About:Blank and HSA Hijacker - Simplified Removal

Discussion in 'Malware Removal FAQ' started by chaslang, Oct 9, 2005.

Thread Status:
Not open for further replies.
  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    about:Blank and/or HSA Hijacker Problems



    Only do these steps if you have the about:blank or home search assistant (HSA) hijack. (If not sure, see the link below for an idea of what they look like.) The procedure in this current thread attempts to use a simplified method of removing certain forms of about:Blank and HSA hijacker problems. It is a much shorter method than given in:


    about:Blank and HSA (aka Only the Best) Hijackers - Generic Solution


    but it may not have the same success rate in fixing the malware as the more detailed procedure does. These infections can be very insidious and can often require repetition of steps and also some tweaking of the order or insertion of new steps.

    Part 1: Standard Cleaning Procedure
    The first step is to run thru standard cleaning procedure to get your system into a known state and to remove any miscellaneous malware that may be present and that could make removal of the hijackers more difficult.

    Run steps 1 thru 6 in this first:

    READ & RUN ME FIRST Before Asking for Support

    Now if you did not install HijackThis during the READ ME FIRST (it was step 7), you must follow the steps in:

    Downloading, Installing, and Running HijackThis

    Do not post your log though! Just get it downloaded and installed properly for use later on.


    Part 2: Download the below special tools

    Do not run scans with them until specified!

    about:Buster......No installation required! Just unzip it to a folder. Click Update and download any updates before scanning. If you receive an error message about a missing MSCOMCTL.OCX file when you run about:Buster, download the file in the link below and run it. It will give you the necessary file. There is also a help file that comes with about:Buster that explains some common errors and how to fix them.

    http://www.javacoolsoftware.net/downloads/missingfilesetup.exe

    HSRemove........No installation required! Ready to run as is. (Only run this below if you have WinNT, 2K, XP. Otherwise skip that step.)

    Okay, now that we have the tools downloaded, it is very important with these infections to be physically disconnected (unplug your cable) from the internet and that NO BROWSERS be running while doing the below steps. So print or save these instructions locally before you continue. Remain disconnected with browsers closed until specified otherwise.

    OK! Unplug your cable and exit browsers now!


    Part 3: Stopping and Disabling Bad Services

    Now you must check to see if any of the following three malware services are running:
    • Network Security Service
    • Workstation Netlogon Service
    • Remote Procedure Call (RPC) Helper
    To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now, in the Services window that pops up, look for exactly the following service names (no others): "Network Security Service (NSS)" or "Workstation Netlogon Service" or "Remote Procedure Call (RPC) Helper". (NOTE: DO NOT DISABLE: Remote Procedure Call (RPC) or Remote Procedure Call (RPC) Locator. They are both required services and are unrelated to the hijacker.) You could have more than one of the 3 mentioned bad services, so look for all of them. If you find these services, you must right click on each one to bring up the service Properties window and do the following (refer to the Figure too):

    Step 1: Stop the service by clicking the Stop button.
    Step 2: Now, disable it by changing the Startup type to Disabled and click Apply.

    [​IMG]

    If you do not find these exact services, do not worry and just skip this step. DO NOT DISABLE ANYTHING UNLESS THE EXACT WORDING OF THE SERVICE NAMES IS MATCHED.



    Part 4: Cleaning Procedure

    - Run HSremove
    - Run about:Buster and save the log to ab1.txt.
    - Immediately reboot into safe mode and run about:Buster again in safe mode and save another log (ab2.txt). Newer versions of about:Buster will probably append to the previous log file. That's ok.
    - Now immediately reboot in normal mode and post the results of these steps and your about:buster log.
    - Also you should now run HijackThis and save a log. Follow the instructions given in HJT's link to properly attach your log.
    - Do not reboot or power down your PC or the malware could mutate if still infected.
    - Make sure you indicate you ran these steps!
     
    Last edited by a moderator: Mar 21, 2006
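
The Part 3 check can also be scripted. The block below is an added example, not part of the original post or any MajorGeeks tool: it matches service display names exactly against the names given in Part 3 and previews the stop-and-disable steps. It assumes Windows PowerShell 2.0 or later run as an administrator; the function names are hypothetical.

```powershell
# Added example: exact-name check for the services listed in Part 3.
# Assumes Windows PowerShell 2.0+ from an administrator prompt.

# Display names copied from the post; compared whole, never by wildcard.
$BadNames = @(
    'Network Security Service',
    'Network Security Service (NSS)',
    'Workstation Netlogon Service',
    'Remote Procedure Call (RPC) Helper'
)

# Required Windows services the post says must NOT be disabled.
$Protected = @(
    'Remote Procedure Call (RPC)',
    'Remote Procedure Call (RPC) Locator'
)

function Find-HijackerService {
    # -contains compares the full string (case-insensitive), so
    # "Remote Procedure Call (RPC)" never matches the "... Helper" entry.
    Get-Service | Where-Object {
        ($BadNames -contains $_.DisplayName) -and
        ($Protected -notcontains $_.DisplayName)
    }
}

function Disable-HijackerService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($svc in Find-HijackerService) {
        if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop and disable')) {
            # Step 1: stop the service if it is still running.
            if ($svc.Status -ne 'Stopped') {
                Stop-Service -Name $svc.Name -Force
            }
            # Step 2: change the Startup type to Disabled.
            Set-Service -Name $svc.Name -StartupType Disabled
        }
    }
}

$found = @(Find-HijackerService)
if ($found.Count -eq 0) {
    'No exact match found; skip Part 3.'
} else {
    $found | Format-Table Name, DisplayName, Status -AutoSize
    Disable-HijackerService -WhatIf   # remove -WhatIf to apply the change
}
```

With `-WhatIf` the script only reports what it would stop and disable, which keeps the "exact wording only" rule checkable before anything is changed.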