Help with HSA, SE, & SW removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tejano78, Aug 21, 2004.

  1. tejano78

    tejano78 Private E-2

    I tried the generic solution to removing HSA but found the dll file I am trying to remove seems to mutate. I am not comfortable with identifying the bad items in the HijackThis log such as the BHO line or O4 lines. I only have one BHO line listed. Can someone analyze my log? I know that only removing the R1 & R0 lines that the hijacker added is not enough and that they end up changing. I did not see the services listed in step 13l or 13m. I was allowed to delete HSA, SE, and SW. After returning to the internet, my homepage is still redirected. HSA, SE, and SW are listed again.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't attempt partial fixes!!!! If you skip around and keep making changes like that, you will spread the problem all over the place. Also, the more you reboot the more it can mutate (especially if you start trying to delete one or two files or lines here and there). The procedure must be followed step by step in the order it was written in a continuous fashion. That is, don't stop in the middle and come back later, especially rebooting at any point when you were not told to. If you stop or reboot at a point not specified you will have to start over again at the beginning.

    Are you absolutely positive you have this hijacker? If so, post me a HijackThis log (as a .txt file attachment) and I'll try to point you in the right direction. If not positive, you should run the procedures here first: http://forums.majorgeeks.com/showthread.php?t=35407
     
  3. tejano78

    tejano78 Private E-2

    I've attached my hijackthis log. Home Search Assistant, Search Extender, and Shopping W are all on my computer. Thank you for your help. I have been reading up on this topic for a few days now.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Windows 2000 is out of date with proper service packs. This can be a security problem. The same is true for your Internet Explorer version.

    Questions: These next three lines from your log (related to two programs) are not part of the HSA hijack, but I do not like the looks of them. Have you run a full virus scan and/or trojan scan lately? Unless you know what they are?
    C:\WINNT\System32\vrmw.exe
    O4 - HKCU\..\Run: [Supe] C:\Documents and Settings\Dora Lopez\Application Data\siwt.exe
    O4 - HKCU\..\Run: [Voffxvx] C:\WINNT\System32\vrmw.exe


    Okay here are your processes related to HSA:
    C:\WINNT\system32\apijt32.exe
    C:\WINNT\mfcqi32.exe


    Here are your R0 & R1 lines:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\dgqcn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\dgqcn.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dgqcn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dgqcn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\dgqcn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\dgqcn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\dgqcn.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dgqcn.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\dgqcn.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\dgqcn.dll/sp.html#96676


    Here is your BHO line:
    O2 - BHO: (no name) - {2337E364-64B1-714C-A6EE-D6016C7DA801} - C:\WINNT\d3ki32.dll

    And here is the only line shown right now in the O4 startup section:
    O4 - HKLM\..\Run: [mfcqi32.exe] C:\WINNT\mfcqi32.exe

    Don't forget to add in any info (if found) from the Network Security Service
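
The grouping done by hand in the post above (R0/R1 lines, the BHO line, the O4 startup lines) can be reproduced with a small parser, so that every related entry is collected before any cleanup starts. This is an added example, not part of the thread and not HijackThis code; the function name `inventory` and the regular expressions are assumptions based only on the line layout of the excerpts quoted above.

```python
import re

# Lines copied from the HijackThis excerpts quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\dgqcn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dgqcn.dll/index.html#96676
O2 - BHO: (no name) - {2337E364-64B1-714C-A6EE-D6016C7DA801} - C:\WINNT\d3ki32.dll
O4 - HKLM\..\Run: [mfcqi32.exe] C:\WINNT\mfcqi32.exe
O4 - HKCU\..\Run: [Voffxvx] C:\WINNT\System32\vrmw.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "R1 - ...", "O4 - ..."
RES_VALUE = re.compile(r"^(.+?) = res://(.+?\.dll)/", re.I)  # IE value served from a DLL resource
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN = re.compile(r"^(HK[A-Z]+)\\\.\.\\Run: \[(.+?)\] (.+)$")


def inventory(log_text):
    """Collect the R0/R1, O2 and O4 entries of a HijackThis log in one place."""
    found = {"redirect_dlls": set(), "redirected_values": [], "bhos": [], "run": []}
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue  # header lines, running processes, blank lines
        code, body = entry.groups()
        if code in ("R0", "R1"):
            res = RES_VALUE.match(body)
            if res:
                found["redirected_values"].append(res.group(1))
                # Lines name the DLL with or without a path; compare by file name.
                found["redirect_dlls"].add(res.group(2).rsplit("\\", 1)[-1].lower())
        elif code == "O2":
            bho = BHO.match(body)
            if bho:
                name, clsid, path = bho.groups()
                found["bhos"].append((clsid, name, path))
        elif code == "O4":
            run = RUN.match(body)
            if run:
                found["run"].append(run.groups())  # (hive, value name, command)
    return found


if __name__ == "__main__":
    for section, items in inventory(SAMPLE_LOG).items():
        print(section, "->", sorted(items))
```
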
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is that enough info to get you on your way or do you have other questions about other steps?
     
  6. tejano78

    tejano78 Private E-2

    I have a burned copy of Microsoft Office 2000 installed. Can I download an update from Microsoft's website?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand your question!
    And what does this have to do with the HSA hijack?
     
  8. tejano78

    tejano78 Private E-2

    You stated that I don't have an up to date service pack. If I need to install updates on my computer and the copy I have is burned, will I get somebody in trouble by visiting Microsoft's update page? By the way, I was able to get rid of HSA. Thank you.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now I understand what you meant. Well we don't deal with any questions here related to illegally copied software.

    Happy to hear your HSA issue is resolved though!
     
