help win-eto, about:blank

Discussion in 'Malware Help (A Specialist Will Reply)' started by ajjbplummer, Nov 1, 2005.

  1. ajjbplummer

    ajjbplummer Private E-2

    I've followed your READ ME FIRST to try and get rid of this with no success. It just keeps coming back. The Microsoft AntiSpyware seems to block most of it. I tried Adware Away but it keeps coming back.

    I have an AMD 3000+, 512 MB RAM, 160 GB hard drive, running Windows XP Media Center Service Pack 2.
    Hope you can help.

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\sysbho.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.295.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?product=ssearch&src_id=312&it=1107294948&client_id=110729495900000001143738300220&version=g_4.4.2
    O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
    O4 - HKLM\..\Run: [System Helper] syshlp.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - AppInit_DLLs: sysmain.dll


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\sysbho.exe
    C:\WINDOWS\System32\syshlp.exe
    C:\WINDOWS\System32\sysmain.dll

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to C:\Windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right-click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  3. ajjbplummer

    ajjbplummer Private E-2

    I killed process C:\WINDOWS\system32\sysbho.exe and when I hit Scan in the lower left corner nothing happened, so I hit Back in the lower right. It went back, then I hit Scan and I got a different scan this time with win-eto. The Microsoft is no longer blocking the attempted change to the address bar and now the default is win-eto.
    Thanks for helping, and here is the latest HijackThis scan.

    PS: I also added a new printer through USB in between posts, hopefully this does not matter.

    Last edited: Nov 2, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you provide more feedback on the steps and deleting files? I still see some items I asked you to fix last time in your log:


    O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
    O4 - HKLM\..\Run: [System Helper] syshlp.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - AppInit_DLLs: sysmain.dll

    Did you fix these with HJT? Did you find and delete the files in safe mode?
     
  5. ajjbplummer

    ajjbplummer Private E-2

    Attempted to fix
    O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
    O4 - HKLM\..\Run: [System Helper] syshlp.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - AppInit_DLLs: sysmain.dll
    and also
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.295.ca

    Got an error message:
    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: sysmain.dll)
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.

    After booting in safe mode, was unable to find files
    C:\WINDOWS\System32\sysbho.exe
    C:\WINDOWS\System32\syshlp.exe
    C:\WINDOWS\System32\sysmain.dll
    Hidden and system files and folders were check-marked to view.

    Ran CCleaner and reset web settings; new HJT log included.
    Internet opened win-eto again.

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well some of those lines are gone now! What did you do? Did you run the steps again?

    Please download this tool: Pocket KillBox. Just extract it to its own folder for later use. Do not run it yet.

    Please print out or save these instructions locally so that you can operate with All Browser Windows CLOSED. Do not open a browser until instructed to do so.

    OKAY! CLOSE ALL BROWSERS NOW BEFORE CONTINUING!!!

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=0
    O20 - AppInit_DLLs: sysmain.dll

    After clicking Fix, exit HJT.


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KillBox one at a time. Check-mark the box that says "Delete on Reboot" and check-mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: certain files in the list below may not exist but we need to check for them anyway.

    C:\windows\sysmain.dll
    C:\windows\system32\sysmain.dll

    If Killbox does not reboot after entering the second file name or if you get a Pending Operations type error message just reboot your PC yourself.

    You may receive an error message after rebooting that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    Now Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Now we need to Reset Web Settings: (Please use www.majorgeeks.com for your home page for now until we get things fixed.)
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right-click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK.

    Now reboot again into normal mode and get a new HJT log. Open your browser and come here and post the new log. And tell us how things are working and how these steps went.
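    As an added example (not part of the thread, of HijackThis or of MajorGeeks): a small Python parser for the R0/R1, O4 and O20 lines chaslang lists in this post and in post 2. It splits each line into registry location, value name and data, then flags entries that reference the file names and domains named in this thread, so the same triage can be run over a pasted HJT log instead of eyeballing it. The sample log and indicator list are constructed from lines quoted in the thread; the AppInit_DLLs key path is the standard one and is not shown in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines quoted in this thread plus one benign Start Page (www.majorgeeks.com).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [System Helper] syshlp.exe
O20 - AppInit_DLLs: sysmain.dll
"""
# File names and domains named in this thread, lower-case for matching.
INDICATORS = ("sysbho.exe", "syshlp.exe", "sysmain.dll", "win-eto.com", "295.ca", "starware.com")

@dataclass
class HjtEntry:
    section: str   # HJT section code: R0, R1, O4, O20, ...
    location: str  # registry key (or load mechanism) the entry lives in
    name: str      # value name or Run label
    data: str      # URL, path or DLL list HJT reported

# R0-R3: "<key>,<value> = <data>"; O4: "<key>: [<label>] <command>"; O20: "AppInit_DLLs: <dlls>"
_REG = re.compile(r"^(R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
_RUN = re.compile(r"^(O4) - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<data>.*)$")
_APPINIT = re.compile(r"^(O20) - AppInit_DLLs: (?P<data>.*)$")
_APPINIT_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"  # standard O20 location

def parse_line(line: str):
    # Return an HjtEntry for a supported R0-R3/O4/O20 line, None for anything else.
    line = line.strip()
    for rx in (_REG, _RUN, _APPINIT):
        m = rx.match(line)
        if m:
            g = m.groupdict()  # _APPINIT has no key/name groups, so the defaults apply
            return HjtEntry(m.group(1), g.get("key", _APPINIT_KEY),
                            g.get("name", "AppInit_DLLs").strip(), g["data"].strip())
    return None

def triage_log(text: str, indicators=INDICATORS):
    # Parse every line and return [(entry, reasons)] for entries that need a look.
    flagged = []
    for e in filter(None, map(parse_line, text.splitlines())):
        reasons = [f"matches indicator {i}" for i in indicators if i in e.data.lower()]
        if e.section == "O20" and e.data:
            reasons.append("AppInit_DLLs entry: loaded into every process that maps user32.dll")
        if e.section == "O4" and "\\" not in e.data:
            reasons.append("Run command has no directory; resolved via the PATH search")
        if reasons:
            flagged.append((e, reasons))
    return flagged
```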
     
  7. ajjbplummer

    ajjbplummer Private E-2

    So far it seems to have worked.
    I also fixed

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://win-eto.com/hp.htm?id=0
    after running HJT; hope this was OK???

    Got another unexpected error running HJT fix; should I report it to them??

    Noticed CCleaner only seemed to delete files from one user, the one logged on. Just an observation.
    Thanks again for all your help.
    New HJT log included.

    Last edited: Nov 2, 2005
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not fixed yet! I still see one of the processes we have deleted before and some other lines in HJT are still there:

    Kill the below process with HJT.
    C:\WINDOWS\system32\sysbho.exe

    Then have HJT fix the below:
    O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\system32\sysbho.exe
    O20 - AppInit_DLLs: sysmain.dll

    Then use Pocket Killbox to delete on reboot the below:
    C:\windows\sysmain.dll
    C:\windows\system32\sysmain.dll
    C:\WINDOWS\system32\sysbho.exe

    After allowing Killbox to reboot, post a new HJT log. Also provide feedback on the above steps!

    You may need to search your system for the sysmain.dll file! But first you need to configure search as indicated here: Searching for Hidden Files on WinXP. Tell me if and where you find the sysmain.dll file.
     
  9. ajjbplummer

    ajjbplummer Private E-2

    Followed your instructions: got an unexpected error trying to fix
    O20 - AppInit_DLLs: sysmain.dll with HJT.

    Unable to find the sysmain.dll file.

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It seems to be gone now. Hopefully it stays that way after another reboot.

    How are things working now? If everything is back to normal, it is time to work through the below:

    How to Protect yourself from malware!


    I will not be around until about 11/15 but one of our other capable Malware Fighters can continue to help you if it is necessary.
     
  11. ajjbplummer

    ajjbplummer Private E-2

    So far so good

    Thanks for all your help!!!
     
