ATLXQ.EXE] C:\WINDOWS\SYSTEM\ATLXQ.EXE
O4 - HKLM\..\RunServices: [APPHC.EXE] C:\WINDOWS\SYSTEM\APPHC.EXE
O4 - HKLM\..\RunServices: [SYSPB32.EXE] C:\WINDOWS\SYSTEM\SYSPB32.EXE
O4 - HKLM\..\RunServices: [WINQM.EXE] C:\WINDOWS\WINQM.EXE
O4 - HKLM\..\RunServices: [MFCVO.EXE] C:\WINDOWS\SYSTEM\MFCVO.EXE
O4 - HKLM\..\RunServices: [SDKIP32.EXE] C:\WINDOWS\SDKIP32.EXE
O4 - HKLM\..\RunServices: [MSQB32.EXE] C:\WINDOWS\MSQB32.EXE
O4 - HKLM\..\RunServices: [IPWK32.EXE] C:\WINDOWS\IPWK32.EXE
O4 - HKLM\..\RunServices: [CRCW32.EXE] C:\WINDOWS\SYSTEM\CRCW32.EXE
O4 - HKLM\..\RunServices: [IPRF32.EXE] C:\WINDOWS\SYSTEM\IPRF32.EXE
O4 - HKLM\..\RunServices: [IPOX.EXE] C:\WINDOWS\IPOX.EXE
O4 - HKLM\..\RunServices: [NETYT32.EXE] C:\WINDOWS\SYSTEM\NETYT32.EXE
O4 - HKLM\..\RunServices: [ADDKL.EXE] C:\WINDOWS\ADDKL.EXE
O4 - HKLM\..\RunServices: [APICB.EXE] C:\WINDOWS\SYSTEM\APICB.EXE
O4 - HKLM\..\RunServices: [NETQY32.EXE] C:\WINDOWS\SYSTEM\NETQY32.EXE
O4 - HKLM\..\RunServices: [IPZK.EXE] C:\WINDOWS\IPZK.EXE
O4 - HKLM\..\RunServices: [IPDX32.EXE] C:\WINDOWS\IPDX32.EXE
O4 - HKLM\..\RunServices: [CRGY32.EXE] C:\WINDOWS\CRGY32.EXE
O4 - HKLM\..\RunServices: [MFCBI.EXE] C:\WINDOWS\SYSTEM\MFCBI.EXE
O4 - HKLM\..\RunServices: [MFCSW.EXE] C:\WINDOWS\MFCSW.EXE
O4 - HKLM\..\RunServices: [APPOG32.EXE] C:\WINDOWS\APPOG32.EXE
O4 - HKLM\..\RunServices: [IEPU32.EXE] C:\WINDOWS\IEPU32.EXE
O4 - HKLM\..\RunServices: [SYSVM.EXE] C:\WINDOWS\SYSTEM\SYSVM.EXE
O4 - HKLM\..\RunServices: [NTYY32.EXE] C:\WINDOWS\NTYY32.EXE


All of these R0, R1's and O4's are bad and must be removed.
(Not just the registry entries but the DLLs themselves.)
I have never seen O4's listed before, so that is new to me.
Every single O4 exe listed is suspect and should be deleted.
(With caution; use Google to search.)

Every single [HSA] DLL and EXE must be deleted, like cuhjy.dll and IEPU32.EXE.

Since you left a single scrap of it behind (d3tk32.exe), HSA reincarnated itself.
Obviously you're going to have to get access to the files before you can delete them.
I didn't have to use a DOS/FAT32 boot disk, an exotic NTFS boot disk,
or set any permissions to eventually get rid of this.
(It did take me about 16 hours of searching and destroying, though. In the meantime
I used Mozilla's Firefox to browse the net without issue. Honestly, I probably could have rebuilt or clean-installed my own PC in about the same amount of time... ack!)

If the HSA app itself is still installed you will never get rid of it, because the app will process-lock itself, preventing any access.
Go to your Program Files directory and look for a lower-case directory that is spelled something like "srasst" or something like that.
This is the installation directory of HSA.
For "fun" you can try to delete any file in the directory
and then watch them reappear almost immediately.
If it's there, then the HSA app itself has not been successfully removed.

However, the HSA agents themselves do not require HSA to be installed at all,
only to be executed by IE when it's run.

Did you remove HSA and its brothers from the Control Panel as suggested?
Remember to remove this shit with a 3rd-party add/remove app, since Windows won't do it.

ANYONE wanting to look at my HijackThis log files for reference is more than welcome. I can email them upon request.

HSA is a real MF B*tch.
The @ss who created it is a real loser.
IMHO it should be classified as just another virus.
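The two logs in posts #1 and #5 and erexx's reading of them above boil down to three tells: R0/R1 values that point IE at a res:// resource inside a local DLL, BHO and autostart entries whose file names look like a system-ish prefix glued onto random letters (APPIG.EXE, NTNB32.EXE, D3SD.EXE, JAVAJY.DLL), and O2 entries left behind with "(file missing)". The script below is an added example, not code from the thread or from HijackThis, that applies those three checks to a log mechanically. The prefix list in RANDOM_NAME is an assumption derived from this thread's own entries, not a published signature; the SAMPLE_LOG is a constructed subset modelled on the lines posted above; Finding, triage and basename are names chosen here.

```python
"""Heuristic triage of a HijackThis log for the hijack seen in this thread (added example)."""
import re
from dataclasses import dataclass

# ASSUMPTION: prefix list and shape are derived from the entries in this thread's
# logs. It is a heuristic, not a published signature. Names with no prefix
# (cuhjy.dll, xzhrv.dll) are caught by the res:// check instead.
RANDOM_NAME = re.compile(
    r"^(?:APP|API|ATL|ADD|CR|D3|IE|IP|JAVA|MFC|MS|NET|NT|SDK|SYS|WIN)"
    r"[A-Z]{2}(?:32)?\.(?:EXE|DLL)$",
    re.IGNORECASE,
)
ENTRY = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
BHO = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
RUNKEY = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROCESS = re.compile(r"^[A-Za-z]:\\")
MISSING = "(file missing)"


@dataclass(frozen=True)
class Finding:
    section: str  # PROC, R0, R1, O2 or O4
    item: str     # file name or URL that triggered the flag
    reason: str
    line: str


def is_random_name(name: str) -> bool:
    return RANDOM_NAME.match(name.strip()) is not None


def basename(path: str) -> str:
    """Last path component without quotes, the HJT '(file missing)' marker or arguments."""
    path = path.replace(MISSING, "").strip().strip('"')
    tokens = path.rsplit("\\", 1)[-1].split()
    return tokens[0].strip('"') if tokens else ""


def triage(log: str) -> list[Finding]:
    """Flag processes, R0/R1 values, BHOs and autostarts that fit the hijack."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if PROCESS.match(line):  # lines of the 'Running processes:' block
            name = basename(line)
            if is_random_name(name):
                findings.append(Finding("PROC", name, "running process with hijacker-style name", line))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            value = body.partition(" = ")[2]
            if value.lower().startswith("res://"):
                findings.append(Finding(section, value, "IE start/search page served out of a local DLL via res://", line))
        elif section == "O2":
            b = BHO.search(body)
            if not b:
                continue
            name = basename(b.group("path"))
            if is_random_name(name):
                findings.append(Finding("O2", name, "BHO DLL name fits the random-name pattern", line))
            elif MISSING in b.group("path"):
                findings.append(Finding("O2", name, "orphaned BHO CLSID (DLL no longer on disk)", line))
        elif section == "O4":
            r = RUNKEY.match(body)
            if not r:
                continue
            name = basename(r.group("cmd")) or r.group("name")
            if is_random_name(name) or is_random_name(r.group("name")):
                where = f"{r.group('hive')}\\...\\{r.group('key')}"
                findings.append(Finding("O4", name, f"autostart under {where} with random name", line))
    return findings


# Constructed sample: a subset modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\NTYY32.EXE
C:\WINDOWS\SYSTEM\D3SD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xzhrv.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xzhrv.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {0C174FA1-2295-2ED5-D2AB-627C21ADBD52} - C:\WINDOWS\WINRL.DLL (file missing)
O2 - BHO: (no name) - {F30ADCA2-9B50-A3DF-80FF-E651181CAF34} - C:\WINDOWS\SYSTEM\JAVAJY.DLL
O4 - HKLM\..\Run: [D3SD.EXE] C:\WINDOWS\SYSTEM\D3SD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [APPIG.EXE] C:\WINDOWS\APPIG.EXE
O4 - HKLM\..\RunServices: [NTNB32.EXE] C:\WINDOWS\SYSTEM\NTNB32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.item:45} {f.reason}")
```

Run against the sample it flags the two random-named processes, the two res:// values, the two hijacker BHOs and the three random-named autostarts, while leaving KERNEL32.DLL, NavShExt.dll, loadqm.exe, mstask.exe and msmsgs.exe alone. The name pattern is deliberately strict (prefix, exactly two letters, optional 32, .EXE/.DLL) so that real system files such as MSGSRV32.EXE or WINOA386.MOD do not match; treat a hit as a reason to look, not proof on its own, which is the same "with caution, use Google to search" advice erexx gives above.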

#7 zyx

zyx

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 02 July 2004 - 02:20 PM

OK, here is the update. I have done various orders of steps about 4 times, as well as a variety of other techniques suggested by others. After 40 hours of near non-stop attempts to clean, I think this could go on forever, so I give up. In screwing around with the stuff, I have become increasingly aggressive and stupid. I stupidly deleted my IEEXPLORE.EXE file- yup, tossed it from my recycle bin and all. When I try to re-install it says all component parts are already there..... Any ideas? Actually, if I re-format, it won't matter, so before tackling that read on.

I tried to restore yesterday but it said everything was the same and now it won't give me any dates from before I had the virus.

I think I really am gonna just start all over. I have my installation disks, an emergency boot disk (made today when reinstalling Windows ME as a check that I have the ability to do that- lost my original boot disk and I never made another copy) and all my documents on CD back up.

How do you re-format a hard drive from Windows ME?

Once I re-format, I just put in the boot disk and load everything again, right?

If I made the boot disk this morning, is it possible that will be infected too?

Any suggestions??

I may not get into this til Monday cause you know it is Friday afternoon on a long weekend and I need a drink or 2 or more and a dose of sun and denial.........

I really appreciate your help BobO.. I just don't think I am getting it right somehow. If you can help me with this next stuff (questions above) that would be cool-

Thanks

-zyx



