Help with OTB Pop Ups and HSA Please!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sandi04, Jul 31, 2004.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run this online scan and tell me if it finds anything:
    http://housecall.trendmicro.com/housecall/start_corp.asp <--- Select Auto Clean.

    Then download DelLater from here: http://www.diamondcs.com.au/index.php?page=dellater
    And let's try to use it to delete the stubborn C:\windows\system32\ntxc32.exe at reboot.

    To DelLater A File...

    1. Run dellater.exe <filename> <---- from the command prompt

    so you will use dellater C:\windows\system32\ntxc32.exe

    2. Reboot (whenever you like).
    That's all that's required. After rebooting and logging in you'll be able to see that the file you specified is no longer there.

    See if the file is gone now after you reboot.
    Now post a new HJT log attachment.

    That's it for me tonight. I have an early morning tomorrow. Catch you later tomorrow.
     
  2. Sandi04

    Sandi04 Private E-2

    OK, thanks for your help today. I'll do those things and post the logs. Goodnight!
     
  3. Sandi04

    Sandi04 Private E-2

    I ran Trend housecall and it found 31 infected files called TROJ POUTER.A, TROJ AGENT.Z1, TROJ AGENT.PA, and TROJ WINSHOW.AG. The ntxc32.exe one said it could not access and all the rest said non cleanable. I couldn't copy or save the log, but I wrote it all down in case you needed it. I deleted all of them except for the ntxc32.exe which was in use and could not be deleted.

    I downloaded dellater and have been trying to run it from command prompt but I can't get it to accept any of the commands I've tried. What exactly do I need to type in command prompt?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    From the command prompt, in the directory where you extracted dellater.exe to, just enter the command I gave you in my last message:

    dellater C:\windows\system32\ntxc32.exe

    If it accepts that command, reboot. And check to see if the file gets deleted.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should also make sure you have all the Critical Updates for your PC installed.

    Goto Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
    and have it scan your PC. Download and install at a minimum, all the Critical Updates.
    Let me know what you were missing.
     
  6. Sandi04

    Sandi04 Private E-2

    I'm trying but I'm obviously doing something wrong. In command prompt, do I put in the address to where dellater is saved? Which is this C:\Documents and Settings\Sandi\Desktop\dellater and then put that command after it? I tried that and it says that dellater is not recognized as an internal or external command.
     
  7. Sandi04

    Sandi04 Private E-2

    Ok, I did that and it says there are no critical updates available at this time.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't save items like this to your desktop unless they specifically ask to be put there (but even then it is normally not necessary). To make it easy on yourself, just extract the file to c:\

    Then when you go to the command prompt, you have to first change directories (that's the CD command). So you enter cd c:\ Now at the c:\> prompt enter the following:

    dellater C:\windows\system32\ntxc32.exe

    If that is accepted, reboot. And let me know if it worked.
     
  9. Sandi04

    Sandi04 Private E-2

    Oh ok. I extracted it to file c:\ and entered the commands, then it said file marked for deletion after reboot.

    I rebooted and here is the new HijackThis log. I think it's still there :(
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First thing please get new HijackThis program (just came out): http://www.majorgeeks.com/download3155.html
    and use it from now on.

    It is still in your log (along with a new file):
    O4 - HKLM\..\Run: [ntxc32.exe] C:\WINDOWS\SYSTEM32\ntxc32.exe
    O4 - HKLM\..\Run: [atlll.exe] C:\WINDOWS\system32\atlll.exe

    But also if you look at the running processes that javasf32.exe file is back:
    C:\WINDOWS\javasf32.exe
    C:\WINDOWS\system32\atlll.exe

    Did you actually check to see if ntxc32.exe was actually deleted or not? Go to the directory and look for it.

    Please look in Add/Remove programs for WeatherBug or something with Weather (maybe WeathCast) and uninstall it. This is a big adware problem especially if you do not have the version that you buy. Let me know if you found it and were able to uninstall it. These lines in HijackThis should go away if it is uninstalled:
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)

    Try killing the three bad processes (see below) with ProcessExplorer and then run about:Buster (in normal mode). Save the log.
    ntxc32.exe
    atlll.exe
    javasf32.exe

    Fix these lines with HijackThis:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpeus.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpeus.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hpeus.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hpeus.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpeus.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpeus.dll/index.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {33AFF50D-3DBF-7B1A-9ED9-47706F9F1C8D} - C:\WINDOWS\system32\atlll.dll
    O4 - HKLM\..\Run: [ntxc32.exe] C:\WINDOWS\SYSTEM32\ntxc32.exe
    O4 - HKLM\..\Run: [atlll.exe] C:\WINDOWS\system32\atlll.exe
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/254d4e8798a8779d6e14/netzip/RdxIE601.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

    Now reboot in safe mode and make sure you can view hidden files and delete (keep track of what you can find and delete for me). When deleting these also look for the same filenames but with different extension types (like .DAT, .EXE , .DLL). So for example, look for atlll.dll, atlll.exe, and atlll.dat. Delete all of them.
    C:\WINDOWS\msopt.dll
    C:\WINDOWS\system32\hpeus.dll
    C:\WINDOWS\system32\atlll.dll
    C:\WINDOWS\javasf32.exe
    C:\WINDOWS\SYSTEM32\ntxc32.exe
    C:\WINDOWS\system32\atlll.exe

    Then run About:Buster again in safe mode and save log.

    Now reboot normal come back and tell me all the results (post logs from AB) also a new HijackThis log.
     
  11. Sandi04

    Sandi04 Private E-2

    New HiJackThis d/l.

    I looked in the directory for the ntxc32.exe and did not find it.

    I removed Weatherbug.

    I killed atlll.exe and javasf32.exe, I did not see ntxc32.exe running in ProcessExplorer. I ran About:Buster and saved the log.

    Fixed all the lines with HijackThis, then did it again and they were back so I fixed them again and they went away, but I did notice some new ones seemed to have taken their place - ugh!

    I rebooted in safe mode and the only file I found was the C:\windows\system32\atlll.exe so I deleted it.

    I see now you wanted me to run Buster again while in Safe Mode, I must have printed these before you edited that in because it's not on my list :(

    I just ran another HijackThis and I can see it's now something else, so it just keeps changing itself, and I just got an Only the Best Pop Up :eek:

    Here are the about:Buster logs from before the Safe Mode and then a HiJackThis log from right now.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Sandi. We are going to have to go back to a step by step approach on your system. I have modified an older Generic Solution that I had written up a while ago. What I am putting below is mostly tailored for your information based on the last HijackThis log you gave me. Hopefully it will not have mutated when you come back. This is a long procedure and there may be some duplication of things you have done before. Do not be tempted to skip anything. Do all the steps and do them as written and in the order written. Read thru all of this first to see if you understand everything before starting. Ask questions before starting. This step by step approach has worked every time tried (sometimes a little manipulation is even needed here too).

    The difficult area is steps 7 and 8 below. Before starting the steps below, I want you to make sure you have several applications already installed and updated. Click on each of the links and make sure that is the version you are using. Then quickly run the programs just to verify that you have the current updates already installed. It is well worth the time to check this first. Don't just assume you have the correct versions. There have been many instances where we have found that users are not using current versions of applications. We may not use every one of these programs in all cases, but they may be necessary sometimes.

    - Ad-aware
    - SpyBot S&D
    - HSRemover
    - about:Buster
    - HijackThis (just updated to 1.98.1 8/1/2004)
    - Ccleaner
    - ProcessExplorer for Win 9x/Me
    - ProcessExplorer for Win NT/2K/XP
    - Setup Ad-aware to do a full scan (do not scan yet, just learn how to do it for later)
    http://www.lavahelp.com/howto/fullscan/index.html

    Okay, below are the steps we are going to use. Make sure you print these or save them to a file on your PC because I am going to have you disconnect your PC from the internet at a certain point (Not Yet!). Once disconnected, do not connect again until I tell you to do so. In many cases this step has been one of the most important steps. Do not ignore it!!!

    1) If running WinMe or WinXP, disable system restore and reboot! Here's how to disable system restore: http://www.majorgeeks.com/vb/showthread.php?t=31668
    2) Make sure you have enabled viewing of Hidden Files and Folders with Windows Explorer. To see how to do that, see this: http://forums.majorgeeks.com/showthread.php?t=37650
    While doing this, also verify that you do NOT have a check on the option to Hide extensions for known file types.
    3) Make sure you know how to boot in safe mode too (but don't do it yet!):
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    4) Physically disconnect from the internet (pull your ethernet cable if you have DSL or cable modem. If you have an analog modem, drop your connection and unplug the telephone line to the modem.)
    5) Now we are going to use notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijackThis log. To do this click Start, Run, and enter the following command "notepad C:\WINDOWS\system32\oibuw.dll" (without the quotes) and click OK.
    Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file). Now using Windows Explorer, locate the file C:\WINDOWS\system32\oibuw.dll and right click on it and select Properties and change the attributes to Read Only and click OK.
    6) This step only applies to Win2K or WinXP systems. For Win9x and Me based systems you will most likely see additional lines in the O4 section of HijackThis (typically O4 - HKLM\..\RunServices). Check to see if a Windows service named "Network Security Service" is running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now in the Services window that pops up look for Network Security Service. If you find that service, you must stop it by right clicking on it then select stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: " click on the pull down arrow and change it to Disabled. Also on the Properties page, make note of the information in the "Path to executable" box. You are going to use this later.
    If you do not find this service running, just continue with the next steps.
    7) This is where things become difficult. You need to determine the BHO (Browser Helper Object) line added by the hijacker. Normally you will see the hijacker add only one BHO line, however, there have been cases with many of these BHO lines added. Be careful not to confuse the hijacker BHO with valid BHO lines. In your case the current O2 BHO is:
    O2 - BHO: (no name) - {33AFF50D-3DBF-7B1A-9ED9-47706F9F1C8D} - C:\WINDOWS\system32\atlll.dll
    8) You also need to determine all the executable (EXE) files that are loading during Startup. These EXE files can be loaded many different ways. Most of them will show in one of many types of O4 lines that HijackThis can display. From your current log these are your EXE files:
    O4 - HKLM\..\Run: [atlll.exe] C:\WINDOWS\system32\atlll.exe
    O4 - HKLM\..\RunOnce: [crfh32.exe] C:\WINDOWS\system32\crfh32.exe

    Some of these EXE files may only show in the processes list of HijackThis, and some may show in both the process list and the O4 section of HijackThis. This is the hardest part: you need to identify whether these files are good or bad. Try excite.com or google.com (I find excite.com to come up with more useful hits than google.com). Use PacMan's Startup List ( http://www.sysinfo.org/startuplist.php ) to find the entry and see if it's good or bad. You can also use http://www.liutilities.com/products/wintaskspro/processlibrary/ to compare against. My experience is that typically these bad EXE file names will be 4 to 7 characters long + .exe. Sometimes (as shown above) they have a 32 just before the .exe. In addition, when performing all the possible searches listed, you typically do not get any hits describing a valid EXE or even a known other type of bad EXE. You either get no hits or the only hits will be other people's HijackThis logs with the same type of hijack going on. Sometimes you can locate all of these EXE files in c:\windows, c:\windows\system, or c:\windows\system32 easily by using Windows Explorer and sorting on modification date. Look for a date to be anywhere between the time you first got the problem to the current date.

    9) Shutdown (not minimize) all applications (especially IE and Windows Explorer) and run HijackThis. Have it fix all the lines determined to be part of the hijacker in steps 7 & 8. So in your case these 3 lines:
    O2 - BHO: (no name) - {33AFF50D-3DBF-7B1A-9ED9-47706F9F1C8D} - C:\WINDOWS\system32\atlll.dll
    O4 - HKLM\..\Run: [atlll.exe] C:\WINDOWS\system32\atlll.exe
    O4 - HKLM\..\RunOnce: [crfh32.exe] C:\WINDOWS\system32\crfh32.exe

    10) Now reboot in safe mode (via method given in step 3) and then delete all the DLL and EXE file names found in steps 7 and 8. And also if you found the Network Security Service running in step 6, delete the file indicated in the Path to executable! Be careful here: the Path to executable always contains a trailing /s. The /s is not part of the filename. For example the Path to executable could be C:\Windows\system32\javajt32.exe /s but the filename (with path) is C:\Windows\system32\javajt32.exe
    11) This step is for WinXP only. Now also look in c:\windows\Prefetch for all of the above files deleted in steps 7 to 10. If found, delete them too. After deleting all of the items from the steps above, empty your Recycle bin.
    12) Now while still in safe mode, run only HijackThis and have it fix all the R0 and R1 lines that have the typical symptom information. Here are your lines to fix:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\oibuw.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://oibuw.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://oibuw.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\oibuw.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\oibuw.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://oibuw.dll/index.html#37049

    13a) Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    13b) Search the registry for every instance of oibuw.dll (the file from step 5).
    13c) Search the registry for every instance of the suspicious exe files found by Hijack This from step 8. Delete every instance.
    13d) Search your computer for atlll.dll. Delete each instance. Also, look for files with the same name but having an extension of .DAT or .EXE. For example, if looking for atlll.dll, also look for atlll.dat and atlll.exe.
    13e) Search your computer for the suspicious exe files. Delete each instance. Also, look for files with the same name but having an extension of .DAT or .DLL. For example, if looking for crfh32.exe, also look for crfh32.dat and crfh32.dll.
    13f) For WinXP, delete everything in the Prefetch folder in C:\WINDOWS\Prefetch
    13g) Delete Memory.dmp if found in either C:\WINDOWS or C:\WINDOWS\System32
    13h) Run CCleaner and on the Windows tab (you'll see when you run it) leave the defaults and click Run Cleaner.
    13i) For Win NT/2K/XP, run HSRemover (does not support Win9x/Me)
    13j) Run about:Buster (copy the output to a file)

    13k) Also while still in Safe Mode to finish the cleanup process, please do the following:
    Go to Start --> Run and type Regedit then click Ok.
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:
    __NS_Service
    __NS_Service_2
    __NS_Service_3
    If any are listed, right-click that entry in the right pane and choose Delete.

    13l) Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    and highlight Root in the Left Pane. In the right pane, look for these entries:
    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3
    If you find it, right-click it in the right-pane and choose delete.
    If you have trouble deleting a key from steps 13k or 13l, then click once on the key name (LEGACY__NS_SERVICE_ or another name that starts with LEGACY__NS_SERVICE) to highlight it. Then click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

    14) Now (still in safe mode) run Ad-aware Fullscan and then SpyBot S&D and clean what they find.
    15) Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    Click the [+] next to uninstall. Scroll down until you see the NAMES of programs (skip past the lines with numbers in {,} ). See if you can find any of the following listed:
    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of assistant is wrong)
    SA = Search Assistant
    SE = Search Extender
    SW = Shopping Wizzard
    If you find any of them, select one at a time, and hit your delete key. Once you delete all three, you can exit the registry editor.
    As an alternate approach save the following 4 lines to a file called hsafix.reg, then using Windows Explorer double click on the hsafix.reg file and merge the fix into the registry.
    REGEDIT4
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

    16) Now reboot normal mode. And run about:Buster one more time saving the output again.
    17) Before running anything else run HijackThis and save a log.
    18) Reconnect your internet connection and connect here to MG's and post the new log. Then continue running and let's see how everything is working.
    19) After you have gone thru a few reboots and performed some typical surfing and if everything is working okay, re-enable your system restore (again only applies for WinMe and WinXP).
     
    Last edited: Aug 1, 2004
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sandi, I see you logged in again. Make sure you refresh and look at the long procedure again. I was still editing it.

    You may want to check your HJT log (a new one) to make sure nothing has changed.
     
  14. Sandi04

    Sandi04 Private E-2

    ok, I want to make sure I understand everything before I start...

    I made sure I had all those programs and that they are the current versions.

    I tried to click on the link to ad-aware lavahelp to find out how to do a full system scan, but whatever is in my computer won't let me go there. I even tried typing it in manually in the address bar but it takes me to some search page. Is there somewhere else I can find how to do a full system scan?

    I have a question about this:
    5) Now we are going to use notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijaakThis log. To do this click Start, Run, and enter the following command "notepad C:\WINDOWS\system32\oibuw.dll" (without the quotes) and click OK.
    Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file). Now using Windows Explorer, locate the file C:\WINDOWS\system32\oibuw.dll and right click on it and select Properties and change the attributes to Read Only and click OK.


    I understand how to do this, but when I save the empty file, will it put it in the C:\WINDOWS\system32 directory because I just went to look with windows explorer to see if I could find the oibuw.dll file there now and I don't see it. I tried the run command (just to make sure I understood) and it did pull up the file though, so it's there somewhere. I didn't do anything with it, I just wanted to make sure I could pull it up in notepad.

    I checked to see if the Network Security Service was running, and I don't see it there at all. It was there when we first started all this, but ever since I disabled it, it has not come back. So I don't know the "Path to Executable".

    Now, regarding steps 7 and 8. I think I'm lost here unfortunately. Will the only files I'm looking for be in the HijackThis log? So I run the log while I'm still online and go to one of those links and find which exe files are bad and then once I disconnect, I run HijackThis again and fix the ones that I know are bad?

    Would you like me to post a new HijackThis log now to see if it's the same?

    I'm still reading the rest of this again to see what other questions I have...
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For step 5 are you saying you found it and edited it to a blank file with notepad?
    But when you look for it with Win Explorer you cannot find it?
    Do you still have viewing of hidden files/folders enabled?

    Edit: Oh I see you said you did not edit the file yet. Edit it to make it blank! Yes it should go right back into that directory and you should be able to see it.
     
  18. Sandi04

    Sandi04 Private E-2

    No, I didn't do anything with it yet, I pulled it up in notepad and saw it (just to make sure I knew what I was doing) but then I closed it again. I then used Windows Explorer to see if I could find it so that I could change it to read only later and I couldn't find it.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said, it is okay if the NSS is not running. Just continue.
    For steps 7 & 8, only some of the files this hijacker has created will be shown in your HJT log. Obviously those I can easily see but the other ones on your system I cannot see. And you absolutely cannot go back on line during these steps. The reason I said to read thru the procedure to begin with is to identify everything that you need to do ahead of time. I'll have to clarify that because steps 7 & 8 do imply you should go back on line and I do not want that to happen. You can try to find these files ahead of time and make note of them or you can come back later after rebooting and reconnecting to the Internet and look for them and delete them.

    Sure post me a new HJT log and I'll take a quick look.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to be able to locate this file!!! Make sure viewing hidden files and folders is still enabled (also make sure you do not have a check on the option to Hide extensions for known file types).
     
  21. Sandi04

    Sandi04 Private E-2

    So if I'm still unsure of exactly what files (other than the ones in the HijackThis log) are bad, I can delete them after I do all this?

    It doesn't look like the HijackThis log has changed?
     

    Attached Files:

  22. Sandi04

    Sandi04 Private E-2

    I see it! I don't know why, but all of a sudden it's there thank goodness!
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good! Continue with the steps unless you have more questions. Your log looks the same as previously. By the way I updated the procedure to fix the Lavasoft fullscan link and I moved the info that confused you in step 8 up to the beginning area.

    Edit: that is I edited the Generic Link. If you want I can update the procedure I gave you below. The Generic Procedure link is: http://forums.majorgeeks.com/showthread.php?t=38772
     
  24. Sandi04

    Sandi04 Private E-2

    That's ok, I think I understand that part.

    I have one more question I think..

    Step 11) says to look in Prefetch and delete the bad deleted files from steps 7 -10 and then..
    Step 13f) says to delete everything in the Prefetch folder in C:\windows\prefetch. What is that folder? I looked and I saw the bad files in it but I also saw Paint Shop Pro and things I know are ok.

    And my other question.. If I go to Start, Search and Search All Files and Folders and type in the bad file extensions (atlll, oibuw etc..) will it pull them up that way and I can delete them there? Also can I type in the thing from line 13g) Memory.dmp if I don't find it elsewhere??
     
  25. tonyb34us

    tonyb34us Private E-2

    This is my first time "geeking". I got attacked by home assistent. I have tried to kick its tail but can't seem to do it. I have Windows 2000, any suggestions?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start your own thread and see the Generic Procedure thread: http://forums.majorgeeks.com/showthread.php?t=38772
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Anything in Prefetch is deleteable (you don't need them, good programs will come back anyway) but you do not have to delete the Paint Shop Pro stuff.

    Yes you can use Search to find things (including Memory.dmp which may not even exist) but if you use Search you have to enable Advanced options so it will find hidden and system files. This is not the same as what we did before to see hidden files and folders with Win Explorer.
     
  28. Sandi04

    Sandi04 Private E-2

    OK - so it's ok to delete whats in the Prefetch file, and I'll just search for the other files with windows explorer like I've been doing this whole time.

    I think I understand what I need to do now. Thank you, Let's hope this works! ;o)
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! In reality with Win Explorer you are doing the search by clicking and scrolling. The other way you have the computer do it for you but that can take a lot longer since you have to search for files one at a time and it will have to search your whole PC each time. Could take you forever. If you just navigate to C:\windows or c:\windows\system or c:\windows\system32 with Win Explorer you can sort the files by Modification date and probably locate loads of bad .DAT, .DLL, and .EXE files real fast.
     
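Step 8 of the procedure above and the tip in post 29 (sort C:\windows, \system and \system32 by modification date and look at the .DAT, .DLL and .EXE files changed since the trouble started) both describe triage rules that can be written down. What follows is an added example, not code from this thread, from HijackThis or from any of the tools listed: it applies those rules to a constructed sample log and a constructed directory listing (the toolbar BHO, its CLSID, the timestamps and the KNOWN_GOOD set are placeholders made up for the example) and sorts the hits into the buckets the later steps act on.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the lines quoted in this thread plus
# three benign entries (Local Page, a toolbar BHO with a placeholder CLSID,
# and ctfmon.exe). It is not a real saved log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\oibuw.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://oibuw.dll/index.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
O2 - BHO: (no name) - {33AFF50D-3DBF-7B1A-9ED9-47706F9F1C8D} - C:\WINDOWS\system32\atlll.dll
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [atlll.exe] C:\WINDOWS\system32\atlll.exe
O4 - HKLM\..\RunOnce: [crfh32.exe] C:\WINDOWS\system32\crfh32.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
""".strip()

# Stand-in for the step 8 lookup against a startup list or process library.
# A real check consults those sources; kernel32.dll also fits the name rule.
KNOWN_GOOD = {"ctfmon.exe"}

RES_DLL = re.compile(r"res://(?:.*?\\)?(\w+\.dll)/", re.I)
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-F-]+\} - (.+)$", re.I)
O4_LINE = re.compile(r"^O4 - .*?: \[.*?\] (.+)$")
O18_LINE = re.compile(r"^O18 - Protocol: \S+ - \{[0-9A-F-]+\} - (.+)$", re.I)
EXE_PATH = re.compile(r"([A-Z]:\\\S*?\.exe)", re.I)
IN_WINDIR = re.compile(r"^[A-Z]:\\WINDOWS\\(?:system32\\|system\\)?[^\\]+$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def hijacker_style_name(path):
    """Step 8 rule of thumb: 4-7 letters, optionally followed by 32, sitting
    directly in the Windows, system or system32 directory."""
    if not IN_WINDIR.match(path):
        return False
    stem = basename(path).rsplit(".", 1)[0].lower()
    if stem.endswith("32"):
        stem = stem[:-2]
    return 4 <= len(stem) <= 7 and stem.isalpha()


def triage(log_text, known_good=KNOWN_GOOD):
    """Sort HijackThis lines into the buckets the procedure acts on."""
    fix_step9, fix_step12, delete, blank_first = [], [], set(), set()
    for line in log_text.splitlines():
        if line.startswith(("R0 ", "R1 ")):
            m = RES_DLL.search(line)
            if m:  # res://<dll>/ pages are served from the hijacker's own DLL
                fix_step12.append(line)
                blank_first.add(m.group(1).lower())  # step 5, deleted at 13b
            continue
        m = O2_LINE.match(line)
        if m:
            if m.group(1) == "(no name)" and IN_WINDIR.match(m.group(2)):
                fix_step9.append(line)  # step 7
                delete.add(m.group(2))
            continue
        m = O4_LINE.match(line)
        if m:
            exe = EXE_PATH.search(m.group(1))
            if (exe and basename(exe.group(1)).lower() not in known_good
                    and hijacker_style_name(exe.group(1))):
                fix_step9.append(line)  # step 8
                delete.add(exe.group(1))
            continue
        m = O18_LINE.match(line)
        if m and IN_WINDIR.match(m.group(1)):
            fix_step9.append(line)
            delete.add(m.group(1))
    # Steps 13d/13e: the same stem may also exist as .dat, .dll and .exe.
    stems = {basename(p).rsplit(".", 1)[0].lower() for p in delete}
    stems |= {d.rsplit(".", 1)[0] for d in blank_first}
    return {
        "fix_step9": fix_step9,
        "fix_step12": fix_step12,
        "delete_step10": sorted(delete),
        "blank_step5": sorted(blank_first),
        "also_look_for": sorted(s + ext for s in stems for ext in (".dat", ".dll", ".exe")),
    }


# Constructed listing of C:\WINDOWS\system32 with invented timestamps.
SAMPLE_LISTING = [
    (r"C:\WINDOWS\system32\kernel32.dll", datetime(2002, 8, 29)),
    (r"C:\WINDOWS\system32\atlll.dll", datetime(2004, 7, 30, 21, 5)),
    (r"C:\WINDOWS\system32\crfh32.exe", datetime(2004, 8, 1, 9, 12)),
    (r"C:\WINDOWS\system32\oibuw.dll", datetime(2004, 8, 1, 9, 12)),
    (r"C:\WINDOWS\system32\hpeus.dll", datetime(2004, 7, 30, 21, 4)),
    (r"C:\WINDOWS\system32\blank.htm", datetime(2004, 7, 31)),
]
PROBLEM_STARTED, CHECKED_ON = datetime(2004, 7, 30), datetime(2004, 8, 2)


def recently_modified(listing, since, until):
    """Post 29: sort by modification time, newest first, and keep the
    .dat/.dll/.exe files changed between when the trouble started and now."""
    hits = [(p, t) for p, t in listing
            if since <= t <= until and p.lower().endswith((".dat", ".dll", ".exe"))]
    return [p for p, _ in sorted(hits, key=lambda h: h[1], reverse=True)]


def sample_hits():
    return recently_modified(SAMPLE_LISTING, PROBLEM_STARTED, CHECKED_ON)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
    print("recently modified:", sample_hits())
```

The name rule on its own is too loose: kernel32.dll satisfies it, which is why the lookup against a startup list or process library (stood in for here by KNOWN_GOOD) has to come before anything is fixed or deleted. The R0/R1 DLL lands in blank_step5 rather than in the delete list, matching the order chaslang gives in post 31: blank it in step 5, fix the lines in step 12, delete the file at 13b.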
  30. Sandi04

    Sandi04 Private E-2

    OK - I'm on my kids' computer so I could ask another question.. I just noticed line 13b) says to search for oibuw.dll, but it does not say to delete it like 13c) 13d) and 13e). I just want to make sure I'm supposed to delete oibuw.dll if I find it??

    Oh and also in step 10) it says to delete all dll and exe files from steps 7 and 8. Does that mean only the 3 from those BHO and 04 lines (atlll and crfh32) Do I not delete the oibuw here??
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes delete all occurrences of oibuw.dll from the registry (make note of where you find it).

    In step 10 you cannot delete the DLL referred to by the R0 & R1 lines yet. Delete the oibuw.dll file in step 13b (I have to edit that step).
     
  32. Sandi04

    Sandi04 Private E-2

    Ok great, I was worried you wouldn't be around and I'd have to guess - ack! So I deleted the atlll and the crfh32 but left the oibuw there and am now going to step 12 and running hijackthis.

    I just thought of something else.. By registry, you mean look with windows explorer in the c:\windows\system32 folder for it, or will it also be in other places?
     
  33. Sandi04

    Sandi04 Private E-2

    One more question..

    I just ran HijackThis in safe mode and fixed all the R0 and R1 lines. I noticed this line still there but it had (file missing) after it. Should I leave that there or fix that line too?

    02-BHO:(no name) - {33AFF etc..} - C:\WINDOWS\SYSTEM32\atlll.dll (file missing)
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! The registry is edited by using the Windows registry editor called regedit. You bring it up by clicking Start, Run, and then in the Open box type in "regedit" without the quotes and click OK.
    Then to start at the beginning of the registry for each search click on the My Computer icon in regedit. Then click Edit and then Find. Enter what you are looking for and click Find next. At that point, if you find a match click F3 to continue the same search until you hit the end of the registry. Then start the procedure over again for the next item you are looking for. There could be multiple occurrences of items, which is why you use F3 to continue the search. Be careful using regedit. Make sure you only delete these bad items, nothing else.

    Now I am going to be disconnecting real soon. Anything else?
     
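    The Edit > Find, then F3 sweep described in the post above, done in one pass as an added example (this is editor-supplied code, not part of the original thread, and PowerShell did not exist when the thread was written). It reports every registry value under the chosen hives whose name or data mentions one of the file names from this thread, and flags values that point at a file which no longer exists, the way HijackThis marks "(file missing)". The default search roots, the column names and the reporting format are my assumptions; the script only lists matches and deletes nothing.

```powershell
# Added example: one-pass equivalent of regedit's Edit > Find / F3 sweep.
# Reports only; it never deletes anything. Roots and output columns are assumptions.
param(
    # File names taken from this thread
    [string[]]$Patterns = @('oibuw.dll', 'atlll.dll', 'crfh32'),
    # Where HijackThis O2 (BHO), O4 (Run keys) and CLSID entries live (assumed roots)
    [string[]]$Roots    = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
                            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion',
                            'HKLM:\SOFTWARE\Classes\CLSID')
)

# Build one alternation so each value is tested once, with literal (escaped) names
$regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

foreach ($root in $Roots) {
    # SilentlyContinue skips keys the current account is not allowed to read
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                # GetValueNames() returns '' for the (Default) value
                $data = [string]$key.GetValue($name)
                if ($name -match $regex -or $data -match $regex) {
                    # If the data looks like a DLL/EXE path, check it still exists
                    $missing = $null
                    if ($data -match '^"?([A-Za-z]:\\[^"]+?\.(dll|exe))') {
                        $missing = -not (Test-Path -LiteralPath $Matches[1])
                    }
                    [pscustomobject]@{
                        Key         = $key.Name
                        Value       = if ($name) { $name } else { '(Default)' }
                        Data        = $data
                        FileMissing = $missing
                    }
                }
            }
        }
}
```

    Run it from an elevated PowerShell prompt and pipe the output to Format-Table or Export-Csv to keep a record of where each entry was found, which is the "make note of where you find it" step from the post above. Recursing HKLM:\SOFTWARE\Classes\CLSID is slow on a large system; narrow the roots once you know which keys matter.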
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can fix that too. We would have caught that later but now is okay too.
     
  36. Sandi04

    Sandi04 Private E-2

    Oh I sure am glad I asked! Hopefully I'll be able to figure that out when I get to that point! :)
     
  37. Sandi04

    Sandi04 Private E-2

    ok - Hopefully that's it! Thank you!!
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  39. Sandi04

    Sandi04 Private E-2

    Ok, well I did everything. I'm holding my breath here waiting for Pop Ups, so far none, but I haven't tried to go anywhere yet. I'll try surfing around a bit.

    Here are the Buster Logs (1 from safe mode and 1 after reboot) and the HiJackthis log (after reboot and Buster). It looked clean, so we'll see!
     

    Attached Files:

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Logs looked good! Usually if you have rebooted a couple times and have opened and closed Internet Explorer a couple of times with no problems and no signs of the hijacker in the HJT log, you are okay. So let's hope we have eliminated the pestilence! ;)
     
  41. Sandi04

    Sandi04 Private E-2

    I surfed around a bit last night and it seemed ok. I'll play around a little and reboot a couple times now to see what happens, fingers crossed! :)
     
  42. Sandi04

    Sandi04 Private E-2

    OK! Well I rebooted a few times and opened IE and closed it and opened etc.. I ran HijackThis a couple more times after each reboot to see if anything new was showing up and it looks clear!! :o)

    Now, When I use windows explorer, I can still see the oibuw.dll file (the read only one I guess) in the C:\windows\system32 folder. Should I delete it from there? It's a lighter color than the rest in there so I guess that means it's a hidden folder?

    And then I had a few more questions about some programs on my computer, what I should use and not use etc.. (you mentioned at the beginning there were a few things I needed to clean out?)
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes delete the C:\windows\system32\oibuw.dll file ASAP!

    I believe I had you cleanup the other items along the way. There was msopt.dll and WeatherBug that I had you fix already. I believe everything else is gone.

    What other questions do you have?
     
  44. Sandi04

    Sandi04 Private E-2

    OK good, I deleted it. :)

    I wanted to know what spyware programs I should keep. I have Webroot Spy Sweeper running because a friend told me to download it, and while I had this HSA thing it did stop my homepage from changing, but do I need to have that or is there another one I should have instead? And all the programs I d/l.. adaware, buster, spybot, hsremove, Registrar Lite, shredder etc.. Should I keep them all on my computer or delete them?

    Also, when I got RealPlayer, I also got a Google Toolbar because it said it had a popup blocker in it. It seems to work well for popups, is this a good toolbar to have or can you suggest something else?

    And, is there anything I can do to make sure I don't get this awful thing back on my computer?

    Oh and I really like weatherbug, I liked having the temp show in my tray, is there another weather thing you know of that's better to use?
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Keep all the programs you downloaded and keep them up to date. You never know when you will need them. Several have no install programs anyway; they are just click-and-run, like HSremove, AB, and HijackThis.

    I like SpySweeper myself and have a registered version I keep up to date. It appears to work well in blocking problems (even the free version does).

    SpywareBlaster and SpywareGuard are two other good (and they are free) programs to use.

    Do you have a firewall installed?
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You could use Mozilla Firefox instead of Internet Explorer to help avoid problems like this.

    I would not use programs like WeatherBug or WeatherCast. They are the cause of way too many problems. Losing the ability to see the temperature in your system tray is a small price to pay in order to have a better running PC without spyware/adware.

    Some people say the non-freeware version of WeatherBug does not have the same baggage that comes with the free version. But after seeing what they have done with the free version, I would not trust them.

    You could go here and put in your city or zip code and get the temperature (the example is for my town). It is more benign but it has a popup or two.
     
  47. Sandi04

    Sandi04 Private E-2

    Ok, I'll keep all of those things then, along with the SpySweeper.

    I'm not sure about the firewall. I am pretty sure I have the Windows firewall turned on (although right now I can't find where it is) and I have a Linksys EtherFast router which I was told helps??
     
  48. Sandi04

    Sandi04 Private E-2

    Ok, I guess I can live without having my weather right in front of me. ;)

    Weather.com had a pop up but my Google Toolbar stopped it, so I guess it's a good thing to have. :)
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The WinXP firewall is okay. But one of the other free software firewalls here on MG's is probably better. Like Sygate Personal or ZoneAlarmFree. If your router is providing a hardware firewall in front of the software firewall that is even better (the two together are very good but nothing is perfect).
     
  50. Sandi04

    Sandi04 Private E-2

    OK, I'm D/L ZoneAlarm now and hopefully that will help block anything else from happening ;)

    Now, I assume I put my system restore back on and hide the files and all that again - right?
     
