Did " READ & RUN ME FIRST Before Asking for Support" but still having problems

I did all that was suggested in " READ & RUN ME FIRST Before Asking for Support" (although I could only use Trend Micro's Java version due to problems with IE). McAfee, however, still is finding new trojans (e.g. "malware.j") randomly, especially around startup. Can someone take a quick look at my HijackThis log?

Thanks...

 

First, please follow this site to rid you of this hijacker, about:Blank and HSA Hijacker - Simplified Removal

After you complete this attach reboot and attach a fresh HJT log from normal mode.

 

I followed the directions, and when I rebooted, I did not have the normal slew of trojans. Here is my new HijackThis log.

 

Click Start > Run > type services.msc and Click OK

Locate Network Security Service ( 11Fßä#·ºÄÖ`I) and RightClick on it to bring up the Service Properties Window.
First: Stop the service by clicking the Stop Button.
Next: Disable it by changing the Startup Type to Disabled and click Apply

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

11Fßä#·ºÄÖ`I

You may be told to reboot at this point, go ahead and reboot.

After you complete the above, attach a fresh HJT log.

 

I pasted this "11Fßä#·ºÄÖ`I" but it said not found in the registry...

 

Was you able to stop and disable the service? If so, this is good enough for now, attach a fresh HJT log.

 

It said something about an "internal error" occuring, although it did show stopped and then disabled. Attached is the new log. (And just in case my browser isn't reading it right, "11Fßä#·ºÄÖ`I" shows up and copies as gibberish (11-f-greek beta # etc...)

 

Copy the contents of the quote below and paste into notepad. Click SAVE AS and type, fix.bat

Tell me if any errors pop up, after you do this go into services.msc from START > RUN and locate the service "Network Security Service ( 11Fßä#·ºÄÖ`I)" and set it to disabled.

After you complete this, reboot and attach a fresh HJT log.

 

All that comes up is "Network Security Service" alone. When I click on propetries, and then stop, the Microsoft Management Console comes up and says "Configuration Manager: A general internal error occured."

 

Check that, the error comes up when I click on properties, or when I click on stop. Also, I see where you grabbed the "11Fßä#·ºÄÖ`I" from now...not that it helps or anything...

 

We really need to get this service stopped as it will keep this infection here as long as it's running.

Do this for me, click Start > Run > type in regedit

Navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Right click on SERVICE and select EXPORT. Save this file to your desktop, compress it to a ZIP file and attach it to your next post.

 

here it is

 

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

After you complete this, reboot and attach a fresh HJT log.

 

Here's the newest log.

 

Unfortunatley, I really need to leave. (I promised my girlfriend we'd leave 3 hours ago on our trip.) I will check back on the thread as soon as I'm home later this weekend - hopefully everything is clear. Thank you VERY MUCH for your help and your time tonight. -Robert

 

Download Pocket KillBox
(Don't run it yet)

Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [netky.exe] C:\WINDOWS\netky.exe
O4 - HKLM\..\Run: [129.tmp] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\129.tmp.exe
O4 - HKLM\..\Run: [129.tmp.exe] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\129.tmp.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O23 - Service: QTask Management - Unknown owner - C:\WINNT\system32\srvany.exe (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

11Fßä#·ºÄÖ`I

You may be told to reboot at this point. Do not reboot just exit HijackThis as we will be restarting it with different options in a moment.


Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

C:\WINDOWS\netky.exe

C:\WINDOWS\system32\netmi.exe

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, attach a fresh HJT log.

 

I did all that was listed and attached is the new HJT log. Here are the only problems I came across:

1. I rebooted in Safe Mode as directed. Of all the items listed to fix with HJT, only this one did not show up: R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

It did show up when I just ran HJT in normal Windows. I'm not sure if this is a problem.

2. When I attempted to "Delete an NT Service" with HJT, I pasted the name and received a message that it was not found in registry. Spybot had just removed a couple of things under WWWCoolSearch (or some name close to that) with that name, although I'm not sure if this would have anything to do with it.

Thank you once again for your ongoing help.

 

Your HJT log is clean, are you having any further problems?

 

Nope. Everything looks clear and it's running fine. I really appreciate all of your help.

 

Your Welcome!

You should see this article on How to Protect yourself from malware!

Surf Safely!

 

I will do each of these things. Thanks again!

 

Your Welcome!