At a loss. New at this, but did all the basics and generic HSA removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by finnman, Apr 5, 2005.

  1. finnman

    finnman Private E-2

    Found your forum site this morning rather soon after getting the "only the best" virus this morning. I read all the required links, got all the recommended software, followed the newbie instructions closely and no luck. I then spent the last several hours running through the "Generic HSA" instructions and immediately after reconnecting the network and starting IE I was back in the pool of despair. The only thing I wasn't sure I did right (on a conscious level) was the following entry: BHO: (no name) - {263D8EC6-3994-13AE-F18C-F072FE879294} - C:\WINDOWS\system32\ntfg32.dll

    It sounded a little dangerous to delete the BHO's if you weren't sure what they were (and I wasn't). I didn't find it on any of the lookup sites.

    I must admit I am quite surprised how tenacious these Hijackers are!

    Thanks for pointing out my mistakes (which must be there somewhere :) )

    --Finnman
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you are saying you ran ALL of the steps in the READ ME FIRST, so follow the steps below. After posting your HJT log, do not reboot or shut down your PC. The hijacker can mutate and spread during reboots and that would make what you post obsolete before I could even suggest a fix. Make sure you follow the below steps EXACTLY to avoid any delay in providing a fix.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. finnman

    finnman Private E-2

    Here's the current log. I see that the O4 BHO has morphed from what I saw yesterday, so apparently this is a "bad" one after all.
     

    Attached Files:

  4. finnman

    finnman Private E-2

    sorry, that would be O2 BHO, not O4. :eek:
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First step: per step 2 of the READ ME FIRST, see if you can stop and disable the below service. Then check to see if it actually stays disabled or if it restarts within a few minutes:

    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipwp.exe

    Let me know the results of doing this.

    If it restarts, try killing the below process first with Task Manager and then stopping and disabling the service. Now what happens:
    C:\WINDOWS\d3pl32.exe
     
  6. finnman

    finnman Private E-2

    After shutting down and disabling the service, it started back up after around 5 minutes.

    I then killed C:\WINDOWS\d3pl32.exe and disabled the service, and it has stayed down. (for about 20 minutes so far)
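The check chaslang asks for above (stop and disable the service, then see whether it comes back, and whether killing the suspected watchdog process first changes that), as an added example that is not part of the original thread. The service display name and the image paths are the ones from the posted HJT log; the poll interval and the length of the watch window are assumptions. It expects an elevated Windows PowerShell 3 or later prompt.

```powershell
# Added example, not from the original thread. Stop and disable the service from
# the O23 line, kill the image suspected of re-launching it, then watch both.
# Display name and paths are from the posted log; poll interval and watch window
# are assumptions.
$displayName   = 'Network Security Service'
$watchdogPaths = @('C:\WINDOWS\d3pl32.exe', 'C:\WINDOWS\system32\ipwp.exe')
$watchMinutes  = 20

function Get-SuspectProcesses {
    # Match on the full image path, not the process name: names in this thread
    # change between posts, the folders do not.
    Get-Process | Where-Object { $_.Path -and ($watchdogPaths -contains $_.Path) }
}

# The short name in the log is binary garbage, so resolve the service by display name.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -eq $displayName }
if (-not $svc) { throw "service '$displayName' not found" }
Write-Host "Service '$($svc.Name)' -> $($svc.PathName) [State=$($svc.State), Start=$($svc.StartMode)]"

# Order matters: kill the watchdog first, otherwise it re-enables the service
# within minutes, which is the pattern finnman reports above.
Get-SuspectProcesses | ForEach-Object {
    Write-Host "Killing $($_.Path) (PID $($_.Id))"
    Stop-Process -Id $_.Id -Force
}
Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
Set-Service  -Name $svc.Name -StartupType Disabled

# Poll: a disabled service that is running again, or a killed image that is back,
# means something still on the box is restoring it.
$deadline = (Get-Date).AddMinutes($watchMinutes)
$now = Get-CimInstance Win32_Service | Where-Object { $_.Name -eq $svc.Name }
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    $now  = Get-CimInstance Win32_Service | Where-Object { $_.Name -eq $svc.Name }
    $back = @(Get-SuspectProcesses)
    if ($now.State -eq 'Running' -or $now.StartMode -ne 'Disabled' -or $back.Count -gt 0) {
        Write-Host ("{0:T}  service State={1} Start={2}; watchdog images running: {3}" -f
            (Get-Date), $now.State, $now.StartMode, (($back | ForEach-Object Path) -join ', '))
    }
}
$clean = ($now.State -eq 'Stopped') -and ($now.StartMode -eq 'Disabled') -and (@(Get-SuspectProcesses).Count -eq 0)
Write-Host "Watch window over. Service still stopped and disabled, no watchdog running: $clean"
```

If the script reports the service running again with no watchdog image present, something else is restoring it (a second loader, a scheduled task, or a replaced file under a new name), which is what the thread runs into a few posts later.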
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay first double check to make sure that the C:\WINDOWS\d3pl32.exe process is still stopped and the NSS is still stopped and disabled.

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 26.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (Note I assume they should already be stopped due to the first step above but I want to double check.)
    C:\WINDOWS\system32\ipwp.exe
    C:\WINDOWS\d3pl32.exe


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\swugl.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\swugl.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\swugl.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\swugl.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\swugl.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\swugl.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {3C78A0E1-DB33-64D6-9E06-B93774618E8C} - C:\WINDOWS\system32\sdkwl32.dll
    O4 - HKLM\..\Run: [d3pl32.exe] C:\WINDOWS\d3pl32.exe
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipwp.exe

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (sort the listing in windows explorer by Modification dates and look for possibly other similarly name files from the same date - let me know if you find others):
    C:\WINDOWS\swugl.dll
    C:\WINDOWS\system32\sdkwl32.dll
    C:\WINDOWS\system32\ipwp.exe
    C:\WINDOWS\d3pl32.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Run Windows Explorer again and double check for the below files and delete if found:
    C:\WINDOWS\swugl.dll
    C:\WINDOWS\system32\sdkwl32.dll
    C:\WINDOWS\system32\ipwp.exe
    C:\WINDOWS\d3pl32.exe

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

    - Run HijackThis click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:
    Network Security Service (NSS)
    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    You will need to cut and paste the short name since the characters are not easily typed.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
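The file-removal part of the procedure above (kill the images, clear the read-only bit, delete, note what could not be deleted, look for other files from the same date, clear Prefetch and the Recycle Bin), as an added example that is not part of the original thread. The four paths are the ones from the posted HJT log; nothing else about the machine is assumed. Run it elevated with the network unplugged, as the post says; the same-date listing only reports, it deletes nothing on its own.

```powershell
# Added example, not from the original thread. Paths are from the posted HJT log.
$badFiles = @(
    'C:\WINDOWS\swugl.dll',
    'C:\WINDOWS\system32\sdkwl32.dll',
    'C:\WINDOWS\system32\ipwp.exe',
    'C:\WINDOWS\d3pl32.exe'
)

# A running image cannot be deleted, so kill first (the HJT process manager step).
Get-Process | Where-Object { $_.Path -and ($badFiles -contains $_.Path) } |
    ForEach-Object { Write-Host "Killing $($_.Path) (PID $($_.Id))"; Stop-Process -Id $_.Id -Force }

$failed  = @()
$lookups = @{}      # folder + day of each bad file, for the sibling search below
foreach ($f in $badFiles) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Host "Not found: $f"; continue }
    $item = Get-Item -LiteralPath $f -Force
    $day  = $item.LastWriteTime.Date
    $lookups["$($item.DirectoryName)|$($day.ToString('yyyy-MM-dd'))"] = @($item.DirectoryName, $day)
    if ($item.Attributes -band [IO.FileAttributes]::ReadOnly) {
        # The "uncheck read only" step from the post.
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::ReadOnly
    }
    try   { Remove-Item -LiteralPath $f -Force -ErrorAction Stop; Write-Host "Deleted: $f" }
    catch { $failed += $f; Write-Host "Could not delete $f : $($_.Exception.Message)" }
}

# Other files written the same day in the same folders are the "similarly named
# files from the same date" the post asks about. Report them; do not delete blindly.
foreach ($pair in $lookups.Values) {
    $dir, $day = $pair
    Write-Host "`nFiles in $dir last written on $($day.ToShortDateString()):"
    Get-ChildItem -LiteralPath $dir -Force -File |
        Where-Object { $_.LastWriteTime.Date -eq $day -and ($badFiles -notcontains $_.FullName) } |
        Sort-Object LastWriteTime |
        ForEach-Object { Write-Host ("  {0:u}  {1,10}  {2}" -f $_.LastWriteTime, $_.Length, $_.Name) }
}

# Prefetch entries for the deleted images are harmless but confuse later triage.
Remove-Item -Path 'C:\WINDOWS\Prefetch\*.pf' -Force -ErrorAction SilentlyContinue
if (Get-Command Clear-RecycleBin -ErrorAction SilentlyContinue) {
    Clear-RecycleBin -Force -ErrorAction SilentlyContinue
}

if ($failed) {
    Write-Host "`nStill present, delete these again from Safe Mode as the post says: $($failed -join ', ')"
}
```

Anything in the same-date listing with a random-looking five-letter name in C:\WINDOWS or system32 is worth posting along with the new HJT log rather than deleting on a guess.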
     
  9. finnman

    finnman Private E-2

    Just one point of clarification. This is a laptop, so I assume you want me to pop the battery, where I would normally, "pull the plug"?
     
  10. finnman

    finnman Private E-2

    Well, I thought I'd go ahead, but when I went to check on the "Network Security" service, it was running again (I have not rebooted nor logged out since this morning). This time, however, there was no d3pl32 running. I tried to disable it, but it came right back this time. I went through a few more steps just to see how it would go, but other things have already morphed as well. The O4 entry for d3pl32 seems to have become sdktq32, and the R0-R1 entries for swugl.dll have become ydtra.dll. I did use a VPN client today for work, but that was the only "unusual" program I used today. Do you want me to proceed with the procedure substituting the 'new' filenames, or is there something else afoot?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you think you can identify the morphed items, go ahead and substitute them into the procedure. Otherwise post a new log. If it is easy for you to pop the battery and then pull the plug, then do so. If not, try just holding in the power button until it shuts down but that does not usually work as well. It gives the bad process time to spread during a semi-graceful shutdown.
     
  12. finnman

    finnman Private E-2

    OK, that may have done it. Everything seems to be holding steady for the moment. I did have a problem removing the NSS service with HJT; it said it couldn't be found, regardless of how I identified it. I've checked services again after the reboot, and it shows it is there, but it has stayed disabled, and I didn't see it in the HJT log. For the moment everything seems OK, but perhaps it is just waiting for the right time to strike!? Anyway, attached are the last set of results.
     

    Attached Files: ab1.log (504 bytes), ab2.log (421 bytes)
  13. finnman

    finnman Private E-2

    and the HJT results.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it is not in your HJT log (which it is not) then it should not be showing when you run services.msc either. Are you sure you still saw it there?

    You should have HJT fix the below entries. Note: Nothing belongs in the Trusted Zone unless it is absolutely required for something you need to do. And in every case I have seen thus far, there was no need or justification.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O15 - Trusted Zone: http://www.atomfilms.com
    O15 - Trusted Zone: http://atomfilms.shockwave.com
    O15 - Trusted Zone: http://vnfm.verizon.com
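Where the O15 lines come from, and how to clear them without HJT, as an added example that is not part of the original thread. IE keeps the zone assignments under the ZoneMap\Domains registry key (one subkey per domain, optionally one per host label under it, and one value per scheme whose DWORD is the zone number; 2 is the Trusted zone), in both HKCU and HKLM. The three URLs are the ones from the post above. One assumption to check: the script splits a host into "registrable domain = last two labels" plus whatever is in front, which is right for these three sites but not for every TLD.

```powershell
# Added example, not from the original thread. ZoneMap layout is standard IE;
# the three URLs are from the post above; the last-two-labels split is an assumption.
$zoneRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
$toRemove = @('http://www.atomfilms.com', 'http://atomfilms.shockwave.com', 'http://vnfm.verizon.com')

function Get-TrustedZoneSites {
    foreach ($root in $zoneRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in (Get-ChildItem -LiteralPath $root -Recurse)) {
            # Key path Domains\shockwave.com\atomfilms means host atomfilms.shockwave.com.
            $rel    = ($key.Name -split '\\Domains\\', 2)[1]
            $labels = @($rel -split '\\')
            [array]::Reverse($labels)
            foreach ($scheme in $key.GetValueNames()) {
                if ($key.GetValue($scheme) -eq 2) {
                    [pscustomobject]@{
                        Hive   = $key.Name.Split('\')[0]
                        Scheme = $scheme
                        Host   = ($labels -join '.')
                        Key    = $key.Name
                    }
                }
            }
        }
    }
}

function Remove-TrustedZoneSite {
    param([string]$Url)
    $u      = [uri]$Url
    $labels = @($u.Host -split '\.')
    $domain = ($labels | Select-Object -Last 2) -join '.'                     # assumption: last two labels
    $sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { '' }
    foreach ($root in $zoneRoots) {
        $key = Join-Path $root $domain
        if ($sub) { $key = Join-Path $key $sub }
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        if ($props.($u.Scheme) -eq 2) {
            Remove-ItemProperty -LiteralPath $key -Name $u.Scheme
            Write-Host "Removed $($u.Scheme) for $($u.Host) from $key"
        }
        # Drop the key once nothing is left in it, which is what HJT's fix does.
        $k = Get-Item -LiteralPath $key
        if ($k.ValueCount -eq 0 -and $k.SubKeyCount -eq 0) { Remove-Item -LiteralPath $key }
    }
}

Write-Host "Trusted zone before:"
Get-TrustedZoneSites | Format-Table Hive, Scheme, Host -AutoSize
foreach ($url in $toRemove) { Remove-TrustedZoneSite -Url $url }
Write-Host "Trusted zone after:"
Get-TrustedZoneSites | Format-Table Hive, Scheme, Host -AutoSize
```

A hijacker that writes its own sites into the Trusted zone gets IE's relaxed ActiveX and scripting settings for them, which is the reason chaslang wants the list empty rather than merely trimmed.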
     
  15. finnman

    finnman Private E-2

    I've cleared out the other items from HJT. Attached is a snapshot of what it shows in the service list.
     

    Attached Files: nss.JPG (13.8 KB)
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixhsa.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixhsa.reg file on your Desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add the changes into your registry say yes.
    Is that service still listed in the services.msc list?
     
  17. finnman

    finnman Private E-2

    I updated the registry as instructed but NSS is still listed in services. On the good side, the hijacking does seem to have been stopped. I have been working and browsing all day and haven't noticed any symptoms. In the registry, it seems to be labeled with the cryptic name "__11Fßä#·ºÄÖ`I)" instead of the "__NS_Service" that your instructions had. In the LEGACY key, however, it shows with the hex (i.e. LEGACY__11F*00DF*00E4*006#*00B7*00BA*00C4*00D6'I), again without the trailing _Services. The Uninstall keys are gone and no cryptic version seems to be there. Can I just delete these two wacky ones manually?

    Thanks for all the help so far. This seems like the home stretch!
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! You can delete the registry keys! Unless you are real comfortable with manual registry editing, maybe you should do a registry backup first. You can use Erunt to do that.
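The manual key deletion agreed on above, with a backup of each key taken first, as an added example that is not part of the original thread. Instead of typing the garbled short name it searches the Services hive by the display name and image name from the posted HJT log, then finds the matching LEGACY_* entry under Enum\Root by the "Service" and "DeviceDesc" values that the PnP manager writes there (that mirror entry is the second key finnman found). Those two layouts are standard Windows; the backup folder is an assumption, and the .reg exports cover only the keys touched, so ERUNT is still the better full backup. Run elevated, then reboot.

```powershell
# Added example, not from the original thread. Display name and image name are
# from the posted HJT log; the backup folder is an assumption.
$displayName  = 'Network Security Service'
$imageName    = 'ipwp.exe'
$backupDir    = 'C:\regbackup'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$enumRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

function Find-SuspectServiceKeys {
    $found = @()
    foreach ($k in Get-ChildItem -LiteralPath $servicesRoot -ErrorAction SilentlyContinue) {
        $dn = $k.GetValue('DisplayName'); $ip = $k.GetValue('ImagePath')
        if ($dn -eq $displayName -or ($ip -and $ip -like "*$imageName*")) { $found += $k }
    }
    $names = @($found | ForEach-Object PSChildName)
    # Every service gets a mirror key Enum\Root\LEGACY_<NAME>\<instance> whose
    # "Service" value names the service and "DeviceDesc" repeats the display name.
    foreach ($k in Get-ChildItem -LiteralPath $enumRoot -ErrorAction SilentlyContinue |
                   Where-Object { $_.PSChildName -like 'LEGACY_*' }) {
        foreach ($inst in Get-ChildItem -LiteralPath $k.PSPath -ErrorAction SilentlyContinue) {
            if (($names -contains $inst.GetValue('Service')) -or ($inst.GetValue('DeviceDesc') -eq $displayName)) {
                $found += $k; break
            }
        }
    }
    $found
}

function Remove-KeyWithBackup {
    param([Microsoft.Win32.RegistryKey]$Key)
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $file = Join-Path $backupDir (($Key.Name -replace '[^\w.-]', '_') + '.reg')
    # reg.exe accepts the HKEY_LOCAL_MACHINE\... form that $Key.Name uses.
    & reg.exe export $Key.Name $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup of $($Key.Name) failed; not deleting" }
    try {
        Remove-Item -LiteralPath $Key.PSPath -Recurse -Force -ErrorAction Stop
        Write-Host "Removed $($Key.Name) (backup: $file)"
    } catch {
        # LEGACY_* keys are normally owned by SYSTEM with no write access for
        # Administrators; take ownership in regedit (Permissions...) and rerun.
        Write-Host "Could not remove $($Key.Name): $($_.Exception.Message)"
    }
}

$keys = Find-SuspectServiceKeys
if (-not $keys) { Write-Host "Nothing matching '$displayName' or $imageName under Services or Enum\Root" }
foreach ($k in $keys) {
    Write-Host "Found: $($k.Name)"
    Remove-KeyWithBackup -Key $k
}
```

Importing the saved .reg file restores a key if the wrong one was hit; the Services entry of a disabled service can be removed while Windows is running, but the service control manager will not forget it until the next reboot, which is the point at which services.msc should finally stop listing it.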
     
