Help me with about:home hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by medgen, Jan 15, 2005.

  1. medgen

    medgen Private E-2

    Hello,

    First off, I consider myself an intermediate level pc user so I do apologize for any ignorant comments in this post but I am trying my best to follow all rules, etc.

    Background: I have symantec antivirus (corp edition) running on my computer with constant monitoring in the background. I also have the Google toolbar and popup blocker. Early this morning I clicked a link and was warned by symantec that I had a virus -- I assumed that it would be cleaned, but that soon turned out to not be the case.

    Virus: This seems to be the "homesearch" virus. When I open IE it takes me to the about:blank page and wherever I go it gives me a bunch of popups (mostly offering virus removal programs!). I soon found this forum and followed the instructions in the "DO NOT POST UNTIL YOU HAVE READ THIS..." post. i.e. I found the "Remote Procedure Call (RPC) Helper" in my services registry (the other services were not there) and shut it off and disabled it. I downloaded and ran all of the spyware removal programs.

    Here is what each found (approximately -- sorry, but I did not record the exact logs):

    Adaware -- about 220 objects, programs, keys, etc - wiped them all out
    Spybot SD -- a few more objects (~6) - wiped them out
    *HSRemove -- found 8 items and removed them*
    All the other standalone removal programs -- nothing

    So, I came out of safe mode, opened IE and found it took me to the HS remove page that told me I had safely removed the virus. I changed my start page back to my usual settings and I continued a little bit of surfing but pretty soon shut IE down.

    I thought everything was good until I tried opening IE again. Yes, you guessed it -- back to about:blank! I ran the HSRemoval exe again and went through the exact same process several times (removed 8 items, opened to HSRemoval page when IE opened but when closed down and reopened it was back to about:blank).

    Now perhaps my next move was a big mistake, but I decided to go to Microsoft and downloaded all of the critical patches (about eight -- I know I should have done this earlier).

    When I then restarted the computer as prompted all kinds of weird things happened. First my touchpad was disabled. I restarted and that was fixed. Next, when I opened IE it went back to the about:blank page, but would not let me open ANY other pages.

    I did the HSRemove trick again, but this time it did not work. I then performed an adaware scan (in safe mode again) and it found four items that were labelled 'coolworld'. I guess this is a different, but related virus.

    So, I removed them and tried IE again. In safe mode I opened IE several times, was able to reset my home page and everything seemed fine.

    Next I restarted in regular mode. IE seemed normal at first, but yet again when I closed and reopened IE I got to the about:blank page.

    I decided that before I did anything else I would come back here and post this message. As it stands the bug is not too bad -- there don't seem to be any popups, only the about:blank home page that I cannot change. Of course I realize however that this means the computer is still infected somehow so I would really like to fix it.

    I hope that was all quite clear. I realize that there is another thread that discusses how to clean this virus by editing the registry but that seems very complicated and I am afraid to screw up my computer even farther. Any advice or suggestions would be very much appreciated. I did download the 'hijackthis' program and will run it and post the log if that is requested (if that is OK according to the forum policies).

    Please help
    Thanks

    Sorry, one more thing that might help: I have gone into the services registry several times and found that the RPC helper is sometimes disabled, sometimes enabled, sometimes stopped and sometimes not. The pattern doesn't seem to follow anything that I do though!
     
  2. tigerray00

    tigerray00 Specialist

    You need to read this sticky thread about hijack this.

    http://forums.majorgeeks.com/showthread.php?t=38752

    Once you've read that, you need to download Hijack This at the following link and wait for someone to ask you for a Hijack This log. While I am familiar with Hijack This, Chaslang our resident expert would be better equipped to help you. Here's the link.

    http://majorgeeks.com/download3155.html

    Please be patient, Chaslang is a very busy person, but when he gets the chance he or one of our other experts will come and give you a hand. :)
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are still waiting on you Medgen!! You need to do what Tigerray00 mentioned. I'll clarify for you just in case you did not understand.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. medgen

    medgen Private E-2

    Hello,

    Sorry for not posting this earlier. I was under the impression that someone had to specifically ask me to do so.

    In any case, I spent a couple of hours last night trying to figure out the steps listed in the Generic HSA solution. For the most part I think it worked (i.e. I now have my desired homepage back and it has stuck for several reboots). The main concern I have now is the O15 lines (crazy winnings). I tried to fix them but they came back. They don't seem to be causing a problem, but since they are there I assume they must be some kind of problem.

    If you don't mind still taking a look at the log to see if I am free of this virus I would be most grateful.

    Thank you so much for being willing to look at these. I know that yesterday I was in complete despair for a while. The realization that someone would be willing to help me fix the problem made everything seem OK again. I am sure that there are thousands of others who feel the same.

    Thanks again!
     


  5. medgen

    medgen Private E-2

    Hello,

    I'm sorry -- I looked at my log and I must have left an IE window open when I did the original HJT scan. I made sure everything was closed this time and performed another one. It is attached.

    Thanks
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does appear that HSA is gone.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (some lines may already be gone):
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)

    After clicking Fix, exit HJT.

    Then reboot your computer and get a new HJT log. Now run your browser and post the new log here as an attachment. How is everything running?
     
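The O15 lines above are HijackThis's view of Internet Explorer's ZoneMap registry keys. Here is an added, read-only PowerShell check (not from the thread or from HijackThis) that lists every domain and IP range placed in the Trusted Sites zone under both HKCU and HKLM, so entries like the crazywinnings.com ones, or a range with no address at all, stand out for review; the registry paths are the standard ZoneMap locations, and the script assumes it is run as Administrator so HKLM is readable.

```powershell
# Added example (not from the thread): list every IE ZoneMap entry that places a
# domain or IP range in the Trusted Sites zone (zone id 2) for both the current
# user (HKCU) and the machine (HKLM), which is what HijackThis reports as O15.
# Read-only: it reports, it does not delete. Run as Administrator to read HKLM.

function Convert-ZoneKey {
    param([string]$Hive, [string]$Kind, [string]$Target, $Key)
    # Each protocol ('*', 'http', 'https', 'file' ...) is a DWORD holding the zone id.
    foreach ($name in $Key.GetValueNames()) {
        if ($name -eq ':Range') { continue }   # the range text itself, not a protocol
        [pscustomobject]@{
            Hive = $Hive; Kind = $Kind; Target = $Target
            Protocol = $name; Zone = $Key.GetValue($name)
        }
    }
}

function Get-ZoneMapEntries {
    foreach ($hive in 'HKCU', 'HKLM') {
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

        # Domains\<domain>[\<host>]: a subkey under a domain is a host or wildcard prefix.
        $domRoot = Join-Path $base 'Domains'
        if (Test-Path $domRoot) {
            foreach ($dom in Get-ChildItem $domRoot) {
                Convert-ZoneKey $hive 'Domain' $dom.PSChildName $dom
                foreach ($sub in Get-ChildItem $dom.PSPath) {
                    Convert-ZoneKey $hive 'Domain' "$($sub.PSChildName).$($dom.PSChildName)" $sub
                }
            }
        }

        # Ranges\RangeN: ':Range' (REG_SZ) holds the IP or CIDR; protocols as above.
        # A key with no ':Range' is what shows up as the bare 'Trusted IP range: (HKLM)' line.
        $rngRoot = Join-Path $base 'Ranges'
        if (Test-Path $rngRoot) {
            foreach ($rng in Get-ChildItem $rngRoot) {
                $text = $rng.GetValue(':Range')
                if ([string]::IsNullOrEmpty($text)) { $text = "<missing :Range in $($rng.PSChildName)>" }
                Convert-ZoneKey $hive 'Range' $text $rng
            }
        }
    }
}

# Trusted Sites entries are the ones to compare against what you added on purpose.
Get-ZoneMapEntries | Where-Object { $_.Zone -eq 2 } |
    Sort-Object Hive, Kind, Target | Format-Table -AutoSize
```

Anything listed that you did not add yourself is a candidate for removal with HijackThis or regedit, as the instructions above describe; re-run the script after a reboot to confirm the entries stay gone.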
  7. medgen

    medgen Private E-2

    I followed all the instructions and attached is my most recent HJT log. Just a couple of notes:

    1. When I performed the HJT scan after the merge the two trusted zone lines
    "O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)"
    were already gone. The rest remained and I fixed them.

    2. When I look at the most recent scan I am concerned about a few of the processes that appear to be running. They were not there on the previous scans. They are:
    basfipm.exe, DefWatch.exe, gearsec.exe.
    From the O23 lines on the log they are purported to be security processes, but I just wanted to be sure.

    If this does all look clean then once again thanks so much. I am amazed that people are willing to spend their valuable time helping out like this.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
