Pls help on "About:Blank and Only the Best" spyware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by joeigurl, May 11, 2005.

  1. joeigurl

    joeigurl Private E-2

    Hello everyone,

    I'm trying to remove the About:Blank and Only the Best spyware in my computer and I need your help. I've already run the following:

    Ad-aware SE
    about:Buster
    SpyBot S&D
    Ccleaner
    HijackThis

    I've attached the HijackThis log for interpretation. Please help as I have a deadline to meet. Thanks so much!

    Thanks,
    Joei.
     

    Attached Files:

  2. Publius

    Publius Sergeant

  3. joeigurl

    joeigurl Private E-2

    I know and I've read it already. Thanks for the help! But unfortunately, I really am clueless about HijackThis logs hence I opted to ask for more inputs so as not to damage my computer further. Hoping for a favorable response. Thanks!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a pretty bad HSA infection going there and whatever you have been doing to try to fix it, you must stop doing because it is only spreading it and making it worse. You have a ton of bad processes running. You need to run through the cleaning procedures and make sure you follow ALL steps, especially the ones mentioning about:blank and HSA (Only the Best) hijackers. Make sure you stop & disable the service mentioned in step 2 (you'll see when you do the steps). Please follow the steps below. If I were you, I would run about:Buster (when you get to that step), let it do a secondary scan and then immediately reboot into safe mode again. And then run about:Buster again.


    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. joeigurl

    joeigurl Private E-2

    Hello,

    I just wanted to update you, I'm still in the process of scanning using the Trend Micro online check. It's been running for almost 4 hours now. Initial results show Troj_Dloader.GE and that it's non-cleanable. Should I delete these files as per the advice in Trend Micro's website?

    The results from the Norton check: 822 infected files. These are all infected by Adware.CoolWebSearch. But it doesn't look like Norton has the option of removing or cleaning these files online. Any ideas?

    I'll just keep on running the Trend Micro and continue on with the cleaning...

    Thanks,
    joei.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you can manually clean them, do so. You may need to be in safe mode to do so. Save the logs if you can. Are you scanning with Symantec and TrendMicro in safe mode?
     
  7. joeigurl

    joeigurl Private E-2

    Yes I'm running in safe mode right now. I've saved the Norton results in a file. I'm still waiting for the results from Trend Micro but it's taking quite a while. =(
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attached is a list of some of the baddies that should be getting detected. I extracted these from your HJT log. There may be duplicate filenames in the list.

    Having all of these processes running is probably why your scanning is taking so long. They have brought your processor to its knees.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You really should not be doing anything else (like connecting here) while these scans are running. You should only have the one browser session open that the scan is running in.
     
  10. joeigurl

    joeigurl Private E-2

    Yes, I see these files as Trojans in Trend Micro. Can I delete them after the scan runs?
     
  11. joeigurl

    joeigurl Private E-2

    I am logged in at another computer. See the thing is, I just encountered this issue yesterday when I looked at the computer. I just arrived here in Nevada from LA yesterday. It looks like somebody in our NV office has been going to some "bad" websites that got these spyware in our system in the first place. Good thing I have my laptop here with me which I'm using right now to get help =) Unfortunately, I have to go back to LA in a while as it is a long drive back. Sorry, I don't mean to pressure you or anything but I really need your help on this. =(
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you can delete all those files; however, there is going to be a bunch more to do in order to fix this. We need to get thru the initial cleaning procedures first. And then we have a bunch more to do. Deleting those files is part of it and the registry key values need to be fixed too using HijackThis. There will be a service to be stopped too as indicated in step # 2 of the READ ME FIRST.

    We need to take this one step at a time. These hijackers are difficult to remove and if not done properly will just mutate and spread. Your PC is witness to that problem.
     
  13. joeigurl

    joeigurl Private E-2

    I agree with you. I am diligently following the steps in "READ ME FIRST" and as I've mentioned, I am only in the Trend Micro scanning stage of it. After which, I'll disconnect from the Net and run the spyware cleaners and finally Hijack This. Should I go ahead and attach the log here afterwards so you can see it?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before attaching another log, we need to make our job a little easier and get rid of some of the many problem lines first. Try to delete all the files in the attachment I gave in message # 8 (the baddies.txt file). Some of them may not be deletable if the process is running and you will need to end the process first using Task Manager. You also need to make sure hidden and system file viewing is enabled per the READ ME FIRST. Then run HijackThis and with NO browsers open select all of those O4 lines and then click fix. Then reboot the PC and get a new HJT log after reboot. Post that log.
     
  15. joeigurl

    joeigurl Private E-2

    Finally my Trend micro scan has finished! Just to clarify, after all the main and secondary spyware scans, do I:

    1. Run Hijack This (while still in safe mode)
    2. Delete O4 entries as you mentioned
    3. Reboot (in normal mode?) and re-run Hijack This
    4. Post log here

    Is this correct?
     
  16. joeigurl

    joeigurl Private E-2

    Ok here's my new Hijackthis log after running everything. I'm now back in safe mode and I've already connected to the Internet again to attach this file. Prior to normal reboot earlier, the only line in O4 I fixed in the HijackThis log is the one that has the bad file "crsi32.exe".

    I still see some of the bad urls in the new log like this though:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjobn.dll/sp.html#37049

    Also, when I open my browser, it still goes to the about:blank homepage. Help plssssssssss
     
  17. joeigurl

    joeigurl Private E-2

    Sorry I forgot to attach the file. =)
     

    Attached Files:

  18. joeigurl

    joeigurl Private E-2

    Sorry, I forgot to put in the details:

    In a fit of frustration earlier, I've done many of these steps repeatedly and have lost track of some of the details.

    Adaware SE, found Cool Web Search, removed.

    Spybot found nothing.

    CW Shredder and Kill2me found nothing.

    HSRemove seemed to have removed something but it doesn't show what.

    There are still some strange apps in Add/Remove programs. Home Search Assistant, My Way Search Assistant and Shopping Wizard. Can not remove.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to stop and disable the below Service per step 2 of the READ ME FIRST.


    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysxh.exe" /s (file missing)


    See if you can do this and make sure it does not restart. If it does restart, let me know. Typically if it restarts it can be immediately to within a few minutes.
     
  20. joeigurl

    joeigurl Private E-2

    Ok I've already disabled it. I know I disabled it before I ran the scans earlier. Maybe it got turned on again after the normal reboot. Should I disconnect from the Net again and run Hijack... and post the log here?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The services can restart themselves. Just run the steps below and make sure where indicated you check again. Do not skip any steps and make sure that you do not run any browsers during this process and make sure you physically unplug your cable to the internet as and when directed below.

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 26.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    We need to stop and disable the service indicated below. You should have already done this during the execution of the READ ME FIRST in step 2.
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysxh.exe" /s (file missing)


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Workstation NetLogon Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Workstation NetLogon Service

    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    You will need to cut and paste the short name since the characters are not easily typed.

    Now exit HijackThis.

    Now restart HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\atlva.exe


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjobn.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tjobn.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tjobn.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjobn.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tjobn.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tjobn.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {8F6EB89B-594D-E5B7-F18D-1A0ABB1957C2} - C:\WINDOWS\system32\msyt32.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [atlva.exe] C:\WINDOWS\system32\atlva.exe
    O4 - HKLM\..\RunOnce: [sysxh.exe] C:\WINDOWS\sysxh.exe
    O4 - HKLM\..\RunOnce: [mfcan.exe] C:\WINDOWS\mfcan.exe
    O4 - HKLM\..\RunOnce: [ipue32.exe] C:\WINDOWS\ipue32.exe
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysxh.exe" /s (file missing)

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete the files below (sort the listing in Windows Explorer by modification date and look for possibly other similarly named files from the same date - let me know if you find others. If not sure whether they are bad or good, do nothing except write the filenames down and tell me what they are later.):
    C:\WINDOWS\tjobn.dll
    C:\WINDOWS\system32\msyt32.dll
    C:\WINDOWS\system32\atlva.exe
    C:\WINDOWS\sysxh.exe
    C:\WINDOWS\mfcan.exe
    C:\WINDOWS\ipue32.exe

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Now use the same procedure as above to try to delete any files that would not delete in the above step. Note any that still do not delete and continue.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (you do not need to pull the power plug here. Just reboot into normal mode.)

    - Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
     
    Last edited: May 11, 2005
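    As an added illustration (not part of this thread and not a MajorGeeks tool), the same kind of triage chaslang did by hand when he extracted the "baddies" list from the HJT log can be written as a few line rules over HijackThis log lines: IE search and start settings served out of a local DLL via a res:// URL, settings forced to about:blank, a removed URLSearchHook, RunOnce autostarts still present at scan time, and O23 services whose binary is missing or whose short name is made of unprintable characters. The sample log below is constructed from the R0/R1/O4/O23 lines quoted above plus three benign lines (a majorgeeks.com start page, ctfmon.exe and the Print Spooler) added for contrast; the rules are heuristics chosen for this example, and a plain `O4 ... Run:` entry such as atlva.exe is deliberately left for the process-list and baddies.txt cross-check rather than flagged blind.

```python
import re

# Constructed sample: HJT lines quoted in the thread above plus three benign lines for contrast.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjobn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tjobn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O4 - HKLM\..\Run: [atlva.exe] C:\WINDOWS\system32\atlva.exe
O4 - HKLM\..\RunOnce: [sysxh.exe] C:\WINDOWS\sysxh.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysxh.exe" /s (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
"""

LOCAL_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+')            # first drive-letter path on a line
RES_DLL = re.compile(r'res://([A-Za-z]:\\[^/]+)', re.I)    # DLL a res:// page is served from
SHORT_NAME = re.compile(r'\(([^)]*)\)\s*-')                # "(short name) -" in an O23 line


def classify(line):
    """Return (reason, referenced_path_or_None) for one HJT line, or None if nothing is flagged."""
    line = line.strip()
    if line.startswith(("R0 -", "R1 -")):
        if " = " not in line:
            return None
        value = line.split(" = ", 1)[1].strip()
        m = RES_DLL.search(value)
        if m:
            return ("IE search/start setting served from a local DLL resource", m.group(1))
        if value.lower() == "about:blank":
            return ("IE page setting forced to about:blank", None)
        return None
    if line.startswith("R3 -") and "missing" in line:
        return ("Default URLSearchHook removed", None)
    if line.startswith("O4 -") and "RunOnce:" in line:
        m = LOCAL_PATH.search(line)
        return ("RunOnce autostart still present at scan time", m.group(0) if m else None)
    if line.startswith("O23 -"):
        m = LOCAL_PATH.search(line)
        path = m.group(0) if m else None
        if "(file missing)" in line:
            return ("service points at a missing binary", path)
        short = SHORT_NAME.search(line)
        if short and not all(c.isascii() and c.isprintable() for c in short.group(1)):
            return ("service short name contains non-ASCII/unprintable characters", path)
        return None
    return None


def triage(log_text):
    """Run classify() over every line; return [(line, reason, path), ...] for flagged lines."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            findings.append((line.strip(), result[0], result[1]))
    return findings


def suspect_files(findings):
    """Unique file paths referenced by flagged lines, first-seen order (the hand-made 'baddies' list)."""
    paths = []
    for _, _, path in findings:
        if path and path.lower() not in [p.lower() for p in paths]:
            paths.append(path)
    return paths


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT_LOG)
    for line, reason, _ in hits:
        print(f"[{reason}] {line}")
    print("files to review:", suspect_files(hits))
```

    Feeding the sample through `triage()` flags five of the nine lines and `suspect_files()` reduces them to the two binaries the flagged entries actually point at (the search-page DLL and the service/RunOnce executable); a benign `res://` use or a legitimately registered RunOnce would be flagged too, so the output is a review list for a human, not a delete list.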
  22. joeigurl

    joeigurl Private E-2

    I can't seem to find the RPC Helper in the Services menu nor delete it in the HJT app.


    When deleting this file, this message comes up:

    "The selected process could not be killed. It may have already closed, or it may be protected by Windows. This process might be a service, which you can stop from the Services applet in Admin Tools. (To load this window, click Start Run and enter "services.msc.")"

    ** Note that I'm typing this msg from my laptop. I've already removed the Ethernet cable from my pc.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Check a new HJT log on the problem PC and make sure that the O23 Service line has not mutated into something else using the atlva.exe file.

    The previous service could have been seen as either
    Remote Procedure Call (RPC) Helper
    or
    11Fßä#·ºÄÖ`I
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about this. I guess I have too many threads going. It was my mistake. Look at the procedure again. I edited it; see the edits in this color. It was Workstation NetLogon Service you should be looking for.

     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'll be back in an hour or so. Got to do a 30 mile ride home right now.
     
  26. joeigurl

    joeigurl Private E-2

    It's ok. I didn't find the Workstation Netlogon Service in the services.msc anyway. Here's what happened:

    1. At first, I was able to delete only mfcan.exe, tjohn.dll, ipue32.exe and atlva.exe. After the forced shutdown (unplug cable) and reboot to safe mode, I was able to delete sysxh.exe and myst32.dll. I also saw a myst32.exe file so I deleted this as well.

    I also see that there are

    2. Ran HS Remove and found 8 items removed.

    3. Reset all web browser settings as instructed and rebooted to normal mode.

    4. After opening the first browser, it did show majorgeeks.com already so I thought everything was ok. But when I refreshed the page, the "Only the Best" popup came up again. When I opened another browser, the "about:blank" webpage was set again. =(

    5. In the Add/Remove Programs, I can still see the following programs:
    Home Search Assistant
    My Way Search Assistant
    Search Extender
    Shopping Wizard
     

    Attached Files:

    • ab1.log
    • ab2.log
  27. joeigurl

    joeigurl Private E-2

    Here's the Hijack This log. As you can see, the Network Logon service is still there. There are also a lot of files with a ____32.exe extension - I don't know if this is related to the problem or not. I'll wait for your return. So sorry to bother you this late. We are still here in NV - we postponed our trip back to LA for early morning tomorrow so I can have some more time to fix this pc problem. Again, thank you for your help. I really appreciate it! I hope you have a safe drive home.
     

    Attached Files:

  28. joeigurl

    joeigurl Private E-2

    While you're driving home, I'll also be going out to get a room reservation for tonight else I won't have a place to sleep in. =) Feel free to post away as soon as you're ready and I'll message you when I get back. I'll leave my computer on (with normal startup).
     
  29. joeigurl

    joeigurl Private E-2

    I am getting careless! I did disable the Workstation Netlogon Service. Sorry about my first statement.
     
  30. joeigurl

    joeigurl Private E-2

    Hi I'm back. Listen, I know it's late already so I don't wanna bother you any further. My companions here are begging me to leave already so I guess I'd have to put this off another day. However, as I've mentioned, I am actually based in LA but I come in every 2 weeks here in our Nevada office to check on things. Unfortunately, this incident occurred so I had to delay my trip back to LA. But I do have to leave for LA tomorrow early in the morning so we have to pack up tonight. My request is, what do you suggest we do for now? I'll tell my co-workers not to do any surfing at all in the infected computer and just do their normal work (there's no internet connection required anyway). The thing is, I have to see my schedule when I can come back. Maybe in another month or so ('coz I got jury duty in 2 weeks). My questions are:

    1. Can this wait for a month? Else, I have to schedule a special trip next week.
    2. Can they still continue using our accounting software (Quickbooks) for office operations as long as they don't do any surfing?
    3. Since it looks like I'm still back to Square 1, do I have to post a new message the next time to continue fixing this problem or can I just continue this thread?
    4. I don't mean to monopolize your time but can I set up an appointment with you on when it's most convenient for you to help me with this issue? I really feel bad about having to ask you this but I guess I have to try my luck. I'm sorry to have to bother you like this. I'll try to schedule my trip around when you're available to maximize time.
    5. Do you know anyone who can help me with this problem? Like an 800 toll number I can contact just in case?

    I'm really desperate to get this problem fixed. Thanks so much for all your help! I really appreciate it! I'll check back in tomorrow when I get back to LA.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, it can wait but I would recommend not surfing. In fact if possible make sure a browser is not opened on the PC. Also since the hijacker typically spawns new processes and mutates at reboots and power downs, I would avoid rebooting or shutting down. You will have to post a new HJT log when you come back and if the people using the PC do start surfing you may find yourself with additional problems that require starting the cleanup process over.

    I'm around quite a bit as you can tell from the number of threads I answer, but we do this in spare time. So just come back and look up this thread when you are able to sit in front of the PC again.
     
  32. joeigurl

    joeigurl Private E-2

    What a big mess huh. I did instruct them not to do any surfing at all. Thanks for all your help! I'll log on next time when I go back to Nevada.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I assume that may take a month or so.
     
