Houdini I Need You AGAIN!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Gurlinthemoon, Oct 11, 2005.

  1. Gurlinthemoon

    Gurlinthemoon Private E-2

    UGH....It's not Howard this time. I don't know all of the specifics, because I think I have multiple trojans, but one of them is the about:blank trojan. I have done EVERYTHING in the Do Before Posting (been there, done that!) and nothing! I have run the HJT in safe mode and deleted the about:blank entry only to have it show up again. I keep getting all kinds of different virus notices pop up in my tray...etc etc etc. I could go on, but I figure I will save my fingers since I know you will ask for my logs anyway and be able to see my huge mess.

    Save me Houdini!!

    ~Dawn
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  3. Gurlinthemoon

    Gurlinthemoon Private E-2

    Hey! I'm sure that some of the things in my post made little sense to you. Some of it was directed to Phillie Phan who helped me get rid of a wicked horrible trojan a couple of months ago...

    Anyway, I have already done everything in the READ ME FIRST, in both normal and safe mode. Based on your post, I am assuming that you want to see my HJT log, so I am attaching it.

    Let me know what you think....

    Thanks!

    ~Dawn
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should have followed the steps in the last message PP posted to you:

    It may have helped you to avoid this problem.
     
  6. Gurlinthemoon

    Gurlinthemoon Private E-2

    Chaslang...you are SO right! I was so EXCITED to finally be rid of that horrible trojan that I didn't completely read his last post. NEVER going to make that mistake again!! So, if you and Shadow would be nice enough to help me (although at this point I feel pretty stupid asking since I obviously didn't do what I should have) I will promise to read every word you both write!

    Onward....I am having some trouble with some of the directions in Shadow's last post. When I run the about:Buster it does the scan and removal (at least it says it is) but when I try to get a log it tells me that I have a run error because part of the file is missing. I did NOT download the updates, and I did NOT download the additional file that was mentioned because I was not getting the missing MSCOMCTL.OCX file message. If I need to download this anyway, please let me know. So, as of now I have no log for this.

    I do have a HJT log which I am attaching.

    Also, I know it said NOT to reboot or powerdown my PC, however when I tried to run the Ewido it froze at 18.4%....this is a problem I have every time I try and run this program. Ctrl Alt Del does nothing...the entire PC is completely stuck. I have to hold the power button on my tower to even be able to shut down.

    How screwed am I??

    ~Dawn
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    about:Buster has been updated. Download this version http://majorgeeks.com/download4289.html, update it and run the tool. Then post a fresh HijackThis log as an attachment.

    Also make sure you run the Ewido Security Suite and post its log when you reply.
     
  8. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok so good news, bad news. I downloaded the version of about:Buster that you listed below, updated it and ran it. It scans and cleans, but when I try to save a log file I get the same message I got with the other version:

    Run time error '339':
    Component 'Comctl32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.

    BUT, I FINALLY got the Ewido to run without freezing at 18.4%. Don't know how that happened, because this is the first time it's ever NOT frozen.

    Anyway, the Ewido and the new HJT log are both attached.

    ~Dawn
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's in the text help file that comes with the download.

     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and Run CWShredder to clean the CoolWebSearch stuff from your system. Then post a fresh HijackThis log.
     
  11. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok the about:Buster worked and the log is attached, as well as a new HJT log. I already had CWShredder, and I have run it numerous times (I did it just now also, because you requested that I do it) and every time I run it, the entire list says Not Found. I know I have some CoolWebSearch stuff, because other scans pick it up....is there a reason why the CWShredder isn't? I thought that was pretty odd.

    Now what?

    ~Dawn
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  13. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok here are my follow up logs. What should I do now?

    ~Dawn
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I also need a fresh HijackThis log from Normal Mode.
     
  15. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok here ya go.

    ~Dawn
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You must follow directions immediately; this will keep mutating if you don't.

    Are you following the directions exactly as shown below:
    It doesn't seem like it, because this keeps mutating.
     
  17. Gurlinthemoon

    Gurlinthemoon Private E-2

    Yes I did this exactly the way you told me to. The ONLY thing I forgot to give you before I reconnected was the HJT log. I redid all of the steps just now, and have attached all of the logs. Obviously I have reconnected to the internet in order to post these, but I have not rebooted or powered down my PC.
     

    Attached Files:

  18. Gurlinthemoon

    Gurlinthemoon Private E-2

    And the HJT log.

    It says the about:blank isn't there, but when I went from Safe Mode back to Normal, I still have the about:blank virus, as well as a bunch of other popups and virus notifications.
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Network Security Service or NSS or 11Fßä#·ºÄÖ`I ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Network Security Service or NSS or 11Fßä#·ºÄÖ`I (Whatever it was from above)

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Run HijackThis and post a fresh log.
     
  20. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok I did EVERYTHING you said, although I did hit a few snags.

    The name of the service came up for me as Network Security Service (NSS). I disabled it, but when I tried to complete the steps listed for deleting it through HJT, it kept telling me that I did not have the correct name or short name. I checked and double checked to make sure I was spelling it exactly as it appeared. I tried Network Security Service, NSS, (NSS) Network Security Service (NSS). Nothing worked.

    The next step:
    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Quote:
    C:\WINDOWS\system32\nthx32.exe
    Choose Kill Process

    I tried to do this, but I got this message:
    The selected process could not be killed. It may have already closed, or it may be protected by Windows.
    This process might be a service, which you can stop from the Services Applet in Admin Tools.

    I did NOT do this only because I wasn't sure if doing it that way would accomplish what you were looking for.

    I did the next step, but found that several of the things you asked me to delete were not there.

    I could NOT find and delete:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\atifk.dll/sp.html#10001
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://hsremove.com/done.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\atifk.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\atifk.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\atifk.dll/sp.html#10001

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\nthx32.exe" /s (file missing)

    I did delete the other 8 entries (although I noticed at least one of them come up in the HJT scan I did as the last part of the directions in your post)

    I ran the PocketKill, and rebooted to safe mode once I had entered all of the filenames you listed.

    I did not find ANY of the files you listed to look for in Windows Explorer.

    I ran CCleaner, and deleted the Prefetch files, and ran the cleanmgr.

    Attached is my HJT log.

    Let me know what you think.

    ~Dawn
     

    Attached Files:
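The R0/R1 and O23 lines quoted in the post above carry the two tell-tale signs of this hijacker: search and start pages served from a res:// resource inside a DLL, and a service whose display name is garbage characters and whose binary is reported missing. The script below is an added example (not code from this thread, from HijackThis or from any MajorGeeks tool) that triages HijackThis log lines on exactly those signs. The sample lines are constructed from the post, with the wrapped "Start Page =" / URL pairs rejoined and two benign control lines added; the line-format regexes and the function names are my own assumptions, not anything HijackThis documents.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (not a real log file): the R0/R1/O23 lines quoted in
# the post, plus two benign control lines (an about:blank home page and a
# Microsoft service) so the output also shows what is NOT flagged.
SAMPLE_HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\atifk.dll/sp.html#10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\atifk.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\atifk.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\atifk.dll/sp.html#10001
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\nthx32.exe" /s (file missing)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
""".strip().splitlines()

# Assumed shapes of the three HJT line kinds we care about.
R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A res:// URL whose resource lives inside a DLL, e.g. res://C:\...\x.dll/sp.html
RES_DLL = re.compile(r"^res://(?P<dll>[^#]*?\.dll)/", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str
    dll: Optional[str] = None  # DLL file name for res:// findings


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis log line, or None if nothing is suspicious."""
    m = R_LINE.match(line)
    if m:
        value = m.group("value").strip()
        res = RES_DLL.match(value)
        if res:
            dll_name = res.group("dll").replace("/", "\\").rsplit("\\", 1)[-1].lower()
            return Finding(line, "start/search page served from a res:// DLL resource "
                                 "(about:blank / CoolWebSearch hijack pattern)", dll_name)
        return None  # plain http:// or about:blank pages are not judged here
    m = O23_LINE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if any(not 32 <= ord(c) <= 126 for c in name):
            return Finding(line, "service display name contains non-printable or non-ASCII characters")
        if "(file missing)" in path:
            return Finding(line, "service binary reported missing")
        return None
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run check_line over every line and keep only the findings."""
    return [f for f in (check_line(ln) for ln in lines) if f is not None]


def hijacked_dlls(findings: List[Finding]) -> set:
    """The DLL file names that serve res:// pages: the files a cleanup has to account for."""
    return {f.dll for f in findings if f.dll}


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LINES)
    for f in results:
        print(f"[!] {f.reason}\n    {f.line}")
    print("DLLs serving hijacked pages:", sorted(hijacked_dlls(results)))
```

On the sample input the four res:// lines and the garbled-name service are flagged; the hsremove.com and about:blank start pages and the W32Time control line are left alone, because a start-page URL on its own says nothing without knowing who set it.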

  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download Registrar Lite and install it.

    Run Registrar Lite and copy and paste the below line into its address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    Click the "go" tab

    Find: "AppInit_Dlls" value on the right side panel.

    DoubleClick on AppInit_Dlls tell me exactly what you see in the Value.
     
  22. Gurlinthemoon

    Gurlinthemoon Private E-2

    What if AppInit_Dlls does not come up on the right panel? I have a list of 7 things and none of them remotely resemble that.
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If it's not there, then it's not there. Which is a good thing. I'll post a new fix for you shortly, in the mean time do not restart your computer.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really! AppInit_DLLs should be there. It is a standard Windows registry key on NT based platforms. What is in AppInit_DLLs is what makes a difference. Some can be good and some bad. Like when these hijackers use it then it is a bad DLL.
     
  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please follow the instructions in the following threads:
    How to view hidden, system files & folders!

    Searching for Hidden Files on WinXP


    Please make sure System Restore is OFF.


    Please print these instructions out for use while not connected with the internet.
    Now we are going to use notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijackThis log. To do this click Start, Run, and enter the following command "notepad C:\WINDOWS\system32\gyzib.dll" (without the quotes) and click OK.

    Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file). Now using Windows Explorer, locate the file gyzib.dll and right click on it and select Properties and change the attributes to Read Only and click OK.

    Shutdown (not minimize) all applications (especially IE and Windows explorer) and run HijackThis.
    Now reboot in safe mode

    Open Windows Explorer and navigate to and DELETE the following:
    If you have a problem deleting any of these files (like it is denied because it is in use), run ProcessExplorer and try to locate the running process and kill it. Then try to delete the file.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Now while still in safe mode, run only HijackThis and have it fix the following:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now click on Start, Run, type regedit, click OK. When regedit opens click on Edit, select Find, gyzib.dll and delete every instance. Do the same for ntyu.dll, atifk.dll, nthx32.exe, msbw.dll, atlvw32.dll, ntuv32.exe, eaqzc.dll, fgqwb.dll, pxutn.dat, jrixu.dll, wjrix.dat, kjnre.dll, heytp.dll.

    Now click on Start, Search, select All files and folder, in the top box search for the following:
    Delete each instance.

    Once again delete the contents of C:\WINDOWS\Prefetch.

    Delete Memory.dmp if found in either C:\WINDOWS or C:\WINDOWS\System32

    Now run CCleaner.

    Run HSRemover.

    Run about:Buster (copy the output to a file ablog1.txt)

    Also while still in Safe Mode to finish the cleanup process, please do the following:
    Go to Start --> Run and type Regedit then click Ok.
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:
    __NS_Service
    __NS_Service_2
    __NS_Service_3
    If any are listed, right-click that entry in the right pane and choose Delete.

    Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    and highlight Root in the Left Pane. In the right pane, look for these entries:
    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3
    If you find it, right-click it in the right-pane and choose delete.

    Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation NetLogon Service

    If Workstation NetLogon Service exists , right click on it and choose delete from the menu.

    Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Workstation NetLogon Service

    If LEGACY_Workstation NetLogon Service exists then right click on it and choose delete from the menu.

    Now navigate to
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Procedure Call (RPC) Helper

    If Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.

    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Remote Procedure Call (RPC) Helper

    If LEGACY_Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.

    If you have trouble deleting a key, click once on the key name to highlight it. Then click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

    Now (still in safe mode) run Ad-aware SE and under scan select Perform Full System Scan and then SpyBot S&D and clean what they find.

    Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Click the [+] next to uninstall. Scroll down until you see the NAMES of programs (skip past the lines with numbers in {,} ). See if you can find any of the following listed:

    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of assistant is wrong)
    SA = Search Assistant
    SE = Search Extender
    SW = Shopping Wizzard

    If you find any of them, select one at a time, and hit your delete key. Once you delete all three, you can exit the registry editor.

    Now reboot normal mode. And run about:Buster one more time saving the output again (ablog2.txt do not overwrite the first log)

    Before running anything else run HijackThis and save a log.

    Reconnect your internet connection, run your browser, and connect here to MG's and post the new HijackThis and about:Buster logs as attachments. Then continue running and let's see how everything is working.
     
    Last edited by a moderator: Oct 17, 2005
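chaslang's point a few posts up is that AppInit_DLLs is a normal Windows registry value and that what matters is its contents, and the cleanup post above then names specific leftover service keys under Services and Enum\Root. The script below is an added example (not code from this thread or from MajorGeeks) that audits both: on Windows it reads the live registry with the standard winreg module, and anywhere else it runs against a constructed snapshot. The snapshot contents, the helper names and the treatment of an absent value as "nothing injected" are my own assumptions; the key paths and service names are the ones given in the posts.

```python
import re
from typing import Any, Dict, Iterable, List, Optional

# Leftover service names given in the cleanup post; under Enum\Root the same
# names appear with a LEGACY_ prefix.
CWS_SERVICE_NAMES = (
    "__NS_Service", "__NS_Service_2", "__NS_Service_3",
    "Workstation NetLogon Service",
    "Remote Procedure Call (RPC) Helper",
)
_WANTED = {n.lower() for n in CWS_SERVICE_NAMES} | {"legacy_" + n.lower() for n in CWS_SERVICE_NAMES}

APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
ENUM_ROOT_KEY = r"SYSTEM\CurrentControlSet\Enum\Root"


def parse_appinit(value: Optional[str]) -> List[str]:
    """Split AppInit_DLLs into its entries. None (value absent) and "" (present but
    empty, the normal state on a clean machine) both mean nothing is injected."""
    if not value:
        return []
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def cws_leftovers(subkey_names: Iterable[str]) -> List[str]:
    """Subkey names matching the hijacker's services (case-insensitive, LEGACY_ forms included)."""
    return [n for n in subkey_names if n.lower() in _WANTED]


def audit(snapshot: Dict[str, Any]) -> Dict[str, Any]:
    """snapshot keys: 'appinit' (str or None), 'services' and 'enum_root' (subkey name lists)."""
    return {
        "appinit_present": snapshot.get("appinit") is not None,
        "appinit_dlls": parse_appinit(snapshot.get("appinit")),
        "services": cws_leftovers(snapshot.get("services", [])),
        "enum_root": cws_leftovers(snapshot.get("enum_root", [])),
    }


def read_live_registry() -> Optional[Dict[str, Any]]:
    """Build the snapshot from the live registry; returns None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None

    def subkeys(path: str) -> List[str]:
        names = []
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            index = 0
            while True:
                try:
                    names.append(winreg.EnumKey(key, index))
                except OSError:  # no more subkeys
                    return names
                index += 1

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        try:
            appinit = winreg.QueryValueEx(key, "AppInit_DLLs")[0]
        except FileNotFoundError:
            appinit = None  # value missing altogether, as the poster reported
    return {"appinit": appinit, "services": subkeys(SERVICES_KEY), "enum_root": subkeys(ENUM_ROOT_KEY)}


# Constructed offline snapshot (not taken from any real machine): AppInit_DLLs
# loading the DLL named in the post, two of the listed services and one LEGACY_
# entry, mixed with benign names that must not be reported.
SAMPLE_SNAPSHOT = {
    "appinit": r"C:\WINDOWS\system32\gyzib.dll",
    "services": ["Browser", "__NS_Service_2", "Workstation NetLogon Service", "W32Time"],
    "enum_root": ["LEGACY_BROWSER", "LEGACY___NS_Service_2", "LEGACY_W32TIME"],
}

if __name__ == "__main__":
    snap = read_live_registry()
    source = "live registry" if snap else "constructed sample snapshot"
    report = audit(snap or SAMPLE_SNAPSHOT)
    print(f"Source: {source}")
    print("AppInit_DLLs present:", report["appinit_present"])
    print("DLLs injected via AppInit_DLLs:", report["appinit_dlls"] or "none")
    print("Hijacker services still registered:", report["services"] or "none")
    print("Hijacker LEGACY_ entries under Enum\\Root:", report["enum_root"] or "none")
```

Reading Enum\Root may need an elevated prompt. On Windows 7 and later the same key also carries a LoadAppInit_DLLs value that gates whether AppInit_DLLs is honoured at all, so a non-empty list there is not by itself proof that the DLL is being loaded; it is still the first thing to look at.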
