Having major issues.. please HELP / HijackThis log as Requested - About:Blank - HSA

Discussion in 'Malware Help (A Specialist Will Reply)' started by kittykat66, Jan 30, 2005.

  1. kittykat66

    kittykat66 Private E-2

    Having major issues.. please HELP

    Because there is so much information I have for you I will try to make this as short as possible. First of all, I want you to know that although I know my way around a computer, I am NOT computer literate :rolleyes: I play the game City of Heroes (I'm sure you're familiar with it), and have had it installed on my laptop for almost two months. Yesterday when I tried to log on I received a Microsoft error: "cohupdate.exe has encountered a problem and needs to close", which of course gives me the option to obtain an error report, which I haven't done, cuz it would make no sense to me :) The same day that this began I noticed that the homepage on my internet had changed to about:blank. So, I assumed I had gotten some sort of spyware or virus. Unfortunately I followed all directions as to the tee as I could on your "do this before sending a thread" page. The only things I could not do were boot in safe mode, and run the Symantec scan. Other than that I ran the Trend scan, McAfee, Spybot S&D, Ad-Aware, kill2me, about:buster, ccsweep, etc. At first it seemed to have eliminated the problem, because my page was not at about:blank anymore, but City of Heroes still sent the same message, and then the homepage went back to about:blank. I'm at a loss. I did download HijackThis, so if that report can help I will certainly send it to you. Or if you have any other suggestions I would be soooo grateful! Oh and by the way, I did uninstall and reinstall City of Heroes, to no avail. Please help! Thanks! ;) kittykat66
     
  2. PhilliePhan

    PhilliePhan Guest

    Re: Having major issues.. please HELP

    Hi Kittykat66,

    I'm not familiar with City of Heroes - My online game is killing Malware! ;)

    If you are certain that you've exhausted the Tutorial's options, then go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work these days and am not here too often, but somebody will try to take a look at your log when they get a chance.

    Best :)
    PP
     
  3. kittykat66

    kittykat66 Private E-2

    HijackThis log as Requested

    Here is my HijackThis log as requested by PhilliePhan. Thank you sooo much for your quick reply! Hopefully this helps; anything you can do would be greatly appreciated. Having very bad City of Heroes withdrawal :rolleyes: Thanks so much! :) kittykat66
     

    Attached Files:

    Last edited by a moderator: Feb 1, 2005
  4. PhilliePhan

    PhilliePhan Guest

    Re: HijackThis log as Requested

    Please stay in this thread so I don't get too confused :cool:

    You have a nasty about:blank/HSA problem.

    Before we can attack it, I need you to extract HijackThis from the ZipFile to a safe folder:
    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, RightClick your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    Now run HJT from there and attach that log.

    Note that you must not reboot after submitting the log. We may run into difficulties due to my inability to check in here on a regular basis these days, but we can give it a go! With that in mind, I am going to use a different method than the other fixes on this site - please attach the fresh HJT log and I'll try to check back as often as I can.

    PP :)
     
    Last edited by a moderator: Feb 1, 2005
  5. kittykat66

    kittykat66 Private E-2

    Sorry for confusing you with the multiple threads, and of course for being such a dumb-a** when it comes to computers :rolleyes: Hopefully this attachment will be more helpful, and thank you again so much for your help! :) kittykat66
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    KittyKat,

    I edited out your email address from your post and the one Phillie quoted. It's not a good idea to leave an email address like that in the forums. Spammers will pick it up. If you want to give someone an email address, it would be safer to use a PM.

    Sorry I don't have time to work your HJT log right now. Have to get some sleep! But you do have an HSA hijack.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Follow the steps in the READ ME that talk about about:buster and HSRemove. Also make sure you stop and disable the Network Security Service per the READ ME FIRST step 2 in Getting Prepared.
     
  8. kittykat66

    kittykat66 Private E-2

    As I mentioned in my first thread, I already ran all those programs and they did not help. But I ran about:buster and HSRemove again after your last post, and still cannot run my game. Because about:buster says not to open Internet Explorer after the scan without a reboot, I had to reboot, so if you need a new copy of my HijackThis log, let me know. Thanks again for your help, but I have run each program in the tutorial more than once now, and still am having problems. What next? kittykat66
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi KittyKat,

    Please download this tool: Pocket KillBox

    Then, give me a fresh HijackThis log. I'll try to check back in a timely manner.

    PP :)
     
  10. kittykat66

    kittykat66 Private E-2

    Thank you again PhilliePhan. I downloaded the program you told me to, but I wasn't sure if you wanted me to do anything with it, so all I did was unzip it to a safe file. I also have just another quick question: another user on this laptop contacted the internet service provider (AT&T) and they had him download Spy Sweeper, which now asks us every time we log on whether we want the home page to be about:blank, or our normal homepage. But now that message is popping up constantly when we are online or off. Is Spy Sweeper a bad program? Let me know. Here is my HijackThis log again. Thanks! :p kittykat66
     

    Attached Files:

  11. PhilliePhan

    PhilliePhan Guest

    Hi KittyKat66,

    Sorry I couldn’t get back sooner!

    Spy Sweeper is a good and respected tool. How many active User Accounts are on this machine?

    The nature of this baddie is such that it mutates seemingly at will! So, your bad entries may be different. I am going to try a fix that is a bit different from what our resident genius Chaslang does, since I am not around often enough to check back regularly.

    Please print out these instructions.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial. Also, after reading this and copying the below to Notepad, you must physically unplug your Internet connection and Exit ALL Browsers!

    FIRST:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it cwfix.reg

    REGEDIT4

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000002

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000004

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000002

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000004

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000004

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000004

    Now:
    DoubleClick on the cwfix.reg file you made and allow it to merge the registry entries into the registry.


    NEXT:
    Click Start > Run > type services.msc and Click OK

    Locate Network Security Service and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NOW:
    With ALL BROWSER WINDOWS CLOSED, Run Pocket KillBox. Also, at the same time, open Task Manager (ctrl-alt-del). You will need to do the following fairly quickly.

    Now, enter C:\WINDOWS\ipfl.exe into Pocket KillBox and select Standard File Kill (but DO NOT do anything else).
    Then, RightClick on ipfl.exe in Task Manager and select “End Process Tree”
    Next, Click the Red X in KillBox to DELETE C:\WINDOWS\ipfl.exe and Click YES to confirm the DELETE and then OK


    Now, enter C:\WINDOWS\System32\Gwhdrv.exe into Pocket KillBox and select Standard File Kill (but DO NOT do anything else).
    Then, RightClick on Gwhdrv.exe in Task Manager and select “End Process Tree”
    Next, Click the Red X in KillBox to DELETE C:\WINDOWS\System32\Gwhdrv.exe and Click YES to confirm the DELETE and then OK


    Now, enter C:\WINDOWS\system32\ipsb32.exe into Pocket KillBox and select Standard File Kill (but DO NOT do anything else).
    Then, RightClick on ipsb32.exe in Task Manager and select “End Process Tree”
    Next, Click the Red X in KillBox to DELETE C:\WINDOWS\system32\ipsb32.exe and Click YES to confirm the DELETE and then OK


    After this last entry, please close Pocket KillBox.

    Now, via Task Manager, end all IEXPLORE.EXE processes as well. Then, Close Task Manager.

    NEXT:

    Please scan with HijackThis and Check the Boxes for the following if they are there:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jxstg.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jxstg.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jxstg.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jxstg.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jxstg.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jxstg.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jxstg.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {C964E137-AC20-F832-469A-869B7E738F46} - C:\WINDOWS\system32\apijb32.dll

    O4 - HKLM\..\Run: [ipfl.exe] C:\WINDOWS\ipfl.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Gwhdrv.exe

    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)

    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\ipsb32.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    Then, Close HijackThis. Wait a few seconds and then open it again and rescan. If you see similar entries to what you just removed, try the deletion process again until successful.


    FINALLY, After the HJT Log is clean, I want you to PHYSICALLY UNPLUG YOUR MACHINE – DO NOT USE POWER BUTTON, JUST YANK THE CORD!! Do not allow your machine to shut down gracefully.

    Wait a few minutes and then restart your machine. Reconnect your Internet Connection and open and close a few IE sessions. Then, scan with HijackThis and attach a fresh Log and we’ll see how things did or did not work. If we failed, we will have to try a different and longer procedure. I’ll keep my fingers crossed!

    Best Luck :)
    PP
     
    Last edited by a moderator: Feb 2, 2005
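The cwfix.reg in the post above works by deleting each hijacker domain's ZoneMap key (the `[-HKEY...]` lines) and recreating it with `"*"=dword:00000004`, which moves the domain from Internet Explorer's Trusted sites zone (zone 2, the O15 entries in the HJT log) into Restricted sites (zone 4). The following Python script is an added example, not code from the thread or from any tool it names: it simulates merging a REGEDIT4-format .reg file and reports the zone each domain is left in, so a helper can check a fix file (or audit a suspicious .reg file that would add a domain to the Trusted zone) before anyone double-clicks it. The cwfix.reg text is taken from the post; `TRUSTED_SAMPLE` and the domain `example.test` are constructed for the demonstration.

```python
"""Simulate merging a REGEDIT4 .reg file and report the Internet Explorer
security zone each ZoneMap domain ends up in (added example, not from the thread)."""
import re

# Zone IDs stored under ...\Internet Settings\ZoneMap\Domains\<domain>.
# The value name is the URL scheme ("*" = any scheme); the DWORD data is the zone.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

ZONEMAP_KEY = re.compile(
    r"^\[(?P<delete>-?)(?P<hive>HKEY_[A-Z_]+)\\Software\\Microsoft\\Windows\\"
    r"CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\(?P<domain>[^\]]+)\]$",
    re.IGNORECASE)
DWORD_VALUE = re.compile(r'^"(?P<scheme>[^"]*)"=dword:(?P<hex>[0-9A-Fa-f]{1,8})$')

# Sample input: the cwfix.reg from the post above (blank lines dropped).
CWFIX_REG = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000004
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
"*"=dword:00000004
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000004
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
"*"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
"*"=dword:00000004"""

# Constructed sample (not from the thread): a file that would ADD a domain to
# Trusted sites under HKCU, remove its HKLM mapping, and touch an unrelated key.
TRUSTED_SAMPLE = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Example]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"*"=dword:00000002
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"""


def parse_zonemap(reg_text):
    """Return {(hive, domain): {scheme: zone}} as it would stand after the merge.
    A key deleted with [-HKEY...] and not recreated maps to None."""
    lines = [l.strip() for l in reg_text.splitlines()]
    if not lines or lines[0] not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("unexpected .reg header: %r" % (lines[0] if lines else ""))
    state, current = {}, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        m = ZONEMAP_KEY.match(line)
        if m:
            key = (m.group("hive").upper(), m.group("domain").lower())
            if m.group("delete"):          # [-KEY]: mapping removed; values that
                state[key], current = None, None  # follow it are ignored
            else:                          # [KEY]: (re)created; values apply to it
                if state.get(key) is None:
                    state[key] = {}
                current = key
        elif line.startswith("["):
            current = None                 # some other key, not a ZoneMap domain
        else:
            v = DWORD_VALUE.match(line)
            if v and current is not None:
                state[current][v.group("scheme")] = int(v.group("hex"), 16)
    return state


def trusted_domains(state):
    """(domain, hive, scheme) triples the merged file leaves in Trusted sites (zone 2)."""
    return sorted((d, h, s) for (h, d), schemes in state.items()
                  if schemes for s, z in schemes.items() if z == 2)


def summarize(reg_text):
    """One readable line per mapping, sorted by hive then domain."""
    out = []
    for (hive, domain), schemes in sorted(parse_zonemap(reg_text).items()):
        if schemes is None:
            out.append("%s [%s]: mapping removed" % (domain, hive))
        for scheme, zone in sorted((schemes or {}).items()):
            out.append("%s [%s] %s: %s" % (domain, hive, scheme,
                                           ZONE_NAMES.get(zone, "zone %d" % zone)))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(CWFIX_REG)))
    print("would trust:", trusted_domains(parse_zonemap(TRUSTED_SAMPLE)))
```

Run against cwfix.reg the report shows all four mappings (both hives, both domains) ending in Restricted sites and nothing trusted; run against the constructed sample it flags `example.test` as a domain the file would add to the Trusted zone, which is exactly the kind of entry HijackThis surfaces as an O15 line.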
  12. kittykat66

    kittykat66 Private E-2

    Alright PhilliePhan, we seem to have had a bit of success but not total. First let me tell you about a few things I encountered (oh and by the way there are two of us that use this computer, but we use the same accounts for everything). In the first part of the instructions where I used Pocket KillBox, the first part ipfl.exe was not present on the Task Manager, so I skipped the step; I did not erase it with KillBox. Also, there were no iexplore.exe processes to end. On the HijackThis log everything went very well, and it only took one time to delete the necessary items. When it came to shutting down, I'm sorry but I had to use the power button, because this is a laptop, therefore I couldn't pull the cord. Yet by using the power button this way, it is still very ungraceful for shut down ;) So, all went semi-well, yet, unfortunately, I still get about:blank when signing on to the internet. Good news :eek: CITY OF HEROES no longer gives me the error message!!!! And I've begun to download the patch! Too bad I uninstalled it :rolleyes: THANK YOU SO MUCH!!!! But I still would like to fix whatever problems still exist. Here is my new HijackThis log :) Thank you for your help! kittykat66
     

    Attached Files:

  13. PhilliePhan

    PhilliePhan Guest

    Hi Kittykat66,

    Your HijackThis log looks OK.

    Please fix the following in HijackThis:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

    THEN:
    Reset your Web Settings.
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com OR www.phillies.com. ;) Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Let me know how things are working now. If problems remain, submit a fresh HJT Log and we'll have another go at it!

    PP :)
     