Hi, new here

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Oraflora, Dec 22, 2004.

  1. Oraflora

    Oraflora Private E-2

    I have acquired the about:blank hijacker and would like to remove it.
    I know that answer is here somewhere, but a search didn't turn up any results. Any help will be appreciated.

    Thanks,
    D
    Oraflora
     
  2. tagged

    tagged Private E-2

    Hi Oraflora,

    Go through the steps on this sticky, Sticky: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    Major Attitude, located above on the forum page. If it doesn't cure you, you'll at least be ready for help!

    Good Luck!
     
  3. Oraflora

    Oraflora Private E-2

    I am unable to run the Trend Micro Online Scan - Windows closes every time the page tries to load?
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Oraflora,

    Try to do as much of the Cleanup Tutorial as possible. Then, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been pretty busy with work lately, but somebody will try to take a look when they get a chance.

    Best :)
    PP
     
  5. Oraflora

    Oraflora Private E-2

    Edit by chaslang: Old version, Inline log deleted.
     
    Last edited by a moderator: Dec 22, 2004
  6. tagged

    tagged Private E-2

    Oraflora,

    Like Phillie said "Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post."

    They don't like them in-line! They can check them quicker if you put them in by clicking on Manage Attachments below the reply window and browsing to your log file and double clicking the file and clicking upload. That gives them a file they can sort in notepad, which gives you a quicker response! ;)

    Good Luck!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow directions! Get the correct version of HJT, install it to the correct directory, exit ALL Browsers and then ATTACH your log.
     
  8. Oraflora

    Oraflora Private E-2

    I think this is the txt version....
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still seem to be ignoring our directions on where to install HijackThis to and that ALL browsers must be shut down before using HijackThis. You have the following in your log:

    C:\Documents and Settings\Atlas\Desktop\Hijack\HijackThis.exe <--- wrong folder - follow directions and put it in C:\Program Files\HJT
    D:\WinRAR\WinRAR.exe ................<---- should not be running
    C:\Documents and Settings\Atlas\Desktop\Hijack\hijackthis1.99\HijackThis.exe <---- Why are you running HJT twice & still the wrong folder
    C:\Program Files\Internet Explorer\iexplore.exe <--- browsers must be shut down, they interfere with proper ability of HJT to fix problems

    FIX ALL OF THE ABOVE BEFORE CONTINUING!!!

    Did you run HSremove yet? If not, please do so!

    Did you run About:Buster yet? If not, please do so and save the output to a file and post it here as an attachment. Call it ablog1.txt.

    Now run About:Buster again! Save the output to ablog2.txt and post it here as an attachment.
     
    Last edited: Dec 28, 2004
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing the steps in my previous message, continue with below.

    Save the following bold print lines in the quote box to a file called hsafix.reg. Save it where you can locate it later when I ask you to use it.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    ntxd32.exe
    shpc32.exe
    winpm.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lylsz.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lylsz.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\lylsz.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lylsz.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lylsz.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lylsz.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lylsz.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {98544E37-CBA8-1E65-61D4-5D9DB07D81BB} - C:\WINNT\system32\ipxd32.dll
    O4 - HKLM\..\Run: [6C5.tmp] C:\DOCUME~1\Atlas\LOCALS~1\Temp\6C5.tmp.exe 0 28129
    O4 - HKLM\..\Run: [ienm32.exe] C:\WINNT\system32\ienm32.exe
    O4 - HKLM\..\Run: [SHPC32] shpc32.exe
    O4 - HKLM\..\Run: [winpm.exe] C:\WINNT\winpm.exe
    O4 - HKLM\..\RunOnce: [ntxd32.exe] C:\WINNT\system32\ntxd32.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINNT\system32\d3gq32.exe (file missing)

    After clicking FIX, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\system32\ntxd32.exe
    C:\WINNT\System32\shpc32.exe
    C:\WINNT\winpm.exe
    C:\WINNT\system32\lylsz.dll
    C:\WINNT\system32\ipxd32.dll
    C:\Documents and Settings\Atlas\Local Settings\Temp\6C5.tmp.exe <--- it would be even better to delete all items in the Temp folder.
    C:\WINNT\system32\ienm32.exe
    C:\WINNT\web\related.htm

    Using Windows Explorer, double click on the hsafix.reg file and merge the fix into the registry. Click Yes when prompted.
    Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:
    __NS_Service
    __NS_Service_2
    __NS_Service_3

    If any are listed, right-click that entry in the right pane and choose Delete.

    Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):
    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3

    If you find it, right-click it in the right-pane and choose delete.
    If you have trouble deleting a key, click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
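As an added example that is not part of this thread, the Python script below applies the kinds of indicators chaslang points out in the log above to HijackThis log lines: res:// search settings, Temp-folder and RunOnce autoruns, unnamed BHOs, Trusted Zone additions, ActiveX .cab downloads and services whose file is missing. The rules are my own heuristics (not HijackThis's), and the sample log is an excerpt of the lines quoted in this thread plus one constructed benign O4 entry.

```python
import re

# Heuristics drawn from the indicators chaslang flags above: (section regex,
# body regex, reason). A match is a review hit, not a verdict.
RULES = [
    (r"R[0-3]", r"res://.+\.dll", "IE start/search setting points at a local DLL resource (res://)"),
    (r"R[0-3]", r"= about:blank$", "IE default page set to about:blank"),
    (r"R3", r"URLSearchHook is missing", "default URLSearchHook has been removed"),
    (r"O2", r"\(no name\)", "browser helper object with no name"),
    (r"O4", r"(?i)\\Temp\\", "autorun entry launching from a Temp folder"),
    (r"O4", r"RunOnce:", "RunOnce autorun entry (fires again on the next boot)"),
    (r"O15", r"Trusted (Zone|IP range)", "site or IP added to IE's Trusted Zone"),
    (r"O16", r"https?://.+\.cab", "ActiveX installer (.cab) pulled from the web"),
    (r"O23", r"\(file missing\)", "service whose binary no longer exists"),
]

def parse_line(line):
    """Split 'O4 - HKLM\\..\\Run: [x] y' into (section, body); None for non-entry lines."""
    m = re.match(r"^([RFNO]\d{1,2}) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text):
    """Return (section, reason, line) for every log line a rule matches."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # headers such as "Running processes:" are skipped
        section, body = parsed
        for sec_re, body_re, reason in RULES:
            if re.fullmatch(sec_re, section) and re.search(body_re, body):
                findings.append((section, reason, raw.strip()))
    return findings

# Excerpt of the log lines quoted in the thread, plus one constructed benign O4 line.
SAMPLE_LOG = r"""
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lylsz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {98544E37-CBA8-1E65-61D4-5D9DB07D81BB} - C:\WINNT\system32\ipxd32.dll
O4 - HKLM\..\Run: [6C5.tmp] C:\DOCUME~1\Atlas\LOCALS~1\Temp\6C5.tmp.exe 0 28129
O4 - HKLM\..\RunOnce: [ntxd32.exe] C:\WINNT\system32\ntxd32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O15 - Trusted Zone: *.05p.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINNT\system32\d3gq32.exe (file missing)
"""
```

Run `triage(SAMPLE_LOG)` to get the ten flagged entries; bare-name autoruns such as `[SHPC32] shpc32.exe` are not caught by these rules, which is why a human still reads the whole log.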
     
  11. Oraflora

    Oraflora Private E-2

    It seems like it worked....I didn't find a couple of the items you showed, but so far, no pop-ups! Thanks.
    Now do I turn on System Restore again?
     

  12. tagged

    tagged Private E-2

    Oraflora,

    You've still got your HJT running from your desktop! If you don't have it in C:\Program Files\HJT, you're not going to get proper, accessible backups in case you fix something you shouldn't have! (And you're going to get another lecture from Chaslang about not following directions!) You should go to your Program Files folder, create a new folder called HJT, and either download a new copy of HJT into it or move your desktop copy to it. Then, when you close all browsers and run HJT, you'll see the backup file right next to it in the HJT folder!

    Then resubmit your log. ;)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Absolutely correct! You have been asked to do this multiple times. Are you having a problem understanding what I'm saying or in actually doing this? You need to fix this now and post a new log before we continue. You still have problems that need to be fixed.

    And when we are done with those problems, you need to get your OS and IE updated since you are severely out of date.
     
