1. Quinndrew5

    Quinndrew5 Corporal

    I am definitely one of the unluckiest around these days, my other computer has come down with what seems to be a new version of HSA. I run fixes and then it seems to work, but about 20 minutes later it comes back. It also corrupts AIM. Any ideas?
     
  2. Bear_Nunya

    Bear_Nunya Private E-2

    Give this a try, please click HERE
     
  3. PhilliePhan

    PhilliePhan Guest

    Hey Bear - For future reference, please note that Chaslang has addressed HSA in his own Generic Solution. He likes to keep these "In House" to avoid confusion. If Quinndrew wants to take his problem to S-M, that's his choice.

    When all else fails - Generic Solution to HSA (Only the Best) & About:Blank hijack

    Thanks :)
    PP

    Hey QuinnDrew,

    Did you try the tools in the Cleanup Tutorial? About:Buster/HSRemove?

    Why don't you go ahead and attach a log for Chas to take a peek at to see where you stand.
     
  4. Bear_Nunya

    Bear_Nunya Private E-2

    Sorry PhilliePhan, I was just trying to help :eek:
     
  5. PhilliePhan

    PhilliePhan Guest

    That's Cool :) Not too big a deal! - Just wanted to let you know Chas had a workthrough. Any good help and advice is welcome here!

    PP :)
     
  6. Bear_Nunya

    Bear_Nunya Private E-2

  7. Quinndrew5

    Quinndrew5 Corporal

    I would like to say I am not trying to offend anyone but,

    First, I have tried the SM version of the fix and found it works just as well as chaslang's and is much faster to use.
    Second, I know what I'm doing (thanks to this site) and I don't mean to step on anyone's ground but I'm pretty sure what I have is not the traditional HSA, it hides the R1's and you cannot find them when you are asked.
    Third, I tried chaslang's today to try to fix my problem and I couldn't do half of the things because the files were being hidden.

    Hope anyone can help, I'm sure you don't have much to go on so I'll post my log.

    It just looks like any other HSA infected log but it is when you try to fix it that you see the problem.
     
  8. Quinndrew5

    Quinndrew5 Corporal

    Sry, here it is
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I thought you said the SM version works! So why are you still infected?

    I'm not offended by any of the comments about the SM version working and being faster. Mine is longer for a reason. There were many different variations of the HSA & about:blank hijackers and I was trying to cover all of them and for ALL OS types.

    If you want to fix this problem, you have to remember (this has been mentioned many many times) that NO browsers should be running when using HijackThis. You had IE running:
    C:\Program Files\Internet Explorer\iexplore.exe

    And you have HijackThis installed where we specifically request that it not be installed.
    C:\Documents and Settings\Andrew\Desktop\Virus Stuff\HijackThis.exe
     
    Last edited: Jan 11, 2005
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use the Generic Procedure. Here are your problem files (one of which - DeskAd Service - is not HSA related).

    Here are the processes:
    C:\WINDOWS\sdkqx.exe
    C:\WINDOWS\system32\sdksz.exe <--- this is the Network Security Service

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {B043489C-6BF0-01EB-E5BD-CE306F545707} - C:\WINDOWS\system32\iehe.dll
    O2 - BHO: (no name) - {EF1C5F19-D800-F30A-ADD5-7E618D29C88F} - C:\WINDOWS\d3gk32.dll
    O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
    O4 - HKLM\..\Run: [sdkqx.exe] C:\WINDOWS\sdkqx.exe
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\sdksz.exe
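
Added example (not part of chaslang's post or any MajorGeeks tool): a short Python parser that turns HijackThis lines like the ones listed above into a checklist of files to look for on disk, grouped by the entry codes that reference each file. The function name `files_to_check` and the trimmed sample log (a subset of the lines above) are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wupvq.dll/sp.html#10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wupvq.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B043489C-6BF0-01EB-E5BD-CE306F545707} - C:\WINDOWS\system32\iehe.dll
O2 - BHO: (no name) - {EF1C5F19-D800-F30A-ADD5-7E618D29C88F} - C:\WINDOWS\d3gk32.dll
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [sdkqx.exe] C:\WINDOWS\sdkqx.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\sdksz.exe
"""

# "R1 - ...", "O23 - ...": entry code, then the rest of the line.
ENTRY = re.compile(r"^\s*([A-Z]\d+)\s+-\s+(.*)$")
# Drive-letter path ending in .exe or .dll; spaces inside the path are allowed.
# The "/" exclusion stops a res:// URL at the DLL name, before "/sp.html".
PATH = re.compile(r'[A-Za-z]:\\[^/:*?"<>|\r\n]*?\.(?:exe|dll)', re.IGNORECASE)


def files_to_check(log_text):
    """Return (files, no_file).

    files   maps each lower-cased file path to the entry codes that name it.
    no_file lists entries that reference no file (registry-only settings).
    """
    files = defaultdict(list)
    no_file = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # blank lines and anything that is not a log entry
        code, body = entry.groups()
        path = PATH.search(body)
        if path is None:
            no_file.append(line.strip())
            continue
        key = path.group(0).lower()  # Windows paths are case-insensitive
        if code not in files[key]:
            files[key].append(code)
    return dict(files), no_file


if __name__ == "__main__":
    found, registry_only = files_to_check(SAMPLE_LOG)
    for path, codes in sorted(found.items()):
        print(f"{path}  <- {', '.join(codes)}")
    print(f"{len(registry_only)} entries reference no file")
```

A file that several entries point to (here the one DLL behind every `res://` search setting) shows up once with all its entry codes, which makes it clear which files the fix depends on finding.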
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you want to try a brute force procedure that sometimes works and is fast, make sure you have both HSremove and About:Buster and that About:Buster is version 4 and the database has been updated. Try this:
    - You MUST be physically disconnected (unplug cables) from the internet
    - You MUST exit ALL applications especially browsers like IE
    - Stop and then disable the Network Security Service per the Read ME or Generic Solution step
    - Kill these two processes (if still running)
    C:\WINDOWS\sdkqx.exe
    C:\WINDOWS\system32\sdksz.exe
    - Run HijackThis and have it fix
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wupvq.dll/sp.html#10001
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {B043489C-6BF0-01EB-E5BD-CE306F545707} - C:\WINDOWS\system32\iehe.dll
    O2 - BHO: (no name) - {EF1C5F19-D800-F30A-ADD5-7E618D29C88F} - C:\WINDOWS\d3gk32.dll
    O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
    O4 - HKLM\..\Run: [sdkqx.exe] C:\WINDOWS\sdkqx.exe
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\sdksz.exe

    - Pull the power plug (or shut off the power if on a power strip) to your computer. The key here is that you do not want a graceful shutdown of Windows where the malware can respawn itself.
    - Wait a minute and reboot with no internet connection yet and no browsers open
    - Run HSremove and then About:Buster. After About:Buster completes, immediately reboot
    - Now reconnect your internet connection and open and then close a single IE browser session.
    - Get a HJT log. If clean, we are doing good (and we are lucky). If not clean, start the Generic Procedure.
     
  12. Quinndrew5

    Quinndrew5 Corporal

    Ok, will do, the only thing is, both your version and the SM fix ask at one point or another to do what seem to be double-checks to make sure the files are gone. The problem seems to be that no matter how I approach that, the files do not exist in my C drive when I go to look. They are not where they are supposed to be at all and upon a search they are not there either. I'm going to go ahead with the listed procedures.... but I will not be able to complete the generic fix correctly.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The best thing to do in cases like that is to continue. In some cases the files do not exist (they may have renamed themselves). In other cases they do exist but something blocks you from seeing them. That is one reason we want to make sure you have the following set (always double check - malware can change it on you). So check all of these again right now:
    Click Start and then Explore
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide extensions for known file types option.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.

    The above options are for using Windows Explorer. If you are going to use Windows XP's search capability, you must also configure it to properly search for all files as follows:

    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter res.dll
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    There are many cases of files that cannot be seen with Windows Explorer but they do exist. They are sometimes referred to as "Super Hidden". A good example is the c:\Windows\Downloaded Program Files folder. If you look at it with Win Explorer, it will only show a few items, but there can be many more files there. Malware sometimes hides itself there too. You can see the files in Downloaded Program Files by going to the command prompt or using a program like ExplorerXP.
     
    Last edited: Jan 12, 2005
  14. Quinndrew5

    Quinndrew5 Corporal

    Ok, not gonna jinx myself, but at this point things are working. I forgot to save a log with About:Buster while in safe mode (I remember it said it removed 2 keys) sry about that, but I have posted the HijackThis log and the second Buster log from regular mode.
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this after opening and closing your IE? How does it look now after coming here?

    Note: You still have HJT installed where we ask not to put it.
    C:\Documents and Settings\Andrew\Desktop\Virus Stuff\HijackThis.exe

    Also you must exit all browsers and have HJT fix the below line.
    O2 - BHO: (no name) - {24C88EC4-0FC2-9C0F-A5FD-F3DA397E615C} - C:\WINDOWS\mfcdj32.dll (file missing)

    Final note: You need to update About:Buster as I requested in that procedure. You are only using Reference list 19.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh by the way, go look for some of those files now and tell what you find.
     
  17. Quinndrew5

    Quinndrew5 Corporal

    OK, yes that was after a little surfing and then I just fixed that O2 line figuring that would be next. Things still seem to be fine. Also, I totally forgot about the location of HijackThis, I have it right on my other computer. About About:Buster, I downloaded the new version from the spyware tools section at majorgeeks.com, so I don't know what I did wrong.
     
  18. Quinndrew5

    Quinndrew5 Corporal

    I think the key to my success was the hints on how to set the search settings and then XPexplorer, that really helped thanks!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you downloaded version 4 but you did not update. You need to click the Update button every time you go to use it. Many programs work like this now. For example Ad-Aware SE still says 1.05 but the reference file is always changing. You should ALWAYS check for updates with ALL programs like this before running. With programs that don't use these database references you have to periodically check to make sure you have the correct version. That is why we ask in the READ ME that you click on the links to verify against what you have. Things can change quickly.
     
  20. Quinndrew5

    Quinndrew5 Corporal

    OK, I'll keep that in mind.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you check for an update with About:Buster? Do it now. You don't need to scan just do the update. What do you get?

    Have you checked around for more of those files? Which ones had you found using the methods I told you?
     
  22. Quinndrew5

    Quinndrew5 Corporal

    I can't do the update quite this second, but using the search settings and XPexplorer I was able to find and delete the R0, R1, O2 and O4 files with ease.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Get the update for AB later.
     
