help needed with spyware

Have you been able to do anytthing from safe mode?

 

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

After fixing the below problems, you need to go to Windows Update and get the updates for your PC. At a minimum your Internet Explorer is out of date. Who knows what other updates you may be missing.

Is there a reason why you skipped the Symantec online scan while from the READ ME FIRST? It is stated in the READ ME that both online scans must be run. They are not optional steps.

Did you skip anything else?

DO you know what this next process is for?
C:\PROGRAM FILES\ENERGYPLUGIN\ENERGYPLUGIN.EXE

Download this http://www.wilderssecurity.net/downloads/rbkiller.exe
to its own folder and run it (name the folder c:\RBkiller)

This will create a log file named "scanlog.txt" in the same folder as "rbkiller.exe" if RapidBlaster is detected, and will notify the user of the file path/location (plus any other actions that took place during optional clean up). Post that scanlog.txt file back here later.

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\MSQDEVL.EXE
C:\WINDOWS\SVSHOST.EXE
C:\WINDOWS\MSERVICE.EXE

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abosearch.com/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F1576B83-7B3D-11D9-B9AA-FB09AA42F20A} - C:\WINDOWS\SYSTEM\IIDDIE.DLL
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [taskmngr] C:\WINDOWS\taskmngr.exe
O15 - Trusted IP range: (HKLM)
O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.energyfactor.com/dialer/it/activex_261_it.exe
O18 - Filter: text/html - {7CDA52E3-7B60-11D9-B9AA-F7DAE7142A88} - C:\WINDOWS\SYSTEM\IIDDIE.DLL
O18 - Filter: text/plain - {7CDA52E3-7B60-11D9-B9AA-F7DAE7142A88} - C:\WINDOWS\SYSTEM\IIDDIE.DLL
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)


After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\MSQDEVL.EXE
C:\WINDOWS\SVSHOST.EXE
C:\WINDOWS\MSERVICE.EXE
C:\WINDOWS\SYSTEM\IIDDIE.DLL
C:\WINDOWS\TEMP\SE.DLL

The below three file are most likely in c:\Windows or C:\Windows\system. If not found there, look in c:\
iau.exe
stisvsq.exe
lssas.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Let me know if you have any problems finding or deleting any of these files.


Now reboot in normal mode and post a new HJT log. Also post the scanlog.txt file from above. And tell us how things are working.

 

You must remember to exit ALL browsers before running HJT. You had it running again when you made your log.

Well we need to determine what to do with:
C:\PROGRAM FILES\ENERGYPLUGIN\ENERGYPLUGIN.EXE

Does it appear in Add/Remove Progams? If you don't know what this is, I would be suspcious of it.

Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:

regsvr32 /u C:\WINDOWS\TEMP\SE.DLL

then click OK. If a dialog box confirming this action appears, click OK.


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O15 - Trusted IP range: (HKLM)

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\TEMP\SE.DLL

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
If you do not find the file this way. Reboot to a command prompt window (similar to how you boot in safe mode but choose command prompt)
Then at the C:\ prompt type the following commands each follow by the enter key:
cd c:\windows\temp
attrib -r -h -s *.*
del se.dll
win

That last command should startup Windows for you.

Post a new HJT log now!

 

Well not really! Now you show more of the problem. Possibly another form of an about:blank hijack.

Were you able to do what I asked last time from the command prompt? This is very important. Did you boot to a command prompt? I don't mean open a command prompt window while Windows is running. You must reboot and select the option for command prompt only.

If you did that correctly, were you able to delete the se.dll file as requested.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).

For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {506277C3-7D26-11D9-B9AA-44450EDB4EBD} - C:\WINDOWS\SYSTEM\MBDF.DLL
O4 - HKLM\..\Run: [EnergyPlugIn] C:\Program Files\EnergyPlugIn\EnergyPlugin.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O15 - Trusted IP range: (HKLM)
O18 - Filter: text/html - {506277C2-7D26-11D9-B9AA-44456197EB26} - C:\WINDOWS\SYSTEM\MBDF.DLL
O18 - Filter: text/plain - {506277C2-7D26-11D9-B9AA-44456197EB26} - C:\WINDOWS\SYSTEM\MBDF.DLL

After clicking Fix, exit HJT.

Boot into reboot to the COMMAND prompt and then at the C:\ prompt type the following commands each follow by the enter key:
cd c:\windows\temp
attrib -r -h -s *.*
del se.dll
cd C:\WINDOWS\SYSTEM
attrib -r -h -s MBDF.DLL
del MBDF.DLL

Now Power down your PC. Wait a minute and reboot in normal mode.

And come back here and tell l me if you have any problems or get any error messages deleting any of these. And post a new HJT log.

 

Okay! But it is back! What about my new directions? Did you do them?

 

Everything seems to be cleaned up but these two:


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
O15 - Trusted IP range: (HKLM)

Try fixing them again!

Tell me if they come back!

 

Please download: http://www.atribune.org/downloads/HSFix.zip

Extract the tool from the ZIP File to a folder you can easily find (preferably in its own folder - like c:\HSFix). It should have a ReadME included with instructions on how to run it and how to collect the log it produces.

Please run the tool as directed and attach the log it produces.

 

Just extract the files from the ZIP file as indicated and do the below:

Boot to Safe Mode</B>, open the HSFix Tool folder and DoubleClick hsfix.bat and let it run. It will produce a log here - C:\hslog.txt
Boot back to normal mode and post the hslog.txt file as an attachment.

 

Okay! That did not find any problems. What spyware removal/detections programs are installed on you PC right now? Provide me a full list. I have seen many cases lately were the spyware removal/detectors were preventing changes from being made because the changes appear to be just like that of a malware program so they block it or reset it after you make the change. In some instances just removing these programs (sometimes disabling them is good enough) and then making the changes helps. I have had several cases where it was all the Symantec/Norton tools that was making it difficult to fix the problems.

 

Please download the latest HijackThis 1.99.1 and with all browsers closed have it fix the below lines. Let's see what that does.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
O15 - Trusted IP range: (HKLM)

Now run the following items (run them in normal boot mode):

Symantec Security Check
Bitdefender online scan
RavAntivirus online scan <-- select Auto Clean then click Scan My PC
TrojanScan online scan

a-squared (a²) Free edition free but requires an email address to register
avast! Virus Cleaner Tool

Do a windows file search for 124530.exe . Do you find it this way?

 

I do not see that se.dll file in your log.

What I do see is:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone

All of those should be fixed. I think we may need to remove the one on the R1 line manually. With Internet Explorer open, click Tools, Internet Options, Connections, Lan Settings, Advanced and go to the bottom part of the form where it says "Do not use proxy server for addresses beginning with:"
and look in the box below for https:// and highlight it and delete it . The OK your way out.

Afterwards post a new HJT log.

 

Before trying to click the Advanced button select the Use Proxy server button first. Then see if you can select Advanced and look for that info.

When you come back out, uncheck the use proxy server selection.

 

Okay! I want you to install the latest version of MS Antispyware from here:

Microsoft® Windows AntiSpyware 1.0.509 (Beta 1)

And then exit ALL applications especially browsers and run it and lets see what it finds.

 

Sorry! I forgot the MS Antispyware does not work on Win9x.

I have never used Adware Away. I know their pages indicate that they remove something like 8 variants of about:blank. I guess there are three questions:
1) does it really work
2) does it work for the type you have
3) do you have to buy it to find out the answer to the above two questions. Or is there a trial version that will actually work.

I have other procedures that have worked many times on Win9x platforms. Let me know if you want to continue!

 

Okay so I assume you tried Adaware Away and it did not work. If you did install it, uninstall it now since it did not work anyway and is only a trial. I don't want it to be in our way.

I want to try using one more spyware removal tool that has help in some cases with these hijacks. Please download and install Spy Sweeper This is a trial version and it allows you to update upon install to the current reference/detections. Make sure you do that. But do not start the scan yet. It also has a load of protection features but some of them we are going to disable at one point to reconfigure system defaults. Make sure you use the settings I request (even for home page for now).

I want you to click the Shields icon in the left column. And then select IE Home Page Shield
Make sure that only the following check boxes and no others are checked.
- IE Favorites
- IE Tracking Cookies Shield
- IE Hijack Shield
- Edit IE Hijack Shield Settings
- IE Home Page Shield (maintains the following)
- IE Search Page Shield (maintains the following)

Uncheck all others.

Then click the button that says Reset IE Page Settings to Defaults and click Yes on the popup window. Now under the IE Home Page Shield (maintains the following) selection set your home page to http://www.majorgeeks.com and then click the Save button

Okay almost ready to Sweep but not yet!

First print these instructions or save locally because you must be physically disconnected (unplug cable from your dial-up, cable, or ADSL modem or router that goes to your PC so that physical connectivity is impossible) and exit all browsers before continuing. Also exit any other programs you are running.

OK! Now click the Sweep Now and then click Start button. Now go take a break and let this run to completion (undisturbed - don't do anything else).

Edit added the below:
Save the log from Spy Sweeper and post it back here when you come back later.
Now exit SpySweeper and run HijackThis and fix any of those lines we have been fixing.
(Too bad you did not post a current log before). Here is what you last had, so fix these lines if still present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: (no name) - {D761A6B8-8178-11D9-B9AA-A277B9ABC5EC} - C:\WINDOWS\SYSTEM\OPLEA.DLL
O18 - Filter: text/html - {D761A6B7-8178-11D9-B9AA-A277C834519E} - C:\WINDOWS\SYSTEM\OPLEA.DLL
O18 - Filter: text/plain - {D761A6B7-8178-11D9-B9AA-A277C834519E} - C:\WINDOWS\SYSTEM\OPLEA.DLL

Now reboot in safe mode and delete if found:
C:\WINDOWS\TEMP\se.dll <--- in fact delete all files and folder here that it lets you delete
C:\WINDOWS\SYSTEM\OPLEA.DLL

Empty your Recycle Bin

Reboot in normal mode (do not connect cable or open a brower yet). Note if Spy Sweeper detects anything (write it down) and allow it to fix it. Run HijackThis and see if any of those lines came back. If so, fix them again.

Now reconnect your cable and open one browser session and then close it. Did SpySweeper detect anything now? If not, skip down to Point3. If so, DO NOT fix it YET. Just don't answer the prompt yet. Just tell me at point number 2 Spy Sweeper detected changes. Get a current HijackThis log and save it. Call it point2.log . Now from this point forward including the below steps, anything SpySweeper detects fix. So fix the already detect problem from point 2 if there was one. Now skip to FINISH

Point3
Get a new HijackThis log and call it point3.log

Now run your browser again and come back here and post your Spy Sweeper log and any HijackThis log from the above procedure.

If this does not work, we will need to identify a possible hidden Streaming DLL and then use another procedure I call the Power Plug Pull method.

 

If you see this, do not start the procedure yet. I'm making some edits to add some steps. I'll tell you when done and you will see a red edit note.

 

OKAY! Procedure updated! Give it a go!

 

Please clarify. Do you mean you launched IE while not internet connection was possible and the https:// line was gone? And then you actually went on line and used IE and the line came back then?

I did not even have it in the list to fix?

 

How do you connect to the internet (dial-up, cable, or DSL)? If cable or DSL, do you have a router?

 

If you use DSL, you are always connected as soon as you PC is up! Whether you are running a browser or not, you PC is connected.

You need to install a firewall!

See this thread and take all the steps: How to Protect yourself from malware!

 

ADSL provides a permanent connection to the DSL modem and the DSL modem provides a permanent Ethernet connection to your PC. You are always connected physically whether browsing or not.

Get a firewall now!

 

You already should have had Spybot since your first post!
Did you install this: Spybot - Search and Destroy DSO Exploit Fix
Also try using a different server for the updates to work. If that does not work try the below:
Spybot Search and Destroy Detection Update

Could you be more specific on the below statement:

What file?

 

Post a new HJT log too!

 

Are you choosing the Destination folder where you install Spybot too?
If you run Spybot, what version does it indicate?

Is the SpywareBlaster error occurring at installation or at run time?

 

Please go to the folder where you downloaded SpywareBlaster to (use Windows Explorer) and right click on the spywareblastersetup.exe file. Tell me what you get for the file size in bytes.