about:blank and Trojan.Downloader

Discussion in 'Malware Help (A Specialist Will Reply)' started by flipflop, Aug 27, 2005.

  1. flipflop

    flipflop Private E-2

    Greetings Geeks and Geekettes;

    Well...after 12 hours of spyware downloads and 3 hours of scanning...IE still defaults to about:blank.

    There were a couple of issues I ran into while following the Four Commandments post. All the prelim. stuff was done (disable system restore, stop/disable services [Network Security Service], enable views, etc.) All the spyware was downloaded. BUT I couldn't boot in safe mode AND establish an internet connection. Tried the IC wizard (while in safe mode), but was only offered the option of configuring a cable internet connection; the dialup and the LAN options were greyed out. Huh!

    So the only option was to boot normal and run BitDefender; which found and fixed a slew of stuff, but was unable to disinfect and/or delete 3 trojans in C\Window\System32\mfcyr.exe (Trojan.Downloader.Agent.BQ and BI; Genpak.Trojan.Agent.BI) and Downloader.Winshow.AK in C:\Windows\System32\xobcy.dll. Unable to install RAV Antivirus, as IE errored out during the definition download.

    Then went back to the plan in the post, booting in safe mode and running all the downloaded spyware programs. Very productive. AdAware found 26 Alexa and CWS objects and fixed them; Spybot found Trek Blue Error Nuker (and NOT all the CWS's it found in previous runs) and fixed it; Kill2Me found Look2me and killed it; and HSR found 26 objects and fixed them. Things were looking up!

    Did a normal restart and made an internet connection. HSR's page came up telling me that I was (they hoped) free of hijackers. Be still my heart! Went to my favorite website to set as default homepage, hit apply, OK, closed IE, opened IE again and....about:blank was my homepage. Crap!

    Let me know if you want HJT log files; as I downloaded that program too, just in case I needed it. I hate being right that way. Oh, and maybe you could point me to a thread that discusses why the H-E-double toothpicks Norton didn't pick up the Downloader.Trojan (it's on their list!) in the first place. Also, maybe you could tell me where the MS Malware Protection Tool downloaded during a pre-scan Windows update went. MS Help is, of course, an oxymoron on this issue.

    Thanks in advance for any consideration

    flip
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Question: did you find any of the bad services (step 2 of the READ ME) running? Are they still running? Quite often they will respawn and even change to one of the other service names. This may happen after each reboot.

    Please follow the steps below exactly as written:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    IMPORTANT: DO NOT REBOOT OR POWER DOWN AFTER POSTING THE ABOVE LOG! WAIT FOR INSTRUCTIONS TO BE POSTED. You can disconnect your cable to the internet for security or lock the internet with a firewall if desired.
     
  3. flipflop

    flipflop Private E-2

    Yes, Network Security Service was found and stopped/disabled initially. Now I see that it was running again, so it is stopped/disabled again. The other two were not found before or now.

    HJT log from 5 minutes ago attached (after re-stopping bad service).

    Will await your re-post. thanks
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The service does not look stopped and disabled in your log. I would bet one of the other processes is restarting it. Probably D:\WINDOWS\system32\mfcyr.exe is causing it to restart. Let's try the below.

    You need to disable SpybotSD TeaTimer because it will get in our way.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    Now quit Spybot!

    Please download the following tool: Pocket KillBox

    Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.

    Your OS and IE versions are way out of date and represent a major security risk. After we fix your current problems, you must get updated. We will cover this later.

    Let's try a simple approach to fixing your HSA infection. This may or may not work. Depends on whether there are other hidden processes that we are not seeing right now.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    D:\WINDOWS\system32\mfcyr.exe
    D:\WINDOWS\system32\javazk32.exe

    After killing all the above processes, click the "Back" that is right under the Process window. And just leave HijackThis running for now.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Network Security Service (or if not found look for 11Fßä#·ºÄÖ`I) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Network Security Service

    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    NOTE: There is a space in front of the 11F so make sure you start with a space.
    You will need to cut and paste the short name since the characters are not easily typed.

    Now click the back button on the lower right side of the HJT window.

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\srbpy.dll/sp.html#12047
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\srbpy.dll/sp.html#12047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\system32\srbpy.dll/sp.html#12047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\srbpy.dll/sp.html#12047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\srbpy.dll/sp.html#12047
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\srbpy.dll/sp.html#12047
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\srbpy.dll/sp.html#12047
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {2FD6FA5C-0926-8DFD-5D77-4533A2EF1BD2} - D:\WINDOWS\apirz32.dll
    O2 - BHO: Class - {D197DBF5-A960-6CAE-20A1-FFCAF4879290} - D:\WINDOWS\system32\addux32.dll
    O2 - BHO: Class - {F8BC1A45-7B4A-22E4-33E9-C2F9AB913A1B} - D:\WINDOWS\system32\msaa.dll
    O4 - HKLM\..\Run: [mfcyr.exe] D:\WINDOWS\system32\mfcyr.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - D:\WINDOWS\system32\javazk32.exe

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox.

    Now, Copy and Paste D:\WINDOWS\system32\srbpy.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste D:\WINDOWS\apirz32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    Now, Copy and Paste D:\WINDOWS\system32\addux32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste D:\WINDOWS\system32\msaa.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    Now, Copy and Paste D:\WINDOWS\system32\javazk32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste D:\WINDOWS\system32\mfcyr.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself.

    Now get a new HJT log and post it here. And tell us how these steps went and how things are working.

    PLEASE DO NOT REBOOT after posting your log. If you are still infected, it could mutate making the next steps I would post ineffective.
     
  5. flipflop

    flipflop Private E-2

    Hey chas;
    Well, shoot...didn't work. The process went as directed until I got to killing javak32 in Pocket KillBox. It said "...already closed, or protected by Windows". In services.msc, found Network Security Service and stopped/disabled, but did find 11FB... The 'Delete NT Service' in HJT did find 11FB... Now, your instructions did not SAY to delete the service, just click back and scan; so I didn't. Sorry if that was overly literal and that messed up the process.

    Anyway, the HJT scan revealed R1 about:blank, R3 SearchHook missing, O4 mfcyr.exe, O4 SchedulerV2, O9 extra button (no name)...bdoscandel.exe and O9 extra tools...bitdefender...bdoscandel.exe. That's it. Fixed what was found. All of this was done with no browser or programs running. (NOTE: most if not all are back according to the latest log)

    I ran P KillBox and typed in the first item D:\...srbpy.dll; then realized the printout I was looking at said to copynpaste; so I started up IE again to get back to this thread. Again, I hope my literal-ity in reading the instructions didn't mess things up.

    Anyway, P KillBox found apirs32, javazk32 and mfcyr; all selected for delete on re-boot; which I did...went online...and here we are.

    Looking forward to your reply. No, really :)
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My instructions did say to Delete the Service.

    Opening your browser in the middle of the process was not a good idea. It is best to stay totally disconnected with all browsers closed when fixing these things.

    Your old OS and no firewall are making this more difficult. What type of internet connection do you have (dial-up, cable, DSL)? We really need to get some Windows Updates installed since you are so out of date. I don't like doing them while there is still an infection but we sometimes have no choice. They will be quite large. We will not do this yet, but we may have to.

    We are going to need to get some other protection installed on your PC first. Let's start with a firewall.

    Goto this thread: How to Protect yourself from malware!
    And see step 3 and install one of the two free firewalls. After installing it make note of anything that you get popups on trying to get in or out of your PC. If you do not recognize it, do not allow it any access.

    Follow the steps below.

    - First run CCleaner before doing the below.


    - Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report. And tell me if you are still having any problems. This log could get quite large and you may need to compress it into a ZIP file to upload it.


    Post this Ewido log and then go back and run the Ewido steps again and post the second log in a new message.
     
  7. flipflop

    flipflop Private E-2

    My bad on the faux pas.
    You said:
    "Your old OS and no firewall are making this more difficult. What type of internet connection do you have (dial-up, cable, DSL)? We really need to get some Windows Updates installed since you are so out of date"

    Attached are txt files on the OS and my update history...latest of which was Aug 25th. I am running a dial-up at 21.6-24.0 Kbps...yup "K"bps...I'm lucky to get a dial tone.

    Am preparing to follow the latest instructions, will re-post with results.

    Thanks for your patience.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Windows XP is up to SP2 level. You are still on just plain old WinXP from the last log you posted. Even WinXP SP1 or SP1a would be very useful. With dial-up speeds, that will take a long time.

    I'll be waiting for the other logs.
     
  9. flipflop

    flipflop Private E-2

    Oh dear;
    Well, I overnight downloaded SP2 for XP and installed. Then installed a firewall (turned off XP's); loaded and ran Ewido per instructions, then safe booted and ran Ewido again. Saved the report (106 items found) and normal booted. Attempted to get back on the 'net, but every page tried gave me a DNS not found error. Even about:blank couldn't find a place to go. On the positive side, the web settings were reset to default....and stuck! I am posting this from a work computer.

    May I assume that Ewido needs a backup restore? Since I can't communicate through my infected computer, I will get the reply off of WEBtv...now THERE's a stable system :)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I really did not want you to do a WinXP SP2 upgrade. Sorry if that was not stated very clearly. I wanted to see the results of the two Ewido scans before deciding what to do next.


    Please post a current HJT log if you can. Also post the Ewido logs.
     
  11. flipflop

    flipflop Private E-2

    Things seem to be going well now. Pretty much. about:blank is gone. Ewido scans 0 objects. First cold boot since this a.m. went like this ... sygate 'encountered a problem' error over top of d-box for SG registration (closed both) > launch IE > auto to msn.com (my pick prior to last shutdown) > Ewido update popup > MG.com > read posts > Home via icon > msn.com (what a wonderful feeling that was) > closed IE > re-opened IE > auto msn.com (whew!) > exit IE > disconnect > re-start. Launch IE > same 2 sygate d-boxes + one sygate box about Generic Host Process for Windows/system32 has changed...wants access to the network..and before I could click No or CnP the text, it vanished and the website went DNS error > same error all websites. exit IE > re-start > launch IE > here I am, feeling pretty good, but a little jumpy yet.

    Before reports from HJT and Ewido in this post; afters to follow.

    If this works I will remember MajorGeeks.com in my will. :)
     

    Attached Files:

  12. flipflop

    flipflop Private E-2

    Afters
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You are still infected but we got rid of a load of hidden files related to the infection.

    We have some more work to do. Do not power down or reboot. Give me some time to work up another fix.

    The bad service is now:

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - D:\WINDOWS\system32\winxo32.exe (file missing)

    See if you can locate it and stop and disable it now. Make sure it stays stopped and disabled. Let me know. Also see if you can see the file: D:\WINDOWS\system32\winxo32.exe
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I don't know if you found the service to stop and disable so I'll include the instructions here.

    You MUST now copy (do it right now) the steps below locally to your PC so you can run them while offline with NO BROWSERS opened during the whole time. Also you will need to be able to copy and paste in a strange set of characters so you must have copied this locally.

    OK! Exit all browsers and physically unplug your cable to the internet now. Do this before continuing.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Workstation NetLogon Service (or if not found look for 11Fßä#·ºÄÖ`I) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Workstation NetLogon Service

    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    NOTE: There is a space in front of the 11F so make sure you start with a space.
    You will need to cut and paste the short name since the characters are not easily typed.

    Now exit HJT but do not reboot if it tells you one is needed.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Now restart HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\urvgy.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\urvgy.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\urvgy.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Class - {6537283D-964A-CBD4-C67B-7091E7AC8979} - D:\WINDOWS\msbn32.dll (file missing)
    O2 - BHO: Class - {6D02CB4B-4013-E595-ADFC-13B9C08788F9} - D:\WINDOWS\system32\ipgu32.dll (file missing)
    O2 - BHO: Class - {FD55E8C7-3546-B25A-6A5D-99EFC7458DF8} - D:\WINDOWS\system32\mfcli.dll (file missing)
    O4 - HKLM\..\Run: [sysit32.exe] D:\WINDOWS\system32\sysit32.exe
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - D:\WINDOWS\system32\winxo32.exe (file missing)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox. (note: if pocket killbox does not find any of the below files, just keep on going to the next steps).


    Now, Copy and Paste D:\WINDOWS\msbn32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.



    Now, Copy and Paste D:\WINDOWS\system32\ipgu32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    Now, Copy and Paste D:\WINDOWS\system32\mfcli.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.



    Now, Copy and Paste D:\WINDOWS\system32\winxo32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    Now, Copy and Paste D:\WINDOWS\system32\sysit32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    At this point I want you to physically pull the power plug (yes that's what I said) to your PC. We need to do this to prevent a graceful shutdown which is where the problem can respawn. After shut down, wait a minute and then plug your cable back in.


    Now reconnect your cable to the internet and open and close your browser a couple times (don't surf - just open and close).

    Now with all browsers closed, get a new HJT log.
    Now come back here and post your log.
    And tell us how these steps went and how things are working.


    PLEASE DO NOT REBOOT after posting your log. If you are still infected, it could mutate making the next steps I would post ineffective.
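    An added illustration, not part of this thread and not chaslang's or HijackThis's own code: the entries chaslang asks to have fixed in posts 4 and 14 share a pattern (IE start/search pages pointing at res:// resources inside a DLL, BHOs named only "Class", a Run value that is just the exe name, and a service with an unknown owner whose short name starts with a space and contains characters that cannot be typed). The Python below parses HJT-style lines, applies those triage heuristics (my assumptions, not rules from HJT), and then compares the two rounds to show what post 13 describes: the service short name survives while its display name and binary change. The sample lines are constructed from the entries quoted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: a subset of the HJT lines quoted in post 4
# (first fix) and post 14 (second fix) of this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\srbpy.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2FD6FA5C-0926-8DFD-5D77-4533A2EF1BD2} - D:\WINDOWS\apirz32.dll
O4 - HKLM\..\Run: [mfcyr.exe] D:\WINDOWS\system32\mfcyr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - D:\WINDOWS\system32\javazk32.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\urvgy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Class - {6537283D-964A-CBD4-C67B-7091E7AC8979} - D:\WINDOWS\msbn32.dll (file missing)
O4 - HKLM\..\Run: [sysit32.exe] D:\WINDOWS\system32\sysit32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - D:\WINDOWS\system32\winxo32.exe (file missing)
"""


@dataclass
class Entry:
    section: str                                   # HJT tag: R0, R1, R3, O2, O4, O9, O23 ...
    body: str                                      # text after "R1 - ", "O23 - " etc.
    fields: Dict[str, str] = field(default_factory=dict)  # parsed sub-fields, if any


LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
VALUE_RE = re.compile(r"^(?P<key>.*?) =\s*(?P<value>.*)$")                                      # R0/R1
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")      # O2
RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>.*?)\] (?P<path>.*)$")                         # O4 Run keys
SVC_RE = re.compile(r"^Service: (?P<display>.*?) \((?P<short>.*?)\) - (?P<owner>.*?) - (?P<path>.*)$")  # O23
SUB_PATTERNS = {"R0": VALUE_RE, "R1": VALUE_RE, "O2": BHO_RE, "O4": RUN_RE, "O23": SVC_RE}


def parse_hjt(text: str) -> List[Entry]:
    """Turn HJT log text into Entry objects; non-entry lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = Entry(m.group("section"), m.group("body"))
        pattern = SUB_PATTERNS.get(entry.section)
        sub = pattern.match(entry.body) if pattern else None
        if sub:
            entry.fields = sub.groupdict()
        entries.append(entry)
    return entries


def flag_entries(entries: List[Entry]) -> List[str]:
    """Heuristic triage (assumptions, not HJT's own rules) for the entry kinds seen here."""
    findings = []
    for e in entries:
        f = e.fields
        if e.section in ("R0", "R1") and f:
            if f["value"].lower().startswith("res://"):          # start/search page inside a local DLL
                findings.append(f"{e.section}: {f['key']} -> local DLL resource {f['value']}")
            elif f["value"] == "about:blank":                    # the symptom this thread is about
                findings.append(f"{e.section}: {f['key']} forced to about:blank")
        elif e.section == "R3" and "missing" in e.body:
            findings.append("R3: default URLSearchHook has been removed")
        elif e.section == "O2" and f.get("name") == "Class":     # BHO with a placeholder name
            findings.append(f"O2: BHO with placeholder name 'Class' loads {f['path']}")
        elif e.section == "O4" and f:
            exe = f["path"].rsplit("\\", 1)[-1].lower()
            if f["name"].lower() == exe and "\\system32\\" in f["path"].lower():
                findings.append(f"O4: Run value [{f['name']}] starts {f['path']}")
        elif e.section == "O23" and f:
            short = f["short"]                                   # leading space or non-ASCII = untypeable
            untypeable = short != short.strip() or any(not 32 < ord(c) < 127 for c in short)
            if f["owner"] == "Unknown owner" and untypeable:
                findings.append(f"O23: service '{f['display']}' (short name {short!r}) -> {f['path']}")
    return findings


def persisting_services(before: List[Entry], after: List[Entry]) -> List[dict]:
    """Services whose short (registry) name survived a cleanup round but now show a
    different display name or binary: the respawn/mutation described in posts 2 and 13."""
    old = {e.fields["short"]: e.fields for e in before if e.section == "O23" and e.fields}
    moved = []
    for e in after:
        prev = old.get(e.fields.get("short")) if e.section == "O23" else None
        if prev and (prev["display"] != e.fields["display"] or prev["path"] != e.fields["path"]):
            moved.append({"short": e.fields["short"], "old_display": prev["display"],
                          "new_display": e.fields["display"], "old_path": prev["path"],
                          "new_path": e.fields["path"]})
    return moved


if __name__ == "__main__":
    first, second = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for label, entries in (("first log", first), ("second log", second)):
        print(f"== {label}")
        for line in flag_entries(entries):
            print("  " + line)
    for svc in persisting_services(first, second):
        print(f"== short name {svc['short']!r} survived: {svc['old_display']} -> {svc['new_display']}, "
              f"{svc['old_path']} -> {svc['new_path']}")
```

    The comparison step is the part worth keeping: when a display name and binary change between logs but the short name (the real registry key under the Services key) does not, that is the same service being re-registered, which is why the instructions above delete it by short name rather than by the name shown in services.msc.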
     
  15. flipflop

    flipflop Private E-2

    Ok, tons of fun. Stopped all browsers and pulled phone jack.

    Was able to find WNL Service and disable > Apply (was already stopped, but set to Auto) > curiosity took me to the Log On tab, where it showed Hardware Profile 1 ENABLING the service, so set to Disable > Recovery tab > set 'no action' on all fails > apply > ok.

    >HJT > Delete NT Service > WNL Service not found > copied character name from Word doc > not found > copied character name from Notepad > FOUND and deleted (this time!) > Sys Restore still off; Hide files still unchecked.

    >HJT > and found every line but 023 WNL Service > Fixed > exit. > reset web settings > no option for Delete Offline content > ran P KillBox > 0 finds.

    > PULLED THE PLUG > Re-energized and re-connect phone jack > on re-boot, Sygate error msg (happens on every boot - file attached to next post) > don't send > checked taskmanager and DrW running furiously (70% of CPU), frozen dialog boxes > DrW Postmortem error msg (file attached to next post) > stopped service on DrW in Taskmanager > d-boxes cleared.

    >IE > MajorGeeks > DNS error (several attempts) > ran HJT to gen log (attached) no choice but to shutdown > choice of Off 'with' updates or Off 'without', selected 'with' > shutdown w/ "update 1 of 1" on splash screen > finished with auto Power Off.

    Cold start > Sygate error msg > IE > MajorGeeks > exit IE > IE > MajorGeeks (Ewido did auto update) > exit IE > HJT to gen log (attached) > IE > MajorGeeks > where I am now.

    Couple of questions: 1)the NWL Services properties box, in the Log On tab has a password option. If this was set, would this thwart a respawn? Or should I just shut up? 2) Overall, the cleanup is working well; should I be concerned about the Sygate and DrW errors at re-boot - or is that for another forum? 3) Since Ewido is running, I have disabled Norton auto-protect - is that advisable? Since it "saw" but did nothing about the original Trojan.Downloader I am suspect of it.
     

    Attached Files:

  16. flipflop

    flipflop Private E-2

    Sygate and DrW Postmortem error msg texts
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log is clean now.

    Are you still having malware problems?

    I would not disable Norton's autoprotect. You still need it or another antivirus application. Don't forget that Ewido is also just a 15 day trial too and it works together with your AV to provide greater protection.
     
  18. flipflop

    flipflop Private E-2

    That's good news, chas. Thanks for all your help. You are a Geek god! This forum is a great service to the internet community. Your mother must be proud of you.

    No popups (Google blocker says -0-, has for days). Web home access is stable. No recent DNS errors. Services are clear. I plan on a re-boot and shakedown cruise real soon, here. My hope is THIS post is my last. :D Although I will still hang onto my notes from this session, you betcha'.

    If the DNS error problem (and other issues like an A: drive check about 3 min after launching IE; double refresh of desktop icons at system startup; "send error report" msgs at startup for Sygate and DrW) don't clear up at next re-boot, I think I'll cruise the other forums. I certainly will update IE, and look into an alternative browser. I definitely plan to buy Ewido - seems cheap enough.

    Thanks again
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

