only the best

Discussion in 'Malware Help (A Specialist Will Reply)' started by hazel500, Dec 14, 2005.

  1. hazel500

    hazel500 Private E-2

    Hello all. This is a kick arse forum and I want to say thanks in advance because I have learned so much already. I came here in search of a remedy for the "only the best" popup window. My IE homepage was also being hijacked and I had a popup bar at the top that said something about "click here to fix" in a scrolling marquee. I followed instructions 1-6 on the sticky page, which fixed a lot of problems that I didn't know I had. Can anyone offer any advice? Here is my hijack log after I did the above.

    Thankies.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! You seem to have very similar problems to the ones in:

    http://forums.majorgeeks.com/showthread.php?t=79942

    We will have to use a similar fix for you, but obviously your filenames are different. I wonder where you guys are going to pick up this somewhat new form and also those strange tmp files.

    Also NOTE: you did not follow the directions for installing HJT properly. See step 7 of the READ & RUN ME.
    You have it here: C:\Documents and Settings\C\Desktop\Spyware Tools\HijackThis.exe which is exactly one of the places we ask that it not be installed. Please fix this.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is a complete fix (make sure HJT is installed properly before continuing).

    Start by downloading the following tool: Pocket KillBox

    Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.

    Now run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\apigw.exe
    C:\DOCUME~1\C\LOCALS~1\Temp\12F.tmp.exe
    C:\DOCUME~1\C\LOCALS~1\Temp\130.tmp.exe
    C:\WINDOWS\system32\d3bw32.exe



    Now just under the white window in HJT click the Back button (the one just to the right of the Run.. button). Now just leave HJT running.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Workstation NetLogon Service (or if you cannot find that name, look for the short name: 11Fßä#·ºÄÖ`I ) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.


    Now return to your HijackThis window and select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Workstation NetLogon Service

    If that does not work, copy and paste in the short name: 11Fßä#·ºÄÖ`I

    You have to copy and paste because these characters are not easily entered. Also important NOTE. There is a space in front of the 11F so add the space too or HJT will not find the service.

    After doing that exit HijackThis but do not reboot if it asks you to do so. We will be restarting HJT to run some additional steps.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis again and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (They may or may not be there again. We are double checking.)
    C:\WINDOWS\system32\apigw.exe
    C:\DOCUME~1\C\LOCALS~1\Temp\12F.tmp.exe
    C:\DOCUME~1\C\LOCALS~1\Temp\130.tmp.exe
    C:\WINDOWS\system32\d3bw32.exe



    After killing all the above processes, click "Back" (the button all the way to the lower right).
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qsjxk.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qsjxk.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qsjxk.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qsjxk.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yojlz.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qsjxk.dll/sp.html#93256
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {66EE1F3E-08C7-DBFA-3708-AE8E0E66FA5B} - C:\WINDOWS\system32\appal.dll
    O4 - HKLM\..\Run: [apigw.exe] C:\WINDOWS\system32\apigw.exe
    O4 - HKLM\..\Run: [12F.tmp] C:\DOCUME~1\C\LOCALS~1\Temp\12F.tmp.exe
    O4 - HKLM\..\Run: [130.tmp] C:\DOCUME~1\C\LOCALS~1\Temp\130.tmp.exe
    O4 - HKLM\..\Run: [12F.tmp.exe] C:\DOCUME~1\C\LOCALS~1\Temp\12F.tmp.exe
    O4 - HKLM\..\Run: [130.tmp.exe] C:\DOCUME~1\C\LOCALS~1\Temp\130.tmp.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\d3bw32.exe



    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\WINDOWS\system32\apigw.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\Documents and Settings\C\Local Settings\Temp\12F.tmp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\Documents and Settings\C\Local Settings\Temp\130.tmp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\appal.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and also check the box to Unregister DLL before deleting (if it is active) and Click the RedX and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\d3bw32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself but either way please boot into safe mode. And while in safe mode do nothing but the below:

    - Run Windows Explorer and double check for the below files and delete if found (some of these are double checks to make sure they are gone):
    C:\WINDOWS\system32\apigw.exe
    C:\WINDOWS\system32\appal.dll

    C:\WINDOWS\system32\d3bw32.exe


    C:\Documents and Settings\C\Local Settings\Temp <--- delete all files in this folder that it allows you to delete (make sure you do delete 12F.tmp.exe and 130.tmp.exe)


    Now reboot (whether you find them or not) into normal mode.

    Now get a new HJT log and attach it here. And tell us how these steps went and how things are working.
     
  5. hazel500

    hazel500 Private E-2

    Thank you for your help! I had to go through this twice because I made a mistake towards the end and I wanted to make sure I followed your instructions to the letter. Once I finished I booted back up in normal mode and opened IE. The "only the best" popup opened again and now I have the following 4 links in my favorites: "sites about" (note this is a folder with various links in it), "only sex website", "search the web", "seven days of free porn". :eek:

    One thing to note: while I was following your instructions mspaint opened and drew an upside down star. Is this an indication I'm being attacked or hacked???
     
  6. hazel500

    hazel500 Private E-2

    almost forgot my new hjt file hehe
     

    Attached Files:

  7. hazel500

    hazel500 Private E-2

    One other thing to note: this all started to downward spiral after I networked 2 of my home PCs together. I disabled the sharing after all this took place but I'm not sure if the XP Pro wizard opened my PCs to a new vulnerability or not? I'm just trying to post all info I can think of...
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We did get some problems fixed.

    It is not unusual for HSA hijackers to be difficult to remove and to rename themselves and spawn new services and processes as yours did. However, it is very important that directions be followed exactly. If you made a mistake part way through, it could totally make the fix useless, especially if any browsers were opened and closed at any point and also if there were any other points where the PC was shut down or restarted. These infections can mutate and spread at shutdown and reboots. So a few key things to remember:

    • during the whole cleaning procedure, never have any browsers opened at anytime.
    • Do not reboot your PC unless requested. Also after running the cleaning steps and posting a new HJT log, DO NOT power down or reboot. Wait for follow up directions.
    • Print the instructions or save them locally in a text file to view with notepad if necessary (but print would be best because we would prefer that nothing be run except necessary processes to fix the problem.)

    So if you have shutdown or rebooted since posting your last HJT log, post a new one and leave your PC running so it does not change symptoms.

    I do not have time right now to post a complete fix. I will try to get to this later today. But the problems are (notice how everything changed names, even the service executable):

    C:\WINDOWS\mslf32.exe
    C:\WINDOWS\system32\appvb32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {AEC47B7A-3BD5-1DD5-83D5-3166C98819AD} - C:\WINDOWS\crma.dll
    O4 - HKLM\..\Run: [appvb32.exe] C:\WINDOWS\system32\appvb32.exe
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mslf32.exe
     
  9. hazel500

    hazel500 Private E-2

    That may be what happened then. During Pocket Killbox, I clicked reboot during the second line. When Windows rebooted I redid everything from the start, but something may have already changed. I am at work atm, but as soon as I get home, I will post a new HJT log.

    Thanks Chaslang!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Make sure you do not reboot afterwards. Also I would suggest reading through the procedure first before starting to actually run it. Ask any questions before starting it. You must run through the full procedure with no deviation from the steps that are written and they must be run in a continuous fashion without interruption (like don't start if you need to eat dinner or go out for awhile). And remain disconnected from the internet (physically unplugging the cable is best) with no browsers ever opened while running the steps.

    It is also important that you provide feedback on the steps. If anything does not seem to work properly (like deleting a file or stopping a process... etc.) just write down what happens, continue on with the steps, and then tell me about any problems when you come back.
     
    Last edited: Dec 15, 2005
  11. hazel500

    hazel500 Private E-2

    Here is my current HJT log
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    READ THRU STEPS FIRST AND ASK QUESTIONS BEFORE EXECUTING!
    Print or save the below instructions locally to a notepad file (a text file) and then before continuing to execute them, physically unplug your cable to the internet and exit ALL browsers and any other running applications.

    Run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (They may or may not restart almost immediately. Just continue on with the steps. But let me know later.)
    C:\WINDOWS\mslf32.exe
    C:\WINDOWS\system32\appvb32.exe


    Now just under the white window in HJT click the Back button (the one just to the right of the Run.. button). Now just leave HJT running.

    If you have trouble finding this Service you must let me know later.
    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Workstation NetLogon Service (or if you cannot find that name, look for the short name: 11Fßä#·ºÄÖ`I ) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.


    Now return to your HijackThis window and select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Workstation NetLogon Service

    If that does not work, copy and paste in the short name: 11Fßä#·ºÄÖ`I

    You have to copy and paste because these characters are not easily entered. Also important NOTE. There is a space in front of the 11F so add the space too or HJT will not find the service.

    After doing that exit HijackThis but do not reboot if it asks you to do so. We will be restarting HJT to run some additional steps.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis again and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (They may or may not be there again. We are double checking.)
    C:\WINDOWS\mslf32.exe
    C:\WINDOWS\system32\appvb32.exe

    After killing all the above processes, click "Back" (the button all the way to the lower right).
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {AEC47B7A-3BD5-1DD5-83D5-3166C98819AD} - C:\WINDOWS\crma.dll
    O4 - HKLM\..\Run: [appvb32.exe] C:\WINDOWS\system32\appvb32.exe
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mslf32.exe



    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings (use www.majorgeeks.com for now)
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\WINDOWS\system32\appvb32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\crma.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and also check the box to Unregister DLL before deleting (if it is active) and Click the RedX and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\mslf32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself but either way please boot into safe mode. And while in safe mode do nothing but the below:

    - Run Windows Explorer and double check for the below files and delete if found (some of these are double checks to make sure they are gone):
    C:\WINDOWS\system32\appvb32.exe
    C:\WINDOWS\crma.dll
    C:\WINDOWS\mslf32.exe




    Now reboot into normal mode.

    Now get a new HJT log and attach it here. And tell us how these steps went and how things are working.
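An added example, not from this thread or from the HijackThis tool: a small Python filter that reads HJT log lines and flags the four entry patterns the fix above targets (res:// search settings, Run entries launched from a Temp folder, a BHO with a generic display name, and a service whose short name contains non-printable characters), then lists the binary paths a responder would verify on disk. The sample log is constructed from entries quoted in the thread plus two benign lines (ctfmon, W32Time) assumed clean; the heuristics are mine, not the tool's.

```python
"""Flag HijackThis (HJT) log entries matching the hijacker pattern in this thread.

Heuristics (added here; each is tied to an entry type seen in the thread's logs):
  R0/R1  IE search / start-page settings redirected to a res:// resource in a local DLL
  O4     Run entries that launch an executable from a user's Temp folder
  O2     BHOs with a generic display name such as "Class" or "(no name)"
  O23    services whose short name has non-printable or non-ASCII characters,
         or starts with whitespace (as the " 11F..." service in the thread does)
A randomly named executable sitting in system32 (appvb32.exe in the thread) is NOT
caught by these rules; that needs a known-good baseline of the directory.
"""
import re
from typing import List, Tuple

# Constructed sample: entries quoted in the thread plus two benign lines
# (ctfmon, W32Time) that a correct filter must leave alone.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qsjxk.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AEC47B7A-3BD5-1DD5-83D5-3166C98819AD} - C:\WINDOWS\crma.dll
O4 - HKLM\..\Run: [appvb32.exe] C:\WINDOWS\system32\appvb32.exe
O4 - HKLM\..\Run: [12F.tmp] C:\DOCUME~1\C\LOCALS~1\Temp\12F.tmp.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mslf32.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

RES_SEARCH = re.compile(r"^R[01] - .* = res://", re.IGNORECASE)
TEMP_RUN = re.compile(r"^O4 - .*\\Temp\\", re.IGNORECASE)
GENERIC_BHO = re.compile(r"^O2 - BHO: (Class|\(no name\)) - ")
SERVICE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<short>[^)]*)\) - ")
# First drive-letter path ending in .exe/.dll; also pulls the DLL out of a res:// URL.
BINARY_PATH = re.compile(r"[A-Za-z]:\\[^\s/]+?\.(?:exe|dll)", re.IGNORECASE)


def suspicious_short_name(short: str) -> bool:
    """True for leading/trailing whitespace or any non-printable / non-ASCII character."""
    if short != short.strip():
        return True
    return any(ord(c) < 32 or ord(c) > 126 for c in short)


def flag_hjt_lines(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every HJT entry matching one of the heuristics."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RES_SEARCH.match(line):
            findings.append((line, "IE search/start page redirected to a res:// DLL resource"))
        elif TEMP_RUN.match(line):
            findings.append((line, "Run entry launches an executable from a Temp folder"))
        elif GENERIC_BHO.match(line):
            findings.append((line, "BHO registered with a generic display name"))
        else:
            m = SERVICE.match(line)
            if m and suspicious_short_name(m.group("short")):
                findings.append((line, "service short name has leading whitespace or non-printable characters"))
    return findings


def paths_to_review(findings: List[Tuple[str, str]]) -> List[str]:
    """Unique binary paths referenced by flagged entries, in the order they were flagged."""
    seen, paths = set(), []
    for line, _ in findings:
        m = BINARY_PATH.search(line)
        if m and m.group(0) not in seen:
            seen.add(m.group(0))
            paths.append(m.group(0))
    return paths


if __name__ == "__main__":
    hits = flag_hjt_lines(SAMPLE_HJT_LOG)
    for entry, reason in hits:
        print(f"[{reason}] {entry}")
    print("verify on disk:", *paths_to_review(hits), sep="\n  ")
```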
     
  13. hazel500

    hazel500 Private E-2

    Please find notes on how it went below

    Run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (They may or may not restart almost immediately. Just continue on with the steps. But let me know later.)
    C:\WINDOWS\mslf32.exe <--- couldn't kill this one in this step
    C:\WINDOWS\system32\appvb32.exe


    Now just under the white window in HJT click the Back button (the one just to the right of the Run.. button). Now just leave HJT running.

    If you have trouble finding this Service you must let me know later.
    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Workstation NetLogon Service (or if you cannot find that name, look for the short name: 11Fßä#·ºÄÖ`I ) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.


    Now return to your HijackThis window and select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Workstation NetLogon Service

    If that does not work, copy and paste in the short name: 11Fßä#·ºÄÖ`I

    You have to copy and paste because these characters are not easily entered. Also important NOTE. There is a space in front of the 11F so add the space too or HJT will not find the service.

    After doing that exit HijackThis but do not reboot if it asks you to do so. We will be restarting HJT to run some additional steps.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis again and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (They may or may not be there again. We are double checking.)
    C:\WINDOWS\mslf32.exe
    C:\WINDOWS\system32\appvb32.exe <--- neither file was there, YAY!

    After killing all the above processes, click "Back" (the button all the way to the lower right).
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mfvbv.dll/sp.html#93256%everything4find.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {AEC47B7A-3BD5-1DD5-83D5-3166C98819AD} - C:\WINDOWS\crma.dll
    O4 - HKLM\..\Run: [appvb32.exe] C:\WINDOWS\system32\appvb32.exe
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mslf32.exe <--- this line was not listed in HJT



    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings (use www.majorgeeks.com for now)
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\WINDOWS\system32\appvb32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\crma.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and also check the box to Unregister DLL before deleting (if it is active) and Click the RedX and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO. <--- this file was not found

    Now, Copy and Paste C:\WINDOWS\mslf32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself but either way please boot into safe mode. And while in safe mode do nothing but the below:

    - Run Windows Explorer and double check for the below files and delete if found (some of these are double checks to make sure they are gone):
    C:\WINDOWS\system32\appvb32.exe
    C:\WINDOWS\crma.dll
    C:\WINDOWS\mslf32.exe <--- none of these 3 files were there, YAY!



    Now reboot into normal mode.

    Now get a new HJT log and attach it here. And tell us how these steps went and how things are working.

    Everything else except where I noted in red went smoothly. Here is my HJT log. So far so good... I have not seen the popup yet and normally would have by now. :D
     

    Attached Files:

  14. hazel500

    hazel500 Private E-2

    All in all, your first instructions would have worked had i not screwed up. Thanks for sticking with me through this!

    Can I enable system restore now you think? And is there anything else I should do in closing?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Looks good! Before enabling system restore, I would suggest another reboot and then just open and close Internet Explorer a few times and make sure none of the hijacker lines reappear in your log. Then you can enable system restore and move on to the next steps which are in the below link:

    How to Protect yourself from malware!
     
