Quick web search problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kittee, Mar 21, 2005.

  1. kittee

    kittee Private E-2

    Have been out of action for some time. The whole of 2005 in fact. Got back on, did not realise my antivirus subscription had expired. Realised too late. A hijacker with a Quick Web Search title page has appeared. Internet has slowed and changes my start page randomly each time I open my browser.
    I have tried everything suggested, including downloading all the anti this and that software you recommended. Updated and ran it all in safe mode. Just rebooted and put system restore back on. Still there. Please send advice.
    :eek:
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Rajn,

    The tools you keep suggesting here (while they are good tools) are not required to fix most of the problems that come in. Also, the registry edits you propose are not required to fix this problem either and should never be performed without creating a registry backup to begin with.


    Kittee,

    If you have completed all the steps in the READ ME FIRST and you are still having a problem with Quickweb search follow the below steps (which I believe you already know):

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. kittee

    kittee Private E-2

    I was still pondering how to investigate a windows registry, when the last mail arrived. HJT I am more familiar with - not that I have any idea what most of it means.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you must address two items I gave you in my procedure.

    1) All browsers MUST be shut down before running HijackThis. You had this running:
    C:\Program Files\Internet Explorer\iexplore.exe

    It will be impossible to fix your problems if you do not remember to do this. Especially since your problem is that you have an HSA hijack.

    2) We specifically ask that HijackThis not be run from the ZIP file you downloaded. You are running it from the ZIP.
    C:\Documents and Settings\Andrew\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    Please extract the EXE from the ZIP file and put it in a folder you create named:
    C:\Program Files\HJT
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In step 2 of the Getting Prepared section of the READ ME FIRST, we asked that you stop and disable any of the three services listed. You did not do that step as evidenced by the line below in your log

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javaxl32.exe

    Please go back and do that now. And then after that and what I gave you in my last message about where to install HJT and with browsers closed, post a new HJT log. Do not reboot or shut your PC down after posting or the problem could mutate.
     
  6. kittee

    kittee Private E-2

    Just making sure everyone was paying attention.
    Sorry.
    Strange, as the NSS was the only one of the three I found. I thought I had disabled it.
    Anyway, here goes again.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! The NSS still looks like the below:

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javaxl32.exe

    When you run Services.msc, does it show it as stopped and disabled right now?

    Note: we have you look for all three but they don't all happen (not typically but they could) at the same time. Usually you see one out of the three.
     
  8. kittee

    kittee Private E-2

    I went back in and it had restarted. I went to the recovery tab and it opted for restarting if there was a failure. I changed them all to take no action. They seem to keep resetting themselves constantly. It seems to have stayed as I want it so I'll rescan now.
     
  9. kittee

    kittee Private E-2

    NSS had restarted itself every time I went back to check.
    I used HJT with the services.msc open. I hope this is not a problem.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OKAY! From that log it appears that the service is missing but I'm guessing it will come back due to another process that is running:
    C:\WINDOWS\javanb32.exe

    I'm going to start working up a procedure, in the mean time just let me know if the service has restarted again.
     
  11. kittee

    kittee Private E-2

    Yes. It restarted almost straight away!!!!!!!!!!!!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 25.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\javaxl32.exe
    C:\WINDOWS\javanb32.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nccfv.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nccfv.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nccfv.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nccfv.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nccfv.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nccfv.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nccfv.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {927C0C93-B6C9-2E0A-236A-282EE3A26535} - C:\WINDOWS\winwt.dll
    O4 - HKLM\..\Run: [javanb32.exe] C:\WINDOWS\javanb32.exe
    O15 - Trusted Zone: www.hotmail.com

    Do you recognize this www.netmails.com line? If not, fix that line too.
    O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.netmails.com/members/debradf/sx.cab

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javaxl32.exe

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (sort the listing in Windows Explorer by modification date and look for possibly other similarly named files from the same date - let me know if you find others):

    C:\WINDOWS\nccfv.dll
    C:\WINDOWS\winwt.dll
    C:\WINDOWS\javanb32.exe
    C:\WINDOWS\system32\javaxl32.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure, run CCleaner which was installed while running the READ ME FIRST.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.
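
Added example, not part of the thread or of HijackThis: a Python sketch of the log triage done by hand in the post above, flagging the entry patterns that recur in this thread (R0/R1 values pointing at res://<dll>/sp.html, unnamed BHOs, Run values named after their own executable, O23 services with an unknown owner) and collecting the files they reference. The rules are heuristics inferred from the lines quoted in this thread, and the entries marked "constructed" are made up for contrast.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str          # HijackThis section code, e.g. "R1" or "O23"
    reason: str           # why the line was flagged
    path: Optional[str]   # file the entry points at, if one was extracted
    line: str             # the original log line


# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x.exe] C:\WINDOWS\x.exe"
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# IE search/start setting served from a resource inside a local DLL
RES_URL = re.compile(r"= res://(?P<dll>[A-Za-z]:\\[^/]+\.dll)/", re.I)
# Browser Helper Object registered without a display name
BHO = re.compile(r"^BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (?P<dll>.+\.dll)$", re.I)
# Run / RunOnce autostart entry: [value name] followed by the command
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
# Service whose binary carries no owner information
SERVICE = re.compile(r"^Service: .* - Unknown owner - (?P<path>.+?\.exe)\b", re.I)


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match one of the thread's hijack patterns."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if not entry:
            continue  # header, running-process list, blank line
        section, body = entry.group("section"), entry.group("body")
        if section in ("R0", "R1"):
            hit = RES_URL.search(body)
            if hit:
                findings.append(Finding(section, "IE setting points into a local DLL",
                                        hit.group("dll"), line))
        elif section == "O2":
            hit = BHO.match(body)
            if hit:
                findings.append(Finding(section, "BHO with no name",
                                        hit.group("dll"), line))
        elif section == "O4":
            hit = RUN.match(body)
            # Heuristic from this thread: the Run value is named after the file itself.
            if hit and hit.group("name").lower() == ntpath.basename(hit.group("path")).lower():
                findings.append(Finding(section, "Run value named after its executable",
                                        hit.group("path"), line))
        elif section == "O23":
            hit = SERVICE.match(body)
            if hit:
                findings.append(Finding(section, "service with unknown owner",
                                        hit.group("path"), line))
    return findings


def files_to_check(findings: List[Finding]) -> List[str]:
    """Unique file paths referenced by flagged entries, for the manual file check."""
    return sorted({f.path for f in findings if f.path}, key=str.lower)


# Sample log: flagged lines are quoted from the post above; lines marked
# "constructed" in the comments below are invented benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nccfv.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nccfv.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: (no name) - {927C0C93-B6C9-2E0A-236A-282EE3A26535} - C:\WINDOWS\winwt.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [javanb32.exe] C:\WINDOWS\javanb32.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javaxl32.exe
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\upd.exe
"""
# Constructed lines: the Start Page entry, "Example Toolbar Helper",
# "ExampleTray" and "Example Updater".

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}: {f.path}")
    print("Files to check:", *files_to_check(triage(SAMPLE_LOG)), sep="\n  ")
```

On the sample, the four paths collected are the same four files the post lists for deletion; a line these rules do not match is not thereby clean, since the thread shows the file names changing between logs.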
     
  13. kittee

    kittee Private E-2

    Absolutely stuffed.
    This is my conclusion, as I am contacting you on a previously cancelled dial-up internet connection.
    My broadband does not work at all!
    What went wrong?...The javal32.exe would not allow me to kill it, as windows was protecting it. I fixed all the lines in HJT. Windows explorer would not open and kept looping me to my documents.
    I searched for the named files individually and deleted them as they appeared.
    Winwt.dll could not be found.
    All else went smoothly after a couple of attempts at rebooting. It did not like being pulled out from the wall.
    I now have popups, pornographic favourites, and no ie working.
    I include the requested logs. I hope they are correctly done.
     

    Attached Files:

  14. kittee

    kittee Private E-2

    Here is the other about buster log
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There was no javal32.exe file in my message. Which one did you have a problem killing? Was it the one that appears in the services line?

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javaxl32.exe

    If so, we should kill the other file first. Then use services.msc to stop and disable the Network Security Service. Then reboot to safe mode and delete the files.

    You said Windows Explorer would not open but then you say it was "looping me to my documents". This means it did open. So are you saying that you can run Windows Explorer but cannot get out of the My Documents folder?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is critical that you remember to exit your browser sessions before using HJT. Not doing this will result in your problems not getting fixed. You had the below running:

    C:\Program Files\Internet Explorer\iexplore.exe

    Your problem has now mutated. And the below entries are now problems:

    C:\WINDOWS\system32\javaxl32.exe
    C:\WINDOWS\system32\addzr.exe

    O2 - BHO: (no name) - {17FC5AF7-0C0F-B62B-EE7D-6FB2FEABA69B} - C:\WINDOWS\system32\appqi32.dll
    O4 - HKLM\..\Run: [addzr.exe] C:\WINDOWS\system32\addzr.exe
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javaxl32.exe

    When you posted the log there were no R0 or R1 lines which there typically are with these infections. Perhaps there are now. If not, open and close a couple of browser sessions (even if you cannot connect to the internet). And then post a new log.

    It is absolutely imperative that we get the Network Security Service stopped and disabled. Try opening up both Task Manager and run services.msc and locate the NSS service (but do not do anything with it yet). Also please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Just leave this running; we will use it below.

    Then follow the steps below as quickly as possible (read them in advance before starting):
    1) in Task Manager end the addzr.exe process
    2) in the Services window stop the NSS and then disable it.
    3) in the HijackThis "Delete an NT service" window, try entering the following into the box and then click OK:
    Network Security Service (NSS)
    If that does not work try cutting and pasting (you need to cut and paste as you cannot type these characters) the short name: 11Fßä#·ºÄÖ`I

    4) Now see if you can run Windows Explorer and delete the below files:
    C:\WINDOWS\system32\javaxl32.exe
    C:\WINDOWS\system32\addzr.exe

    5) Then reboot and let's see if the service is truly gone. Post a new HJT log.
     
  17. kittee

    kittee Private E-2

    The process that you asked me to kill is C:\WINDOWS\system32\javaxl32.exe
    Windows explorer, when I clicked on it, opened my Documents
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! That is what I said but you said
    That is why they call it explorer! ;) Use it to explore or navigate to the correct folders and delete the files.
     
  19. kittee

    kittee Private E-2

    Just out of curiosity - is system restore meant to be turned off throughout this?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! That is why it is the first step in the READ ME FIRST. Are you saying it is not disabled?

    If not, why not?
     
  21. kittee

    kittee Private E-2

    Here is the new HJT log. I turned off the internet explorer process.
     
  22. kittee

    kittee Private E-2

    System restore was turned back on at the end of the read me instructions. I thought it had to be returned to normal after rebooting. Sorry, I got confused.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the log. Have you done what I asked in message # 17?
     
  24. kittee

    kittee Private E-2

    Sorry to waste your time.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeat:

    Have you done what I asked in message # 17?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must provide feedback on steps! I need to know what is happening at your end. You still do not have the NSS disabled. What problems are you having in following my steps? What files are you not finding? Are you sure you have viewing of hidden files enabled (check again) also did you uncheck the option to Hide extensions for known file types (check again)?
     
  27. kittee

    kittee Private E-2

    I have just finished. The reboot caused a repeated message to pop up: Automatic Update has encountered a problem and has to close. I could not turn off the automatic update.
    Here is the new HJT log. It still shows internet explorer running. How should I turn it off. My browser is not running visibly?
    The 2 files were deleted and the NSS stayed disabled and off throughout.
     

    Attached Files:

  28. kittee

    kittee Private E-2

    Also the delete NT service would not work, it did not recognise either form. I tried the short one several times (cut and pasted). It said that it might have already been stopped.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wekwq.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wekwq.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wekwq.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wekwq.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wekwq.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wekwq.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wekwq.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A40065FF-BD8D-CBD6-9113-F234816A3EC3} - C:\WINDOWS\system32\crqx.dll
    O4 - HKLM\..\Run: [addzr.exe] C:\WINDOWS\system32\addzr.exe



    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\wekwq.dll
    C:\WINDOWS\system32\appqi32.dll
    C:\WINDOWS\system32\crqx.dll
    C:\WINDOWS\system32\addzr.exe
    C:\WINDOWS\system32\javaxl32.exe


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file. YOU MUST TELL ME IF YOU CANNOT FIND THESE FILES OR DELETE THEM. Make sure you can view hidden files.


    Now run Ccleaner (installed while running the READ ME FIRST).


    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  30. kittee

    kittee Private E-2

    The hidden files are already showing. I did not know about the hide file extensions for known file types unchecking, but that is now done
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's in the READ ME FIRST procedure. Step # 3.
     
  32. kittee

    kittee Private E-2

    Well, this is the first time I have been on broadband for half a day. So things are improving.
    I could only find the first of the five windows lines to delete.
    I have not had any pop ups yet. If I try to close my browser it refuses and an end program now box comes up.
    Here is the new log.
     

    Attached Files:

  33. kittee

    kittee Private E-2

    I just tried closing and reopening the browser and about:blank is back along with a popup, and some unofficial favourites. I am not sure whether the favourites list ever returned to normal.
     
  34. kittee

    kittee Private E-2

    Having to go and hit the sack.
    Thanks for your help today :)
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that's because the hijacker is still there and spawning new problems. See the below problems entries from your log:

    End these with Task Manager or HJT's process manager:
    C:\WINDOWS\system32\javahr32.exe
    C:\WINDOWS\system32\javavy.exe

    Fix these using HJT when all browsers are closed
    O2 - BHO: (no name) - {A771213E-BCAA-47E6-BF98-36D9049B7ADF} - C:\WINDOWS\iecb.dll
    O4 - HKLM\..\Run: [javavy.exe] C:\WINDOWS\system32\javavy.exe
    O4 - HKLM\..\RunOnce: [javahr32.exe] C:\WINDOWS\system32\javahr32.exe
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javaxl32.exe (file missing)

    Boot to safe mode and delete all the problem files (the files are there):
    C:\WINDOWS\system32\javahr32.exe
    C:\WINDOWS\system32\javavy.exe
    C:\WINDOWS\iecb.dll

    Empty your Recycle Bin and C:\windows\Prefetch folder

    Run About:Buster (multiple times if necessary) until it shows you are clean.

    Reboot in normal mode and post a new HJT log. If this does not work we are going to have to use the long hand process covered in the below link or try another Power Plug removal procedure:

    When all else fails - Generic Solution to HSA (Only the Best) & About:Blank hijack
     
  36. kittee

    kittee Private E-2

    I managed to remove all but the C:\WINDOWS\iecb.dll which I could not locate. If there is some way of searching windows that I should know about then please advise.
    I did find one that looked similar to one that I deleted. It was WINDOWS\javahz32.exe but I left it alone.
    Do I have to reset my favourites list?
    Here is the log
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still show multiple signs of the hijacker.
    You should delete: C:\WINDOWS\javahz32.exe that you found too.

    Windows Explorer should be able to show you the files you need to delete (in most cases) without having to do a Windows Search. Your problem files are in one of the below folders and you should look in each of them:
    c:\windows
    c:\windows\system
    c:\windows\system32
    c:\windows\prefetch

    If you do need to use Windows Search, it needs to be set up properly or it will not search for hidden or system files.

    How to use windows XP search mechanism to look for hidden files:
    If you use Search, you need to do the following:
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.


    You must provide feedback on steps so I know what is happening on your end.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:

    Network Security Service (NSS)

    If that does not work try cutting and pasting in the following short name: 11Fßä#·ºÄÖ`I
    You must use cut and paste since the characters cannot be easily typed.

    Tell me what happens while doing the above. If you are told that the service must be stopped, you need to go back and stop and disable this service as mentioned previously. Then repeat the above steps.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\amhhw.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\amhhw.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\amhhw.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\amhhw.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javaxl32.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\WINDOWS\system32\amhhw.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  38. kittee

    kittee Private E-2

    Failed at the first stage.
    Delete a Windows NT service, asked for the short name when I entered the long hand version.
    When I cut and pasted the short name into the box it gave the following message:- Please make sure you entered the short name of the service., vb exclamation.
    Should I continue or stop and disable NSS in the services.msc?
     
  39. kittee

    kittee Private E-2

    I read on and disabled the NSS in services.msc
    The rest then went quite smoothly and everything seems good to an untrained eye.
    The NSS properties in services.msc shows path to executable:
    C:\WINDOWS\system32\javaxl32.exe/s
    Not sure what relevance it has, either way it seems to have stayed stopped and disabled.
    The 023 - service: Network Security Service... line was not present on the HJT log.
    Another file in Windows system 32 looked suspicious, just by name. It was called apixb32, an application only created on the 12th March, 2005
    I enclose the new log , and as always , hope for the best.
     

    Attached Files:

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now you see why in message # 6 I was asking you to do this! Did you find the C:\WINDOWS\system32\javaxl32.exe file and can you delete it? Also yes, delete the apixb32 file you mentioned.

    Other than that your log is clean. How are things working?
     
  41. kittee

    kittee Private E-2

    Everything went a bit strange. I tried to reply to your message and my browser closed down and showed an internet explorer has had to close message.
    It would then not allow me to do anything. It stalled if I tried to open anything - including services.msc so I Booted into safe mode and deleted a DRWNT.exe file that kept reappearing in the processes list in the task manager. Also the javalx32.exe in WINDOWS.
    I then reset the web settings after running ccleaner, as I could not get on line to ask for advice. Either way I am back and include a log as is.
    All cannot be good!!!!!!!!!!!!!
     

    Attached Files:

  42. kittee

    kittee Private E-2

    Actually I think it was a DRWN32.exe, whenever I tried to open my browser it opened in the task manager processes
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see no problems in your HJT log. Is your system working improperly? Do you get any hijacks?

    Now here is an unusual request:
    - open one Internet Explorer session and leave it open (do not do anything else - do not kill any processes)
    - run HijackThis and save a new log.

    Now come back and post the log.
     
  44. kittee

    kittee Private E-2

    Everything seems fine. I am probably just a little paranoid.
    But then so are most people...probably!!!
    Here is the log
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! I guess you're right.... all this malware stuff has made you paranoid. :D
     
  46. kittee

    kittee Private E-2

    Thank you so much.
    Lots of time and trouble... Your services have been appreciated gallant knight, may all your days be blessed with sunshine and happiness
    Until next time.
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Kittee! Happy I could help! And thanks, I need lots of sunshine to get all my baseball games in. ;)
     
