At wit's end with HSA (hijacklog inside)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lilnymphie, Jul 14, 2004.

  1. lilnymphie

    lilnymphie Private E-2

    In no particular order (since I've done these things at least 5+ times) I have:

    Updated and run a virus scan (Homecall and Norton)- all clean
    Run CWShredder- nothing found
    Updated and run Ad-aware- keeps finding two registry files that I keep on deleting
    Run HSRemove- Finds things and deletes things as if on whim, makes no difference as HSA keeps on coming back
    Run Hijack This- I've been deleting all the files that are bad, but they just keep on coming back as I can't get rid of the root of the problem.
    I've also cleared all my Temp files/cookies/offline files etc.
    I had disconnected my cable while doing these
    I have made sure there is no system restore
    I've rebooted numerous times, run things on safemode and normal mode

    The things that I've noticed are:
    1) mfche32.exe keeps on coming up in the task manager and hijack this.
    2) now a mfcwn32.exe keeps coming back.
    (I don't know what these things are, and I can't even find them in my WINNT where it says it is)
    3) a javaxg.dll keeps on coming up, is that a good file? I've been deleting that manually, but it just reappears.
    4) I read somewhere that I should delete a regkey a LEGACY___NS_SERVICE_3, but I can't, and I don't know how.

    I don't know what else I can do, I've done the above for the past five hours, and all for naught.
    Here's the hijack log from after the last reboot, I have left it as it is, I know to delete the R1 and R0, but it makes no difference anyways as it comes back...

    Logfile of HijackThis v1.98.0
    Scan saved at 5:03:46 PM, on 14/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\wingp.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\MsgSys.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Trillian\trillian.exe
    C:\WINNT\mfcwn32.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ztypt.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ztypt.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ztypt.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ztypt.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ztypt.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ztypt.dll/index.html#37794
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.library.utoronto.ca:8080
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {DD1EE870-2587-FBFB-3234-9255B74CC5B9} - C:\WINNT\javaxg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [mfcwn32.exe] C:\WINNT\mfcwn32.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
     
  2. lilnymphie

    lilnymphie Private E-2

    I forgot to add that I ran SpyBlaster for good measure as well.

    And, while I was looking inside services.msc, I found that Remote Registry Service was automatic and running. Is that normal? I disabled it.
     
  3. pegg

    pegg MajorGeek

    Go here: http://www.blackviper.com/WIN2K/servicecfg.htm and there is a list of services for WINDOWS 2000 (I think that's what I saw that you have) and you can see for yourself what services to disable, leave on, etc.
     
  4. lilnymphie

    lilnymphie Private E-2

    By the way, I also followed your instructions to Cord (in another thread), downloaded the new HSRemove 2.37.

    Still doesn't work.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now follow these steps exactly. Read thru them first. If you cannot do them or do not understand anything, don't do anything until you get clarification from me. You may want to print these or copy them locally to a notepad file because I am going to have you physically disconnect from the internet very soon.

    - disable system restore: http://forums.majorgeeks.com/showthread.php?t=31668 (do not reboot when told to)
    - **** VERY IMPORTANT physically disconnect from the internet (unplug cables) ****
    - run HSremove
    - Boot into safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    - run HijackThis and fix these if found:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ztypt.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ztypt.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ztypt.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ztypt.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ztypt.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ztypt.dll/index.html#37794
    O2 - BHO: (no name) - {DD1EE870-2587-FBFB-3234-9255B74CC5B9} - C:\WINNT\javaxg.dll
    O4 - HKLM\..\Run: [mfcwn32.exe] C:\WINNT\mfcwn32.exe

    - Reset Web Settings by right clicking on your Internet Explorer icon. Then click Properties, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to something useful like www.majorgeeks.com
    - boot normal and reconnect to internet

    Now one more item. Download and run this:
    a² anti virus: http://www.majorgeeks.com/download4281.html
     
  6. lilnymphie

    lilnymphie Private E-2

    I use Windows 2000.

    Besides that step, I have done all the other steps.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's good. So how are things working. Did we get rid of HSA?
     
  8. lilnymphie

    lilnymphie Private E-2

    Heh, no!
    That's what I was trying to say when I said I had followed your instructions to "Cord". They were the same instructions, didn't work.

    I also threw in a Spyblaster/CWShredder/Adware thing while in safe mode just in case. When I rebooted in normal again, HSA came right back to bite me in the butt.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you talking about a previous time? Or did you just run all the steps in my message to you below. Including the A squared virus scan?

    If you did not do the steps again as indicated here in this thread please do so but first do this:

    Click Start, Run, and enter this in the Open box: services.msc Then click OK. Now in the Services window that pops up look for exactly the following service "Network Security Service". If you find that service, you must stop it by right clicking on it then select stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: " click on the pull down arrow and change it to Disabled. Also on the Properties page, I also want to know the info in the "Path to executable" box.

    Then do all the steps I gave you in my previous message again (make sure you disconnect)
     
    Last edited: Jul 14, 2004
  10. lilnymphie

    lilnymphie Private E-2

    My steps:
    -windows 2000, so no system restore
    -don't have Network Security Services
    -ran HSRemove
    -disconnected internet
    -booted in safe mode
    -ran Hijack this
    -fixed the listed
    -reset webpage, set new homepage
    -booted in normal
    -ran a2, came out clean

    -still have HSA

    -i have updated norton/adware/spybot/cwshredder and run those a couple of times
    -this hijacklog looks almost the same as before i did anything, except now there's an additional 04 of ntmc that's out of the ordinary.
     
  11. ANHEDONIC

    ANHEDONIC Will Title For Food

    hmmm don't know if this makes a difference or not but Chase's instructions tell you to disconnect from the internet before running HSRemove
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! It does. Must be disconnected before you run HSremove. Am I positive this will resolve the problem? No! This sucker has been a pain since day one and many times we had to repeat procedures several times. Sometimes with slight modifications. The longer it has been on a system and the more incomplete/incorrect fixes were tried the harder it has become.

    Post new HijackThis log. Also do this:

    1) go here and download Registrar lite and install it: http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls tell me exactly what you see in the Value.
     
    Last edited: Jul 15, 2004
  13. lilnymphie

    lilnymphie Private E-2

    I've done all the combinations I can think of (all with internet cable physically unplugged of course heh).

    I have:
    -run HSRemove, rebooted in safe, run Hijack and fixed, reset webpage, rebooted in normal and run a2
    -rebooted in safe, run HSRemove, Hijack, fixed, reset webpage, rebooted in normal
    -run HSRemove, run Hijack, fixed, reset webpage etc in normal, then rebooted again

    I just dled and run Registrar Lite, I don't HAVE a AppInit_Dlls.
    This is my most recent Hijack log (without the fixes, yes I know to fix the R1, R0, R3, ...the javaxg keeps on popping back even after I've manually deleted the file over and over again. and now there's a atlfi.exe that comes up)

    Logfile of HijackThis v1.98.0
    Scan saved at 1:48:20 AM, on 15/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\wingp.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\MsgSys.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Registrar Lite\rl.exe
    C:\WINNT\atlfi.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzdwn.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzdwn.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kzdwn.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\kzdwn.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzdwn.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzdwn.dll/index.html#37794
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.library.utoronto.ca:8080
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {DD1EE870-2587-FBFB-3234-9255B74CC5B9} - C:\WINNT\javaxg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [atlfi.exe] C:\WINNT\atlfi.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hopefully when you are doing any of this you do not have Internet Explorer running. One key thing we keep telling people is to shut down Internet Explorer when running HijackThis (especially before clicking Fix). What bothers me is that you seem to be ignoring that info. Notice in your most recent log:

    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Registrar Lite\rl.exe

    And in all your other logs you also had it running. For proper operation shut down IE before running HijackThis and even better shut down all unnecessary applications before running to make log smaller and easier to read.

    Assuming you're positive there is no Network Security Service for the below.
    While disconnected from the internet do this:
    1) Try bringing up Task Manager and ending the following process (assuming you have not rebooted which may cause its name to change):
    C:\WINNT\atlfi.exe

    2) Then click Start, Run, and in the Open box enter the following:
    notepad C:\WINNT\system32\kzdwn.dll

    Then hit CTRL-A to select all. Then hit the Delete key to erase all. Now save the empty file.

    3) Now with all applications closed run only HijackThis and fix ONLY these lines:
    O2 - BHO: (no name) - {DD1EE870-2587-FBFB-3234-9255B74CC5B9} - C:\WINNT\javaxg.dll
    O4 - HKLM\..\Run: [atlfi.exe] C:\WINNT\atlfi.exe

    4) Now reboot in safe mode and delete:
    C:\WINNT\javaxg.dll
    C:\WINNT\atlfi.exe

    5) Now while in safe mode run HijackThis and fix (if found):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzdwn.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzdwn.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kzdwn.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\kzdwn.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzdwn.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzdwn.dll/index.html#37794

    6) Now right click on your desktop Internet Explorer icon and select Properties.
    Then click the Programs tab and then click "Reset Web Settings". Now go back
    to the General tab and set your home page address to something useful like
    www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and
    select Delete all Offline content too, Click OK. When it finishes Click OK.

    7) Now (still in safe mode) run Ad-aware & SpyBot S&D and clean what they find.

    8) Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    Click the [+] next to uninstall. Scroll down until you see the NAMES of
    programs (skip past the lines with numbers in {,} ). See if you can find
    any of the following listed:
    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of
    assistant is wrong)
    SA = Search Assistant
    SW = Shopping Wizzard
    If you find any of them, select one at a time, and hit your delete key.
    Once you delete all three, you can exit the registry editor.
    As an alternate approach save the following 4 lines to a file called
    hsafix.reg, then using windows explorer double click on the hsafix.reg file
    and merge the fix into the registry.
    REGEDIT4
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

    9) Now reboot normal mode and reconnect to the internet
     
  15. lilnymphie

    lilnymphie Private E-2

    Oh I run Hijack this with all the programs closed while in safe mode. It's just after I've done it three times and I can't think of what else to do, that I reconnect the net and come onto here to post. And then to post a log, I just do a hijackthis right then, so that's why there are all those programs running...

    I've copied and pasted your instructions to a text file, and will try that tomorrow. *crosses fingers*

    Thanks a lot by the way, it's really great of you to help so many people!
     
  16. lilnymphie

    lilnymphie Private E-2

    Oh, I don't know if this is important, but I am on a network.

    Also, in the add/remove programs, besides HSA, there's also a Shopping Wizard and Search Extender.
     
  17. goldfish

    goldfish Lt. Sushi.DC

    If you're on a network then make sure the LAN cable is unplugged when running the remove program.
     
  18. lilnymphie

    lilnymphie Private E-2

    I followed all the steps, except during step 4) there is no physical atlfi file that I could find. This was the same problem as with the mfche32 and the mfcwn32. Those files are either hidden, or whatever...cos I can't find any when I go into the folder to look, nor when I use the search in windows.

    But I followed all the other steps. HSA is still here. Also, for the Network Security Service, I don't see that in services.msc. I see a NT LM Security Support Provider, a Network DDE, Network DDE DSDM...to be sure, I disabled all of them while I tried it.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re-Enable those other services. They are not related to this problem.

    Several points:
    1) every time you reboot or do a fix on this problem the EXE file names will most likely change. So do not reboot in between posting a HijackThis log and getting an answer on what to try next. Also, do not make any fixes using HijackThis or any other method in between either because that will also cause changes. I have seen cases where dozens of the EXE files are spawned.
    2) The same happens to the DLL file on the R0 & R1 lines each time too. Again it is important not to reboot in between posts.
    3) when looking for the files do you have viewing of hidden files and folders enabled:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html
    4) for file search I don't remember whether Win2K has an Advanced options or not like XP to enable searching for hidden & system files.
    5) when you are looking for the Network Security Service, did you do it in safe mode or normal mode. It may only show in normal mode.

    Post a fresh HijackThis log after a reboot and do not modify anything. Do not reboot again (it is okay to un-plug from the Internet while waiting for a reply. Just don't reboot).
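
Added illustration, not part of the original thread and not code from any poster: a small Python comparison of two HijackThis logs that surfaces the behaviour described in the post above (the `res://` DLL and the Run-key EXE changing name between logs) and shows which lines of an older fix list no longer match. The function names and the trimmed sample logs are assumptions made for this example; the sample lines are copied from the two logs posted in this thread.

```python
import re

# Constructed sample input: a subset of lines taken from the two logs in this thread.
LOG_JUL14 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ztypt.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ztypt.dll/index.html#37794
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.library.utoronto.ca:8080
O2 - BHO: (no name) - {DD1EE870-2587-FBFB-3234-9255B74CC5B9} - C:\WINNT\javaxg.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mfcwn32.exe] C:\WINNT\mfcwn32.exe
"""
LOG_JUL15 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzdwn.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzdwn.dll/index.html#37794
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.library.utoronto.ca:8080
O2 - BHO: (no name) - {DD1EE870-2587-FBFB-3234-9255B74CC5B9} - C:\WINNT\javaxg.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [atlfi.exe] C:\WINNT\atlfi.exe
"""

LINE = re.compile(r"^(R[01]|O2|O4) - (.+)$")
# DLL named in a res:// URL, with or without a full path in front of it.
RES_DLL = re.compile(r"res://(?:.*\\)?([^\\/]+\.dll)/", re.I)

def parse(log):
    """Return {"R": [(location, value)], "O2": [(clsid, path)], "O4": [(key, command)]}."""
    out = {"R": [], "O2": [], "O4": []}
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section in ("R0", "R1"):
            location, _, value = rest.partition(" = ")
            out["R"].append((location, value))
        elif section == "O2":
            # "BHO: <name> - {CLSID} - <path>"
            head, _, path = rest.rpartition(" - ")
            clsid = re.search(r"\{[0-9A-Fa-f-]+\}", head)
            out["O2"].append((clsid.group(0) if clsid else head, path))
        else:
            # "HKLM\..\Run: [value name] command"
            m4 = re.match(r"(.+?): \[(.*?)\] (.+)", rest)
            if m4:
                out["O4"].append((m4.group(1), m4.group(3)))
    return out

def res_map(r_entries):
    """Map each IE setting whose value is a res:// URL to the DLL it points at."""
    found = {}
    for location, value in r_entries:
        m = RES_DLL.search(value)
        if m:
            found[location] = m.group(1).lower()
    return found

def compare(old_log, new_log):
    """Summarise what changed name and what stayed put between two logs."""
    old, new = parse(old_log), parse(new_log)
    old_res, new_res = res_map(old["R"]), res_map(new["R"])
    renamed = {loc: (old_res[loc], new_res[loc])
               for loc in old_res.keys() & new_res.keys()
               if old_res[loc] != new_res[loc]}
    old_run, new_run = set(old["O4"]), set(new["O4"])
    return {
        "res_dll_renamed": renamed,
        "run_removed": sorted(cmd for _, cmd in old_run - new_run),
        "run_added": sorted(cmd for _, cmd in new_run - old_run),
        "bho_persisting": sorted(p for _, p in set(old["O2"]) & set(new["O2"])),
    }

def stale_fix_lines(fix_lines, current_log):
    """Fix-list lines that no longer appear verbatim in the current log."""
    current = {line.strip() for line in current_log.splitlines()}
    return [line for line in fix_lines if line.strip() not in current]

if __name__ == "__main__":
    for key, value in compare(LOG_JUL14, LOG_JUL15).items():
        print(key, "->", value)
```

A fix list written against the older log goes stale as soon as the names change, which is why a fresh log has to be posted without a reboot or a fix in between.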
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's why I said unplug the cable. VERY IMPORTANT.

    See step 8 below. I told you about all 3 items in the registry. Only I called one of them Search Assistant. Sometimes it is also called Search Extender!
     
  21. lilnymphie

    lilnymphie Private E-2

    Erm, if I format and use Mozilla, will that solve this? ...
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Obviously, that can be done and all problems present in your system will be gone. But unless you have adequate protection in place you can still run into problems.

    I have not had a PC yet that we could not fix but in some cases it does take some repetition and the following of directions exactly. Also as I said before need to avoid reboots in between posting to avoid mutations. You probably have many EXE running that need to be killed. You could download Process Explorer and save a list of what is running to a file and post back here.

    Go here and download Process Explorer: http://www.sysinternals.com/ntw2k/f...e/procexp.shtml

    Click on the link at the bottom that says:

    Download Process Explorer (x86 - 230 KB) - you plan on using Process Explorer on WinNT/2K/XP

    I would recommend making a directory like c:\sysinternals and putting it in there because they have a load of other useful items you may need some day too.

    Then shut all un-necessary applications down and run process explorer (you need to unzip it) into the directory. Then click File and Save As, this will allow you to save the process list to a default file name called Procexp.txt. Post that file into your next message.
     
