Please help - "Only The Best Pop Ups" and homepage always at about:blank for IE

Discussion in 'Malware Help (A Specialist Will Reply)' started by irfanm, May 16, 2005.

  1. irfanm

    irfanm Private E-2

    i guess i have this virus and it won't even let me use AIM , before it spreads can someone please help . . i would appreciate it thanks

    here is my hijack this log . .


    Edit by chaslang: Unrequested inline log removed
     
    Last edited by a moderator: May 16, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments. You have an HSA hijacker. Make sure you follow the steps in the READ ME FIRST that talk about this. Make sure you stop and disable the Service mentioned in step 2.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. irfanm

    irfanm Private E-2

    thanks for replying w/ help Chaslang . . but i did get confused a little

    1: OPTIONAL: If you can not remove the stubborn "Only the Best" aka "HSA" HIJACKER please view this thread by Chaslang, an expert in removing these things, can be found here: http://forums.majorgeeks.com/showthread.php?t=38772

    i got confused after that one right there . . had no clue what to do after i clicked link , so maybe from here you can help me , i still have the pop ups and about:blank homepage and aim messing up and windows warnings saying im infected so nothing really changed ,CWShredder did find the CWS:HomeSearch . . reply soon thanks
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just ignore that optional step for now and make sure you complete all the other steps in the READ ME FIRST as requested. Then follow my steps for posting a proper HJT log.
     
    Last edited: May 17, 2005
  5. irfanm

    irfanm Private E-2

    aight , done with all the procedures . . .ready for your commands
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See messages # 2 and 4!
     
  7. irfanm

    irfanm Private E-2

    my fault , ok . . hjt log attached
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must install HijackThis properly as indicated in my message. You are running it from the ZIP file (using WinRar) which is what I specifically requested that you not do. You will not get any backups running HJT this way. You must fix this now.

    You should also uninstall SpyFighter. It is on a list of rogue/suspect removal tools. See:
    http://www.spywarewarrior.com/rogue_anti-spyware.htm
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You also did not complete step 2 of the READ ME FIRST. The below service should be stopped and disabled.

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlhi.exe
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 26.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    We need to stop and disable the service indicated below. You should have already done this during the execution of the READ ME FIRST in step 2.
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlhi.exe


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Workstation NetLogon Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Workstation NetLogon Service

    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    You will need to cut and paste the short name since the characters are not easily typed.

    Now exit HijackThis.

    Now restart HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\atlhi.exe
    C:\WINDOWS\system32\appvp32.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lqwqh.dll/sp.html#55135
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lqwqh.dll/sp.html#55135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lqwqh.dll/sp.html#55135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lqwqh.dll/sp.html#55135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lqwqh.dll/sp.html#55135
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lqwqh.dll/sp.html#55135
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {0155F0FD-B763-E202-7DD5-FD3E8D258B75} - C:\WINDOWS\system32\crpb32.dll
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
    O4 - HKLM\..\Run: [appvp32.exe] C:\WINDOWS\system32\appvp32.exe
    O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlhi.exe

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete the below files (sort the listing in Windows Explorer by Modification dates and look for possibly other similarly named files from the same date - let me know if you find others. If not sure if they are bad or good, do nothing except write the filenames down and tell me what they are later.):
    C:\WINDOWS\atlhi.exe
    C:\WINDOWS\system32\lqwqh.dll
    C:\WINDOWS\system32\crpb32.dll
    C:\WINDOWS\system32\appvp32.exe


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    It would be a good idea to sort the file listing in Windows Explorer by Modification dates and to look for possibly other similarly named files from the same date - let me know what you find. Do not delete anything on your own.

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Now use the same procedure as above to try to delete any files that would not delete in the above step. Note any that still do not delete and continue.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot into normal mode.)

    - Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
     
  11. irfanm

    irfanm Private E-2

    blahhh
     
  12. irfanm

    irfanm Private E-2

    so i followed what you gave me , which btw i appreciate the instructions . . .here are notes i took along the way

    i didnt find

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    O2 - BHO: Class - {0155F0FD-B763-E202-7DD5-FD3E8D258B75} - C:\WINDOWS\system32\crpb32.dll

    and

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlhi.exe

    Aright , i had problems along the way with the workstation netlogon service and atlhi ( i believe they are hand in hand ) i kept stopping and disabling workstation netlogon service but it kept starting and going automatic and then i went to task manager and processes and manually ended atlhi.exe figuring that is why at first i couldnt delete the C://WINDOWS/atlhi.exe . . everything else was working pretty well . .

    but , i still have the about:blank homepage and i still have AIM problems and i am now using firefox as my default browser so i dont know if the popups are still there or not . . .and im still gettin a windows warning pop up (thats legit) saying some malware uhh computer might be infected thing . . my logs are attached

    im not sure if that is exactly what you wanted ive been pretty bad with logs lately , my fault
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have SpyFighter installed.

    You did not install HJT properly! You now have it on your Desktop
    C:\Documents and Settings\Irfan\Desktop\hijackthis\HijackThis.exe

    This is not what was requested and is a bad idea. It is too easy to lose backups this way and no other user accounts will have access to it because it is only on your desktop.

    You still have the Workstation NetLogon Service and because of that, you still have the hijacker. You must get that service stopped and disabled using the directions previously provided. Try killing the below three processes first before trying to stop and disable the service:
    C:\WINDOWS\system32\appvp32.exe
    C:\WINDOWS\system32\mfchp.exe
    C:\WINDOWS\system32\sysyc.exe


    Here are the items from your current log that need to be fixed using the same procedure as last time.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [appvp32.exe] C:\WINDOWS\system32\appvp32.exe
    O4 - HKLM\..\Run: [mfchp.exe] C:\WINDOWS\system32\mfchp.exe
    O4 - HKLM\..\RunOnce: [sysyc.exe] C:\WINDOWS\system32\sysyc.exe
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlhi.exe (file missing)


    Post a new HJT log when finished, but make sure you do not reboot or power down after posting your log. This hijacker can mutate and spread at power down.
     
  14. irfanm

    irfanm Private E-2

    so c drive - program files would be where hijack this goes?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Almost! Use what I gave in my first message: C:\Program Files\HJT
     
  16. irfanm

    irfanm Private E-2

    aight, so here is my new clean log . . .oh and workstation logon service was already stopped when i went to it but it was on automatic so i put it on disable and i couldnt find the appvp32.exe in c-windows-system . . but i did find its 04- line and i didnt find the workstation netlogon service line (023-)

    i just tested out my ie , still same :confused: . .what did i doo wrong!?
     
  17. irfanm

    irfanm Private E-2

    i find this addyw32.exe suspicious . . i never seen it before , and i just looked it up in google . . and it deals with cws homesearch . . so, im ready to delete it , just waiting for your acknowledgement
     
  18. irfanm

    irfanm Private E-2

    oh also this sdkxr32.exe and i also googled that and it deals with the same virus

    edit

    and also the d3pj.exe
     
  19. irfanm

    irfanm Private E-2

    ahhh ok so i witnessed them reproducing again and again , like seriously , it was ahh drove me nuts . . . so i was in explorer . . windows . .system 32 . . and net1.exe . ..net something.exe and they were all related to this . .so i kept deleting them and they kept showing up again and again right before my eyes ahhh
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never posted the follow up HijackThis log. So please post one from normal boot mode and after doing that, DO NOT reboot or power down your PC. You must leave it running until I can get back to you on what to do. You can unplug your cable to the internet to be safe but if you power down or reboot, your problem could mutate making my instructions not useful.
     
  21. irfanm

    irfanm Private E-2

    . . .
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You really should get rid of Ares and Limewire especially since you have an older version of Limewire. They are known to contain malware and more than likely are the source of some of your problems.

    I hope you left your PC running after posting your log. If not, what I'm posting may be a waste of time.

    You still have the Workstation NetLogon Service on your PC. I'm not sure why you are having problems fixing this. I have literally used the same steps on hundreds of these and they ALWAYS work. It is very important to follow steps exactly and you must locate this running service and then stop it and disable it. If that is not done, it can be impossible to fix the problem. So here we go again one more time with the same procedure. Please make sure you follow the steps exactly. Do not say that you cannot find the Workstation NetLogon Service. It is there and you must find it. Look thru every service name if you have to. When you finally locate it, you will see in the Path to executable box the file: C:\WINDOWS\atlhi.exe

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    We need to stop and disable the service indicated below. You should have already done this during the execution of the READ ME FIRST in step 2.

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlhi.exe (file missing)



    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Workstation NetLogon Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Workstation NetLogon Service

    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    You will need to cut and paste the short name since the characters are not easily typed.

    Now exit HijackThis. If the above does not work the first time you try, go back and do it again. You must get this to work.

    Now restart HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\netdh.exe
    C:\WINDOWS\system32\javavc32.exe

    After killing all the above processes, click "Back". And leave HijackThis running. Now we are going to repeat the above step with the service again to make sure it is still disabled or to possibly get it to disable now if you could not do it earlier.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Workstation NetLogon Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now go back to HijackThis and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Workstation NetLogon Service

    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    You will need to cut and paste the short name since the characters are not easily typed.

    Now click "Back" in HijackThis to get back to the Scan screen.

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\otndq.dll/sp.html#55135
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {D824B254-597D-9A93-F4CB-A00EA3F77B89} - C:\WINDOWS\netzo.dll
    O4 - HKLM\..\Run: [javavc32.exe] C:\WINDOWS\system32\javavc32.exe
    O4 - HKLM\..\RunOnce: [netdh.exe] C:\WINDOWS\netdh.exe
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlhi.exe (file missing)



    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete the below files (make sure you tell me later the results for each of these):
    C:\WINDOWS\otndq.dll
    C:\WINDOWS\netzo.dll
    C:\WINDOWS\system32\javavc32.exe
    C:\WINDOWS\netdh.exe
    C:\WINDOWS\atlhi.exe


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Now use the same procedure as above to try to delete any files that would not delete in the above step. Note any that still do not delete and continue.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot into normal mode.)

    - Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
     
  23. irfanm

    irfanm Private E-2

    ahh ok , well im done with all that again , i figured out where i messed up last time . . .i messed up when deleting the nt thing in HJT . . but i got it this time . . i never did that part .. here is my stuff. . .

    for the ab log its the last two . .. you probably already know that . .well i still find bad .exe files . . .but none that are running in processes anymore which is good , still show on hjt , i believe i may have deleted their dll which i guess is their life support right? anywho . . my IE is working right and my aim which is awesome , i just wanna say thanks for everything so far. . . but i dont think we are done
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you do what I asked last time and not shut your PC down after posting your log? It looks like you may have shut down or rebooted because the problem has mutated. Notice the new service is now:


    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syska.exe" /s (file missing)
     
  25. irfanm

    irfanm Private E-2

    well i had to restart cause my computer froze something happened idk . . but i dont have any of the problems anymore , but of course i dont want to ignore it , whats next . . syska file i got rid of in safe mode . . .
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well according to your last log you still had problems that mutated. Probably due to the reboot like I indicated. You had all the below baddies. I do not think you are clean yet:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fhnpg.dll/sp.html#55135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fhnpg.dll/sp.html#55135
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {C5CE4E09-A52A-BF74-65E3-D9D479283259} - C:\WINDOWS\system32\syslq.dll (file missing)
    O4 - HKLM\..\Run: [syslq.exe] C:\WINDOWS\system32\syslq.exe
    O4 - HKLM\..\Run: [d3oq32.exe] C:\WINDOWS\d3oq32.exe
    O4 - HKLM\..\Run: [atluh.exe] C:\WINDOWS\atluh.exe
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syska.exe" /s (file missing)
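
Added example (not part of the thread and not a MajorGeeks or HijackThis tool): a short Python script that parses the HijackThis lines quoted in posts 10, 22 and 26 and separates the traits that stayed the same across each "mutation" from the file names that changed. The function names and the choice of traits are this example's own assumptions.

```python
import re

# HijackThis lines copied from posts 10, 22 and 26 of this thread (malware entries only).
SNAPSHOTS = {
    "post 10": r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lqwqh.dll/sp.html#55135
O2 - BHO: Class - {0155F0FD-B763-E202-7DD5-FD3E8D258B75} - C:\WINDOWS\system32\crpb32.dll
O4 - HKLM\..\Run: [appvp32.exe] C:\WINDOWS\system32\appvp32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlhi.exe
""",
    "post 22": r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\otndq.dll/sp.html#55135
O2 - BHO: Class - {D824B254-597D-9A93-F4CB-A00EA3F77B89} - C:\WINDOWS\netzo.dll
O4 - HKLM\..\Run: [javavc32.exe] C:\WINDOWS\system32\javavc32.exe
O4 - HKLM\..\RunOnce: [netdh.exe] C:\WINDOWS\netdh.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlhi.exe (file missing)
""",
    "post 26": r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fhnpg.dll/sp.html#55135
O2 - BHO: Class - {C5CE4E09-A52A-BF74-65E3-D9D479283259} - C:\WINDOWS\system32\syslq.dll (file missing)
O4 - HKLM\..\Run: [syslq.exe] C:\WINDOWS\system32\syslq.exe
O4 - HKLM\..\Run: [d3oq32.exe] C:\WINDOWS\d3oq32.exe
O4 - HKLM\..\Run: [atluh.exe] C:\WINDOWS\atluh.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syska.exe" /s (file missing)
""",
}

FILE_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.(?:exe|dll)', re.I)   # first exe/dll path on the line
RES_RE = re.compile(r'res://.+?\.dll/(?P<page>\S+)', re.I)           # page served from the hijacker DLL
SVC_RE = re.compile(r'^O23 - Service: (?P<display>.+?) \(\s*(?P<short>.+?)\) - ')


def parse(log_text):
    """Return one dict per recognised HijackThis line (R0-R3 and O sections)."""
    entries = []
    for line in map(str.strip, log_text.splitlines()):
        head = re.match(r'(R[0-3]|O\d+) - ', line)
        if not head:
            continue
        entry = {"section": head.group(1)}
        if (m := FILE_RE.search(line)):
            entry["file"] = m.group(0).lower()
        if (m := RES_RE.search(line)):
            entry["res_page"] = m.group("page")
        if (m := SVC_RE.match(line)):
            entry["svc_short"] = m.group("short")
            entry["svc_display"] = m.group("display")
        entries.append(entry)
    return entries


def traits(log_text):
    """Flatten a log into a set of (kind, value) pairs that can be compared."""
    return {(k, v) for e in parse(log_text) for k, v in e.items() if k != "section"}


def stable_and_churning(snapshots):
    """Traits present in every snapshot, plus the per-snapshot files that are not."""
    per_post = {name: traits(text) for name, text in snapshots.items()}
    stable = set.intersection(*per_post.values())
    churn = {name: sorted(v for k, v in t - stable if k == "file")
             for name, t in per_post.items()}
    return stable, churn


def service_aliases(snapshots):
    """Map each service short name to every display name it appeared under."""
    aliases = {}
    for text in snapshots.values():
        for e in parse(text):
            if "svc_short" in e:
                aliases.setdefault(e["svc_short"], set()).add(e["svc_display"])
    return {short: sorted(names) for short, names in aliases.items()}


if __name__ == "__main__":
    stable, churn = stable_and_churning(SNAPSHOTS)
    print("stable across all logs:", sorted(stable))
    for post, files in churn.items():
        print(post, "->", files)
    print("service aliases:", service_aliases(SNAPSHOTS))
```

No file path survives all three logs, while the service short name and the `sp.html#55135` resource page do, which is why the cleanup instructions key on the service rather than on any one file name.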
     
