HELP needed, hijacked by 'Search for...'

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by photek, Jul 6, 2004.

  1. photek

    photek Private E-2

    I need serious help. My start page is hijacked by a search site 'Search for...' (http://s1di.d8t.biz/index.php?aid=20038) but no matter what I do, it keeps coming back.

    I've used:
    -HJT v1.98.0
    -CWShredder v1.59.1
    -About:Buster v1.24
    -Ad-aware v6.0
    -Spyware Doctor

    They all detect files, but after fixing the files, the Search for... site still pops up when I start Internet Explorer instead of google.nl, the start page I'd like to have.

    I really need help because I'm absolutely no pro at this. This is the first time something like this has happened to me, so I have no experience either. The things I know about hijacking, CoolWebSearch and registry files are from a two-day struggle to get this darn thing out of my computer.

    Thanks,

    photek (Netherlands)
     
  2. Dr. Woodz

    Dr. Woodz Private E-2

    these things are running absolutely rampant right now, aren't they???


    ...and they're tending to be the very worst kind that are out of reach of current software solutions... it's either go down a very long list and hunt that multi-headed hydra monster down or back up and format the drive... I just had to format and start clean after having apps appear everywhere on the machine, and filenames morphing and hiding in different places each time... truly bad news... and I can't get Windows back on yet, grr... time for a new machine.
     
  3. photek

    photek Private E-2

    Yes, it's terrible! But the problem is that I can't find a foolproof solution. Every computer has its own weird files and every user has their own ways to clean (if the person is able to) a PC. So when I go down a 'to do list' I'll get stuck somewhere, 'cause it's not exactly the same PC, Windows or files or whatever that's messing things up... Besides that, I'm not good at solving problems like this. Me = n00b :rolleyes:

    Too bad you had to format your PC. And till now, I see no other option either... Thanks for your reaction :)
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Did you try HSRemove?
     
  5. photek

    photek Private E-2

    No I haven't. But I'll try it. Thanks
     
  6. photek

    photek Private E-2

    HSRemove doesn't help either. It says 'no items removed'
     
  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I hope it's not a new variant. A new tool is out called About:Buster in our spyware section. The download page has specific instructions on removing it as well. Try that.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please post a complete HijackThis log. I gotta see this one. I agree, Major... I hope we do not have a new one on our hands.
     
  9. photek

    photek Private E-2

    Already did. But it came up with nothing:

    "About:Buster Version 1.24
    Attempted Clean Of Temp folder.
    Pages Reset... Done!"


    Okay I'll post it.
     
  10. photek

    photek Private E-2

    Logfile of HijackThis v1.98.0
    Scan saved at 11:45:33, on 8-7-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Matthijs Meesters\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
    O2 - BHO: (no name) - {5E997197-9239-4B6E-83C7-658BFE672D40} - C:\WINDOWS\System32\edicbaa.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O18 - Filter: text/html - {206E25BD-D98D-4092-BEDB-C5C1C40AFE9E} - C:\WINDOWS\System32\edicbaa.dll
    O18 - Filter: text/plain - {206E25BD-D98D-4092-BEDB-C5C1C40AFE9E} - C:\WINDOWS\System32\edicbaa.dll
    O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1) go here and download Registrar lite and install it: http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) Double-click on AppInit_Dlls and tell me exactly what you see in the Value.

    If you see a path to a file in step 5 above, do steps 6 to 10; otherwise skip to 11.
    (An example path may be something like c:\windows\system32\xxxxx.dll where xxxxx is any random characters)

    6) Now click in the left pane of Reglite and rename the folder Windows to NotWindows.
    This folder should be highlighted in light blue (some people call it light purple).
    7) Now double Click "AppInit_DLLs" and clear the data value:
    C:\WINDOWS\System32\xxxxx.dll < delete this line , 'Apply' and 'ok' to set.
    8) Rename the NotWindows folder back to its original name Windows
    9) Restart computer
    10) This should make the file visible. Use Windows Explorer and see if you can find it in:
    C:\WINDOWS\System32\xxxxx.dll

    If you can't find it, make sure you have enabled viewing of hidden
    files by doing this: http://www.xtra.co.nz/help/0,,4155-1916458,00.html


    11) Please download this about:buster again; it changed today even though the version number is still 1.25.
    Get it here: http://www.majorgeeks.com/download4289.html

    But do not run yet.

    12) Double check to make sure your Ad-aware reference file is up to date. It should be 01R330 07.07.2004 at
    the time I wrote this. But double check again; they update frequently.

    13) You should print the remaining instructions because in the next step I am going to have you totally disconnect from the internet.

    14) This step is very important! Disconnect from the Internet completely (i.e., drop analog modem connections, unplug ethernet cables, etc.).

    15) reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    16) Make sure at this point all Internet Explorer and Win Explorer sessions are shutdown. Do not open them again until instructed to.

    17) Now start Hijack this and have it fix ONLY the following lines:

    O2 - BHO: (no name) - {5E997197-9239-4B6E-83C7-658BFE672D40} - C:\WINDOWS\System32\edicbaa.dll
    O18 - Filter: text/html - {206E25BD-D98D-4092-BEDB-C5C1C40AFE9E} - C:\WINDOWS\System32\edicbaa.dll
    O18 - Filter: text/plain - {206E25BD-D98D-4092-BEDB-C5C1C40AFE9E} - C:\WINDOWS\System32\edicbaa.dll
    O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)

    Exit HijackThis.

    18) Run about:buster and click start. Be patient, it takes awhile for this to go through all the files it has to look at.

    Save the log from about:buster.

    19) Run HijackThis again and fix the following (if they still exist):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


    20) Go C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp directory and delete sp.html if you find it.

    21) Reset Web Settings by right clicking on your desktop Internet Explorer icon. Then click Tools, Internet Options, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you prefer (like www.majorgeeks.com).


    22) Run a full scan with Ad-aware. Since I have you disconnected from the Internet, the following instructions explain how to set Ad-aware's settings to perform a "Full Scan."

    In Ad-aware click the Gear to go to the Settings area. The following items should be on a green check, not on a red X.

    Under the Scanning button:

    - Scan within archives
    - Under Memory & Registry, Check EVERYTHING
    - In Check Drives & Folders, make sure all of your hard drives are selected

    Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

    Under the Tweak button...

    Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

    In Scanning Engine:

    - Unload recognized processes during scanning
    - Include info about ignored objects in logfile, if detected in scan
    - Include basic Ad-aware settings in logfile
    - Include additional Ad-aware settings in logfile
    - Include used command line parameters in logfile

    In Cleaning Engine:
    - XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
    - Let Windows remove files in use at next reboot
    - UNCHECK: Automatically try to unregister objects prior to deletion

    Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.

    23) Restart your computer in normal mode.

    24) Now go try to delete the file we found in steps 5 & 10 (if you did find one)
    This was the C:\WINDOWS\System32\xxxxx.dll file (replace xxxx by what you found).

    25) Reconnect to the internet now.
    26) Post both the about:Buster log and a new HijackThis log and let me know how things are working.
     
  12. photek

    photek Private E-2

    Wow, that's a lot! I hope I can work through the whole list before I get to France (vacation) tomorrow :eek: So my reply will be tomorrow or after my France trip :(

    Thanks for the help you've given me so far!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Get back in touch when you can!
     
  14. Dr. Woodz

    Dr. Woodz Private E-2


    Yeh, if you do end up having to wipe clean (format) and reinstall Windows, that will work a charm... pretty straightforward, just back your files up if you can, if you haven't already (once you're sure your files are not infected), get into DOS mode and format the drive (find some DOS commands, format is usually 'c: format' while in the C:\> DOS prompt)... reinstall Windows, update Windows, and start rebuilding your machine... hope you have all your software and driver CDs (and serial #s)! Change your internet browser from IE to anything else, I like Firefox right now, it has none of the backdoor security flaws like in IE that most adware is apparently written to exploit... best of luck, should you pull all that off yourself not only will you save yourself some bucks, your machine will be like new
    :cool:
     
  15. photek

    photek Private E-2

    Problem again :rolleyes: I've wiped my comp clean, but the 'Search for...' is back on my browser. And I guess it was a backdoor thing. My Norton said that. I guess it couldn't fix it. So, back to zero. Same procedure over again now? Greets, photek
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It must be due to places you are surfing, and you may need to get better protection on your PC.

    Are the symptoms exactly like last time and does a new HijackThis log look similar to last time?
     
  17. photek

    photek Private E-2

    Yeah, I guess so. It's lame; I have Norton 2003. The thing detects the prog, but can't block it or something. It's a backdoor thingy.

    The symptoms are the same, the log too:
     

    Attached file: hjt.txt (4.2 KB)
    Last edited by a moderator: Sep 9, 2004
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay first, there is a new procedure. HijackThis logs should only be posted when requested and they must be a .txt file attachment. See this thread for more info: http://forums.majorgeeks.com/showthread.php?t=38752

    - Shut down browsers before running! Notice:
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    - Please download the latest about:Buster: http://www.majorgeeks.com/download4289.html Do not run yet.

    - Make sure you have downloaded and installed Ad-aware SE Version 1.04 with a reference file of SE1R1 06.09.2004. Get it installed on your system now. You need it later below. Get it here: http://www.majorgeeks.com/download506.html (Make sure you update ).

    - Make sure you have viewing of hidden files and folders enabled: http://forums.majorgeeks.com/showthread.php?t=37650
    - Make sure you know how to boot in safe mode (don't do it yet, wait till I tell you):
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    - You should print all of this (or save locally) since when I have you exit all browser sessions below, I do not want you to reconnect or open any browsers again until I tell you to do so.

    - Exit all browser sessions and disconnect from the internet now!

    Now to your log:

    1) Run HijackThis and put checks on the following items BUT DO NOT CLICK FIX until you make sure (as I said above) you have exited all browser sessions, including the one you are reading right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {48649E5C-B688-41A0-9AED-5580D8E81DFF} - C:\WINDOWS\System32\jjo.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O18 - Filter: text/html - {27EAF512-265F-46C5-947C-200433CE3683} - C:\WINDOWS\System32\jjo.dll
    O18 - Filter: text/plain - {27EAF512-265F-46C5-947C-200433CE3683} - C:\WINDOWS\System32\jjo.dll

    After fixing those in HijackThis, exit HijackThis.
    2) Now run About:Buster and save the log to ab1.txt

    3) Reboot in safe mode

    4) Use Windows Explorer (not IE) to locate and delete:
    C:\WINDOWS\System32\jjo.dll

    5) Reset your web settings by doing the following:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Remember do not reconnect to the Internet or run any browsers yet.

    6) Run about:Buster again and save the log to ablog2.txt.

    7) Now run Ad-aware SE and under the scan option select Full System Scan and run it.

    8) Now reboot in normal mode and connect back here and post your two about:Buster logs.

    9) Then exit Internet Explorer and start it up again. Try that a few times to see if about:blank returns. If it does return, post a new HijackThis log attachment and DO NOT shut down or reboot your PC. You can disconnect from the Internet to remain safe, but do not reboot.
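
The fix lists in posts 11 and 18 both come from reading the HijackThis log by eye for the same few signs: R0/R1 search and start-page values pointing at a local file or at about:NavigationFailure, a Browser Helper Object with no name (O2), and MIME filters (O18) registered for text/html and text/plain so that every page passes through the hijacker's DLL before IE renders it. The script below, an added example that is not part of the original thread and not code from HijackThis, applies those same checks to log text and lists the DLLs to delete in safe mode afterwards. The sample log is constructed from lines copied from the two logs on this page; the function names and triage rules are this example's own.

```python
"""Triage a HijackThis log for the entry types chaslang singled out in this thread.

Added example, not part of the original thread or of HijackThis; the function
names and the triage rules are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: entry lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
O2 - BHO: (no name) - {5E997197-9239-4B6E-83C7-658BFE672D40} - C:\WINDOWS\System32\edicbaa.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O18 - Filter: text/html - {27EAF512-265F-46C5-947C-200433CE3683} - C:\WINDOWS\System32\jjo.dll
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
DLL_RE = re.compile(r"[A-Za-z]:\\.*\.dll\b", re.IGNORECASE)
# IE registers no MIME filter for these types; the hijacker adds one so that
# every HTML/text page is handed to its DLL before rendering.
HIJACKED_MIME = {"text/html", "text/plain"}


@dataclass
class Finding:
    line: str
    reason: str
    dll: Optional[str] = None


def parse_hjt(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, body, line) for every 'Xn - ...' entry; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["kind"], m["body"], line))
    return entries


def _dll(body: str) -> Optional[str]:
    m = DLL_RE.search(body)
    return m.group(0) if m else None


def triage(text: str) -> List[Finding]:
    """Flag the entries a malware helper would have HijackThis fix."""
    findings = []
    for kind, body, line in parse_hjt(text):
        if kind in ("R0", "R1") and " = " in body:
            key, _, value = body.partition(" = ")
            v = value.strip().lower()
            if v.startswith("file://"):
                findings.append(Finding(line, "IE search/start page points at a local file dropped by the hijacker"))
            elif v == "about:navigationfailure":
                findings.append(Finding(line, "IE search setting redirected to about:NavigationFailure"))
            elif v == "about:blank" and key.lower().endswith("homeoldsp"):
                findings.append(Finding(line, "saved original start page (HomeOldSP) overwritten with about:blank"))
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(line, "Browser Helper Object with no name", _dll(body)))
        elif kind == "O18":
            if body.startswith("Filter hijack:"):
                findings.append(Finding(line, "MIME filter hijack entry", _dll(body)))
            else:
                m = re.match(r"Filter: (\S+) - ", body)
                if m and m.group(1).lower() in HIJACKED_MIME:
                    findings.append(Finding(line, f"MIME filter for {m.group(1)}; IE ships none for this type", _dll(body)))
    return findings


def dlls_to_remove(findings: List[Finding]) -> List[str]:
    """Files to delete in safe mode after HijackThis has removed the registry entries."""
    return sorted({f.dll for f in findings if f.dll})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"FIX  {f.line}\n     {f.reason}")
    print("delete in safe mode after fixing:", *dlls_to_remove(found), sep="\n  ")
```

Run on the sample it flags the six registry entries chaslang had fixed plus the filter-hijack line, and names edicbaa.dll and jjo.dll as the files to delete once the O2 and O18 entries are gone, matching the order of the procedure in posts 11 and 18 (fix entries first, then remove the DLL in safe mode, since the filter DLL is loaded into IE while it runs). It leaves F0, F2 and O4 alone, as chaslang did. The manual AppInit_DLLs check in post 11 is not covered because HijackThis 1.98 has no section for that value, which is why it had to be read with Registrar Lite.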
     
  19. photek

    photek Private E-2

    I'll start the procedure now.
     
  20. photek

    photek Private E-2

    It went fine! :) From how it looks now, the 'Search for...' page isn't coming back :D But no hasty joy, here's the AB log. Log1 and Log2 are saved in the same .txt file

    Thanks!
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cool! Sounds like success! Let me know if it comes back. Thanks for posting those two AB logs. They helped confirm my suspicions that this was NOT an about:blank or HSA related hijack (not that you said it was). I was worried for a second about a new breed.
     
  22. photek

    photek Private E-2

    Nice! Glad to be of service. Thanks a lot chaslang! I'll see you around :D
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
