Help with HSA

There is no system restore on Win2K. Try my original Generic Solution to fix this. I have been using it again lately with a few additional steps added and it has worked. Note it is written "generically" so you have to subsitute in your info from your HijackThis log in the correct places. Here is the link: http://forums.majorgeeks.com/showthread.php?t=35917
Note: where ever it states c:\windows you will most likely have c:\winnt since you are using Win2k.

Before starting make sure you download and install CCleaner from here:
http://www.majorgeeks.com/download4191.html

Don't run CCleaner yet.

Also before starting make sure you have the current versions of:
HijackThis (you have an old version): http://www.majorgeeks.com/download3155.html
HSremove : http://www.majorgeeks.com/download4286.html
About:Buster: http://www.majorgeeks.com/download4289.html
Ad-aware: http://www.majorgeeks.com/download506.html
make sure Ad-aware reference file is updated.
Also first read about how to set Ad-aware for a fullscan: http://www.lavahelp.com/howto/fullscan/index.html


If you can follow how to substitute all of you info into the Generic Solution Thread, do it but when you get to step 13, add the steps below in and then after these continue on with step 14 and above:


13A. Search the registry for every instance of xxxxx.dll (the file from step 5). Change the values for your home and search pages to what you want (www.majorgeeks.com will do).
13B. Search the registry for every instance of the suspicious exe files found by Hijack This from step 8. Delete every instance.
13C. Run CCleaner and on the Windows tab (you'll see when you run it) leave the defaults and click Run Cleaner.
13D. Search your computer for xxxxx.dll. Delete each instance.
13E. Search your computer for the suspicious exe files. Delete each instance.
13F. If WinXP, Delete the Prefetch folder in C:\WINDOWS.
13G. Delete Memory.dmp in C:\WINDOWS or was it C:\WINDOWS\System32
13H. Run HSRemover. (save the log)
13I. Run about:Buster (save the log)

 

Thanks aLLiKZar,

Those are standard operating procedure (SOP) but they will not fix a true HSA or About:Blank hijack.

 

Okay! Let me know when you get finished or if you need help understanding all this.

 

This does not show the typical lines seen when having the HSA hijack problem. That is, unless this is a new strain of the problem. I see you already ran HSremove. Perhaps you need to reboot a few times and open & close Internet Explorer a couple of times to see if these lines change. If they do not change, the first thing I would do is download the latest About:Buster (it just updated so make sure your download this version) and run it and save its log. Then let me know where things stand. If still having problems, post the About:Buster log and a HijackThis log. Remember to post them as a text attachment (see this thread for new rules on this: http://forums.majorgeeks.com/showthread.php?t=35407)

 

You mean you have Active Desktop enabled and you have it set to Show Web Content?

 

Okay just tell me something. If you run HijackThis right now, does it still give the same log. Or are there other R0 & R1 lines now.

 

Wrong approach! Do not start a new thread! Stay in the same thread until your problem is resolved. If you have different problem then start a new thread.

 

You have multiple issues in here we have to take care of. They may be fighting each other. Let's try to work one at a time:

Bring up Task Manager using CTRL-ALT-DEL and select Processes. Find the winlgn.exe process (be careful!!!! I said winlgn.exe NOT winlogon.exe), when you find it, select it then click End process.
The have HijackThis fix the lines below:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://youriskalka.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://youriskalka.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://youriskalka.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://youriskalka.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://youriskalka.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://youriskalka.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://youriskalka.com/sp.htm
O4 - Global Startup: winlgn.exe

Now reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
and delete the below file:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
While in safe mode we may as well run About:Buster. Save its log.
Now reboot in normal mode and post you About:Buster log and a new HijackThis log (as an attachment).

 

I just noticed you have HijackThis running from your Desktop. You need to get it into its own directory where it can save backup files. Do not put it on the desktop or in a temp directory that is prone to cleanups (this could erase its backup files). You could make a c:\spyware-tools directory and put items like HijackThis, CWShredder, etc in it. None of these require installation. They just run.

 

I also want you to download ProcessExplorer from here: http://www.sysinternals.com/files/procexpnt.zip
Unzip it and have it ready to run. Tell me when you are up to this point.

 

Yo! Shultzie! Wake up! Where did you go!

 

I was just trying to wake you up. I thought maybe you fell asleep at the wheel (well the keyboard that is).

If you run Process Explorer, do you see any of these:
winlgn.exe
apiad.exe
apikh32.exe
msw3prt.exe
WEATHER.EXE

 

That's normal after running About:Blank and when it sucessfully completes.
Check my request below.

 

Also, check Add/Remove programs for anything that looks like WeatherCast and let me know if you find it. We have to get rid of WeatherCast.

 

Okay run windows explorer and navigate to these files (one at a time). Right click on them and select Properties and then version. I want to see if there is any version info and who the company could be if any. Also tell me the file sizes and Modification dates.

C:\WINNT\system32\apikh32.exe
C:\WINNT\System32\msw3prt.exe

 

Both WeatherBug and WeatherCast are not programs that you want to use. Both are Ad-aware (WeatherCast is even considered a Trojan: see this http://www.inet-mates.com/articles/3_rm_weathercast.html). Uninstall WeatherBug.

Where is "here"?

 

Try again but make sure you can view hidden files and folders: http://forums.majorgeeks.com/showthread.php?t=37650

 

But no apikh32.exe ?

Any version info on apiad.exe ?

 

All three were shown running in your HijackThis log. So use process explorer to kill these (if found):
apiad.exe
apikh32.exe
msw3prt.exe

The use windows explore to delete (if found! Tell me which ones you find too. And if you have any problems deleting them, I need to know before you continue.)
C:\WINNT\system32\apiad.exe
C:\WINNT\system32\apikh32.exe
C:\WINNT\System32\msw3prt.exe

Reboot to safe mode and run HSremove save log, run About:Buster twice and save each log. Reboot normal mode post those three logs along with a new HJT log. Put them all in one attachment.)

 

Kill the process. But tell me....do you see things running under those processes? If so, what?

 

When you kill those processes make sure to have all Internet Explorer sessions and any other applications closed. Then run Win Explorer to delete the files. Then quickly reboot in safe mode to continue the steps.

 

Okay go for it! Execute the rest of the steps! It's getting late! And I'm what an hour later then you (or is it two hours - 1:56 am here).

 

Physically run it twice! So yes, you will see 4 scans. These problems are persistent and sometimes restart themselves very quickly. So we are just trying to stop them.

 

You need to kill and delete netyt.exe too..

 

Well now you have other processes running. One as you mentioned is sdkz32.exe. There is also d3nv32.exe. And I still see this in your HJT log, msw3prt.exe. Were you able to find msw3prt.exe and delete it?

 

The only one I see in the current log running is: C:\WINNT\system32\sdkzk32.exe

 

Okay then right now have HijackThis fix this line:
O4 - HKCU\..\Run: [msw3prt] C:\WINNT\System32\msw3prt.exe

Do another quick scan and make sure it goes away.

The run Process Explorer and click File, Save As, and save the process list. Post it back here so I can see what is running.