It's almost so stupid that it's funny..

Discussion in 'Malware Help (A Specialist Will Reply)' started by TroelsM, May 17, 2005.

  1. TroelsM

    TroelsM Private E-2

    Yes. You're right. One should not open clips from unknown sources, but I did anyway. Or maybe I f***** up in another way, but the thing is that I got the About:Thingy again. I don't know if there are any other problems, because SG probably removes some of the s*** before I see it...

    I've got a ton of antispyware that has saved my computer from a total breakdown, but I still get a warning from SpywareGuard every 5 minutes saying that something has been blocked...

    I followed the thread about removing the damn thing, but it doesn't seem to work as the problem keeps coming back.

    I'm writing my final thesis (2 weeks left) and I need help now! Please..
    Tell me what to do. I need my computer for 3 more weeks.

    Please excuse my poor English.

    TroelsM
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. TroelsM

    TroelsM Private E-2

    Hi.

    I have done so, but the tutorial didn't help me fix the problem. The online scan from Symantec (Symantec Security Check) found a few things, but I couldn't do anything to remove the found objects. I ran it all in safe mode, and my screen resolution in safe mode is only 400*600 (or something like that). I wonder if there was a "remove" button "outside" my screen... Can the Symantec Security Check be done in normal mode?

    Other than that everything worked fine. (I'm still having problems, but the tools worked, maybe..)

    HSRemove found 8 things that were fixed, but the next scan also ends up with 8 "new" things.

    I tried to remove some things with HijackThis, but each time I run HJT there are a lot (5-10) of R1's, an O2 and the R3 "Default searchhook is missing".

    I hope this helped.

    TroelsM
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The READ ME FIRST is not always going to fix all problems but it does remove many things and gets systems into a known state to work from thus making our jobs easier.

    Complete the steps in my instructions.
     
  5. TroelsM

    TroelsM Private E-2

    Ok. I will do so.

    I will attach a HJ-log to the next post.

    What about the problems with the Symantec online scanner? I can't see if it is supposed to find and fix problems or just find them. Am I missing something here?

    TroelsM
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't worry about it! Just finish the other steps.
     
  7. TroelsM

    TroelsM Private E-2

    Ok. Back again.

    I have done all steps in the "Read-me-first" and made a HJ log.

    Spybot found these 4 things.
    -CoolWWWSearch.Aff.Vinshow
    -Winpup
    -Startpage
    -UrlSearchhook.atlpz

    CWShredder and Kill2Me didn't find anything.

    HSRemove found 10 things the first time and 8 the next.

    After running HSRemove I started a browser and was sent to a HS-removed page thingy, so something probably worked.

    So, what do I do now?

    TroelsM
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hijackthis logs must be from normal boot mode.

    Note: HSremove and about:buster are only to be run for HSA and about:blank hijack problems which you do not have. You would know if you did.
     
  9. TroelsM

    TroelsM Private E-2

    Ok.

    Ok, something is still not right, I guess... I still get a lot of warnings from Microsoft Antispyware, but I don't know if it's because the virus is gone and now some of the IE settings have been changed back to normal?

    Some of the HJ entries don't seem right, but I won't delete anything before you have seen it. So here it is.

    And thanks again.

    TroelsM
     

    Attached Files:

  10. TroelsM

    TroelsM Private E-2

    Just rebooted (don't know the English term or spelling). There is definitely (that's wrong too, right?). There is still something wrong and the about:blank homepage is not completely gone.

    Please help.

    TroelsM
     
  11. TroelsM

    TroelsM Private E-2

    Just got an "Only the best" popup... that's not good, right?

    TroelsM
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now you see why I wanted the log from normal boot mode. Now I do see why you were running HSremove. You do have an HSA hijack problem. It just was not showing before in safe mode.

    After we fix your current problems you must get your Windows updates. You are way out of date and that represents a major security risk to you.

    Make sure you have System Restore disabled and you have viewing of hidden and system files enabled per the READ ME FIRST.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC, and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINDOWS\syssd32.dll

    then click OK. If a dialog box confirming this action appears, click OK. If you get an error message, just OK out of it and continue.


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\mfctg.exe
    C:\WINDOWS\system32\msvj.exe

    After killing those processes click the Back button and just leave HijackThis running while you do the next steps (we will come back to it).

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Network Security Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now back in the HijackThis window, click the button labeled "Delete an NT Service". Now copy/paste the following into the box that opens, and press "OK":

    Network Security Service

    Okay now exit out of HijackThis.

    Now restart HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (I'm double checking to make sure they have not restarted which they do sometimes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\mfctg.exe
    C:\WINDOWS\system32\msvj.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\htgyi.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\htgyi.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\htgyi.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\htgyi.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qyqad.dll/sp.html#55135
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\htgyi.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\htgyi.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {EE624C92-92FD-079F-E433-D27DEE7419AF} - C:\WINDOWS\syssd32.dll
    O4 - HKLM\..\Run: [netbt.exe] C:\WINDOWS\netbt.exe
    O4 - HKLM\..\Run: [msvj.exe] C:\WINDOWS\system32\msvj.exe
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\d3jr32.exe (file missing)

    Then exit HJT after clicking FIX.

    Run Windows Explorer and look for and try to delete the below files:
    C:\WINDOWS\mfctg.exe
    C:\WINDOWS\system32\msvj.exe
    C:\WINDOWS\system32\htgyi.dll
    C:\WINDOWS\syssd32.dll
    C:\WINDOWS\netbt.exe
    C:\WINDOWS\system32\d3jr32.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Now use the same procedure as above to try to delete any files that would not delete in the above step. Note any that still do not delete and continue.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact, as an additional measure, run CCleaner, which you installed while running the READ ME FIRST.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:Buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
     
  13. TroelsM

    TroelsM Private E-2

    Ok, I might be a bit slow today, but I cannot find a button labeled "Delete an NT Service" in HJ-This. Where is it?

    TroelsM
     
  14. TroelsM

    TroelsM Private E-2

    Crap! My bad. I was using an old version of HJ-This. Hope this doesn't affect anything else.

    TroelsM
     
  15. TroelsM

    TroelsM Private E-2

    Hi again.

    When I tried to delete "Network Security Service" with HJ-This, I could not do so. Apparently (spelling?) HJ-This could not find the file.

    The files netbt.exe and d3jr32.exe weren't in the folder. All the others were deleted in normal mode.

    The AB logs were saved with the same filename. I could not change the name.

    The AB log and HJ log are attached.

    TroelsM
     

    Attached Files:

  16. TroelsM

    TroelsM Private E-2

    hi

    It seems that I can't get rid of the about:blank homepage. I actually think that it is one of the protection programs that won't let me change the page.

    Other than that everything is fine now.

    TroelsM
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may be that Regfreeze and/or Microsoft Antispyware are blocking the changes. You must either figure out how to disable their protection or you may need to uninstall them to do the final fixes. Uninstalling may be the best thing to do. You can reinstall them after making the fixes.

    The below lines need to be fixed:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qyqad.dll/sp.html#55135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qyqad.dll/sp.html#55135
    O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)

    For the O23 line you will probably need to do the below:

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Security Agent (or you may need to look for the short name scagent). Now right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now back in the HijackThis window, click the button labeled "Delete an NT Service". Now copy/paste the following into the box that opens, and press "OK":

    Security Agent

    If that does not work, try the short name: scagent

    Okay now exit out of HijackThis. And let me know where things stand now.
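An added example, not code from this thread, from HijackThis or from MajorGeeks: a small Python triage script that applies the reasoning chaslang used in posts 12 and 17 to a HijackThis log. The rules it encodes are my own reading of those two posts (R0/R1 Internet Explorer settings pointing at a res:// resource inside a local DLL or forced to about:blank, an R3 line reporting the default URLSearchHook missing, and O23 services whose executable is "(file missing)" are marked for fixing; O2 BHO and O4 Run entries are listed for review with the file they load), not rules HijackThis itself ships. The sample log is constructed from the lines quoted in those posts, and the collected file paths are the ones the reader would then look for on disk, as in the "look for and try to delete" step.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis lines quoted in posts 12 and 17 of this thread,
# plus one legitimate R0 Start Page line to show what is *not* flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\htgyi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qyqad.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\htgyi.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {EE624C92-92FD-079F-E433-D27DEE7419AF} - C:\WINDOWS\syssd32.dll
O4 - HKLM\..\Run: [msvj.exe] C:\WINDOWS\system32\msvj.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\d3jr32.exe (file missing)
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
"""

# "R1 - ..." / "O23 - ..." : the HJT section code, then the entry body.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A Windows path; stops at whitespace, a quote, or the "/" that follows the DLL in res:// URLs.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"/]+')


@dataclass
class Finding:
    kind: str          # HJT section code, e.g. "R1", "O23"
    action: str        # "fix" (select and Fix in HJT) or "review" (confirm before touching)
    reason: str
    line: str
    paths: List[str]   # files the entry references, for the on-disk follow-up


def classify(line: str) -> Optional[Finding]:
    """Apply the thread's reasoning (assumed rules, see lead-in) to one HJT line."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind in ("R0", "R1") and " = " in body:
        _key, value = body.split(" = ", 1)
        v = value.strip().lower()
        if v.startswith("res://"):
            # IE search/start settings redirected into a resource inside a local DLL.
            return Finding(kind, "fix", "IE setting redirected into a local DLL resource", line, PATH_RE.findall(value))
        if v == "about:blank":
            return Finding(kind, "fix", "IE page setting forced to about:blank", line, [])
        return None

    if kind == "R3" and "is missing" in body:
        return Finding(kind, "fix", "default URLSearchHook has been removed", line, [])

    if kind == "O23" and "(file missing)" in body:
        # Service still registered although its executable is gone (or never existed).
        return Finding(kind, "fix", "service registered but its executable is missing", line, PATH_RE.findall(body))

    if kind in ("O2", "O4"):
        # BHO / Run entries load a file at startup; list them with the path for a manual check.
        return Finding(kind, "review", "startup or BHO entry loads a local file; confirm it is legitimate", line, PATH_RE.findall(body))

    return None


def triage(log_text: str) -> List[Finding]:
    """Return findings for every HJT line that matches one of the rules above."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


def referenced_files(findings: List[Finding]) -> List[str]:
    """Deduplicated list of files the findings point at (the 'look for and delete' list)."""
    return sorted({p for f in findings for p in f.paths})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.action:6}] {f.kind:3} {f.reason}\n         {f.line}")
    print("\nFiles referenced:")
    for p in referenced_files(results):
        print("  ", p)
```

Run against the constructed sample it marks seven lines for fixing (the four res:// and about:blank R lines, the R3 line and both file-missing O23 services), lists the O2 and O4 entries for review, and yields the six file paths the thread goes on to check on disk; the majorgeeks.com Start Page line is left alone. Feed it a real log with `triage(open("hijackthis.log").read())`.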
     
  18. TroelsM

    TroelsM Private E-2

    Hey. Back again, and this time without the virus.

    I think I got rid of the R1's and the SCAgent. I rebooted a couple of times and they don't come back. My start page is back to normal, and I'm one happy trooper...

    Thanks.

    TroelsM
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

