About:Blank home page Help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sal, Jan 29, 2005.

  1. Sal

    Sal Private E-2

    Ok I followed all the steps on the tutorial, downloading all those programs, running them in safe mode. Appeared to work at first (took me to the HSremoval page), but almost immediately came back.

    I used Hijack This and removed seven R1's and one R0, and nothing, I restarted and reran Hijack This and they were back. Removed again and used all other programs (i.e. CWShredder, Adaware, CCleaner), then reran Hijack This and they were back. Help Please.

    These are it.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run all the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you still have a problem, follow the guidelines below and post your HJT log.


    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Sal

    Sal Private E-2

    Oh sorry about that. Okay I followed all the steps and made sure that I was using the 1.99 version, and that I wasn't running it from my desktop. I have attached the Hijack log file. I delete these R1's and R0's and they just keep coming back. Help please. SAL
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you filtering or editing lines from your HJT log? There should be many things showing in the O4 section of your log that are missing. Please do not post edited or filtered HJT logs. We need complete logs to really understand what could be happening at your end. Try the below, if it does not work we may have to uninstall a few programs (like SpySubtract, Spybot, and any other possible things that could block changes) and then we may need to do a power plug pull procedure.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {B807AA94-CC26-491F-8A70-6B8D0789B52B} - C:\WINDOWS\system32\protect32.dll
    O18 - Filter: text/html - {11CE99A8-9A3F-40E1-8F1B-3F1503759515} - C:\WINDOWS\system32\protect32.dll
    O18 - Filter: text/plain - {11CE99A8-9A3F-40E1-8F1B-3F1503759515} - C:\WINDOWS\system32\protect32.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\protect32.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    If you still cannot delete that file, do the following:

    Open a command prompt by clicking Start, Run, and enter cmd and click OK.
    Now in the command prompt window enter the following lines each followed by the enter key (at any prompts you get just answer yes! Make sure you enter the commands correctly, don't miss the spaces):

    C:\WINDOWS\System32\cacls.exe C:\WINDOWS\system32\protect32.dll /g Everyone:f
    cd C:\WINDOWS\System32
    attrib -r -h -s protect32.dll
    del protect32.dll
    exit

    When you come back, you must tell me what happens with the above steps!

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: Feb 1, 2005
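    Added example (my own code, not Sal's log and not part of chaslang's instructions): the reason the R0/R1 lines keep coming back after fixing them is that the same DLL behind the res:// URLs is still loaded into Internet Explorer as a BHO (O2) and as MIME filters (O18), so it simply rewrites the registry values again. The small Python parser below reads HijackThis-style log lines, groups R0/R1, O2 and O18 entries by the DLL they reference, and reports which DLL appears in both roles, which is exactly the set of lines to fix in one pass before deleting the file in safe mode. The sample log is constructed: it reuses the entries quoted in this thread plus a made-up benign "Example Helper" BHO (all-zero GUID) and a ctfmon O4 line so the filter has something to ignore.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format. The protect32.dll lines are the
# ones quoted in this thread; the "Example Helper" BHO with the all-zero GUID
# and the ctfmon O4 line are made up benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\protect32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {B807AA94-CC26-491F-8A70-6B8D0789B52B} - C:\WINDOWS\system32\protect32.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O18 - Filter: text/html - {11CE99A8-9A3F-40E1-8F1B-3F1503759515} - C:\WINDOWS\system32\protect32.dll
O18 - Filter: text/plain - {11CE99A8-9A3F-40E1-8F1B-3F1503759515} - C:\WINDOWS\system32\protect32.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# res://<dll path>/<resource>: the start/search page is served from a local DLL
RES_RE = re.compile(r"res://([^/]+\.dll)", re.IGNORECASE)
# O2 - BHO: <name> - {GUID} - <dll path>
BHO_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-F-]+\}) - (.+)$", re.IGNORECASE)
# O18 - Filter: <mime type> - {GUID} - <dll path>
FILTER_RE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-F-]+\}) - (.+)$", re.IGNORECASE)


def parse_hjt(log_text):
    """Group R0/R1, O2 and O18 entries by the DLL path each one references.

    Returns {dll_path_lowercased: {"r": [...], "o2": [...], "o18": [...]}}.
    """
    by_dll = defaultdict(lambda: {"r": [], "o2": [], "o18": []})
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("R0", "R1")):
            m = RES_RE.search(line)
            if m:  # only R lines whose value is a res:// URL into a DLL
                by_dll[m.group(1).lower()]["r"].append(line)
            continue
        m = BHO_RE.match(line)
        if m:
            by_dll[m.group(2).strip().lower()]["o2"].append(line)
            continue
        m = FILTER_RE.match(line)
        if m:
            by_dll[m.group(3).strip().lower()]["o18"].append(line)
    return dict(by_dll)


def persisting_hijack_dlls(log_text):
    """DLLs that both serve a hijacked res:// page (R lines) and are loaded
    into IE by a BHO (O2) or MIME filter (O18). Fixing only the R lines
    will not stick while such a DLL is still being loaded."""
    groups = parse_hjt(log_text)
    return sorted(path for path, g in groups.items()
                  if g["r"] and (g["o2"] or g["o18"]))


def lines_to_fix(log_text):
    """Every log line that references a persisting hijack DLL, in log order:
    the set to select in HijackThis in one pass, before deleting the DLL
    itself in safe mode."""
    groups = parse_hjt(log_text)
    wanted = set()
    for path in persisting_hijack_dlls(log_text):
        g = groups[path]
        wanted.update(g["r"] + g["o2"] + g["o18"])
    return [l.strip() for l in log_text.splitlines() if l.strip() in wanted]


if __name__ == "__main__":
    for path in persisting_hijack_dlls(SAMPLE_LOG):
        print("DLL behind the hijack:", path)
    for line in lines_to_fix(SAMPLE_LOG):
        print("  fix:", line)
```

    Run it on a saved HJT log (pass the file contents to lines_to_fix) and it lists the R, O2 and O18 lines that belong together. The HomeOldSP = about:blank lines are not flagged because they do not point into a DLL; they are harmless leftovers once the DLL is gone.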
  5. Sal

    Sal Private E-2

    Okay, made sure that system restore was still down, and that hidden files viewing was enabled. Ran HJthis and fixed selected items (after I closed all browser sections). In safe mode I deleted C:\WINDOWS\system32\protect32.dll (then deleted it from the recycle bin) with no errors. I rebooted into normal mode and have attached new HJ log. Home page is still About Blank, and while attempting to write this thread kept on getting window that said "click yes to install free software" ( I just kept X'ing it off).
    I am really appreciating all the help. SAL.
     

    Attached Files:

  6. Sal

    Sal Private E-2

    Oh I almost forgot. I think when I originally ran HJThis I fixed some of the things that were listed as "users choice" on the reference list. Did I delete something I shouldn't have, I'm sorry, I should have explained that originally.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know! Tell me what it is that you fixed. As long as you had HJT installed properly you should be able to look at the Backups created and figure that out.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! It looks like your hijacker is gone based on that log but you have a different problem with a Trusted Zone hijacker.

    Did you have to do anything special to delete the C:\WINDOWS\system32\protect32.dll
    file? Like did you need to do any of those additional steps I gave.

    I'll get back to you on the other fix we need to do in a little while.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay on to the O15 Trusted Zone problem.

    Please download this tool: REM.ZIP

    Now extract the two files from the REM.Zip file PP had you download. The files are rem.bat and zip.exe. You must extract them to the C:\Windows\System32 folder.

    NOW:
    Boot into Safe Mode and double click the rem.bat file to run it.

    Then, while still in Safe Mode, scan with HijackThis and save the log (call it safe.log)

    Next, Reboot to Normal Windows, scan with HJT again and save that log (call it normal.log)


    Please come back here and attach those two HJT logs.

    Now:
    Look in Local Disk C: and find log.txt. Open it and copy and paste the contents into your post.
     
  10. Sal

    Sal Private E-2

    On the deleting the C:\WINDOWS\system32\protect32.dll, I didn't have to do any of the other steps, I only right clicked-deleted-emptied recycle bin.

    I couldn't download the REM tool. The link took me to a page (invision) that said "sorry, an error has occurred." I even tried to register on the site. But no dice.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use this one:


    But now you will run RemV3.bat
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I found the correct external link but the one in my message is okay.

    This is new link for the tool:

    REMV3.ZIP Removal Tool
     
  13. Sal

    Sal Private E-2

    Ok followed all instructions, two logs are attached, and here is the other thing (also I just noticed that there is a bunch of junk in my favorites tab i.e. Viagra and Xanax links):

    Files Found.................
    ----------------------------------------
    run_dos.dll

    Files Not deleted.................
    ----------------------------------------

    Merging registry entries
    -----------------------------------------------------------------
    The Registry Entries Found...
    -----------------------------------------------------------------


    Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
    -----------------------------------------------------------------
    msi.dll
    Finished
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log looks clean now! Delete the stuff you saw in your Favorites. It must be left over from one of the malware items.
     
  15. Sal

    Sal Private E-2

    Thank you!!!! I really appreciate all the help. Do you guys have a donate option? I would be more than happy to contribute. (You guys should really set those Best Buy geek squad guys straight, their solution was to erase the hard drive!!!). SAL Lopez Chicago.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No donate options! But you can order a Majorgeeks T-shirt off the main board when it is working again. Currently down.

    The real Geeks are here! Stores like that do not have the kind of expertise you will find on MG's. Not even close!

    You should do the stuff in the below link now to help avoid future problems:

    How to Protect yourself from malware!
     
