Help Needed! It's a Mess

Discussion in 'Malware Help (A Specialist Will Reply)' started by RagingBull, Feb 7, 2005.

  1. RagingBull

    RagingBull Private E-2

    Hey there,

    Ok, so cutting to the chase - contracted some annoying homepage hijacking stuff a few days ago that keeps messing with the about:blank setting and throwing random websites into my favorites folder. It's really frustrating and I think it is even interfering with some programs, most specifically AOL Instant Messenger, which shuts down upon receipt or sending of messages. I followed the basic virus tutorial and ran Symantec, HouseCall, Ad-Aware, Spybot, SpySweeper, CWShredder, AboutBuster, Stinger, Kill2Me, and Avast as directed more than once. Hope I didn't do anything incorrectly. This thing will not go away. I have run HijackThis once and am ready to post when you want.

    I'm a patient guy but wow is this annoying. All your help would be appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have completed ALL the steps in the READ ME FIRST sticky, then follow the below guidelines and post your HJT log.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. RagingBull

    RagingBull Private E-2

    Ok, I threw the log into an online analyzer but I'm waiting on some professional opinions before I do anything to the files. Here's the log. Thanks.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your problem lines are:

    C:\WINDOWS\system32\iewt.exe
    C:\WINDOWS\system32\sysgk32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jlyxt.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jlyxt.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jlyxt.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jlyxt.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jlyxt.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jlyxt.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jlyxt.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {B249DC94-2E17-7065-F181-A8A240375B89} - C:\WINDOWS\system32\netvx32.dll
    O4 - HKLM\..\Run: [sysgk32.exe] C:\WINDOWS\system32\sysgk32.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto <--- you should not be using this. It will mask the loading of potential problems that we may need to see.
    O4 - HKLM\..\RunOnce: [iewt.exe] C:\WINDOWS\system32\iewt.exe

    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\addtz32.exe (file missing)

    You have an HSA hijack along with another O15 Trusted host problem that has been a big problem to remove lately.

    Follow the steps in: When all else fails - Generic Solution to HSA (Only the Best) & About:Blank hijack
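As an added example (not code from this thread, from chaslang, or from HijackThis), a small Python triage script that applies the indicators called out above to HijackThis log lines: res:// start pages pointing into a local DLL, an unnamed BHO, O4 launchers, O15 Trusted zone additions and an O23 service whose file is missing. The sample lines are constructed from the excerpts quoted in this thread; the rules, severities and the xxxxx32.exe naming heuristic are this example's own, not HijackThis output.

```python
import re

# Constructed sample: HijackThis lines quoted in this thread (not a full log)
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jlyxt.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {B249DC94-2E17-7065-F181-A8A240375B89} - C:\WINDOWS\system32\netvx32.dll
O4 - HKLM\..\Run: [sysgk32.exe] C:\WINDOWS\system32\sysgk32.exe
O4 - HKLM\..\RunOnce: [iewt.exe] C:\WINDOWS\system32\iewt.exe
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\addtz32.exe (file missing)
"""

# Heuristics (this example's own) for the about:blank / HSA hijack pattern.
# Each rule: (sections it applies to, regex on the rest of the line, severity, reason)
RULES = [
    (("R0", "R1"), r"= res://[A-Za-z]:\\.*\.dll", "HIGH",
     "IE start/search page redirected into a resource inside a local DLL"),
    (("R0", "R1"), r"Default_Page_URL = about:blank", "LOW",
     "about:blank alone is benign; listed because the hijacker rewrites it too"),
    (("O2",), r"BHO: \(no name\)", "HIGH",
     "unnamed Browser Helper Object loaded into every IE session"),
    (("O4",), r"RunOnce: \[", "MEDIUM",
     "RunOnce launcher, re-registers a dropper on the next boot"),
    (("O4",), r"\\Run: \[[a-z]{4,6}\d{2}\.exe\]", "MEDIUM",
     "autorun named in the same xxxxx32.exe style as the other hijacker files"),
    (("O15",), r"Trusted (Zone|IP range)", "HIGH",
     "site or IP added to the IE Trusted zone, which relaxes script/ActiveX limits"),
    (("O23",), r"Unknown - .*\(file missing\)", "HIGH",
     "service with unknown vendor whose binary is gone (hijacker service stub)"),
    (("O9",), r"\(file missing\)", "LOW",
     "orphaned toolbar button, harmless but safe to remove"),
]

LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<rest>.*)$")

def triage(log_text):
    """Return [(section, severity, reason, line)] for lines that match a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # process listing, headers and blank lines are skipped
        sec, rest = m.group("sec"), m.group("rest")
        for sections, pattern, severity, reason in RULES:
            if sec in sections and re.search(pattern, rest):
                findings.append((sec, severity, reason, line.strip()))
                break  # first matching rule wins
    return findings

if __name__ == "__main__":
    for sec, sev, why, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec}: {why}\n         {line}")
```

Feed it a saved hijackthis.log to get a ranked list of the lines worth asking about; anything it does not flag still needs a human look, since the rules only cover the pattern seen in this thread.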
     
  5. RagingBull

    RagingBull Private E-2

    Yikes... looks like bad news. So before I follow the step-by-step in the tutorial, should I attempt a direct fix of the lines you pointed out via HijackThis? And how do I correct my usage of msconfig, or should I just leave it alone? Just a couple of thoughts before I dive in. The help is much appreciated.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A direct fix using HJT will not work! You can correct msconfig now or later by running it and selecting Normal Startup.

    Be aware of something. Reboots can cause the HSA hijacker files to spread and mutate into other names. So you will need to make sure what your status is just prior to starting the procedure.

    Also note the procedure I mentioned was for the HSA hijack. It will not fix the O15 Trusted Zone problems. For that you can try the below. But if your infection is the new type, they will come back.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
     
  7. RagingBull

    RagingBull Private E-2

    Hey Dr. C,

    Sorry it's taken me so long but this week was crazy. So, I went through your advice slowly in an attempt to fix the problem. Basically, I got through everything and the only hitches seemed to be the fact that I couldn't create text files in the CTRL-A step because it couldn't find the matching registry for them, but I had HijackThis fix 'em at the later step. Also, couldn't physically find the netvx32.dll error but I think it was fixed as well. The homepage problem seems to be eradicated I think because the normal about:blank screen comes up instead of the garbage HSA stuff. Still have a few problems that may or may not be unrelated... need help :(

    1) Upon reopening internet explorer, the unwanted favorites sites that accompanied the original problem still keep reappearing even after deletion.

    2) AOL Instant Messenger crashes after logging on when I attempt to send or receive a message.

    3) Cannot access www.hotmail.com for some reason, says "Done" at lower left corner. I think this could affect other sites potentially but this is the only one I've ID'd so far. Could it be a problem with cookies or something more? I'm not sure where to go with it.

    I attached the latest hijack log and abuster files after my attempts at correction. Your help, as always, is much appreciated.
     

    Attached Files:

  8. RagingBull

    RagingBull Private E-2

    Ah, in addition... the internet problems I mentioned in the previous post seem to consist of javascript errors of some kind as well as the blank screening when trying to access what I presume to be secure sites like hotmail, and others. I tried downloading the MSJVM javascript removing tool but I keep getting a "Security Alert" box that says my security settings don't allow me to dload it. I'm hoping this stuff is easily fixed but I obviously have no clue where to start. Thanks again.
     
  9. RagingBull

    RagingBull Private E-2

    AAHHh... ok, I just ran another hijack scan and I think this thing mutated or something. Looks like more O4 lines popped up and who knows what else... you could compare it to the previous one I posted yesterday - "hijacklog3". Thanks.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In message number 3 you had HJT installed properly. Why are you running it again from the ZIP file instead of from where directed in my first message?

    Also please go back to the link for HJT given in my first post and redownload it now. A new version just came out. Version 1.99.1. Install it properly and use it from now on.
     
  11. RagingBull

    RagingBull Private E-2

    Wow, I completely forgot. I can't believe I was running it thru the zip. Now I seem to have an even bigger problem however. When I try to download any file... irrespective of source... I get one of two errors... either a window that says Security Alert in the title bar and "your security settings do not allow you to download this" or a white Windows screen that says I am not supported by javascript. I'll attach a new hijack log running from the C: and not the zip. Is there anything I can do to correct these errors?
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First problem: Your OS and IE versions are severely out of date and represent a major security risk. When we finish fixing up your current problems, you must get updated.

    Second problem:

    Make sure you get the latest virus definitions 4429 from McAfee, released today, or you will not be able to download and run HijackThis 1.99.1. McAfee had a bug and detected HijackThis as having a virus in it.

    Observations from your last HJT log:

    Why are you running HijackThis.exe twice? Once from the ZIP file using RAR to run it and once from the proper location. You need to stop and think a little bit about what it is that you are doing. This is getting frustrating.

    C:\DOCUME~1\Avalon\LOCALS~1\Temp\Rar$EX01.275\HijackThis.exe
    C:\Program Files\Hijack This\HijackThis.exe

    Why is notepad running?
    C:\WINDOWS\SYSTEM32\notepad.exe

    Why is Soulseek running?
    C:\Program Files\Soulseek\slsk.exe


    Fixing the about:blank hijacker

    Hopefully things have not mutated since you posted your log. If you have problems finding the stuff I indicated below, you will need to post a new log and then DO NOT REBOOT. These infections spread and mutate during reboots.

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 23.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\system32\atlye32.exe
    C:\WINDOWS\atlwu32.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zdiwd.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zdiwd.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zdiwd.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zdiwd.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zdiwd.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zdiwd.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zdiwd.dll/sp.html#14044
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {389AC733-601B-3D02-177D-935C2D7CD68D} - C:\WINDOWS\system32\ntil.dll
    O4 - HKLM\..\Run: [atlwu32.exe] C:\WINDOWS\atlwu32.exe
    O4 - HKLM\..\RunOnce: [atlye32.exe] C:\WINDOWS\system32\atlye32.exe
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\addtz32.exe (file missing)
    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (sort the listing in Windows Explorer by modification date and look for possibly other similarly named files from the same date - let me know if you find others):
    C:\WINDOWS\zdiwd.dll
    C:\WINDOWS\system32\ntil.dll
    C:\WINDOWS\atlwu32.exe
    C:\WINDOWS\system32\atlye32.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.


    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:Buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice. It is possible that Ad-Aware or another utility can make it difficult to fix this problem. If that becomes the case we may need to disable them or uninstall them before fixing. But let's see what happens with the above first.
     
  13. RagingBull

    RagingBull Private E-2

    Hey Dr. C,

    First off, I'm really sorry about my incompetence in this field. I'm a novice and like you, pretty busy, so forgive my mistakes. OK, so off the bat...

    Couldn't download HSRemove due to blocked dloads off the internet. I have a free version of McAfee and I couldn't update as far as I know. And again, no download = no hijack 1.99.1. But I proceeded anyways.

    During Procedure -
    Killed atlye and the atlwu32 disappeared. But I deleted both files physically. Could not, however, find the ntil.dll file in Windows Explorer. No other files with similar dates. Everything else barring running HSRemove was carried through.

    Results:
    My new set home page seems to be returning on every new session which is great. Also, the stupid sites in my favorites folder have stopped reappearing. Hoping that neither of these problems will return.

    Major downside - I cannot download any sort of file. This security alert window says that my security settings prevent it. Also, sites like hotmail tell me that I don't have javascript enabled or something of that nature. I don't know if I've done something on settings to cause this cuz I can't see it in the hijack logs. Any help in this would be wonderful because I can't do much on the internet without it.

    I'll do my best to prevent rebooting my comp. till your next reply and assessment. Thanks a mill.
     

    Attached Files:

  14. RagingBull

    RagingBull Private E-2

    And here's the post-reboot second ablog file. :)
     

    Attached Files:

    • ab2.log (348 bytes)
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your current log still clean of the hijacker problems? If yes, try a reboot and see if it is still clean.

    How did you get the HJT and About:Buster file version you have on here if you cannot download?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please open Internet Explorer and click Tools, Internet Options. Then select the Security tab and then the Custom Level button towards the bottom. On the next screen in the box at the bottom labeled Reset to: change it to Medium (even if already selected) and then click the Reset button. Click OK.

    Can you download now? What about javascript problems?
     
