about HSA removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ShinMagus, Aug 16, 2004.

  1. ShinMagus

    ShinMagus Private E-2

I get to step 8, and when I run HijackThis I don't find any of these files:
    O4 - HKLM\..\Run: [winya.exe] C:\WINDOWS\system32\winya.exe
    O4 - HKLM\..\RunOnce: [msfo.exe] C:\WINDOWS\system32\msfo.exe
    O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
    O4 - HKLM\..\RunOnce: [winuh32.exe] C:\WINDOWS\system32\winuh32.exe
    O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\nthc32.exe
    O4 - HKLM\..\RunOnce: [syspg.exe] C:\WINDOWS\syspg.exe

    O2 - BHO: (no name) - {ADFA3880-261B-1BF8-91EB-1DEF4A8C4300} - C:\WINDOWS\atlef.dll


Also, when I go to Run and enter this: notepad c:\path\xxxxx.dll, it doesn't come up with anything. I skipped deleting these files and went on with the rest of the steps, but HSA was not removed, and I'm wondering if these are really important steps.
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    If you do not find those files, good, but remove the lines anyhow.

    I do not understand this line:
    "also, when i do run and enter this notepad c:\path\xxxxx.dll,"

    Let me know.
     
  3. ShinMagus

    ShinMagus Private E-2

5) Now we are going to use Notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijackThis log. To do this, click Start, Run, and enter the following command "notepad c:\path\xxxxx.dll" (without the quotes) and click OK.

I type what it says in Run, but it doesn't find anything. Or am I doing it wrong?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Please read the information again! You are not following along with the concept of a Generic Solution very well. It tells you in this procedure that not everyone's problems are the same, so examples are provided. You have to substitute in your information.

Also, you are ignoring the NOTE that is part of step 5. It clearly tells you:
"The generic c:\path\xxxxx.dll must be replaced by the path and filename found in the R0 & R1 lines from your HijackThis log."

The items listed in step 8 are also clearly spelled out to be for the "example" HijackThis log shown at the beginning. They will not necessarily be found in your log, but could be. You most likely have other lines in your log with different filenames.
     
  5. ShinMagus

    ShinMagus Private E-2

I know that all the R lines are what my homepage gets changed to, but I'm not sure if anything else is HSA-related.
     

    Last edited by a moderator: Aug 16, 2004
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

No one asked you to post your HJT log (well, a partial one anyway), and if we did, it must be a text attachment. Your full log, with the process list at the beginning, would be important for me to see, since you could have processes running that do not show in the startup section (O4) of HijackThis.

    From what you gave, these two lines are part of the hijacker:
    O2 - BHO: (no name) - {0458C7E1-967D-72B5-37E0-291214822599} - C:\WINDOWS\system32\ntei.dll
    O4 - HKLM\..\Run: [appvy.exe] C:\WINDOWS\appvy.exe

    Questions not related to HSA:
    1) did you install and do you use WildTangent stuff? If not, uninstall it.
    2) Who put this into your trusted zones? O15 - Trusted Zone: http://*.hoss.us.tc
    Is it a site you recognize?
     
  7. ShinMagus

    ShinMagus Private E-2

Sorry about posting all that. Yes, that is a site I recognize, and I did uninstall WildTangent.

I attached my whole log. Thanks for your help.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These two processes are part of the hijack and you will need to add them to the deletion list in step 10.
    C:\WINDOWS\appvy.exe
    C:\WINDOWS\ieds.exe

    Did you find the Network Security Service running in step 6? If so, did you disable it and did you note the file name so you can add it to the list to delete?

    You should have HijackThis fix the below line too:
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/244a6aa172dfd01e9e05/netzip/RdxIE601.cab
     
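The thread above is really about triage: reading a HijackThis log, pulling out the O2/O4/O15/O16 lines a helper would ask about, and building the file list for the deletion step (including a running process such as ieds.exe that has no O4 line of its own). The following is an added example, not part of this thread or of MajorGeeks' removal procedure. The sample log is constructed from the lines quoted in the posts above; the grouping rules and the small allowlist of core Windows process names are this example's own assumptions, not HijackThis logic.

```python
import re
from typing import Dict, List

# Constructed sample log: the HijackThis lines quoted in this thread, pasted into
# one excerpt in HijackThis's own layout (process list first, then R/O entries).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\appvy.exe
C:\WINDOWS\ieds.exe

O2 - BHO: (no name) - {ADFA3880-261B-1BF8-91EB-1DEF4A8C4300} - C:\WINDOWS\atlef.dll
O2 - BHO: (no name) - {0458C7E1-967D-72B5-37E0-291214822599} - C:\WINDOWS\system32\ntei.dll
O4 - HKLM\..\Run: [appvy.exe] C:\WINDOWS\appvy.exe
O4 - HKLM\..\Run: [winya.exe] C:\WINDOWS\system32\winya.exe
O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\nthc32.exe
O15 - Trusted Zone: http://*.hoss.us.tc
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/244a6aa172dfd01e9e05/netzip/RdxIE601.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Illustrative allowlist only (an assumption of this example): a few core Windows
# processes that must not be treated as hijacker files. A real check needs a far
# longer list and should verify the file itself, not just its name.
KNOWN_SYSTEM_EXES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
}


def parse_hjt(text: str) -> Dict[str, list]:
    """Split a HijackThis log into its running-process list and its R/O entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return {"processes": processes, "entries": entries}


def flag_entries(parsed: Dict[str, list]) -> Dict[str, List[str]]:
    """Group the entry types a helper asks about: nameless BHOs (O2), autostart
    commands (O4), trusted-zone additions (O15) and ActiveX downloads (O16)."""
    flagged: Dict[str, List[str]] = {"bho_no_name": [], "autostart": [], "trusted_zone": [], "dpf": []}
    for kind, body in parsed["entries"]:
        if kind == "O2" and "(no name)" in body:
            flagged["bho_no_name"].append(body.rsplit(" - ", 1)[1])   # DLL path after the CLSID
        elif kind == "O4":
            m = O4_RE.match(body)
            if m:
                flagged["autostart"].append(m.group("cmd"))           # command after the [name]
        elif kind == "O15":
            flagged["trusted_zone"].append(body.split(": ", 1)[1])
        elif kind == "O16":
            flagged["dpf"].append(body.rsplit(" - ", 1)[1])           # download URL
    return flagged


def suspicious_processes(processes: List[str]) -> List[str]:
    """Running processes in the Windows directory tree that are not on the
    allowlist; this is how ieds.exe shows up even though it has no O4 line."""
    out = []
    for path in processes:
        low = path.lower()
        if low.startswith("c:\\windows\\") and low.rsplit("\\", 1)[1] not in KNOWN_SYSTEM_EXES:
            out.append(path)
    return out


def deletion_list(parsed: Dict[str, list]) -> List[str]:
    """The 'step 10' file list: nameless-BHO DLLs, autostart executables and
    suspicious running processes, de-duplicated case-insensitively."""
    flagged = flag_entries(parsed)
    candidates = flagged["bho_no_name"] + flagged["autostart"] + suspicious_processes(parsed["processes"])
    seen, files = set(), []
    for path in candidates:
        if path.lower() not in seen:
            seen.add(path.lower())
            files.append(path)
    return files


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for group, items in flag_entries(parsed).items():
        print(f"{group}: {items}")
    print("delete in step 10:", *deletion_list(parsed), sep="\n  ")
```

Run it on the constructed excerpt and it reports the two nameless BHO DLLs, the three autostart files, the trusted-zone entry and the RdxIE download, and its deletion list ends with C:\WINDOWS\ieds.exe, the process that only appears in the process list. The allowlist is deliberately tiny; anything it does not recognise is merely a candidate for a human to confirm, which is exactly the role the helper plays in the thread.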
