HSA, About:Blank, nameshifter Help please!

TucsonBlonde · Jun 24, 2005

I am having some serious issues with this computer. We seem to have acquired every computer cootie known to man, including the HSA/Only the Best hijacker, About:Blank and Trojan.Startup.Nameshifter. I have followed all steps (two seperate times!) in the "Read me first before..." Tutorial with no success. If anyone can please help me I would be eternally gratefull, I am at wits end!

TucsonBlonde · Jun 24, 2005

To provide more info, I have downloaded all tools listed. I have run them as directed in safe mode and have found the following: coolwwwsearch.alt.winshow
Treckblue error nuker
startpage
msks32.exe
system32\cnpmr.dll Adware iefeats
Trojandownloader: win32/agent.LR
About:blank
I have windows XP running. I am also getting a popup window from norton with a nonspecific trojan found but not able to clean it and access to file is denied. It has a different name every time. I have had some problems with the internet crashing outside of safe mode when I tried the Trend micro scan (I forgot to go into safe mode first time). I have also scanned with Microsoft antivirus beta and ravantivirus. they find things, delete them, but they come right back.
My hijack this file had entries with sp#37049 in the R1 lines which I fixed with Hijack this. I do not know what else to do at this point short of a sledgehammer.

chaslang · Jun 24, 2005

Please follow the steps below exactly:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

TucsonBlonde · Jun 24, 2005

Here is the current HJT log. Thank you!

chaslang · Jun 24, 2005

It is very important to remember to exit ALL browsers ( C:\Program Files\Internet Explorer\IEXPLORE.EXE ) before using HijackThis to get a scan and especially when fixing items. I'm looking at your log now. In the mean time please download the following tool: Pocket KillBox

Extract Pocket Killbox to its own folder but do not run it yet. We may need it later. I just getting ahead start.

chaslang · Jun 24, 2005

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\system32\atlyo.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnpmr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cnpmr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cnpmr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnpmr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cnpmr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cnpmr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cnpmr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {C39B6C73-E0BA-E376-6EEC-681BABFA427A} - C:\WINDOWS\netbs.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [atlyo.exe] C:\WINDOWS\system32\atlyo.exe

After clicking Fix, exit HJT.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now run Pocket Killbox.

Now, Copy and Paste C:\WINDOWS\netbs.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\system32\atlyo.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

If you get an error message about Pending Operations, just reboot your PC yourself.

Now get a new HJT log and post it here. And tell us how these steps went and how things are working.

PLEASE DO NOT REBOOT after posting your log. If you are still infected, it could mutate making the next steps I would post ineffective.

TucsonBlonde · Jun 24, 2005

Ran everything as instructed. Home page is where it is supposed to be. No more pop-ups and computer is running much faster. Here is my new HJT log. Thank you again for all of your help.

chaslang · Jun 24, 2005

You're welcome but your not completely fixed yet. Hopefully this is just some left over stuff and not the beginning of it re-creating itself.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnpmr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnpmr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cnpmr.dll/sp.html#37049
R3 - Default URLSearchHook is missing

After clicking Fix, exit HJT.

Now we need to Reset Web Settings (please use the settings to majorgeeks.com for now, you can always change it later) :
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now get a new HJT log and post it here.

TucsonBlonde · Jun 24, 2005

Hello again!! Here's the new HJT log.

chaslang · Jun 24, 2005

Okay now your log is clean. It's time for you to work thru the steps of the below thread to help keep you clean:

How to Protect yourself from malware!

TucsonBlonde · Jun 25, 2005

I completed all of the final steps that you mentioned. Thank you again for your help - you've made my life much easier!! Have a great day

chaslang · Jun 25, 2005

You're welcome! Surf safely.

Log in or Sign up

HSA, About:Blank, nameshifter Help please!

TucsonBlonde Private E-2

TucsonBlonde Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

TucsonBlonde Private E-2

Attached Files:

hijackthis.log new.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

TucsonBlonde Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

TucsonBlonde Private E-2

Attached Files:

hijackthis.log2.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

TucsonBlonde Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member