Window ME HSremove

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by owen77, Aug 11, 2004.

  1. owen77

    owen77 Private E-2

    Hi all,

    I am having a lot of trouble getting rid of a search-to-find.com pop up.

    I am aware that this is quite a nasty one. I have run Ad-Aware, Spybot, and CWShredder, all fully updated, and although they have found a few little buggers they have not fixed the aforementioned problem.

    I haven't run an anti-virus application yet because I want to get rid of all the hijackers and spyware before I spend time running a full AV scan.

    I have run HijackThis and found quite a lot of strange things. Most of the R2 listings were not recognised in Bob's list (or whatever list it is that you check for that) and they have (file missing) or something to that effect after them. As a result I have deleted most of the R2 listings. I have since rebooted several times and everything still seems stable. (I did a registry backup just in case.) I haven't fixed any of the startup listings but I was tempted because, as before, quite a lot of them were not recognised in the list (Bob's or whatever).

    The HSREMOVE utility requires that NT or XP be installed. I am running Windows ME. Your help would be greatly appreciated.

    Here is my hijackthis log:

    Awaiting your help.

    Thanks for your time

    Owen Lamont


    Edit by chaslang: changed HJT log to attachment! Please follow directions in:
    http://forums.majorgeeks.com/showthread.php?t=38752
     

    Attached Files: hjt.txt (6.4 KB)
    Last edited by a moderator: Aug 11, 2004
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using About:Buster and follow the directions given in the download link (also in the ZIP file):
    http://majorgeeks.com/download4289.html

    Let us know how this works for you. Save a log from About:Buster and post it back here as an attachment.

    Notice in your first message I changed the HJT log to an attachment. Make sure you read and follow the guidelines in the link I gave you in my Edit of your post.
     
  3. owen77

    owen77 Private E-2

    Thanks for your reply.

    Sorry about not following protocol and attaching the hijack log properly.

    I downloaded About:Buster and followed the instructions. It removed a lot of stuff but unfortunately did not fix the problem.

    I still get hijacked by search-to-find.com and get various other pop ups.

    Please find a more up to date HijackThis log and the About:Buster log attached.

    Thanks for your time

    Owen
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download ProcessExplorer from here: http://www.sysinternals.com/files/procexp9x.zip
    Unzip it but do not run yet.

    Print these instructions or save them locally. I want you to physically disconnect (unplug your analog modem or ethernet cable) from the internet NOW!
    Remain disconnected until I tell you otherwise. Also EXIT all Internet Explorer or other browser applications NOW!

    Now run ProcessExplorer and locate the following processes (if running) and have Process Explorer kill them:

    Win86.exe
    win32x.exe
    BASPI32.EXE
    ATLHL32.EXE
    A0YSF9.EXE
    MFCLE32.EXE
    APIDO.EXE
    ATLUH32.EXE
    JAVAKC32.EXE
    APIDN.EXE
    IEAM.EXE
    APPSD.EXE
    WINFA32.EXE
    IPTP32.EXE
    ATLOM.EXE
    NTYN.EXE
    MFCGS32.EXE
    IPYO.EXE
    ADDAX32.EXE
    D3YO.EXE
    ADDIO.EXE
    IEVT32.EXE
    WINRZ.EXE
    MFCUS.EXE
    IEUD32.EXE

    Now run about:Buster (but only run it once right now and do not reboot) and save the log (log1.txt).

    Now run HijackThis and put check marks on the below lines but DO NOT CLICK FIX yet:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hsgcw.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hsgcw.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\hsgcw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\hsgcw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hsgcw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hsgcw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hsgcw.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\hsgcw.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hsgcw.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hsgcw.dll/sp.html#96676
    O2 - BHO: Class - {0E367930-654D-7C53-BF90-51083EB7625C} - C:\WINDOWS\SYSTEM\D3XA32.DLL
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [WinInit] Win86.exe
    O4 - HKLM\..\Run: [WinLogin] win32x.exe
    O4 - HKLM\..\Run: [p4mW37X] BASPI32.EXE
    O4 - HKLM\..\Run: [ATLHL32.EXE] C:\WINDOWS\SYSTEM\ATLHL32.EXE
    O4 - HKLM\..\Run: [A0YSF9] C:\WINDOWS\TEMP\A0YSF9.EXE
    O4 - HKLM\..\RunServices: [MFCLE32.EXE] C:\WINDOWS\SYSTEM\MFCLE32.EXE
    O4 - HKLM\..\RunServices: [APIDO.EXE] C:\WINDOWS\APIDO.EXE
    O4 - HKLM\..\RunServices: [ATLUH32.EXE] C:\WINDOWS\SYSTEM\ATLUH32.EXE
    O4 - HKLM\..\RunServices: [JAVAKC32.EXE] C:\WINDOWS\SYSTEM\JAVAKC32.EXE
    O4 - HKLM\..\RunServices: [APIDN.EXE] C:\WINDOWS\SYSTEM\APIDN.EXE
    O4 - HKLM\..\RunServices: [IEAM.EXE] C:\WINDOWS\IEAM.EXE
    O4 - HKLM\..\RunServices: [APPSD.EXE] C:\WINDOWS\SYSTEM\APPSD.EXE
    O4 - HKLM\..\RunServices: [WINFA32.EXE] C:\WINDOWS\WINFA32.EXE
    O4 - HKLM\..\RunServices: [IPTP32.EXE] C:\WINDOWS\SYSTEM\IPTP32.EXE
    O4 - HKLM\..\RunServices: [ATLOM.EXE] C:\WINDOWS\ATLOM.EXE
    O4 - HKLM\..\RunServices: [NTYN.EXE] C:\WINDOWS\NTYN.EXE
    O4 - HKLM\..\RunServices: [MFCGS32.EXE] C:\WINDOWS\SYSTEM\MFCGS32.EXE
    O4 - HKLM\..\RunServices: [IPYO.EXE] C:\WINDOWS\SYSTEM\IPYO.EXE
    O4 - HKLM\..\RunServices: [ADDAX32.EXE] C:\WINDOWS\SYSTEM\ADDAX32.EXE
    O4 - HKLM\..\RunServices: [D3YO.EXE] C:\WINDOWS\SYSTEM\D3YO.EXE
    O4 - HKLM\..\RunServices: [ADDIO.EXE] C:\WINDOWS\ADDIO.EXE
    O4 - HKLM\..\RunServices: [IEVT32.EXE] C:\WINDOWS\IEVT32.EXE
    O4 - HKLM\..\RunServices: [WINRZ.EXE] C:\WINDOWS\WINRZ.EXE
    O4 - HKLM\..\RunServices: [MFCUS.EXE] C:\WINDOWS\MFCUS.EXE
    O4 - HKLM\..\RunServices: [IEUD32.EXE] C:\WINDOWS\SYSTEM\IEUD32.EXE
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=0c8af29cad1529a0c2f12262efe492244d317f6ab2c86bff7585b7e883263ddf35912dd813dee463c744961d2b31add589650eef4d876c0fc2a2f745d64562:c31e3730b38c174130e1e2729109a237
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    MAKE SURE YOU HAVE NO BROWSER SESSIONS RUNNING and then click FIX in HijackThis.

    Now reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Make sure you can view hidden files and folders: http://forums.majorgeeks.com/showthread.php?t=37650

    Use Windows Explorer to navigate to the following files and delete them. If you have a problem deleting any of them, run ProcessExplorer again and look for the process and if running kill it. Then try to delete it again. Make note of any filenames that you cannot get deleted or cannot find.
    C:\WINDOWS\hsgcw.dll
    C:\WINDOWS\SYSTEM\D3XA32.DLL
    C:\win86.exe or C:\WINDOWS\win86.exe C:\WINDOWS\SYSTEM\win86.exe C:\WINDOWS\SYSTEM32\win86.exe
    c:\win32x.exe or C:\WINDOWS\win32x.exe C:\WINDOWS\SYSTEM\win32x.exe C:\WINDOWS\SYSTEM32\win32x.exe
    c:\BASPI32.EXE or C:\WINDOWS\BASPI32.EXE C:\WINDOWS\SYSTEM\BASPI32.EXE C:\WINDOWS\SYSTEM32\BASPI32.EXE
    C:\WINDOWS\SYSTEM\ATLHL32.EXE
    C:\WINDOWS\TEMP\A0YSF9.EXE
    C:\WINDOWS\SYSTEM\MFCLE32.EXE
    C:\WINDOWS\APIDO.EXE
    C:\WINDOWS\SYSTEM\ATLUH32.EXE
    C:\WINDOWS\SYSTEM\JAVAKC32.EXE
    C:\WINDOWS\SYSTEM\APIDN.EXE
    C:\WINDOWS\IEAM.EXE
    C:\WINDOWS\SYSTEM\APPSD.EXE
    C:\WINDOWS\WINFA32.EXE
    C:\WINDOWS\SYSTEM\IPTP32.EXE
    C:\WINDOWS\ATLOM.EXE
    C:\WINDOWS\NTYN.EXE
    C:\WINDOWS\SYSTEM\MFCGS32.EXE
    C:\WINDOWS\SYSTEM\IPYO.EXE
    C:\WINDOWS\SYSTEM\ADDAX32.EXE
    C:\WINDOWS\SYSTEM\D3YO.EXE
    C:\WINDOWS\ADDIO.EXE
    C:\WINDOWS\IEVT32.EXE
    C:\WINDOWS\WINRZ.EXE
    C:\WINDOWS\MFCUS.EXE
    C:\WINDOWS\SYSTEM\IEUD32.EXE

    Run about:Buster again in safe mode and save another log (log2.txt).
    Reconnect your cable for internet access and reboot in normal mode.
    Open up TWO Internet Explorer sessions (do not go anywhere) and then exit them.
    Now run HijackThis and save a new log.

    Now connect back here and post both about:Buster logs and the HJT log (all as attachments).
    If this does not work, we will need to go through the Generic Solution:
    http://forums.majorgeeks.com/showthread.php?t=38772
     
    Last edited: Aug 12, 2004
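The procedure in this post builds three things by hand from the HijackThis log: a list of processes to end in Process Explorer, a set of log lines to tick and Fix, and a list of files to delete in safe mode. The following Python script is an added example, not code from the thread, from chaslang or from MajorGeeks, that automates the same triage for the entry formats quoted in this post (R0/R1, O2, O3, O4, O16, O18). It flags entries by the signs chaslang acted on: IE start and search pages served out of a `res://` DLL, a BHO with a generic name, Run/RunServices entries not on a recognised list (the "Bob's list" check owen77 asks about in the first post), orphaned toolbar and protocol registrations, and ActiveX downloads from third-party hosts. The `KNOWN_GOOD_*` allowlists are constructed stand-ins for a maintained reference list, and the sample log is constructed from lines quoted in this thread plus two benign Windows ME entries so the filter has something to leave alone.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample in the format of the HijackThis log quoted in this post.
# Flagged lines come from chaslang's list; ScanRegistry and Local Page are
# benign Windows ME entries added so the filter has something to keep.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hsgcw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\hsgcw.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Class - {0E367930-654D-7C53-BF90-51083EB7625C} - C:\WINDOWS\SYSTEM\D3XA32.DLL
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [APIDO.EXE] C:\WINDOWS\APIDO.EXE
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""

# Constructed stand-ins for a maintained list of recognised entries (the
# "Bob's list" check); a real tool would load a far larger, updated list.
KNOWN_GOOD_O4 = {"scanregistry", "loadpowerprofile", "schedulingagent",
                 "systemtray", "taskmonitor", "pchealth"}
KNOWN_GOOD_O16_HOSTS = {"windowsupdate.microsoft.com", "download.microsoft.com"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\(?P<point>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RES_DLL_RE = re.compile(r"res://(?P<path>.+?\.dll)", re.I)
EXE_RE = re.compile(r"(?P<exe>.*?\.exe)", re.I)
O16_URL_RE = re.compile(r"- (?P<url>https?://\S+)$")


@dataclass
class Finding:
    kind: str                     # HijackThis section: R0, R1, O2, O3, O4, O16, O18
    reason: str                   # why the entry is flagged
    line: str                     # log line to tick in HijackThis
    kill: Optional[str] = None    # process to end before clicking Fix
    delete: Optional[str] = None  # file to remove in safe mode afterwards


def analyse(log_text: str) -> list[Finding]:
    """Return the suspicious entries in a HijackThis log, each with the
    process and file it implies (if any)."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m["kind"], m["body"]

        if kind in ("R0", "R1") and " = " in body:
            # Start/search page served from HTML embedded in a DLL: the DLL
            # is the hijacker and must be deleted once the values are reset.
            dll = RES_DLL_RE.match(body.split(" = ", 1)[1])
            if dll:
                findings.append(Finding(kind, "IE page served from a res:// DLL resource",
                                        line, delete=dll["path"]))
        elif kind == "O2":
            bho = O2_RE.match(body)
            if bho and (bho["name"] in ("Class", "(no name)") or bho["path"] == "(no file)"):
                path = None if bho["path"] == "(no file)" else bho["path"]
                findings.append(Finding(kind, "BHO with a generic or missing name", line, delete=path))
        elif kind in ("O3", "O18") and body.endswith("(no file)"):
            # Orphaned registration: only the registry entry needs fixing.
            findings.append(Finding(kind, "registration points at a missing file", line))
        elif kind == "O4":
            o4 = O4_RE.match(body)
            if o4 and o4["name"].lower() not in KNOWN_GOOD_O4:
                exe_match = EXE_RE.match(o4["cmd"])
                exe = exe_match["exe"] if exe_match else (o4["cmd"].split() or [o4["name"]])[0]
                reason = "unrecognised startup entry"
                if o4["point"].lower() == "runservices":
                    reason += " (RunServices starts before logon on Win9x/ME)"
                findings.append(Finding(kind, reason, line,
                                        kill=exe.rsplit("\\", 1)[-1], delete=exe))
        elif kind == "O16":
            url = O16_URL_RE.search(body)
            if url:
                host = (urlparse(url["url"]).hostname or "").lower()
                if host not in KNOWN_GOOD_O16_HOSTS:
                    findings.append(Finding(kind, f"ActiveX control fetched from {host}", line))
    return findings


def build_cleanup_plan(log_text: str) -> dict:
    """Derive the three lists the manual procedure produces, de-duplicated
    and in log order: lines to Fix, processes to kill, files to delete."""
    findings = analyse(log_text)
    return {
        "fix": list(dict.fromkeys(f.line for f in findings)),
        "kill": list(dict.fromkeys(f.kill for f in findings if f.kill)),
        "delete": list(dict.fromkeys(f.delete for f in findings if f.delete)),
    }


if __name__ == "__main__":
    plan = build_cleanup_plan(SAMPLE_LOG)
    for section in ("kill", "fix", "delete"):
        print(f"== {section.upper()} ==")
        for item in plan[section]:
            print("  " + item)
```

Bare filenames in Run values (such as `Win86.exe`) come out of the delete list without a directory, which is exactly why the post lists several candidate locations for those three files: the loader resolves them through the PATH search, so the file has to be looked for in each of those directories.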
  5. owen77

    owen77 Private E-2

    Chaslang ... You are truly a legend.

    I think that's fixed it. I have done several reboots and I am no longer getting hijacked.

    I also used a tool called CCleaner that emptied all the temp folders, cookies etc. It found 180 MB of stuff that needed deleting.

    Thanks very much for your help. Again ... a true legend


    Thanks


    Owen
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Wow!! Now I'm a legend! Thanks! :)

    Yes, CCleaner was a good thing to run. If you look at my long Generic Solution you will notice I make use of it in that procedure.

    Just double check right now and make sure your Recycle Bin is empty (I'm not sure when you ran CCleaner but I just want to make sure none of the bad files are still in Recycle.)

    If you have rebooted a few times and opened and closed Internet Explorer a couple of times with no problems, you are probably okay. Let me know if it comes back.
     
