Need help removing about:Blank and HSA

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kosmicken, Nov 17, 2005.

  1. kosmicken

    kosmicken Private E-2

    I never had any spy/mal/ad-ware problems until a couple days ago. SpySheriff ended up on my system. (HOW does this happen??) I was able to remove it using the step-by-step instructions on this site. But I was left with about:Blank and HSA. I cannot get rid of these. I followed all the steps in READ & RUN ME FIRST and about:Blank and HSA - Generic Solution. Looks like it worked at first, but now I'm back to square one with my home page and search bar jacked and popup Only The Best ads.

    I have attached two HJT logs. hijackthis.txt is from before I started the about:Blank and HSA cleanup procedure, and hijackthis2.txt is from immediately after.

    I don't know if this is part of the same problem or something else entirely, but ever since I got infected, I've been getting a dialog box entitled "Windows Security Center" with the following text: "WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data, or passwords. [line break] Do you want to learn how to protect your computer?" I have never seen this before. Clicking Yes takes me to a website (sorry, I didn't write it down; if it happens again, I'll post the address) that I don't recognize and I doubt is from Microsoft. Considering I don't even use Windows Firewall (I use ZoneAlarm instead), I'm sure this is bogus. What can I do to get rid of this?

    OK, here are my specs: custom-built system running an AMD K6, 400 MHz, 384 MB RAM, XP Pro w/SP2, 7.85 GB hard drive (NTFS formatted) with 1.26 GB free space.

    I'm going to run the removal procedures again, but not right now since it takes several hours. I'll probably do it over the weekend. In the meantime, is there anything else I can do? Any thoughts on why the removal was unsuccessful?

    Thanks in advance for your help.
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Actually you did a pretty good job of getting rid of the HSA Hijacker. Now to get rid of the rest do the following:

    Download
    - Pocket Killbox

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to 11Fßä#·ºÄÖ`I ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    11Fßä#·ºÄÖ`I

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion ... say YES, and when the next box opens prompting you to reboot now ... click NO ... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis Log.
     
  3. kosmicken

    kosmicken Private E-2

    When you say, "Now to get rid of the rest," are you referring to the Security Center dialog box I mentioned?

    Anyway, I followed your instructions, with a few exceptions:

    1. I did not find 11Fßä#·ºÄÖ`I running in services.msc. So I skipped that step.
    2. When I ran HJT in the next step, I did not find (and therefore could not fix) the following lines:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addgm32.exe

    Attached is the log from running HJT immediately after rebooting in normal mode. I changed my homepage back to Google, and so far so good. My search window still seems to be jacked. (See the attached image.) From looking at the latest HJT log, it looks like I still have about:Blank.
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please follow the instructions in the following threads:
    How to view hidden, system files & folders!
    Searching for Hidden Files on WinXP


    Please make sure System Restore is OFF.

    Please print these instructions out for use while not connected with the internet.
    Now we are going to use Notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijackThis log. To do this click Start, Run, and enter the following command "notepad C:\WINDOWS\system32\gyzib.dll" (without the quotes) and click OK.

    Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file). Now using Windows Explorer, locate the file gyzib.dll and right click on it and select Properties and change the attributes to Read Only and click OK.

    Shut down (not minimize) all applications (especially IE and Windows Explorer) and run HijackThis.
    Now reboot in safe mode

    Open Windows Explorer and navigate to and DELETE the following:
    If you have a problem deleting any of these files (like it is denied because it is in use), run ProcessExplorer and try to locate the running process and kill it. Then try to delete the file.

    Now run CCleaner. If you have
    Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Now while still in safe mode, run only HijackThis and have it fix the following:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now click on Start, Run, type regedit, click OK. When regedit opens click on Edit, select Find, appcr.dll and delete every instance. Do the same for netxw.exe, addgm32.exe, gzhyz.dll, d3tq.dll, appjm.exe, d3sj.exe, riwbi.dll.

    Now click on Start, Search, select All files and folders, and in the top box search for the following:
    Delete each instance.

    Once again delete the contents of C:\WINDOWS\Prefetch.

    Delete Memory.dmp if found in either C:\WINDOWS or C:\WINDOWS\System32

    Now run CCleaner.

    Run HSRemover.

    Run about:Buster (copy the output to a file ablog1.txt)

    Also while still in Safe Mode to finish the cleanup process, please do the following:
    Go to Start --> Run and type Regedit then click Ok.
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:
    __NS_Service
    __NS_Service_2
    __NS_Service_3
    If any are listed, right-click that entry in the right pane and choose Delete.

    Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    and highlight Root in the Left Pane. In the right pane, look for these entries:
    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3
    If you find any of them, right-click the entry in the right pane and choose Delete.

    Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation NetLogon Service

    If Workstation NetLogon Service exists, right click on it and choose delete from the menu.

    Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Workstation NetLogon Service

    If LEGACY_Workstation NetLogon Service exists then right click on it and choose delete from the menu.

    Now navigate to

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Procedure Call (RPC) Helper

    If Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.

    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Remote Procedure Call (RPC) Helper

    If LEGACY_Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.

    If you have trouble deleting a key, click once on the key name to highlight it. Then click on the Permissions menu option under Security or Edit. Uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Press Apply and OK and attempt to delete the key again.

    Now (still in safe mode) run Ad-aware SE and under scan select Perform Full System Scan and then SpyBot S&D and clean what they find.

    Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Click the [+] next to uninstall. Scroll down until you see the NAMES of programs (skip past the lines with numbers in {,} ). See if you can find any of the following listed:

    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of assistant is wrong)
    SA = Search Assistant
    SE = Search Extender
    SW = Shopping Wizard

    If you find any of them, select one at a time, and hit your delete key. Once you delete all three, you can exit the registry editor.

    Now reboot normal mode. And run about:Buster one more time saving the output again (ablog2.txt do not overwrite the first log)

    Before running anything else run HijackThis and save a log.

    Reconnect your internet connection, run your browser, and connect here to MG's and post the new HijackThis and about:Buster logs as attachments. Then continue running and let's see how everything is working.
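    As an added example (not code from this thread, and not part of HijackThis, Killbox or any other tool named in it), the following Python script reproduces the triage the helper does by eye in posts 3 and 4: it reads HijackThis R0/R1 lines for a start page set to about:blank or a search page served out of a DLL via res://, flags O23 services with a random non-ASCII short name or an unknown publisher whose binary was dropped straight into C:\WINDOWS, then flags any other line (O2 BHO, O4 Run entry) that loads the same DLL, and prints the work in the order the thread uses. The log lines inside it are constructed for the example; the DLL and service names come from this thread, but the heuristics, the Plan structure and the function names are the example's own assumptions rather than HijackThis rules.

```python
"""Triage a HijackThis log for CoolWebSearch about:blank / HSA indicators.

Added example for this thread; not code from the thread, HijackThis, or
any tool named in it. The heuristics below are the example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log: not the poster's attachment. Line shapes follow the
# HijackThis R0/R1/O2/O23 format; the DLL and service names come from the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gyzib.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gyzib.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gyzib.dll/sp.html
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - C:\WINDOWS\system32\gyzib.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addgm32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

R_LINE = re.compile(r"^R[01] - (?P<key>HK[A-Z]+\\.+?),(?P<value>[^=]+?) = (?P<data>.*)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<display>.+?) \(\s*(?P<name>.*?)\s*\) - (?P<owner>.+?) - (?P<path>.+)$")
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)", re.IGNORECASE)


@dataclass
class Plan:
    fix_lines: list = field(default_factory=list)  # HijackThis lines to tick and Fix
    dlls: set = field(default_factory=set)         # hijacker DLLs to blank, then delete
    services: list = field(default_factory=list)   # (short name, binary) to stop and delete


def parse_hjt(text):
    """Split a log into (kind, line) pairs, kind being the HijackThis prefix (R0, O23, ...)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [(ln.split(" ", 1)[0], ln) for ln in lines]


def service_is_suspect(name, owner, path):
    """Assumed heuristic: a random non-printable/non-ASCII short name (as the HSA
    service in this thread has), or an unknown publisher with the binary dropped
    straight into C:\\WINDOWS rather than a program directory."""
    odd_name = any(ord(c) < 32 or ord(c) > 126 for c in name)
    dropped_in_windir = path.lower().rsplit("\\", 1)[0] == "c:\\windows"
    return odd_name or (owner.strip().lower() == "unknown owner" and dropped_in_windir)


def triage(text):
    plan = Plan()
    entries = parse_hjt(text)
    # Pass 1: IE start/search values set to about:blank or served out of a DLL via res://.
    for kind, line in entries:
        m = R_LINE.match(line) if kind in ("R0", "R1") else None
        if not m:
            continue
        data = m.group("data").strip()
        dll = RES_DLL.match(data)
        if data.lower() == "about:blank" or dll:
            plan.fix_lines.append(line)
            if dll:
                plan.dlls.add(dll.group("dll").lower())
    # Pass 2: services that look like the hijacker's loader.
    for kind, line in entries:
        m = O23_LINE.match(line) if kind == "O23" else None
        if m and service_is_suspect(m.group("name"), m.group("owner"), m.group("path").strip()):
            plan.fix_lines.append(line)
            plan.services.append((m.group("name"), m.group("path").strip()))
    # Pass 3: anything else (O2 BHOs, O4 Run entries, ...) loading a DLL found in pass 1.
    for kind, line in entries:
        if line not in plan.fix_lines and any(d in line.lower() for d in plan.dlls):
            plan.fix_lines.append(line)
    return plan


def render_plan(plan):
    """Order the work the way the thread does: kill the service, neutralise the
    DLL, then let HijackThis fix the registry lines that pointed at them."""
    out = [f"service: stop, disable, 'Delete an NT Service' {n!r}, then delete {p}" for n, p in plan.services]
    out += [f"dll: empty it in Notepad, set read-only, delete in Safe Mode: {d}" for d in sorted(plan.dlls)]
    out += [f"hjt fix: {ln}" for ln in plan.fix_lines]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_plan(triage(SAMPLE_LOG)))
```

    Run it against a real saved log with `triage(open("hijackthis.txt").read())`. The DLL-first ordering matters: until the res:// DLL is emptied and the service that re-drops it is gone, fixing the R0/R1 lines alone is undone at the next reboot, which is what the poster saw after the first cleanup attempt.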
     
  5. kosmicken

    kosmicken Private E-2

    Actually, after I made my last post, I ran HJT again and fixed the first seven R1 lines and the R0 line. My computer has been fine ever since. I ran HJT earlier today, and that log is attached.

    Thanks for your help!

    Here's a question out of curiosity. Are about:Blank and HSA part of the same hijacker, or are they separate?
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    about:Blank and HSA belong to the same class of CoolWebSearch hijackers, HSA being a particularly stubborn variant.

    If you don't use a proxy server then fix the following:
    If the following IPs do not belong to your ISP then fix the following:
     
