Need help deciding which HSA trojan files to kill

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by delucaland, Oct 8, 2004.

  1. delucaland

    delucaland Private E-2

    Hi,
    I have read all the suggested help materials to defeat the HSA hijack and have followed directions several times and have not succeeded. I must be missing a file or two and would like some help by looking at my Hijack This log for advice on what looks bad. I see that I need to be asked to post prior to posting.
    Thanks,
    Jim
     
  2. Kodo

    Kodo SNATCHSQUATCH

    post your log please. Make sure you have the latest version of HJT 1.98.2 and you don't run it from the desktop, any folder in documents and settings or from an archive. Put it in its own folder (C:\HJT for ex: )
     
  3. delucaland

    delucaland Private E-2

    This is the Hijack This log scan in regular mode after running Ad-Aware and Spybot. The second one is scanned from Safe Mode after running Ad-Aware only. Thanks for your help.

    Logfile of HijackThis v1.98.2
    Scan saved at 2:07:33 PM, on 10/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Last edited by a moderator: Oct 10, 2004
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the HJT tutorial. Logs must be posted as attachments.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember to shut down ALL browsers before running HJT (C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe ).

    Make sure viewing of hidden files is enabled and system restore is disabled.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
    ueaa.exe
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    O2 - BHO: (no name) - {4E238102-DB04-0585-E373-CBD82407DA2D} - C:\WINDOWS\system32\msyy32.dll (file missing)
    O2 - BHO: (no name) - {6A886E76-9B31-4DE6-8A52-17557BF22A49} - C:\WINDOWS\system32\wapwe.dll
    O4 - HKCU\..\Run: [Codn] C:\Documents and Settings\Jim\Application Data\ueaa.exe
    O4 - HKCU\..\Run: [Yccmg] C:\WINDOWS\system32\??rvices.exe
    Boot in safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Jim\Application Data\ueaa.exe
    C:\WINDOWS\system32\wapwe.dll
    C:\WINDOWS\system32\??rvices.exe <--- do not delete services.exe

    Now boot in normal mode and post a new log and tell us how things are working.
     
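As a worked illustration of why those particular lines stand out (added here; this is not code from the thread, from HijackThis or from MajorGeeks), a small Python triage script that applies three of the tells used above: a BHO with no name or a missing DLL, an autorun entry launched from the user's Application Data folder, and an executable name that is a near-match for a system binary but contains characters HJT renders as `?`. The sample lines are constructed from the entries quoted in the thread plus one ordinary ctfmon entry for contrast; the name lists, the user-writable path list and the edit-distance threshold of 2 are my assumptions.

```python
import re

# Constructed sample modelled on the entries quoted above, plus one ordinary HKLM entry
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {4E238102-DB04-0585-E373-CBD82407DA2D} - C:\WINDOWS\system32\msyy32.dll (file missing)
O2 - BHO: (no name) - {6A886E76-9B31-4DE6-8A52-17557BF22A49} - C:\WINDOWS\system32\wapwe.dll
O4 - HKCU\..\Run: [Codn] C:\Documents and Settings\Jim\Application Data\ueaa.exe
O4 - HKCU\..\Run: [Yccmg] C:\WINDOWS\system32\??rvices.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed lists: system binaries commonly imitated, and profile paths any user can write to
SYSTEM_NAMES = ["services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe"]
USER_WRITABLE = ["\\application data\\", "\\local settings\\temp\\"]
O4_RE = re.compile(r"O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (.+)$")

def edit_distance(a, b):
    """Levenshtein distance, to catch names one or two characters off a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_entry(line):
    """Return the reasons one HijackThis line deserves a second look (empty = nothing odd)."""
    reasons = []
    if line.startswith("O2 - BHO:"):
        if "(no name)" in line:
            reasons.append("BHO without a name")
        if line.endswith("(file missing)"):
            reasons.append("BHO registered but its DLL is missing")
    m = O4_RE.match(line)
    if m:
        path = m.group(1).strip()
        name = path.rsplit("\\", 1)[-1].lower()
        if any(seg in path.lower() for seg in USER_WRITABLE):
            reasons.append("autorun launched from a user-writable profile folder")
        # HJT prints '?' for characters it cannot render, and '?' is illegal in a Windows
        # file name anyway, so either case means the name holds non-ASCII characters
        if "?" in name or not name.isascii():
            reasons.append("non-ASCII characters in executable name")
            reasons += [f"lookalike of {s}" for s in SYSTEM_NAMES if edit_distance(name, s) <= 2]
    return reasons

def review_log(text):
    # Map each suspicious line to its reasons; clean lines are left out
    return {l: r for l in map(str.strip, text.splitlines()) if (r := review_entry(l))}
```

Running `review_log(SAMPLE_LOG)` flags the two BHOs, ueaa.exe and the ??rvices.exe entry and leaves the R1 and ctfmon lines alone; a real triage would still confirm each file by hand, as the thread does.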
  6. delucaland

    delucaland Private E-2

    Hi,
    Thanks for the help. When booting in Safe Mode to delete the 3 files you mentioned, I was not able to locate them where they should have been; so I could not do so.

    I have attached the new Hijack This log. It shows a Mozilla process but I thought I ended all the browsers.

    Jim
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the log.

    Are you sure you enabled viewing of hidden files?

    And how did you attempt to locate the files?
     