Startpage.AO.19 / about:blank

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by HappySam, Dec 11, 2005.

  1. HappySam

    HappySam Private E-2

    Hi there,

    First, I apologise if my query has already been answered elsewhere, but I've spent hours reading forums, and none seem to have helped.

    When I run Internet Explorer, AVG reports that I'm infected by the trojan Startpage.AO.19, and my default homepage gets reset to about:Blank.

    I use ZoneAlarm and AVG, and have run the latest versions of the following programs:

    Spybot Search & Destroy
    Trend Micro Anti-Spyware
    WebRoot Spy Sweeper
    AboutBuster
    Ad Aware SE Personal
    MS Anti Spyware
    CCleaner
    CWshredder
    panda software online scan
    Bitdefender online scan

    and I still haven't got rid of it.
    I've posted my HijackThis log below; any help would be immensely appreciated!

    Edit by chaslang: Inline log attached.

    cheers

    Sam
     


    Last edited by a moderator: Dec 12, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post HJT logs inline, and also please install HJT properly per the directions in step 7 of READ & RUN ME FIRST Before Asking for Support.

    You will also note that we request msconfig not be used for controlling startups. Otherwise we cannot see everything that may be a potential problem.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, do you use MySQL? The line below does not look to be valid:

    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

    This is definitely not the correct place for any program to be installed.
     
  4. HappySam

    HappySam Private E-2

    Hello

    thanks for getting back to me.

    Apologies for my disregard of your instructions in the "Read & Run Me First" thread; I will have another go at the HJT log.

    About MySQL: I've just started playing around with databases and I recently downloaded MySQL. I thought I installed it in the default location, but I'm not sure.

    Sam
     
  5. HappySam

    HappySam Private E-2

    Hello,

    I have followed the instructions in your threads, and attached the new HJT log. Thank you for your patience :)
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You have an HSA hijacker. We need to stop and disable the hijacker service and then eventually get it deleted. The service I'm talking about is the line below.

    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcgy.exe

    You should see one of the special removal procedures mentioned in the sticky thread.

    about:Blank and HSA Hijacker - Simplified Removal

    Since you have already completed what is in Part 1, start at the Part below, but it would be a good idea to read all of it.

    Part 2: Download the below special tools
     
  7. HappySam

    HappySam Private E-2

    Hello again,

    I've followed the steps you directed me to. It seems that when I removed the "Workstation Netlogon Service", the "Network Security Service (NSS)" cropped up after I had rebooted.

    Also, I've not fixed that line from the HJT scan that you picked out; was I supposed to?

    Here are my AboutBuster and HJT logs:


    Thanks again for your help!
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to stop and disable the NSS service per the directions in the link I gave you. You cannot fix the line in HJT until the service itself has been stopped and disabled.

    At the same time, you may also need to kill another process that is part of the hijacker. If not killed, it could restart the service almost as soon as you stop it. This process is C:\WINDOWS\crea32.exe

    Let's try the procedure below.

    Start by downloading the following tool: Pocket KillBox

    Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.


    Now run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\crea32.exe

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Network Security Service (NSS) (or if you cannot find that name, try the short name 11Fßä#·ºÄÖ`I ) ... right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Network Security Service (NSS)

    If that does not work, copy and paste in the short name: 11Fßä#·ºÄÖ`I

    You have to copy and paste because these characters are not easily entered. Also, an important NOTE: there is a space in front of the 11F, so add the space too or HJT will not find the service.

    After doing that exit HijackThis but do not reboot if it asks you to do so. We will be restarting HJT to run some additional steps.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis again and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (They may or may not be there again. We are double checking.)
    C:\WINDOWS\crea32.exe
    C:\WINDOWS\mfcgy.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=explorer.exe
    O2 - BHO: Class - {429FBB28-3707-7D9B-0B87-0864569E4286} - C:\WINDOWS\system32\iprs32.dll
    O4 - HKLM\..\Run: [crea32.exe] C:\WINDOWS\crea32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe (file missing)
    O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcgy.exe

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right-click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes, click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes, click OK.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\WINDOWS\crea32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\iprs32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and also check the box to Unregister DLL before deleting (if it is active) and Click the RedX and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\mfcgy.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself but either way please boot into safe mode. And while in safe mode do nothing but the below:
    - Run Windows Explorer and double check for the below files and delete if found:
    C:\WINDOWS\crea32.exe
    C:\WINDOWS\system32\iprs32.dll
    C:\WINDOWS\mfcgy.exe

    Now reboot (whether you find them or not) into normal mode.

    Now get a new HJT log and post it here. And tell us how these steps went and how things are working.
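    The triage in posts 3, 6 and 8 above is done by eye: an "Unknown owner" service or a Run entry whose executable sits directly in C:\WINDOWS, a service short name that starts with a space or is not plain ASCII, a BHO registered under a generic name, and a start page forced to about:blank. The script below is an added example (not HijackThis code, and not something posted in this thread) that parses the HJT line formats involved and applies those same rules. Two things in it are the editor's own assumptions rather than anything the thread states: the benign AVG lines and the HKCU about:blank line in the sample log are constructed, and the rule that a service path rendered as `C:\Program.exe (file missing)` usually comes from an unquoted ImagePath under `C:\Program Files` is a judgement call to confirm in services.msc, not a verdict.

```python
r"""HijackThis (HJT) log triage, added as an example for this thread.

Not HijackThis code and not posted by the thread's helper; it encodes, as a
script, the judgement calls made by hand in posts 3, 6 and 8.  The heuristics
and the benign sample lines are the editor's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the R0/O2/O4/O23 hijacker lines are taken from
# posts 3 and 8 of the thread; the AVG lines and the HKCU about:blank line
# are made up so that benign and hijacked cases are both exercised.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Class - {429FBB28-3707-7D9B-0B87-0864569E4286} - C:\WINDOWS\system32\iprs32.dll
O4 - HKLM\..\Run: [crea32.exe] C:\WINDOWS\crea32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcgy.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# Line formats HJT emits for the sections we care about.
R_RE = re.compile(r"^R[0-3] - (?P<key>HK\w+\\[^,]+),(?P<value>[^=]+?) = ?(?P<data>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# The display name may itself contain parentheses ("... (NSS)"), so the short
# name is the LAST parenthesised group before " - owner - path".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]*)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)
# An executable sitting directly under the Windows directory (no sub-folder).
WINROOT_EXE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str            # HJT section prefix, e.g. "O23"
    line: str            # the offending log line, verbatim
    reason: str
    path: Optional[str]  # executable involved, if any
    missing: bool = False  # HJT reported "(file missing)"


def exe_path(raw: str):
    """Split an HJT path field into (path, file_missing), dropping arguments."""
    raw = raw.strip()
    missing = raw.endswith("(file missing)")
    if missing:
        raw = raw[: -len("(file missing)")].rstrip()
    if raw.startswith('"'):
        path = raw[1:].split('"', 1)[0]
    else:
        path = raw.split(" ", 1)[0]
    return path, missing


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's hand-made rules to every line of an HJT log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := O23_RE.match(line):
            path, missing = exe_path(m["path"])
            short = m["short"] or ""
            if short and (short[0].isspace() or not short.isascii()):
                findings.append(Finding("O23", line, "service short name starts with a "
                                        "space or is non-ASCII, typical of the HSA/about:blank "
                                        "hijacker service", path, missing))
            if m["owner"] == "Unknown owner" and WINROOT_EXE.match(path):
                findings.append(Finding("O23", line, "unknown-owner service runs straight "
                                        "out of the Windows directory", path, missing))
            if re.fullmatch(r"[A-Za-z]:\\Program\.exe", path, re.IGNORECASE):
                # Assumption: this rendering usually means an unquoted ImagePath
                # under C:\Program Files, so it is verified, not deleted.
                findings.append(Finding("O23", line, "path shows as C:\\Program.exe: usually "
                                        "an unquoted ImagePath under C:\\Program Files; confirm "
                                        "in services.msc before treating as malware", path, missing))
        elif m := O4_RE.match(line):
            path, missing = exe_path(m["cmd"])
            if WINROOT_EXE.match(path):
                findings.append(Finding("O4", line, "Run entry launches an executable straight "
                                        "out of the Windows directory", path, missing))
        elif m := O2_RE.match(line):
            path, missing = exe_path(m["path"])
            if m["name"].strip() in ("", "Class", "(no name)"):
                findings.append(Finding("O2", line, "BHO registered under a generic or empty "
                                        "name", path, missing))
        elif m := R_RE.match(line):
            if m["value"].strip() == "Start Page" and m["data"].strip().lower() == "about:blank":
                findings.append(Finding("R0", line, "start page forced to about:blank", None))
    return findings


def files_to_remove(findings: List[Finding]) -> List[str]:
    """Files a Killbox / safe-mode cleanup would target: flagged and present."""
    return sorted({f.path for f in findings if f.path and not f.missing})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print("files to remove:", files_to_remove(found))
```

    Run against the sample log, the script flags the about:blank start page, the generic "Class" BHO, the crea32.exe Run entry and the NSS service (twice: odd short name and unknown owner in C:\WINDOWS), while the AVG lines pass; the MySQL entry is reported as something to verify rather than delete. `files_to_remove` reproduces the three-file Killbox list from post 8. The short-name check is the useful part: a service whose name starts with a space or contains unprintable characters cannot be typed into the HJT "Delete an NT Service" box, which is why the post insists on copy and paste.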
     
  9. HappySam

    HappySam Private E-2

    OK,

    I've completed those steps. AVG doesn't seem to be picking anything up, and everything seems to be running quite smoothly. However, I still have the problem of my IE start page being reset to about:blank.

    Sam

    Here's the new HJT log.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you Reset Web Settings as requested? And did you allow the change to occur? Programs like the ones you have installed (MS Antispyware, Trend Micro Antispyware, and SpyWareGuard) could block the changes unless you approve them.

    Your HSA hijacker appears to be gone.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And also you have a service from Spy Sweeper still running which could interfere with changes too. Do you still have SpySweeper installed? If so, it must be an old version.
     
  12. HappySam

    HappySam Private E-2

    Alright!

    MS Antispyware was blocking the change. it's all working perfectly now.

    Many thanks for your help!
    :)

    (very)HappySam
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

