about:blank Hijacker

Discussion in 'Malware Help (A Specialist Will Reply)' started by fblackston, Aug 8, 2006.

  1. fblackston

    fblackston Private E-2

    Please bear with me, because I don't know much about these things, but I think I have this malware on my laptop. I did steps 1-6 of READ & RUN ME FIRST, and then proceeded with the steps on the Generic Solution for this malware. I'm attaching my HijackThis log, but I don't know how to attach the about:buster log. This is the malware where I keep getting directed to an antispynet website.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You do not have an about:blank hijacker but you do have other issues. To name a couple, you have Virtumonde and Winlogonhook/conhook.

    However you need to follow the instructions in the READ ME properly.

    You did not attach the 5 logs as requested, you did not install HijackThis properly, and you did not rename HijackThis.exe as requested. This is very important, especially since you have one of the infections which is the main reason for renaming it.

    So you must install HijackThis properly (see step 7) and you must rename it. You also must attach the below logs:

    runkeys.txt - the log from GetRunKey.bat
    newfiles.txt - the log from ShowNew.bat
    Bitdefender - from step 6
    Panda Scan - from step 6
    HijackThis <---- after installing it properly and renaming it
     
  3. fblackston

    fblackston Private E-2

    Yes, I realized this when I got home and read the instructions again (the computer is at my work). I have all of these attachments - I will send them when I get back to work. I'll re-read the directions for HijackThis and send that too.
    Thanks.
     
  4. fblackston

    fblackston Private E-2

    Here are my logs. Thanks for your help.
     

    Attached Files:

  5. fblackston

    fblackston Private E-2

    Here are the rest...
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see you are still logged in! Hang on for a while and I will be posting a fix for you.
     
  7. fblackston

    fblackston Private E-2

    I anxiously await your answer! :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you had a load of problems as the below will show you!!!!!


    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of win32hp.dll once and then click the kill button. After you have killed all of the win32hp.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below two DLLs:
    fusstub.dll

    Next double click on explorer.exe and again click once on each instance of win32hp.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below two DLLs:
    fusstub.dll

    Now just exit Process Explorer.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\system32\smartdrv.exe
    C:\WINDOWS\system32\officescan.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
    O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
    O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
    O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
    O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
    O2 - BHO: (no name) - {87185E78-A61B-4DB3-965A-3235BBD7A622} - C:\WINDOWS\system32\win32hp.dll
    O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
    O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll
    O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
    O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
    O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\fusstub.dll


    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\R1TUDWF7\ctxad-309[1].0000
    C:\WINDOWS\alexaie.dll
    C:\WINDOWS\alxie328.dll
    C:\WINDOWS\alxtb1.dll
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\dlmax.dll
    C:\WINDOWS\Pynix.dll
    C:\WINDOWS\susp.exe
    C:\WINDOWS\system32fab.exe
    C:\WINDOWS\ZServ.dll
    C:\WINDOWS\system32\0.1810114.exe
    C:\WINDOWS\system32\1310.exe
    C:\WINDOWS\system32\a.exe
    c:\windows\system32\alxres.dll
    c:\windows\system32\bridge.dll
    C:\WINDOWS\system32\cisluiun.exe
    C:\WINDOWS\system32\dakar.exe
    c:\windows\system32\dailytoolbar.dll
    C:\WINDOWS\SYSTEM32\fusstub.dll
    c:\windows\system32\jao.dll
    C:\WINDOWS\system32\officescan.exe
    c:\windows\system32\office_pnl.dll
    c:\windows\system32\questmod.dll
    C:\WINDOWS\system32\runsrv32.exe
    C:\WINDOWS\system32\runsrv32.dll
    C:\WINDOWS\system32\smartdrv.exe
    c:\windows\system32\smaexp32.dll
    C:\WINDOWS\system32\susp.exe
    C:\WINDOWS\system32\tcpservice2.exe
    c:\windows\system32\txfdb32.dll
    c:\windows\system32\udpmod.dll
    c:\windows\system32\win32hp.dll
    c:\windows\system32\winblsrv.dll
    c:\windows\system32\wstart.dll
    C:\WINDOWS\system32\xidzdqdu.exe
    C:\WINDOWS\system32\xvkzpulu.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Also attach new logs from GetRunKey and ShowNew.
    Make sure you tell me how things are working now!
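    The fix above is driven by reading the HijackThis log for a handful of patterns: R0 start-page hijacks, O2 BHO entries whose DLL is gone or lives in the Windows directory, O4 Run keys pointing into system32, and O20 Winlogon Notify DLLs (which load inside winlogon.exe, the reason the thread has to kill threads there with Process Explorer). The script below is an added example of that triage, not code from HijackThis, MajorGeeks or anyone in this thread. SAMPLE_LOG is a constructed log modelled on the lines quoted above plus two benign lines for contrast; EXPECTED_START_HOSTS, KNOWN_NOTIFY_KEYS, KNOWN_WINDIR_RUN and WINDOWS_DIRS are assumptions to tune per machine, not HijackThis rules.

```python
"""Triage of HijackThis-style log lines (R0 / O2 / O4 / O20).

Added example for this thread; not code from HijackThis, MajorGeeks or the
poster. SAMPLE_LOG is constructed; the allow-lists below are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample in the format HijackThis prints.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {87185E78-A61B-4DB3-965A-3235BBD7A622} - C:\WINDOWS\system32\win32hp.dll
O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\fusstub.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\avtray.exe
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumptions (tune per machine): hosts the IE start page may legitimately
# point to, the Winlogon Notify packages an XP install ships with, and Run
# entries under the Windows directory that are normal.
EXPECTED_START_HOSTS = {"about:blank", "www.msn.com"}
KNOWN_NOTIFY_KEYS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                     "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
KNOWN_WINDIR_RUN = {"ctfmon.exe"}
WINDOWS_DIRS = ("c:\\windows\\",)

R0_RE = re.compile(r"^R0 - .*Start Page = (?P<url>\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.I)   # executable part of a Run command


@dataclass
class Finding:
    section: str   # HijackThis section tag: R0, O2, O4, O20
    detail: str    # the path, CLSID or URL that triggered the finding
    reason: str


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIRS)


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if it looks benign/unknown."""
    line = line.strip()
    if m := R0_RE.match(line):
        url = m["url"]
        host = urlsplit(url).hostname or url.lower()   # about:blank has no host
        if host not in EXPECTED_START_HOSTS:
            return Finding("R0", url, "start page points at an unexpected host")
        return None
    if m := O2_RE.match(line):
        if m["path"] == "(no file)":
            return Finding("O2", m["clsid"], "BHO CLSID still registered but its DLL is gone")
        if in_windows_dir(m["path"]):
            return Finding("O2", m["path"], "BHO loaded from the Windows directory; verify publisher")
        return None
    if m := O4_RE.match(line):
        exe_m = EXE_RE.match(m["cmd"])
        exe = exe_m["exe"] if exe_m else m["cmd"]
        if in_windows_dir(exe) and ntpath.basename(exe).lower() not in KNOWN_WINDIR_RUN:
            return Finding("O4", f"[{m['name']}] {exe}", "autorun from the Windows directory not on the allow-list")
        return None
    if m := O20_RE.match(line):
        if m["key"].lower() not in KNOWN_NOTIFY_KEYS:
            # Notify DLLs load into winlogon.exe as SYSTEM, so an unknown one is a priority.
            return Finding("O20", f"{m['key']} -> {m['path']}", "unknown Winlogon Notify DLL")
        return None
    return None


def triage(log: str) -> List[Finding]:
    return [f for f in (parse_line(ln) for ln in log.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.detail}")
```

    Paste a real log into `triage()` and every flagged line maps onto the same R0/O2/O4/O20 entries you would select in HijackThis; the allow-lists are deliberately small, so expect to review the hits rather than treat them as verdicts.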
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also after completing the fix in my previous message, let's get your Sun Java version updated. You are running J2SE Runtime Environment 5.0 Update 5 which is out of date.

    Get the new version from here: Sun Java Runtime Environment and install it. Afterwards go to Add/Remove programs and uninstall the above mentioned old version.
     
  10. fblackston

    fblackston Private E-2

    Thanks so much. I am leaving work now, but will run these at home and post what you requested.
     
  11. fblackston

    fblackston Private E-2

    Help!! I printed your instructions and thought I was only supposed to copy REGEDIT4 because the rest of it was on the next page. I double clicked it and merged it to the registry. What do I do now? :confused:
    Also, as a side note, when I followed the instructions for the Process Explorer, none of the files listed showed. Is this okay?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do it correctly now!

    Did you read what the instructions said? I quote:

     
  13. fblackston

    fblackston Private E-2

    Thanks for your quick reply. I was worried that I messed up the registry entering just the one line. Also just so you know, I did read the instructions, but you didn't write "just continue" after the fusstubb.dll, so I was concerned about that one. What can I say, I'm not a computer tech. Thanks again. I will continue on :)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    LOL! But what does
    mean to you! :D
     
  15. fblackston

    fblackston Private E-2

    I understand that to you "major geeks" this is ridiculously obvious, but to us "minor geeks"... not so much. Plus when it comes to computers, I make it a personal rule not to assume anything because I typically just make an a** out of myself :) Anyhoo... I've attached the new logs and things seem to be running okay. No popups and I haven't been directed to any websites.

    I thank you for your help and for making this website possible for people like me.
     

    Attached Files:

  16. fblackston

    fblackston Private E-2

    I forgot to mention that I did not receive this message:
    PendingFileRenameOperations prompt
    Thanks again.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, it does not sound ridiculous. It is just something that we can easily overlook in putting together fix procedures. What may seem perfectly clear to us just may not be to others, especially when they are PC novices. This is part of the reason the READ & RUN ME looks so big. There is a ton of explanatory text in there just to make it clear for everyone! The key is that we need to have a happy medium for all. If we explain everything in great detail it prevents us from being able to answer as many threads in the same time frame. Also, in boilerplate type messages, too many people who see a massive post just quit before trying instead of just taking it one step at a time. In short, I will modify my message for using Process Explorer to make sure it is more clear for everyone to continue if the DLLs are not found.

    Also the Pending Operations message text needs to be modified. This is not something that is supposed to be seen. It is an unexpected message that could happen and we just want you to continue by clicking OK. And then to tell us if it did occur because it could impact the fix. Thus I will be changing this:

    Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    into this

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    Hopefully this is more clear!
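    The PendingFileRenameOperations prompt discussed above concerns the registry value that "Delete on Reboot" tools use: a deferred MoveFileEx (MOVEFILE_DELAY_UNTIL_REBOOT) appends a source/target pair to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and the session manager applies those pairs early in the next boot, before the files are locked. A source carries the NT prefix `\??\`, an empty target means delete, and a target beginning with `!` means replace an existing file. The script below is an added example of decoding that value and checking that every file you meant to remove is actually queued, not code from Pocket Killbox, MajorGeeks or anyone in this thread. SAMPLE_PENDING is a constructed value: two of the thread's files queued for deletion plus an unrelated rename already in the queue, the kind of pre-existing entry worth inspecting before rebooting; `parse_pending`, `queue_delete`, `not_yet_queued` and `foreign_ops` are names chosen here.

```python
"""Decode a PendingFileRenameOperations value and audit a delete-on-reboot queue.

Added example for this thread; not code from Pocket Killbox, MajorGeeks or the
poster. SAMPLE_PENDING is constructed; on a live machine you would read the
value with winreg (not done here, so this runs offline anywhere).
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set

NT_PREFIX = "\\??\\"   # Win32-to-NT path prefix the loader writes into the value

# Constructed: fusstub.dll and win32hp.dll queued for deletion (empty target),
# plus a replace-existing rename somebody else queued before us.
SAMPLE_PENDING: List[str] = [
    r"\??\C:\WINDOWS\system32\fusstub.dll", "",
    r"\??\C:\WINDOWS\system32\win32hp.dll", "",
    r"\??\C:\WINDOWS\Temp\setup123.tmp", r"!\??\C:\WINDOWS\system32\drivers\example.sys",
]


@dataclass(frozen=True)
class PendingOp:
    source: str
    target: str             # "" means "delete source at boot"
    replace_existing: bool  # target carried a leading "!" (MOVEFILE_REPLACE_EXISTING)

    @property
    def is_delete(self) -> bool:
        return self.target == ""


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending(values: Sequence[str]) -> List[PendingOp]:
    """Turn the flat REG_MULTI_SZ list into (source, target) operations."""
    if len(values) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    ops: List[PendingOp] = []
    for src, dst in zip(values[0::2], values[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append(PendingOp(_strip_nt_prefix(src), _strip_nt_prefix(dst), replace))
    return ops


def queue_delete(values: Sequence[str], path: str) -> List[str]:
    """The value as it looks after a tool queues `path` for deletion at reboot."""
    return list(values) + [NT_PREFIX + path, ""]


def scheduled_deletes(values: Sequence[str]) -> Set[str]:
    return {op.source.lower() for op in parse_pending(values) if op.is_delete}


def not_yet_queued(values: Sequence[str], wanted: Iterable[str]) -> List[str]:
    """Files from your removal list that are NOT scheduled for deletion yet."""
    queued = scheduled_deletes(values)
    return [p for p in wanted if p.lower() not in queued]


def foreign_ops(values: Sequence[str], ours: Iterable[str]) -> List[PendingOp]:
    """Queued operations that did not come from your removal list: inspect these."""
    mine = {p.lower() for p in ours}
    return [op for op in parse_pending(values) if op.source.lower() not in mine]


if __name__ == "__main__":
    removal_list = [r"C:\WINDOWS\system32\fusstub.dll",
                    r"C:\WINDOWS\system32\win32hp.dll",
                    r"C:\WINDOWS\system32\susp.exe"]
    for op in parse_pending(SAMPLE_PENDING):
        kind = "DELETE " if op.is_delete else ("REPLACE" if op.replace_existing else "RENAME ")
        print(f"{kind} {op.source} -> {op.target or '(removed)'}")
    print("still to queue:", not_yet_queued(SAMPLE_PENDING, removal_list))
    print("not ours:", [op.source for op in foreign_ops(SAMPLE_PENDING, removal_list)])
```

    On a real XP box the input is `winreg.QueryValueEx(key, "PendingFileRenameOperations")[0]` read from the Session Manager key; running `foreign_ops()` over it before the reboot tells you what else was already queued, which is exactly the information the "please let me know" request is asking for.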
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now back to your malware removal! :)


    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5


    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  19. fblackston

    fblackston Private E-2

    I'm sure you all get tired of repeating the same instructions over and over, so I sincerely appreciate your patience and understanding.

    As for the rest, I did install the updated Sun Java today and uninstalled the old version. The computer seems to be working, so I will follow your instructions on 'Disable System Restore'.

    I read the article on protecting yourself from malware yesterday and made a copy for my boss (it was his laptop). :)

    Thanks again.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely......your boss too! ;)
     
