about:blank and/or hsa problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Seadogg, Jan 20, 2005.

  1. Seadogg

    Seadogg Private E-2

    I have been having the symptoms of the about:blank spyware - home page resets, pop-up ads, etc. There is also a listing for Home Search Assistant in my add-remove programs (although the uninstall doesn't work, of course). I have done everything in the READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal, and have installed and looked at HijackThis. I would appreciate any help - I am definitely confused at what I'm looking at in a log file. Thanks in advance,

    Carl
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Carl,

    Did you run About:Buster and HSRemove as prescribed in the Cleanup Tutorial?

    Go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    PP :)
     
  3. Seadogg

    Seadogg Private E-2

    Here is the log file. I did run about:Buster and HSRemove. Most of the programs found many infected files, but the problem persists.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Carl,

    Looks like you've got a pretty good infection! Please hang on until our resident expert Chaslang can take a look (Probably Thursday). He has a procedure to knock this baddie out and it would probably be best if he talked you through it.

    To get an idea of what is involved, have a peek at this thread. I recommend waiting until you hear from Chas before proceeding!

    About:Blank Hijack Problem

    Best luck :)
    PP
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your first problem is that your OS and IE versions are severely out of date and present a major security risk. After fixing your current problems you must visit Windows Update and update your PC. You must at a minimum get your PC updated to WinXP SP1a.
    You have a bunch of other issues that we must address before trying to fix the about:blank & HSA hijack problem. So the following procedure is going to work on those issues. We will begin working on the HSA hijack later.

    But I have one question though. You said you ran the steps of the READ ME FIRST but I still see the Network Security Service related to the hijacker running. Did you or did you not complete step 2 of Getting Prepared? This step should have stopped and disabled this service from running.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.


    Make sure you have system restore disabled and viewing of hidden files enabled.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (Note: There could be more than one instance of some of these running. Kill each instance.):
    C:\windows\system32\Jae.exe
    C:\windows\system32\myrG.exe
    C:\Documents and Settings\Carl Heuckendorf\Application Data\ucrr.exe
    C:\WINDOWS\System32\n?svc32.exe
    C:\WINDOWS\system32\myrG.exe
    C:\WINDOWS\System32\Mobr9V35.exe
    C:\WINDOWS\System32\NjqM9Y44.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [rZJCz.exe] C:\documents and settings\carl heuckendorf\local settings\temp\rZJCz.exe
    O4 - HKLM\..\Run: [Jae.exe] C:\windows\system32\Jae.exe
    O4 - HKLM\..\Run: [myrG.exe] c:\windows\system32\myrG.exe
    O4 - HKLM\..\Run: [4S6WZ4W5AHGT5Y] C:\WINDOWS\System32\Boi5X.exe
    O4 - HKCU\..\Run: [Osrr] C:\Documents and Settings\Carl Heuckendorf\Application Data\ucrr.exe
    O4 - HKCU\..\Run: [Kddyco] C:\WINDOWS\System32\n?svc32.exe
    O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\ezPopStub.exe /UninstPOP2 C:\Program Files\Web Offer
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\windows\system32\Jae.exe
    C:\windows\system32\myrG.exe
    C:\Documents and Settings\Carl Heuckendorf\Application Data\ucrr.exe
    C:\documents and settings\carl heuckendorf\local settings\temp\rZJCz.exe
    C:\WINDOWS\System32\Mobr9V35.exe
    C:\WINDOWS\System32\NjqM9Y44.exe
    C:\WINDOWS\System32\Boi5X.exe
    C:\WINDOWS\System32\ezPopStub.exe
    C:\Program Files\Web Offer <--- the whole folder

    Now reboot in normal mode and post a new HJT log.
    Again note that I skipped all the HSA related lines. After you come back and post your follow up HJT log DO NOT REBOOT. That could cause the hijacker to mutate making any changes I suggest useless.
     
  6. Seadogg

    Seadogg Private E-2

    Thanks so much for your generous help! To answer your question, I do specifically remember disabling that service, but I think I might have hit the buttons in the wrong order. It should stay off now. I am having trouble completing this part of your instructions:

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (Note: There could be more than one instance of some of these running. Kill each instance.):

    Every time I try to close the process: C:\WINDOWS\system32\myrG.exe, it immediately opens another copy. Should I continue anyway? Thanks again for your help,

    Carl
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try killing them in a different order. If you still have a problem, continue the rest of the steps and let's see where you get to.
     
  8. Seadogg

    Seadogg Private E-2

    Here's my new log file.

    I couldn't find the following lines when using HijackThis:

    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

    I also couldn't find the following files when deleting in safe mode:

    C:\documents and settings\carl heuckendorf\local settings\temp\rZJCz.exe
    C:\Program Files\Web Offer <--- the whole folder

    Thanks again!
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    YOU MUST REMEMBER TO EXIT

    C:\Program Files\Internet Explorer\iexplore.exe

    BEFORE RUNNING HJT! This is very important especially when fixing items.

    You still need to get the below service stopped and disabled per the tutorial:
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\winvl.exe
     
  10. Seadogg

    Seadogg Private E-2

    I have followed the instructions in the tutorial to disable the Network security service (NSS) several times, but it must be restarting itself somehow.

    Should I go through your previous steps again? I think there may be progress; it seems there are less .exe's running. Thanks again,

    Carl
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Carl,

    Make sure you have downloaded About:Buster and HSremove per the tutorial. And then run About:Buster and only do the update. You must get the current database. Then exit AB.

    Read this and print it so you can run it with no browsers opened at any time (until I tell you to come back here and post logs) and physically disconnect (unplug your cable to the internet - this is important - do not skip it).

    - OK before continuing with below you must now have browsers closed and the cable physically unplugged.

    - Run HSremove! Then run About:Buster (make sure you run the second scan) and save the log to ab1.log

    - As soon as that completes, reboot into safe mode.

    - In safe mode repeat: Run HSremove! Then run About:Buster (make sure you run the second scan) and save the log to ab2.log

    - As soon as that completes, reboot into normal mode.

    - And get a HJT log, save it to hjt1.log
    - Now reconnect your internet connection and open two browser windows. And then close the browser windows.
    - And get another HJT log, save it to hjt2.log

    Now run your browser and come back here and post both AB logs and both HJT logs. That will require two messages since you can only have two attachments per message.
     
  12. Seadogg

    Seadogg Private E-2

    Here they are. I'm still having the same symptoms though.
     

    Attached Files: ab1.log, ab2.log
  13. Seadogg

    Seadogg Private E-2

    And the hjt files...

    Thanks again for all your help.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! I see it is still there! You got some nasty ADS infected files too that About:Buster seems unable to fix.

    Download GetService.zip from here: Getservice.zip

    Extract the file to a folder where you can find it, then go to the folder and double-click on the getservices.bat file. A notepad will open up when it finishes. Please paste the contents of that notepad file as an attachment. Call it service.txt.
     
  15. Seadogg

    Seadogg Private E-2

    Here it is. This is a stubborn one...
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST.

    Run About:Buster! And select the update button to get the database updated. Then exit About:Buster.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Okay part of the problem is the service I was mentioning. Here is what it shows in the log I had you post:
    SERVICE_NAME: ?%AF夶À¨
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\winvl.exe /s
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network Security Service (NSS)
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem


    Go to Start>Run and type regedit. Press enter.

    Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF夶À¨

    If ?%AF夶À¨¨ exists , right click on it and choose delete from the menu.

    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?%AF夶À¨

    If LEGACY_?%AF夶À¨ exists then right click on it and choose delete from the menu.

    If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

    Copy the contents of the Quote Box below to Notepad. Name the file as fix.reg
    Change the Save as Type to All Files Save this file on the desktop
    Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\winvl.exe
    C:\WINDOWS\crda32.exe
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksang.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksang.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ksang.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksang.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksang.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ksang.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {61704EFB-2CB9-E208-6F53-085E40335F62} - C:\WINDOWS\crfy.dll
    O4 - HKLM\..\Run: [crda32.exe] C:\WINDOWS\crda32.exe
    O4 - HKLM\..\Run: [4S6WZ4W5AHGT5Y] C:\WINDOWS\System32\Boi5X.exe
    O4 - HKLM\..\Run: [myrG.exe] C:\WINDOWS\system32\myrG.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\winvl.exe

    After clicking Fix, exit HJT.
    Use Windows Explorer to delete (if you cannot find these or delete them just continue):
    C:\WINDOWS\system32\ksang.dll
    C:\WINDOWS\crfy.dll
    C:\WINDOWS\winvl.exe
    C:\WINDOWS\crda32.exe
    C:\WINDOWS\System32\Boi5X.exe
    C:\WINDOWS\system32\myrG.exe

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! I do not want you to power down the normal way.


    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately reboot in normal mode. (you do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
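    The service block chaslang quotes from getservices.bat is the shape `sc qc` prints, and the traits he keys on (a service name that cannot be typed, a binary dropped straight into C:\WINDOWS, auto-start as LocalSystem) can be checked mechanically. The Python below is an added example written for this page; it is not MajorGeeks' GetService.zip or any Windows tool. Its sample input is constructed from the block quoted in this post plus one ordinary XP service (DNS Client) for contrast, and the LEGACY_ key is spelled exactly as the post gives it.

```python
r"""Triage of an 'sc qc'-style service dump like the GetService output in this post.
Added example for this page, not MajorGeeks' GetService.zip or a Windows tool.
It flags the traits the thread keys on and prints what the post has the user
remove by hand: the Services key, the LEGACY_ key and the binary on disk."""
import re

HIDDEN_NAME = "?%AF夶À¨"   # the service name exactly as post 16 shows it

# Constructed sample: the block quoted in post 16 plus one ordinary XP
# service (DNS Client) so a clean entry is visible for contrast.
SAMPLE_SC = rf"""
SERVICE_NAME: {HIDDEN_NAME}
(null)
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\WINDOWS\winvl.exe /s
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Network Security Service (NSS)
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k NetworkService
        DISPLAY_NAME       : DNS Client
        DEPENDENCIES       : Tcpip
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")
EXE_RE = re.compile(r'"?([A-Za-z]:\\.*?\.exe)"?', re.IGNORECASE)
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
LEGACY_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_"

def parse_services(text):
    """Split the dump into one dict per SERVICE_NAME block (lines without a
    KEY : value shape, such as the stray '(null)', are ignored)."""
    services, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = {key: value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services

def unprintable_chars(name):
    """Characters in a service name outside plain printable ASCII."""
    return [c for c in name if not 32 < ord(c) < 127]

def binary_of(svc):
    """Executable from BINARY_PATH_NAME, without arguments such as '/s' or '-k'."""
    raw = svc.get("BINARY_PATH_NAME", "")
    m = EXE_RE.match(raw)
    return m.group(1) if m else raw

def suspicious(svc):
    """Reasons this service deserves a look; an empty list means it looks ordinary."""
    reasons, exe = [], binary_of(svc)
    bad = unprintable_chars(svc.get("SERVICE_NAME", ""))
    if bad:
        reasons.append(f"name has {len(bad)} unprintable/non-ASCII characters; it cannot be typed into sc or services.msc")
    if WINROOT_RE.match(exe):
        reasons.append("binary sits directly in C:\\WINDOWS rather than System32")
    if "WIN32_SHARE_PROCESS" in svc.get("TYPE", "") and not exe.lower().endswith("\\svchost.exe"):
        reasons.append("claims a shared service process but is not hosted by svchost.exe")
    if reasons and "AUTO_START" in svc.get("START_TYPE", "") and svc.get("SERVICE_START_NAME") == "LocalSystem":
        reasons.append("auto-starts as LocalSystem, so it comes back on every boot with full privileges")
    return reasons

def removal_plan(svc):
    """What post 16 has the user remove for a flagged service. The LEGACY_ key is
    spelled as the post gives it; on a real system confirm it in the Enum\\Root listing."""
    name = svc["SERVICE_NAME"]
    return {
        "kill_process": binary_of(svc),
        "registry_keys": [SERVICES_KEY + name, LEGACY_KEY + name],
        "delete_file": binary_of(svc),
    }

if __name__ == "__main__":
    for svc in parse_services(SAMPLE_SC):
        reasons = suspicious(svc)
        print(repr(svc["SERVICE_NAME"]), svc.get("DISPLAY_NAME"), "->", reasons or "looks ordinary")
        if reasons:
            print("   ", removal_plan(svc))
```

    The unprintable-name check is the point of the exercise: a name like the one above cannot be typed into `sc` or services.msc, which is why the post sends the user to regedit, and why `repr()` is used when printing it. The shared-process check is only a yellow flag (third-party services can legitimately set that type), so it is never the sole reason an entry is flagged.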
     
  17. Seadogg

    Seadogg Private E-2

    Well, it doesn't seem to be fixed. When I first opened IE, it opened to Google, but then a popup came up and subsequent openings went to about:blank. Here is some detailed description of what happened during the process:

    I found the "folder" ?%AF夶À¨, but I didn't see ?%AF夶À¨¨ under it. I wasn't sure if I was supposed to delete the entire ?%AF夶À¨ so I didn't.

    I didn't find LEGACY_?%AF夶À¨ under \Root

    At first I didn't find either of these, but later I was able to end winvl.exe
    This all went fine.

    Use Windows Explorer to delete (if you cannot find these or delete them just continue):
    C:\WINDOWS\system32\ksang.dll Deleted
    C:\WINDOWS\crfy.dll Deleted
    C:\WINDOWS\winvl.exe Access denied until I was able to quit it via process manager
    C:\WINDOWS\crda32.exe Access denied and I couldn't find it in the process manager
    C:\WINDOWS\System32\Boi5X.exe Didn't see this one
    C:\WINDOWS\system32\myrG.exe Didn't see this, but did see myrg.dll (didn't delete)

    Everything else went just as planned.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you were supposed to delete those registry keys. I did not say look under ?%AF夶À for ?%AF夶À

    I said look for:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF夶À¨

    and if it exists delete it.

    It is one of the keys to cleaning this problem. You must fix the registry entries.

    Note: I cannot continue with any fixes if you don't complete my instructions. Please read the last 10 lines again! And also delete the above Services entry.
     
    Last edited: Jan 23, 2005
  19. Seadogg

    Seadogg Private E-2

    Sorry I didn't post those logs last time, although I did complete all the steps. I just went through all of them again, and the process was almost exactly the same as the first time. I deleted the registry keys, but I was still unable to delete C:\WINDOWS\crda32.exe (access denied and I couldn't find it in the process manager). My symptoms are still the same - now it has added some bookmarks to my IE program as well. Here are the logs from the second time through. Again, I appreciate all your help.
     

    Attached Files:

  20. Seadogg

    Seadogg Private E-2

    And the HJT log...
     

    Attached Files: hjt.log
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, your problem has mutated. Now you have Remote Procedure Call (RPC) Helper as the hidden service.

    You also have picked up an Adult content dialer:
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe

    Where have you been going?

    Do you have a firewall installed?

    Do not shutdown or reboot your PC now or it could mutate again.

    I think it is time for you to try running the steps in: When all else fails - Generic Solution to HSA (Only the Best) & about:Blank hijack
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are the lines of concern that you will need when doing the Generic Procedure

    C:\WINDOWS\mfcsb.exe
    C:\WINDOWS\System32\tibs3.exe
    C:\WINDOWS\crda32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kdfik.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kdfik.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kdfik.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kdfik.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kdfik.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kdfik.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {658C71E5-532A-5C37-E08E-EB815DC98550} - C:\WINDOWS\iesn32.dll
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [crda32.exe] C:\WINDOWS\crda32.exe
    O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\mfcsb.exe
     
  23. Seadogg

    Seadogg Private E-2

    I haven't gone anywhere but this website and the hijacked home page.
    My computer goes through a router, which has a firewall. Is this good enough? I'm going to start the generic solution. If it doesn't work, maybe I'll reformat my drive...
     
  24. Seadogg

    Seadogg Private E-2

    After two more hours of work with the general solution, it seems clean so far. Here are the new log files. Thanks so much for all your help; I'll post again after I've rebooted a couple times and am sure it worked.
     

    Attached Files:

  25. Seadogg

    Seadogg Private E-2

    And the hjt log
     

    Attached Files:

  26. Seadogg

    Seadogg Private E-2

    I've done some reboots and surfing and everything seems fine. I tried to update Windows with service packs, but it's not working - I think I might have a pirated copy. I had thought it was a good copy (bought my computer over eBay several years ago) but I guess not. With regard to IE, what do you think of Firefox? I've had a few people recommend it to me as more secure. Thanks again for everything!

    Carl
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    The Generic Solution seems to have done its job again! You look clean!
    I've been trying to avoid using it lately because it is long and complicated but it almost always works (I say almost because new strains appear all the time and it may require tweaking to fix them.)

    Read and do the stuff here: How to Protect yourself from malware!

    See step 8 in reference to FireFox.

    Earlier you asked about your hardware firewall being good enough. No it isn't, get one of the software ones I list.
     
