Elveon
03-14-2009, 04:14 AM
Introduction:
This article reflects countless hours of experience removing spyware, trojans and viruses. If you can take the time to do all of these steps, there's a good chance your problem will be solved by following this article. While all of these steps are not required for each case, they should be beneficial to all. In general, these steps will work on all versions of Windows XP, but some may not apply to older operating systems like Windows 95, 98 or ME.
* Section 1: Makes sure your computer is not at risk for hard to remove viruses.
* Section 2: Covers cleaning and removal.
* Section 3: Makes suggestions on securing your machine after clean up.
Getting Prepared; Steps to be sure your system is ready to be scanned:
1: Disable System Restore temporarily (WinXP & WinME only) if you are infected; any trojans, spyware, etc. you may have picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside. Please follow these instructions:
For Windows XP:
1: Right click on the My Computer icon on your desktop and select properties.
2: Click on the system restore tab.
3: Check the box that says "Turn off system restore on all drives". Click OK.
4: Click Yes when you are prompted to restart the computer
5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.
For Windows Millennium:
1: Right-click My Computer, and then click Properties.
2: On the Performance tab, click File System, or press ALT+F.
3: On the Troubleshooting tab, click to select the Disable System Restore check box.
4: Click OK twice, and then click Yes when you are prompted to restart the computer.
5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.
2: Network Security, Workstation Netlogon Services & Remote Procedure Call (RPC) Helper (Windows XP, 2K, NT); If you have the about: blank or home search hijack you need to check to see if a Windows service name "Network Security Service" or "Workstation Netlogon Service" are running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now, in the Services window that pops up look for exactly the following service names (no others) "Network Security Service" or "Workstation Netlogon Service" or "Remote Procedure Call (RPC) Helper". If you find these services, you must right click on it to bring up the service Properties window and do the following (refer to the Figure too):
Step 1: Stop the service by click the Stop button.
Step 2: Now, disable it by changing the Startup type to Disabled and click Apply
If you do not find these exact services, do not worry and just skip this step.
3: Enable viewing of hidden files and folders and extensions; Some programs can hide this way by not being visible in Windows. Start Windows Explorer and click on your main hard drive, usually c:\. Then select Tool from the top of Windows Explorer and then Folder Options. Go to the View tab. Scroll down to the folder icon that says Hidden files and folders and check show hidden files and folders. Optionally, right below it, uncheck the hide file extensions for known types. Not doing this could allow file extensions commonly used by trojans and spyware to be hidden, for example a file ending in .exe or dll making manually finding it, if needed, difficult to impossible
4: Downloading Tools; Download the following tools and save in your favorite download folder or create one, for example C:\Temp or C:\Downloads. And then install, update, and configure as indicated below.
McAfee Quickclean (not free)
Webroot SpySweeper (not free)
Pareto Logic XoftSpy (not free)
Install, click Check for Updates now and get any updates, then exit.
ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe
http://anonym.to/?http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe .....Install only
http://anonym.to/?http://public.planetmirror.com/pub/majorgeeks/drives/ccsetup114.exe.............Install only, then exit
ftp://ftp.download.com/pub/win95/utilities/spybotsd13.exe................Install, do the search for updates now and get any updates, then exit.
http://anonym.to/?http://files.webattack.com/localdl834/spywareblastersetup.exe...Install, click Download Latest Protection Updates, Check for Updates, and then Enable All Protection, then exit. It does a great job of blocking known vulnerabilities as well as known malicious websites
http://anonym.to/?http://vil.nai.com/vil/stinger....No installation required! Ready to run as is.
http://anonym.to/?http://www.majorgeeks.com/download4086.html......No installation required! Just unzip it to a folder.
Your system is now ready to be properly scanned for spyware, trojans and viruses.
Scanning And Cleaning Steps:
1: Virus And Trojan Scanning;
a) Win9x (Windows 95, 98, 98SE) users boot normal mode.
do an online scan at: http://anonym.to/?http://housecall.trendmicro.com/housecall/start_corp.asp
do an online scan at: http://anonym.to/?http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym
now boot in safe mode (and remain there) and run McAfee AVERT Stinger. See how to boot in safe mode below.
b) And Windows XP, 2000, NT, ME, users boot in "safe mode with networking support" (and remain in there). See how to boot in safe mode below.
do an online scan at: http://anonym.to/?http://housecall.trendmicro.com/housecall/start_corp.asp
do an online scan at: http://anonym.to/?http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym
Run McAfee AVERT Stinger...
How to boot in safe mode: To boot into safe mode, restart your computer and tap the f8 key (after first black and white screen, but before the Windows splash screen) until you get to a black and white screen asking you what to do. With Windows XP, 2000, NT, ME: Use your arrow keys and select "safe mode with networking support".
Booting in safe mode is important because best results are achieved since safe mode disables most drivers and running programs. If you have a problem for any reason trying to run these scans in safe mode, do them in normal boot mode but make sure you tell us that in any subsequent message you may need to post about your problem,
2: Clean Your Hard Drive; Remove temporary internet and other files not needed with CCleaner. Run CCleaner with the default options to clean out temporary files. Optionally, check the clean "Delete Index.dat" checkbox.
3: Main Spyware Scan And Removal; Scan your machine with Ad-Aware SE (remember to install the Ad-Aware VX2 Cleaner Plug-In for it) and Spybot. Look for the Immunize feature in Spybot and use it.
4: Secondary Spyware Scan And Removal: Other Removal Tools; Run the other programs you downloaded; CWShredder (make sure you select Fix), Kill2me, about:Buster and HSRemove. They are free, standalone and easy to use. Note: about:Buster and HSRemove need only be run if you are having about:blank or HomeSearchAssistent hijacks. Also, note that HSRemove is not compatible with Win9x or WinMe systems.
These final 2 OPTIONAL steps require you reboot back to normal mode.
5: OPTIONAL: If you can not remove the stubborn "Only the Best" aka "HSA" HIJACKER please follow the outline below:
Below is an almost generic solution to use in attempting to fix the now infamous "Only the Best" aka "HomeSearchAssistent" aka "HSA" hijacker. I say almost generic because it is impossible to predict what DLL and EXE filenames everyone having this problem will see on their computer. In addition, it is also impossible to determine how many of these files will be found running. It appears that the more times an incorrect or incomplete fix is attempted the more EXE file names will be spawned. The difficult area is steps 7 and 8 below.
I have now added about:blank to the title since some form of the about:blank hijack can also be fixed using this procedure. The form I'm referring to is one the has R0, R1, and O2 type lines in a HijackThis log that are similar to those of an HSA hijack. The syntax of those lines are mentioned below in the section titled HOW TO IDENTIFY HIJACKER LINES: AN EXAMPLE. The kind of about:blank hijack that CANNOT be fixed with this procedure is of the following form:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {3DF009ED-54BF-4A31-AADC-679997254A74} - C:\WINDOWS\SYSTEM\AIGHKH.DLL
O18 - Filter: text/plain - {7CC1DA6A-B893-4E55-997E-8046D9F77D8B} - C:\WINDOWS\SYSTEM\AIGHKH.DLL
ADDITIONAL THINGS TO KNOW
If you do not know how to use the Windows Registry Editor please see this.
http://support.microsoft.com/default.aspx?scid=kb;en-us;136393
If using WinXP, setup search to locate hidden/system files: click Start, Search, All Files and folders, select More advanced options. Make sure you have checks on:
1) Search system folders
2) Search hidden files and folders
3) Search subfolders
HOW TO IDENTIFY HIJACKER LINES: AN EXAMPLE
Okay, below are the steps we are going to use. Make sure you print these or save them to a file on your PC because I am going to have you disconnect your PC from the internet at a certain point (Not Yet!). Once disconnected, do not connect again until I tell you to do so. In many cases this step had been one of the most important steps.
Do not ignore it!!!
In an attempt to make this solution easier to follow, I'm first going to show parts of the information we are concerned with from a sample HijaakThis log. Sample log snipets:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ftlsk.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ftlsk.dll/index.html#27859
O2 - BHO: (no name) - {ADFA3880-261B-1BF8-91EB-1DEF4A8C4300} - C:\WINDOWS\atlef.dll
O4 - HKLM\..\Run: [winya.exe] C:\WINDOWS\system32\winya.exe
O4 - HKLM\..\RunOnce: [msfo.exe] C:\WINDOWS\system32\msfo.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\RunOnce: [winuh32.exe] C:\WINDOWS\system32\winuh32.exe
O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\nthc32.exe
O4 - HKLM\..\RunOnce: [syspg.exe] C:\WINDOWS\syspg.exe
Note, your filenames will be different. The above lines are examples that I am using below for demonstrating the generic solution. The full path to the DLL file that you obtain from your HijaakThis log on the R0 & R1 lines is what you will need to substitute into step 5 below where it gives c:\windows\system32\xxxxx.dll as an example. Your R0 & R1 lines may not even have c:\windows\system32 as the directory. There have been several cases where the directory was either c:\windows or c:\windows\system.
This next paragraph will be important for you to understand before you get to step 8. You will need to do all of the online searching for good/bad files before I take you offline. So read the next paragraph and look at your HijackThis log and see if you can identify the bad files indicated in the O4 section. Some of these EXE files may only show in the processes list of HijackThis, and some may show in both the process list and the O4 section of HijaakThisNow. This is the hardest part, you need to identify these files good or bad. Try excite.com or google.com (I find excite.com to come up with more useful hits than google.com). Use PacMan's Startup List (http://www.sysinfo.org/startuplist.php ) to find the entry and see if it's good or bad.
You can also use http://www.liutilities.com/products...processlibrary/ to compare against. My experience is that typically these bad EXE file names will be 4 to 7 characters long + .exe Sometimes (as shown above) the have a 32 just before the .exe. In addition, when performing all the possible searches listed, you typically do not get any hits describing a valid EXE or even a known other type of bad EXE. You either get no hits or the only hits will be other peoples HijaakThis logs with the same type of hijack going on. Sometimes you can locate all of these EXE files in c:\windows, c:windows\system, or c:\windows\system32 easily by using Windows Explorer and sorting on modification date. Look for a date to be anywhere between the time you first got the problem to the current date. One additional note in identifying these bad files they, always have the following pattern: [syspg.exe] C:\WINDOWS\syspg.exe
Notice the name in [] is an exact match of the file name at the end of the line.
ALMOST READY TO START
Obviously before continuing, you need your current HijaakThis log. So if you rebooted since last checking your log, run another one to make sure it has not changed the filenames again. You should print this information so you can refer to it later when you are offline.
Note: In the steps below the underlined items are links that MUST be click to see additional important information and directions (how to do's)!
THE STEP BY STEP SOLUTION
1) If running WinMe or WinXP, disable system restore and reboot!
http://anonym.to/?http://www.majorgeeks.com/vb/showthread.php?t=31668
2) Make sure you have enabled viewing of Hidden Files and Folders and system files with Windows Explorer. While doing this, also verify that you do NOT have a check on the option to Hide extensions for known file types.
http://anonym.to/?http://forums.majorgeeks.com/showthread.php?t=37650
3) Make sure you know how to boot in safe mode too (but don't do it yet!):
http://anonym.to/?http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
4) Physically disconnect from the internet (pull your ethernet cable if you have DSL or cable modem. If you have an analog modem, drop your connection and unplug the telephone line to the modem.) Also at this point, you must exit all Internet Explorer sessions (it would be a good idea to exit anything that is not necessary).
5) Now we are going to use notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijaakThis log. To do this click Start, Run, and enter the following command "notepad c:\path\xxxxx.dll" (without the quotes) and click OK.
NOTE: You must replace the generic c:\path\xxxxx.dll will be replaced by the path and filename found in the R0 & R1 lines from your HijaakThis log. So for the example log being used the command would be:
notepad C:\WINDOWS\system32\ftlsk.dll
Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file). Now using Windows Explorer, locate the file ftlsk.dll and right click on it and select Properties and change the attributes to Read Only and click OK.
6) This step only applies to Win2K or WinXP systems. For Win9x and Me based systems you will most likely see additional lines in the O4 section of HijaakThis (typically O4 - HKLM\..\RunServices).
Check to see if a Windows service name "Network Security Service" (NSS for short) is running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now in the Services window that pops up look for Network Security Service. If you find that service, you must stop it by right clicking on it then select stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: " click on the pull down arrow and change it to Disabled. Also on the Properties page, make note of the information in the "Path to executable" box. You are going to use this
later.
Another service has been found to possibly be used. So we also need to look for the "Workstation Netlogon Service" (WNS for short) using the same method as above. And again, if found, stop it and disable it. Again make note of the "Path to executable" for later use.
A third possible service has been identified to be used sometimes. So now we need to look for the Remote Procedure Call (RPC) Helper using the same method as above. And again, if found, stop it and disable it. Again make note of the "Path to executable" for later use.
If you do not find any of these services running, just continue with the next steps. Only look for those exact names "Network Security Service" and/or "Workstation Netlogon Service" and/or "Remote Procedure Call (RPC) Helper" nothing else.
7) This is where things become difficult. You need to determine the BHO (Browser Helper Object) line added by the hijacker. Normally you will see the hijacker add only one BHO line, however, there have been cases with many these BHO lines added. Be careful not to confuse the hijacker BHO with valid BHO lines. A typical BHO line may look like the line below from the example HijaakThis log:
O2 - BHO: (no name) - {ADFA3880-261B-1BF8-91EB-1DEF4A8C4300} - C:\WINDOWS\atlef.dll
8) You also need to determine all the executable (EXE) files that are loading during Startup. These EXE files can be loaded many different ways. Most of them will show in one of many types of O4 lines that HijaakThis can display. From the example HijaakThis log (there are more types that could occur):
O4 - HKLM\..\Run: [winya.exe] C:\WINDOWS\system32\winya.exe
O4 - HKLM\..\RunOnce: [msfo.exe] C:\WINDOWS\system32\msfo.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\RunOnce: [winuh32.exe] C:\WINDOWS\system32\winuh32.exe
O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\nthc32.exe
O4 - HKLM\..\RunOnce: [syspg.exe] C:\WINDOWS\syspg.exe
9) Shutdown (not minimize) all applications (especially IE and Windows explorer) and run HijaakThis. Have it fix all the lines determined to be part of the hijacker in steps 7 & 8.
10) Now reboot in safe mode (via method given in step 3) and then delete all the DLL and EXE file names found in steps 7 and 8. And also if you found the Network Security Service and/or the Workstation Netlogon Service runnning in step 6, delete the files indicated in the Path to executable!
Be careful here the Path to the executable always contains a trailing /s. The /s is not part of the filename. For example the Path to executable could be C:Windows\system32\javajt32.exe /s but the filename (with path) is C:Windows\system32\javajt32.exe
If you have a problem deleting any of these files (like it is denied because it is in use), run ProcessExplorer and try to locate the running process and kill it. Then try to delete the file.
11a) This part of step 11 is for WinXP only. Now also look in c:\windows\Prefetch for all of the above files deleted in steps 7 to 10. If found, delete them too.
11b) Now for all OS's, after deleting all of the items from the steps above, empty your Recycle bin.
12) Now while still in safe mode, run only Hijaak This and have it fix all the R0 and R1 lines that have the typical symptom information. For example, these R0 & R1 lines always end with something like one of the following three lines:
res://C:\WINDOWS\system32\xxxxx.dll/qqqqq.html#nnnnn
res://C:\WINDOWS\xxxxx.dll/qqqqq.html#nnnnn
res://xxxxx.dll/qqqqq.html#nnnnn
where the xxxxx is random characters, qqqqq is a random name, and the nnnnn is random numbers. Here are a couple examples:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ftlsk.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ftlsk.dll/index.html#27859
13a) Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.Google.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
13b) Search the registry for every instance of xxxxx.dll (the file from step 5) and delete every instance.
13c) Search the registry for every instance of O2 BHO DLL file found in step 7 and delete every instance.
13d) Search the registry for every instance of the suspicious exe files found by Hijack This from step 8. Delete every instance.
13e) Search your computer for xxxxx.dll. Delete each instance. Also, look for files with the same name but having an extension of .DAT or .EXE. For example, if looking for ftlsk.dll, also look for ftlsk.dat and ftlsk.exe.
13f) Search your computer for the suspicious exe files. Delete each instances. Also, look for files with the same name but having an extension of .DAT or .DLL. For example, if looking for nthc32.exe, also look for nthc32.dat and nthc32.dll.
13g) Now for a second time: if running WinXP, delete everything in the Prefetch folder in C:\WINDOWS\Prefetch and now for all OS's empty your Recycle Bin again.
13h) Delete Memory.dmp if found in either C:\WINDOWS or C:\WINDOWS\System32
13i) Run CCleaner and on the Windows tab (you'll see when you run it) leave the defaults and click Run Cleaner.
13j) For Win NT/2K/XP, run HSRemover (does not support Win9x/Me)
13k) Run about:Buster (copy the output to a file ablog1.txt)
If you receive an error message about a missing MSCOMCTL.OCX file when you run about:Buster, download the file in the link below and run it. It will give you the necessary file.
http://www.javacoolsoftware.net/downloads/missingfilesetup.exe
13l) Also while still in Safe Mode to finish the cleanup process, please do the following:
Go to Start --> Run and type Regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es
and highlight Services in the left pane. In the right pane, look for any of these entries:
__NS_Service
__NS_Service_2
__NS_Service_3
If any are listed, right-click that entry in the right pane and choose Delete.
13m) Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot
and highlight Root in the Left Pane. In the right pane, look for these entries:
LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3
If you find it, right-click it in the right-pane and choose delete.
13n) Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Workstation NetLogon Service
If Workstation NetLogon Service exists, right click on it and choose delete from the menu.
13o) Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_Workstation NetLogon Service
If LEGACY_Workstation NetLogon Service exists then right click on it and choose delete from the menu.
13p) Now navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Remote Procedure Call (RPC) Helper
If Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.
13q) Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_Remote Procedure Call (RPC) Helper
If LEGACY_Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.
If you have trouble deleting a key from steps 13l or 13q. Then click once on the key name to highlight it. Then click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.
14) Now (still in safe mode) run Ad-aware SE and under scan select Perform Full System Scan and then SpyBot S&D and clean what they find.
15) Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall
Click the [+] next to uninstall. Scroll down until you see the NAMES of programs (skip past the lines with numbers in {,} ). See if you can find any of the following listed:
HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of
assistant is wrong)
SA = Search Assistant
SE = Search Extender
SW = Shopping Wizzard
If you find any of them, select one at a time, and hit your delete key. Once you delete all three, you can exit the registry editor.
As an alternate approach save the following 4 lines to a file called hsafix.reg, then using windows explorer double click on the hsafix.reg file a merge the fix into the registry.
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\SW]
16) Now reboot normal mode. And run about:Buster one more time saving the output again (ablog2.txt do not overwrite the first log)
17) Before running anything else run HijaakThis and save a log.
18) Reconnect your internet connection, run your browser, and connect here to MG's and post the new HijackThis and about:Buster logs as attachments. Then continue running and let's see how everything is working.
19) After you have gone thru a few reboots and performed some typical surfing and if everything is working okay, re-enable your system restore (again only applies for WinMe and WinXP).
6: OPTIONAL: Scan With Hijack This; If you have gotten this far without success, you may need to download Hijack This!.
Alternative Scans - If still having problems
If you are still having problems after performing all the above, these alternative scans below may prove to be useful. As mentioned above, it would be good to perform these in safe mode since it may assist in the ability to remove an infection. However, there are cases where a problem does not show itself completely until you boot in normal mode. So first run these scans in normal boot mode, and if they have problems cleaning any particular items repeat the scan in safe mode to see if it helps. Always keep track of what these scans find (save logs or take notes), and report them back in your thread to anyone helping you.
Bitdefender online scan
http://anonym.to/?http://www.bitdefender.com/scan/license.php
RavAntivirus online scan <-- select Auto Clean then click Scan My PC
http://anonym.to/?http://www.ravantivirus.com/scan/
TrojanScan online scan
http://anonym.to/?http://www.windowsecurity.com/trojanscan/
a-squared (aČ) Free edition free but requires an email address to register
http://anonym.to/?http://www.majorgeeks.com/download4281.html
avast! Virus Cleaner Tool
http://anonym.to/?http://www.majorgeeks.com/download4188.html
ADS SPY - Alternate Data Streams Spy from Merijn
http://anonym.to/?http://www.spywareinfo.com/%7Emerijn/files/adsspy.zip
Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app also displays legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious! You should consult with an expert before deleting any files with this tool.
Keeping your computer safe and secure:
1: Windows Update; Update Windows at Microsoft Windows Update. Just click on Start, then Windows Update. Many security loopholes are found and exploited and Microsoft patches for these. The Blaster worm affected millions of people because they were not up to date, as an example. If you're not up to date, you're at risk. You can setup automatic updates in your control panel; go to Start, Settings, Control panel.
2:Remove Microsoft Java; Microsoft no longer supported version of Java is often a source of installed spyware and hijacks so it is a good idea to remove Microsoft Java Virtual Machine and Install Sun Java. To remove it follow these steps.
1: Select Start > Run and Enter "RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall" in the Open box, and click ok.
2: Click Yes to confirm that you want to remove the Microsoft VM
3: When prompted, reboot the computer
4: Remove the following items: (Systemroot is where Windows is installed (usually C:\Windows)
The \%Systemroot%\Java folder
The file java.PNF from the \%Systemroot%\inf folder
The files jview.exe and wjview.exe from the \%Systemroot%\system32 folder
The registry subkey HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Java VM
The registry subkey HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \JAVA_VM
5: Install Sun Java here: http://java.sun.com/getjava/index.html
(Any files or registry entries not found or errors can be ignored and go to the next step)
Optionally, consider replacing your web browser with a free alternative like FireFox or a shareware browsers like Opera or GreenBrowser...
This article reflects countless hours of experience removing spyware, trojans and viruses. If you can take the time to do all of these steps, there's a good chance your problem will be solved by following this article. While all of these steps are not required for each case, they should be beneficial to all. In general, these steps will work on all versions of Windows XP, but some may not apply to older operating systems like Windows 95, 98 or ME.
* Section 1: Makes sure your computer is not at risk for hard to remove viruses.
* Section 2: Covers cleaning and removal.
* Section 3: Makes suggestions on securing your machine after clean up.
Getting Prepared; Steps to be sure your system is ready to be scanned:
1: Disable System Restore temporarily (WinXP & WinME only) if you are infected; any trojans, spyware, etc. you may have picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside. Please follow these instructions:
For Windows XP:
1: Right click on the My Computer icon on your desktop and select properties.
2: Click on the system restore tab.
3: Check the box that says "Turn off system restore on all drives". Click OK.
4: Click Yes when you are prompted to restart the computer
5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.
For Windows Millennium:
1: Right-click My Computer, and then click Properties.
2: On the Performance tab, click File System, or press ALT+F.
3: On the Troubleshooting tab, click to select the Disable System Restore check box.
4: Click OK twice, and then click Yes when you are prompted to restart the computer.
5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.
2: Network Security, Workstation Netlogon Services & Remote Procedure Call (RPC) Helper (Windows XP, 2K, NT); If you have the about: blank or home search hijack you need to check to see if a Windows service name "Network Security Service" or "Workstation Netlogon Service" are running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now, in the Services window that pops up look for exactly the following service names (no others) "Network Security Service" or "Workstation Netlogon Service" or "Remote Procedure Call (RPC) Helper". If you find these services, you must right click on it to bring up the service Properties window and do the following (refer to the Figure too):
Step 1: Stop the service by click the Stop button.
Step 2: Now, disable it by changing the Startup type to Disabled and click Apply
If you do not find these exact services, do not worry and just skip this step.
3: Enable viewing of hidden files and folders and extensions; Some programs can hide this way by not being visible in Windows. Start Windows Explorer and click on your main hard drive, usually c:\. Then select Tool from the top of Windows Explorer and then Folder Options. Go to the View tab. Scroll down to the folder icon that says Hidden files and folders and check show hidden files and folders. Optionally, right below it, uncheck the hide file extensions for known types. Not doing this could allow file extensions commonly used by trojans and spyware to be hidden, for example a file ending in .exe or dll making manually finding it, if needed, difficult to impossible
4: Downloading Tools; Download the following tools and save in your favorite download folder or create one, for example C:\Temp or C:\Downloads. And then install, update, and configure as indicated below.
McAfee Quickclean (not free)
Webroot SpySweeper (not free)
Pareto Logic XoftSpy (not free)
Install, click Check for Updates now and get any updates, then exit.
ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe
http://anonym.to/?http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe .....Install only
http://anonym.to/?http://public.planetmirror.com/pub/majorgeeks/drives/ccsetup114.exe.............Install only, then exit
ftp://ftp.download.com/pub/win95/utilities/spybotsd13.exe................Install, do the search for updates now and get any updates, then exit.
http://anonym.to/?http://files.webattack.com/localdl834/spywareblastersetup.exe...Install, click Download Latest Protection Updates, Check for Updates, and then Enable All Protection, then exit. It does a great job of blocking known vulnerabilities as well as known malicious websites
http://anonym.to/?http://vil.nai.com/vil/stinger....No installation required! Ready to run as is.
http://anonym.to/?http://www.majorgeeks.com/download4086.html......No installation required! Just unzip it to a folder.
Your system is now ready to be properly scanned for spyware, trojans and viruses.
Scanning And Cleaning Steps:
1: Virus And Trojan Scanning;
a) Win9x (Windows 95, 98, 98SE) users boot normal mode.
do an online scan at: http://anonym.to/?http://housecall.trendmicro.com/housecall/start_corp.asp
do an online scan at: http://anonym.to/?http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym
now boot in safe mode (and remain there) and run McAfee AVERT Stinger. See how to boot in safe mode below.
b) And Windows XP, 2000, NT, ME, users boot in "safe mode with networking support" (and remain in there). See how to boot in safe mode below.
do an online scan at: http://anonym.to/?http://housecall.trendmicro.com/housecall/start_corp.asp
do an online scan at: http://anonym.to/?http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym
Run McAfee AVERT Stinger...
How to boot in safe mode: To boot into safe mode, restart your computer and tap the f8 key (after first black and white screen, but before the Windows splash screen) until you get to a black and white screen asking you what to do. With Windows XP, 2000, NT, ME: Use your arrow keys and select "safe mode with networking support".
Booting in safe mode is important because best results are achieved since safe mode disables most drivers and running programs. If you have a problem for any reason trying to run these scans in safe mode, do them in normal boot mode but make sure you tell us that in any subsequent message you may need to post about your problem,
2: Clean Your Hard Drive; Remove temporary internet and other files not needed with CCleaner. Run CCleaner with the default options to clean out temporary files. Optionally, check the clean "Delete Index.dat" checkbox.
3: Main Spyware Scan And Removal; Scan your machine with Ad-Aware SE (remember to install the Ad-Aware VX2 Cleaner Plug-In for it) and Spybot. Look for the Immunize feature in Spybot and use it.
4: Secondary Spyware Scan And Removal: Other Removal Tools; Run the other programs you downloaded; CWShredder (make sure you select Fix), Kill2me, about:Buster and HSRemove. They are free, standalone and easy to use. Note: about:Buster and HSRemove need only be run if you are having about:blank or HomeSearchAssistent hijacks. Also, note that HSRemove is not compatible with Win9x or WinMe systems.
These final 2 OPTIONAL steps require you reboot back to normal mode.
5: OPTIONAL: If you can not remove the stubborn "Only the Best" aka "HSA" HIJACKER please follow the outline below:
Below is an almost generic solution to use in attempting to fix the now infamous "Only the Best" aka "HomeSearchAssistent" aka "HSA" hijacker. I say almost generic because it is impossible to predict what DLL and EXE filenames everyone having this problem will see on their computer. In addition, it is also impossible to determine how many of these files will be found running. It appears that the more times an incorrect or incomplete fix is attempted the more EXE file names will be spawned. The difficult area is steps 7 and 8 below.
I have now added about:blank to the title since some form of the about:blank hijack can also be fixed using this procedure. The form I'm referring to is one the has R0, R1, and O2 type lines in a HijackThis log that are similar to those of an HSA hijack. The syntax of those lines are mentioned below in the section titled HOW TO IDENTIFY HIJACKER LINES: AN EXAMPLE. The kind of about:blank hijack that CANNOT be fixed with this procedure is of the following form:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {3DF009ED-54BF-4A31-AADC-679997254A74} - C:\WINDOWS\SYSTEM\AIGHKH.DLL
O18 - Filter: text/plain - {7CC1DA6A-B893-4E55-997E-8046D9F77D8B} - C:\WINDOWS\SYSTEM\AIGHKH.DLL
ADDITIONAL THINGS TO KNOW
If you do not know how to use the Windows Registry Editor please see this.
http://support.microsoft.com/default.aspx?scid=kb;en-us;136393
If using WinXP, setup search to locate hidden/system files: click Start, Search, All Files and folders, select More advanced options. Make sure you have checks on:
1) Search system folders
2) Search hidden files and folders
3) Search subfolders
HOW TO IDENTIFY HIJACKER LINES: AN EXAMPLE
Okay, below are the steps we are going to use. Make sure you print these or save them to a file on your PC because I am going to have you disconnect your PC from the internet at a certain point (Not Yet!). Once disconnected, do not connect again until I tell you to do so. In many cases this step had been one of the most important steps.
Do not ignore it!!!
In an attempt to make this solution easier to follow, I'm first going to show parts of the information we are concerned with from a sample HijaakThis log. Sample log snipets:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ftlsk.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ftlsk.dll/index.html#27859
O2 - BHO: (no name) - {ADFA3880-261B-1BF8-91EB-1DEF4A8C4300} - C:\WINDOWS\atlef.dll
O4 - HKLM\..\Run: [winya.exe] C:\WINDOWS\system32\winya.exe
O4 - HKLM\..\RunOnce: [msfo.exe] C:\WINDOWS\system32\msfo.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\RunOnce: [winuh32.exe] C:\WINDOWS\system32\winuh32.exe
O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\nthc32.exe
O4 - HKLM\..\RunOnce: [syspg.exe] C:\WINDOWS\syspg.exe
Note, your filenames will be different. The above lines are examples that I am using below for demonstrating the generic solution. The full path to the DLL file that you obtain from your HijaakThis log on the R0 & R1 lines is what you will need to substitute into step 5 below where it gives c:\windows\system32\xxxxx.dll as an example. Your R0 & R1 lines may not even have c:\windows\system32 as the directory. There have been several cases where the directory was either c:\windows or c:\windows\system.
This next paragraph will be important for you to understand before you get to step 8. You will need to do all of the online searching for good/bad files before I take you offline. So read the next paragraph and look at your HijackThis log and see if you can identify the bad files indicated in the O4 section. Some of these EXE files may only show in the processes list of HijackThis, and some may show in both the process list and the O4 section of HijaakThisNow. This is the hardest part, you need to identify these files good or bad. Try excite.com or google.com (I find excite.com to come up with more useful hits than google.com). Use PacMan's Startup List (http://www.sysinfo.org/startuplist.php ) to find the entry and see if it's good or bad.
You can also use http://www.liutilities.com/products...processlibrary/ to compare against. My experience is that typically these bad EXE file names will be 4 to 7 characters long + .exe Sometimes (as shown above) the have a 32 just before the .exe. In addition, when performing all the possible searches listed, you typically do not get any hits describing a valid EXE or even a known other type of bad EXE. You either get no hits or the only hits will be other peoples HijaakThis logs with the same type of hijack going on. Sometimes you can locate all of these EXE files in c:\windows, c:windows\system, or c:\windows\system32 easily by using Windows Explorer and sorting on modification date. Look for a date to be anywhere between the time you first got the problem to the current date. One additional note in identifying these bad files they, always have the following pattern: [syspg.exe] C:\WINDOWS\syspg.exe
Notice the name in [] is an exact match of the file name at the end of the line.
ALMOST READY TO START
Obviously before continuing, you need your current HijaakThis log. So if you rebooted since last checking your log, run another one to make sure it has not changed the filenames again. You should print this information so you can refer to it later when you are offline.
Note: In the steps below the underlined items are links that MUST be click to see additional important information and directions (how to do's)!
THE STEP BY STEP SOLUTION
1) If running WinMe or WinXP, disable system restore and reboot!
http://anonym.to/?http://www.majorgeeks.com/vb/showthread.php?t=31668
2) Make sure you have enabled viewing of Hidden Files and Folders and system files with Windows Explorer. While doing this, also verify that you do NOT have a check on the option to Hide extensions for known file types.
http://anonym.to/?http://forums.majorgeeks.com/showthread.php?t=37650
3) Make sure you know how to boot in safe mode too (but don't do it yet!):
http://anonym.to/?http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
4) Physically disconnect from the internet (pull your ethernet cable if you have DSL or cable modem. If you have an analog modem, drop your connection and unplug the telephone line to the modem.) Also at this point, you must exit all Internet Explorer sessions (it would be a good idea to exit anything that is not necessary).
5) Now we are going to use notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijaakThis log. To do this click Start, Run, and enter the following command "notepad c:\path\xxxxx.dll" (without the quotes) and click OK.
NOTE: You must replace the generic c:\path\xxxxx.dll will be replaced by the path and filename found in the R0 & R1 lines from your HijaakThis log. So for the example log being used the command would be:
notepad C:\WINDOWS\system32\ftlsk.dll
Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file). Now using Windows Explorer, locate the file ftlsk.dll and right click on it and select Properties and change the attributes to Read Only and click OK.
6) This step only applies to Win2K or WinXP systems. For Win9x and Me based systems you will most likely see additional lines in the O4 section of HijaakThis (typically O4 - HKLM\..\RunServices).
Check to see if a Windows service name "Network Security Service" (NSS for short) is running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now in the Services window that pops up look for Network Security Service. If you find that service, you must stop it by right clicking on it then select stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: " click on the pull down arrow and change it to Disabled. Also on the Properties page, make note of the information in the "Path to executable" box. You are going to use this
later.
Another service has been found to possibly be used. So we also need to look for the "Workstation Netlogon Service" (WNS for short) using the same method as above. And again, if found, stop it and disable it. Again make note of the "Path to executable" for later use.
A third possible service has been identified to be used sometimes. So now we need to look for the Remote Procedure Call (RPC) Helper using the same method as above. And again, if found, stop it and disable it. Again make note of the "Path to executable" for later use.
If you do not find any of these services running, just continue with the next steps. Only look for those exact names "Network Security Service" and/or "Workstation Netlogon Service" and/or "Remote Procedure Call (RPC) Helper" nothing else.
7) This is where things become difficult. You need to determine the BHO (Browser Helper Object) line added by the hijacker. Normally you will see the hijacker add only one BHO line, however, there have been cases with many these BHO lines added. Be careful not to confuse the hijacker BHO with valid BHO lines. A typical BHO line may look like the line below from the example HijaakThis log:
O2 - BHO: (no name) - {ADFA3880-261B-1BF8-91EB-1DEF4A8C4300} - C:\WINDOWS\atlef.dll
8) You also need to determine all the executable (EXE) files that are loading during Startup. These EXE files can be loaded many different ways. Most of them will show in one of many types of O4 lines that HijaakThis can display. From the example HijaakThis log (there are more types that could occur):
O4 - HKLM\..\Run: [winya.exe] C:\WINDOWS\system32\winya.exe
O4 - HKLM\..\RunOnce: [msfo.exe] C:\WINDOWS\system32\msfo.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\RunOnce: [winuh32.exe] C:\WINDOWS\system32\winuh32.exe
O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\nthc32.exe
O4 - HKLM\..\RunOnce: [syspg.exe] C:\WINDOWS\syspg.exe
9) Shutdown (not minimize) all applications (especially IE and Windows explorer) and run HijaakThis. Have it fix all the lines determined to be part of the hijacker in steps 7 & 8.
10) Now reboot in safe mode (via method given in step 3) and then delete all the DLL and EXE file names found in steps 7 and 8. And also if you found the Network Security Service and/or the Workstation Netlogon Service runnning in step 6, delete the files indicated in the Path to executable!
Be careful here the Path to the executable always contains a trailing /s. The /s is not part of the filename. For example the Path to executable could be C:Windows\system32\javajt32.exe /s but the filename (with path) is C:Windows\system32\javajt32.exe
If you have a problem deleting any of these files (like it is denied because it is in use), run ProcessExplorer and try to locate the running process and kill it. Then try to delete the file.
11a) This part of step 11 is for WinXP only. Now also look in c:\windows\Prefetch for all of the above files deleted in steps 7 to 10. If found, delete them too.
11b) Now for all OS's, after deleting all of the items from the steps above, empty your Recycle bin.
12) Now while still in safe mode, run only Hijaak This and have it fix all the R0 and R1 lines that have the typical symptom information. For example, these R0 & R1 lines always end with something like one of the following three lines:
res://C:\WINDOWS\system32\xxxxx.dll/qqqqq.html#nnnnn
res://C:\WINDOWS\xxxxx.dll/qqqqq.html#nnnnn
res://xxxxx.dll/qqqqq.html#nnnnn
where the xxxxx is random characters, qqqqq is a random name, and the nnnnn is random numbers. Here are a couple examples:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ftlsk.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ftlsk.dll/index.html#27859
13a) Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.Google.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
13b) Search the registry for every instance of xxxxx.dll (the file from step 5) and delete every instance.
13c) Search the registry for every instance of O2 BHO DLL file found in step 7 and delete every instance.
13d) Search the registry for every instance of the suspicious exe files found by Hijack This from step 8. Delete every instance.
13e) Search your computer for xxxxx.dll. Delete each instance. Also, look for files with the same name but having an extension of .DAT or .EXE. For example, if looking for ftlsk.dll, also look for ftlsk.dat and ftlsk.exe.
13f) Search your computer for the suspicious exe files. Delete each instances. Also, look for files with the same name but having an extension of .DAT or .DLL. For example, if looking for nthc32.exe, also look for nthc32.dat and nthc32.dll.
13g) Now for a second time: if running WinXP, delete everything in the Prefetch folder in C:\WINDOWS\Prefetch and now for all OS's empty your Recycle Bin again.
13h) Delete Memory.dmp if found in either C:\WINDOWS or C:\WINDOWS\System32
13i) Run CCleaner and on the Windows tab (you'll see when you run it) leave the defaults and click Run Cleaner.
13j) For Win NT/2K/XP, run HSRemover (does not support Win9x/Me)
13k) Run about:Buster (copy the output to a file ablog1.txt)
If you receive an error message about a missing MSCOMCTL.OCX file when you run about:Buster, download the file in the link below and run it. It will give you the necessary file.
http://www.javacoolsoftware.net/downloads/missingfilesetup.exe
13l) Also while still in Safe Mode to finish the cleanup process, please do the following:
Go to Start --> Run and type Regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es
and highlight Services in the left pane. In the right pane, look for any of these entries:
__NS_Service
__NS_Service_2
__NS_Service_3
If any are listed, right-click that entry in the right pane and choose Delete.
13m) Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot
and highlight Root in the Left Pane. In the right pane, look for these entries:
LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3
If you find it, right-click it in the right-pane and choose delete.
13n) Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Workstation NetLogon Service
If Workstation NetLogon Service exists, right click on it and choose delete from the menu.
13o) Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_Workstation NetLogon Service
If LEGACY_Workstation NetLogon Service exists then right click on it and choose delete from the menu.
13p) Now navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Remote Procedure Call (RPC) Helper
If Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.
13q) Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_Remote Procedure Call (RPC) Helper
If LEGACY_Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.
If you have trouble deleting a key from steps 13l or 13q. Then click once on the key name to highlight it. Then click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.
14) Now (still in safe mode) run Ad-aware SE and under scan select Perform Full System Scan and then SpyBot S&D and clean what they find.
15) Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall
Click the [+] next to uninstall. Scroll down until you see the NAMES of programs (skip past the lines with numbers in {,} ). See if you can find any of the following listed:
HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of
assistant is wrong)
SA = Search Assistant
SE = Search Extender
SW = Shopping Wizzard
If you find any of them, select one at a time, and hit your delete key. Once you delete all three, you can exit the registry editor.
As an alternate approach save the following 4 lines to a file called hsafix.reg, then using windows explorer double click on the hsafix.reg file a merge the fix into the registry.
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\SW]
16) Now reboot normal mode. And run about:Buster one more time saving the output again (ablog2.txt do not overwrite the first log)
17) Before running anything else run HijaakThis and save a log.
18) Reconnect your internet connection, run your browser, and connect here to MG's and post the new HijackThis and about:Buster logs as attachments. Then continue running and let's see how everything is working.
19) After you have gone thru a few reboots and performed some typical surfing and if everything is working okay, re-enable your system restore (again only applies for WinMe and WinXP).
6: OPTIONAL: Scan With Hijack This; If you have gotten this far without success, you may need to download Hijack This!.
Alternative Scans - If still having problems
If you are still having problems after performing all the above, these alternative scans below may prove to be useful. As mentioned above, it would be good to perform these in safe mode since it may assist in the ability to remove an infection. However, there are cases where a problem does not show itself completely until you boot in normal mode. So first run these scans in normal boot mode, and if they have problems cleaning any particular items repeat the scan in safe mode to see if it helps. Always keep track of what these scans find (save logs or take notes), and report them back in your thread to anyone helping you.
Bitdefender online scan
http://anonym.to/?http://www.bitdefender.com/scan/license.php
RavAntivirus online scan <-- select Auto Clean then click Scan My PC
http://anonym.to/?http://www.ravantivirus.com/scan/
TrojanScan online scan
http://anonym.to/?http://www.windowsecurity.com/trojanscan/
a-squared (aČ) Free edition free but requires an email address to register
http://anonym.to/?http://www.majorgeeks.com/download4281.html
avast! Virus Cleaner Tool
http://anonym.to/?http://www.majorgeeks.com/download4188.html
ADS SPY - Alternate Data Streams Spy from Merijn
http://anonym.to/?http://www.spywareinfo.com/%7Emerijn/files/adsspy.zip
Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app also displays legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious! You should consult with an expert before deleting any files with this tool.
Keeping your computer safe and secure:
1: Windows Update; Update Windows at Microsoft Windows Update. Just click on Start, then Windows Update. Many security loopholes are found and exploited and Microsoft patches for these. The Blaster worm affected millions of people because they were not up to date, as an example. If you're not up to date, you're at risk. You can setup automatic updates in your control panel; go to Start, Settings, Control panel.
2:Remove Microsoft Java; Microsoft no longer supported version of Java is often a source of installed spyware and hijacks so it is a good idea to remove Microsoft Java Virtual Machine and Install Sun Java. To remove it follow these steps.
1: Select Start > Run and Enter "RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall" in the Open box, and click ok.
2: Click Yes to confirm that you want to remove the Microsoft VM
3: When prompted, reboot the computer
4: Remove the following items: (Systemroot is where Windows is installed (usually C:\Windows)
The \%Systemroot%\Java folder
The file java.PNF from the \%Systemroot%\inf folder
The files jview.exe and wjview.exe from the \%Systemroot%\system32 folder
The registry subkey HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Java VM
The registry subkey HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \JAVA_VM
5: Install Sun Java here: http://java.sun.com/getjava/index.html
(Any files or registry entries not found or errors can be ignored and go to the next step)
Optionally, consider replacing your web browser with a free alternative like FireFox or a shareware browsers like Opera or GreenBrowser...