Help with OTB Pop Ups and HSA Please!

I think HSremove has new steps, requiring you run it twice, you should run Hijack This and remove the lines. If your not sure which lines, post your log file and I, or one of us, will look at it.

 

http://majorgeeks.com/download4289.htmlWhen you first started following the steps, did you actually find the NSS running? If so, did you write down the Path to Executable? And what was it?

Check right now to make sure it has not enabled itself again? If it has then disable it again.

Download about:Buster and read the directions on using it on the download page. Do not run it yet.

Download ProcessExplorer and run it. Have it kill the following processes (if found). Tell me which ones you find running:
ntxc32.exe
ippa32.exe
addpj32.exe
apidu.exe
winit.exe
mscx.exe
sdkpx32.exe
msxp.exe
ntis32.exe
ipnn.exe

Now shut down all applications (especially Internet Explorer) and disconnect your analog modem or ethernet cable (for ADSL or Cable modems) from your PC to physically remove connectivity to the internet. Do not run Internet Explorer again until told to.

Now run about:Buster, Hit start and then Ok. The program should start scanning. Copy and Paste the results of the scan into a file. Then hit exit and reboot.
Once rebooted run about:Buster once more to make sure everything is ok. Again copy & paste the results of the scan into a file. Run HijackThis right and if you see any lines indicating the presence of the hijacker in your log file, have HijackThis fix them. I have attached copies of the lines from your previous log that were related to the hijack.

Reconnect your physical connection to the internet and post the results of the two about:Buster scans back here. Also post a new HijackThis log. You can combine all these logs into one text file attachment.

If you are still having a problem with the hijacker do not shut your PC down or reboot at this point. Just wait for a response from me. You can shutoff your monitor and drop your connection to the internet but do not reboot. This hijacker mutates when you reboot and when you start Internet Explorer.

You have some other problems we will need to clean up too (later). WeatherBug and msopt.dll (msopt.dll is from the Winshow Trojan).



Edit: I forgot the attachment.

 

Yes, it is useful to know the path to executable. When you just checked now. You said it was not running but was it still there?

 

Before starting make sure you know how to view hidden and system files: http://forums.majorgeeks.com/showthread.php?t=37650
Run ProcessExplorer again and kill any of the below if found (look for multiple occurrences too):
apidu.exe
addpj32.exe
ntxc32.exe
ippa32.exe
winit.exe
mscx.exe
sdkpx32.exe
msxp.exe
ntis32.exe
ipnn.exe


Then disconnect from the internet (physically) and boot into safe mode.
Now run About:Buster twice (that should result in 4 scans. Save the results.

Now while still in safe mode fix the following lines with HijackThis if still there:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rgczx.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rgczx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rgczx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rgczx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rgczx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rgczx.dll/index.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {58A9849D-12E0-4CBB-4B4C-84249CEA038D} - C:\WINDOWS\mskj32.dll
O4 - HKLM\..\Run: [ntxc32.exe] C:\WINDOWS\system32\ntxc32.exe
O4 - HKLM\..\Run: [ippa32.exe] C:\WINDOWS\system32\ippa32.exe
O4 - HKLM\..\Run: [addpj32.exe] C:\WINDOWS\system32\addpj32.exe
O4 - HKLM\..\RunOnce: [winit.exe] C:\WINDOWS\winit.exe
O4 - HKLM\..\RunOnce: [mscx.exe] C:\WINDOWS\system32\mscx.exe
O4 - HKLM\..\RunOnce: [sdkpx32.exe] C:\WINDOWS\sdkpx32.exe
O4 - HKLM\..\RunOnce: [msxp.exe] C:\WINDOWS\msxp.exe
O4 - HKLM\..\RunOnce: [ntis32.exe] C:\WINDOWS\system32\ntis32.exe
O4 - HKLM\..\RunOnce: [ipnn.exe] C:\WINDOWS\system32\ipnn.exe

Now make sure you can view hidden and system files and delete the following. Let me know which ones you find and if you have any problems deleting any of the ones you do find:

C:\WINDOWS\system32\rgczx.dll
C:\WINDOWS\mskj32.dll
C:\WINDOWS\system32\ntxc32.exe
C:\WINDOWS\system32\ippa32.exe
C:\WINDOWS\system32\apidu.exe
C:\WINDOWS\system32\addpj32.exe
C:\WINDOWS\winit.exe
C:\WINDOWS\system32\mscx.exe
C:\WINDOWS\sdkpx32.exe
C:\WINDOWS\msxp.exe
C:\WINDOWS\system32\ntis32.exe
C:\WINDOWS\system32\ipnn.exe

Now reboot in normal mode and still while disconnect from the Internet run About:Buster one more time (save this log too).
Check you HijackThis log again and delete any of the above items if they reappeared.

Now connect to internet again and send me your AB logs also attach a new HJT log after connecting to the internet.

 

You just use Windows Explorer (not Internet Explorer) and navigate your way thru the directory structure to located them. The left pane shows you the directory tree and the right pane the files and directories within each directory. Just click on a plus sign to expand the view. Experiment a little with it before you start. I'm sure you will see it is pretty easy.

 

If you do not know how to bring up Windows Explorer, click Start, All Programs, Accessories, and Windows Explorer.

 

First question: why didn't you download About:Buster from the link I gave you a while back. You are not using the proper version of About:Buster. The current version is 2.0. You know we put information in our messages for a reason and we have to assume that the directions we give are followed. If they are not followed properly you waste my time and yours.

With all the spyware scanners and virus scanners etc. that are out there, it never hurts to double check to make sure you have the current version. Some of these programs change quite freqently.

 

You need to get those two exe files deleted when in safe mode. You cannot just say, it will not delete and go on. That will just allow it to come back. While in safe mode you may need to run ProcessExplorer again and kill any of these unknown 5 to 8 character random processes and then try to delete the file. If it still does not delete you need to try to take ownership of the files by right clicking on it select Properties. Then click the Security tab and take ownership.
Change the 'everyone special' to 'you > with Admin rights-> FULL control

These two had to be killed and deleted:
C:\WINDOWS\SYSTEM32\ntxc32.exe
C:\WINDOWS\javasf32.exe

And now there is a new DLL to fix and delete (I would assume your hijack has now returned)
O2 - BHO: (no name) - {33AFF50D-3DBF-7B1A-9ED9-47706F9F1C8D} - C:\WINDOWS\system32\atlll.dll

 

Version 2.0 came out 2 days ago (look at the link, the date is 7/29/04)

Did you download the correct version now?

You may have to click refresh in your browser to clear out old cache data.

 

Okay, did you see my message below about killing those new processes and trying to delete those files.

Has your problem actually come back yet?

 

Those are all files from the hijacker. Something is trying to run them. And that is what we are trying to kill.

Please run ProcessExplorer and click File and then Save As. And save the process list. Post it back here as an attachment along with a current HijackThis log (attachment).

 

Select these processes (one at a time) and kill them. Tell me what happens:

javasf32.exe
NTXC32.EXE

 

Two things:
1) see if you can delete those two files now:
C:\WINDOWS\javasf32.exe
C:\WINDOWS\SYSTEM32\ntxc32.exe
Tell me exactly what happens when trying to delete these.
2) check the ProcessExplorer list again and see if anything new has popped up.

 

Shutdown all Internet Explorer and Windows Explorer sessions and save a a ProcessExplorer list.

The open a Command Prompt window by click Start, All Programs, Accessories, Command Prompt. The type into that window,
cd c:\windows
then type
delete javasf32.exe
then type
cd system32
now type
delete ntxc32.exe

Now reopen Internet Explorer and give me that ProcessList and tell me what happens at each step from above.

 

Yes! Your browser is Internet Explorer.

 

Ooop! I typed what the command does not what the command is.

Use 'del' not 'delete'

Sorry.

 

Okay! the javasf32.exe file was delete previously as we wanted.

Now at that command prompt in the c:\windows\system32 directory type this:

attrib -r -h -s ntxc32.exe

tell me what happens.

 

Okay now type:
attrib ntxc32.exe

and tell me what you get. Then try:
del ntxc32.exe

and tell me what you get.

 

Please run About:Buster and show copy its output back here.
Then run HSremove and copy the output from it back here.

Then try to delete the file in the command prompt window again (unless the outputs from AB or HSremove show them deleting it).

 

No! Do them right now!

 

Next do this:

1) First, go here and download Registrar Lite and install it: http://www.resplendence.com/reglite
2) Run it, copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
3) Click the "go" tab
4) Find: "AppInit_Dlls" value on the right side panel.
5) DoubleClick on AppInit_Dlls tell me exactly what you see in the Value field.

 

Also try this:

Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_3

If any are listed, right-click that entry in the right pane and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3

If you find it, right-click it in the right-pane and choose delete.

If you have trouble deleting a key. Then click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

Tell me if any of those were found and if so did you get them delete okay?

 

Okay! As you can see AB keeps finding more problems each time we run it.

Do as I asked in my other two messages.

 

Do you mean you cannot even find AppInit_DLLs or do you mean the value was blank?