About:Blank

OK!

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINNT\system32\ipin32.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINNT\system32\ipec32.exe
C:\Program Files\Web_Rebates\WebRebates1.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wmhpv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wmhpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\wmhpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wmhpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wmhpv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wmhpv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wmhpv.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B8392868-66F4-2587-FD0D-0AC72FFCD1EA} - C:\WINNT\atlko32.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [v7nW3qV] tapavi32.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [javavy.exe] C:\WINNT\system32\javavy.exe
O4 - HKLM\..\Run: [ipec32.exe] C:\WINNT\system32\ipec32.exe
O4 - HKCU\..\Run: [ew46RkZ3j] synma12n.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

After clicking Fix, exit HJT.

Tell me when you finish this while I work on the next steps! Let me know if you have any problems with any of those steps.

 

Download this ExplorerXP and get it installed on the infected computer. Let me know when finished.

DO NOT RUN Windows Explorer or IE anymore. They are spreading your infection!

 

Okay! Fix this line again with HJT:
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

Do not open any Windows Explorer sessions to delete anything? DO NOT RUN ANYTHING UNLESS I REQUEST IT. Some of your problems are spreading each time you run IE or Windows Explorer?


- NOW PULL THE POWER PLUG TO YOUR PC! I do not want you to power down the normal way.

- After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

- Run ExplorerXP that I had you download. It is pretty straight forward using it and navigating around. I want you to use it to delete the below (if you can find them):
C:\Program Files\ISTsvc <--- the whole folder
C:\Program Files\AutoUpdate <--- the whole folder
C:\Program Files\Internet Optimizer <--- the whole folder
C:\program files\180solutions <--- the whole folder
C:\Program Files\Web_Rebates <--- the whole folder
C:\WINNT\wmhpv.dll
C:\WINNT\atlko32.dll
C:\WINNT\system32\tapavi32.exe or C:\WINNT\tapavi32.exe
C:\WINNT\system32\javavy.exe
C:\WINNT\system32\ipec32.exe
C:\WINNT\system32\synma12n.exe or C:\WINNT\synma12n.exe

- Empty your Recycle Bin. In fact as an additional measure do the following:
Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin
And Click OK.

 

Let me know when you finish those steps! Stay in safe more when completed. And get a HijackThis log from safe mode and post it here. Don't forget to tell me the results of those steps.

 

You don't have a c:\windows\Prefetch folder to delete files in because you are running Win2K. That was in my original instructions before I edited it to remove that step.

 

Do you have viewing of hidden file enabled? Those items should have been there.

I added a message below awhile ago when I noticed that I still had the prefetch instruction in there and had deleted it.

 

Can you bring up Add/Remove programs now while in safe mode?

Do you have the software to reinstall your Symantec stuff? The reason I ask is because I want to uninstall it while in safe mode because I think it may be conflicting with Kaspersky which we need to run.

 

Never mind! ExploreXP shows all by default.

Just give me an answer to the Symantec question below!

 

Third time I'm asking this:

Just give me an answer to the Symantec question below!

Also what are the names of the dat files?

 

That's not what I'm referring to! Read message # 60 again.

What are the filenames that end in .dat what are the file dates too. You may want to click on the column labled Date Modified and see what else you find for the same date. There could be more of those bad .exe files from the HSA infection.

 

Delete all of the below:
atlxw.exe
evyel.txt
jvafl.txt
kfrcw.dat
ofzrm.dat
qgzpu.dat
sfxsw.dat
skpog.txt
xzzuy.dat
klkh.dat

I don't follow the below:

Not PC Anywhere. Do you have the Symantec Antivirus disks to reinstall? I know we cannot uninstall. I would just use HJT to remove the registry entries to stop some of it from loading. We may need to reinstall later to fix (if the HJT backups do not work out for us).

 

Did you see my previous message? You have to alway remember to look for more messages in between posting your own.

 

What is winit do you mean winnt?

Delete these: syszh32.exe and xzzvy.dat

Do not reboot this PC. Will talk with you later when you and I are both back.
Did you delete the other list of files I told you to delete?

You must always remember to look back for new unanswered messages each time you post. You could miss important info. Also always answer questions ASAP.

I don't remember seeing and lines in your HJT log with {677....}

 

Do you mean you see filenames like the CLSIDs from the O2 BHO lines. CLSIDs look something like:
{B8392868-66F4-2587-FD0D-0AC72FFCD1EA}

with the braces included.

 

By all means if you need to get stuff off this computer for business, do what you need to do. Just avoid, if possible, connecting it to the internet. Do not run anything you do not need to run. If you need to boot in normal mode to do this then go ahead. Just let me know what you had to do.

Yes, it can be easier sometimes to reformat a PC. However that would mean you must have the ability to backup all necessary data and programs first. And you must have the knowledge to reinstall everything and setup everything to get you back to where you were. Sounds like you may have problems getting a Win 2000 install to work for you again since it will not have all the drivers you may need.

Let me know what you decide to do.

If you decide to keep working on this PC, please post a current HijackThis log back here after you complete doing whatever you need to do to get your Dental package transferred.

 

Let's see a current HJT log on this baby.

 

Here are a few things I want you to try:

Do you have your Win 2000 Pro CD?
Is the CD already at SP4 level?

Run ExplorerXP and navigate to c:\winnt and locate explorer.exe. Right click on it and select Properties. What is the Size of the file? I don't care about Size on disk. Just the line that says Size: It will show two numbers. One in KB and the other in bytes. I want the one in bytes.
Also now click on the Version tab and give me the file version.

Also look on your harddisk for a folder named i386 . It may be c:\i386 or c:\winnt\i386
Look for explorer.exe in there two. It may appear as explorer.ex_
Let me know if you find the i386 folder and an explorer.exe or an explorer.ex_ in the folder. If you find both, tell me that too.

 

What is the version number of the one in c:\winnt\SERVICEPACKFILES\i386

You should also look for explorer.exe in c:\winnt\system32\dllcache

And go back and get the Created and Modified dates and time for:
c:\winnt\explorer.exe
c:\winnt\SERVICEPACKFILES\i386\explorer.exe

You should also look for explorer.exe in c:\winnt\system32\dllcache
and get me size, version, and Created & Modified dates for it too.

 

I cannot find anything really wrong with those files. That does not mean that they are clean though. Malware could make changes and maintain sizes and dates just to throw you off. See if you can get the Kaspersky Anti-Virus to run right now in safe mode.

 

See my previous message and also download and run this:

http://securityresponse.symantec.com/avcenter/FxIstbar.exe


Then boot into normal mode and post a new HJT log.

Drivers you may need could be scattered all around. It would more than likely be much easier to go to XP rather than try to get Win 2000 running again. Let's see what normal boot shows. If clean we will connect to the internet. That will be the deciding point. If the infections come right back, you would get your PC back faster by formatting and load XP.

 

OK! See my below message for what's next. Go home! That's where I have to go now too. And it is snowing very hard. May take awhile to get there (35 miles).

Talk with you later.

 

Please note exactly what is found by name (virus name) and also the file and path if given.

Path is something like: c:\winnt\system32 just an example
File is: explorer.exe just an example

I'm outta here!

 

That log is clean. Is that from normal boot mode?

Since you can get into Add/Remove programs now, have you looked for all those things we were trying to uninstall? If still there, uninstall.

For recommendations on which software to use see: How to Protect yourself from malware!
AVG and Avast are preferred over Norton or McAfee. You can use them for free but they have pay versions with more advanced features too.

When you boot into safe mode make sure viewing of hidden files is enabled. Can you find:
c:winnit\system32\winls32.exe

Go to the below link and run ONLY steps 13l (that's a lower case L) thru 17.
When all else fails - Generic Solution to HSA (Only the Best) & About:Blank hijack

Make sure the HJT log from step 17 is for normal boot mode.

After that see if that NSS service is still around.

 

Jim,

Notice how I used the quote boxes above to distinguish your text from mine! You should try to use them. It makes it easier to read messages that way. You can interlace more as you can see in this message.

Are you asking me which is better? TrendMicro is very good too. If you don't mind paying for the software, any of the three versions (AVG, Avast, or PC Cillin from Trend) are good. If you want to sample one for awhile to see how you like it. Try the free versions of either Avast or AVG . I have given the free version of Avast to several people who are bad about doing updates. Once you install it and set it up, it updates automatically (set it and forget it). This is great for many users.

I'm looking forward to seeing the results.

 

Re: CL About:Blank

Has this PC been connected to the Internet yet?

Please download GetService.zip from here: Getservice.zip

Extract the file to a folder where you can find it, then go to the folder and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad file as an attachment too. Call it service.txt.