About blank and fake security centre - nothing I try works.

In addition to CWShredder, download and run these "about:blank"-related removal tools (read any instructions given before downloading):

about:buster
HSRemove
Se.html-Sp.dll Hijack Fix

Post a new HiajckThis log once you've done the above; I think there will be more to remove.

Thanks DMR,

I got that along with HSremove. I "think" I got it licked.

The problem was the 2 files "apiqa" and "d3sh32". When I uploaded them and got them scanned at an av website (the one with the multiple av engines) , both had trojan.downloader variants. Weird that AVG and Norton antivirus missed them.

Each was linked in a registry key that had a weird hex section in a subfolder.

I went into safe mode, deleted these files, ran CW, about buster and HSremove. Deleted all temp files (there were over a thousand small temp files in the WIndows folder). Emptied the bin and rebooted.

I got a warning message from Ad aware's live monitor - that the apiqa and d3sh32 were trying to do something again (though the files weren' there). So I went back into safe mode, deleted the registry keys that mentioned them. I also reran Hijack and "fixed" all the sectioins that linked to web addresses.

Rebooted and no warning from Ad watch. Fired up explorer and no bad things. Browsed for 20 minutes with no nonsense :)

Ran a a couple of scans (AV and spyware) with nothing showing.

I must say that this site and the people who post help are a godsend. I am actually an IT worker and I consider myself "capable" of mainitaing a PC etc - but the newer forms of spyware really do bring one down with a bump. I'm not decrying the makers of AV and antispy products - but these new forms are worse than virii in my book.

It was an eye opener for someone who has been lucky enough to avoid such problems - mainly because I have a hardware and software firewall and don't use explorer at all.

Once again, thanks to everyone at this site - my friend has his PC back, though how long it stays working once his kids get on it is another matter :D

mj

The problem was the 2 files "apiqa" and "d3sh32".

Absolutely, but C:\WINDOWS\SYSTEM\APPNE.DLL is one I'd question as well.

When I uploaded them and got them scanned at an av website (the one with the multiple av engines) , both had trojan.downloader variants. Weird that AVG and Norton antivirus missed them.

The variants mutate and evolve too rapidly; that's why we have to resort to doing scans with multiple tools.

I got a warning message from Ad aware's live monitor - that the apiqa and d3sh32 were trying to do something again (though the files weren' there). So I went back into safe mode, deleted the registry keys that mentioned them. I also reran Hijack and "fixed" all the sectioins that linked to web addresses.

Good call.

I must say that this site and the people who post help are a godsend.

Aww, come on now... you'll make us :o:o

I am actually an IT worker and I consider myself "capable" of mainitaing a PC etc - but the newer forms of spyware really do bring one down with a bump. I'm not decrying the makers of AV and antispy products - but these new forms are worse than virii in my book.

No kidding. Not only do I see that here, but although most of my "real-life" work is supposed to revolve around systems installation and support, I usually end up spending the bulk of time running around in some silly-looking Spyware Warrior cape. :mrgreen:

Once again, thanks to everyone at this site - my friend has his PC back, though how long it stays working once his kids get on it is another matter :D

You're welcome; glad we help you banish the Gremlins. And good luck with that kid thing- it usually takes my residential clients' kids a hot 20 minutes to muck things up again, even with all protecive measures put in place. :(

BTW:

Can you please post another (and hopefully final) HJT log to review? I'd like to give it a review before marking this one as "Solved".

Thanks.

Hi DMR,

I will post a new Hijack log in the next couple of days, as I have to go and set up his new mail accounts. Ideally I could have reinstalled the OS and started afresh, but alas his PC is an older P-Bell with integrated board and he has no CD's around. So it would have been a driver hunt and a hunt for what might be considered "personal" files. At least 2000/XP make some attempt at steering users towards a structured storage model -but in a Win98 PC thats about 6 years old................ lets just say that the root had about 50 folders, ProgFiles (2 instances of) had about 100 each. Bit of a shambles really. I have advised him to move all his important stuff to a backup folder from which I will dump the contents to my portable and do a clean install in the next month or so. He just needed it back asap and the damage done by these new "spyware's" really knocked me for six.

Once again, sincerest thanks and regards to you and the other members of the "league of spyware warriors" :lol:

mj

OK, post the log if and/or when you can.

I definitely understand what you're saying about the state of the machine and what a hassle it would be to to do a fresh install. I've got quite a few clients who are still using old P-IIIs running 98, have no install/driver disks, and haven't done a backup in years. Rescuing/restoring those machines is always Big Fun. :eek:

When you do get around to rebuilding the machine, here are a couple of suggestions:

1. After verifying that the current drive is malware-free, buy a new drive, do a clean install to that drive, and install the existing drive as a slave drive. That way, you'll have all of the original data intact, and in the same locations that the person was used to having it in.

2. Secure the machine immediately after the install. Previous estimates were that an unpatched and unprotected computer could be infected withinabout 30 minutes of connecting to the Internet (which I've personally seen happen), but the massive increase in malware has brought that time down to less than 15 minutes according to more recent studies and surveys.

Here are some things you should do before "releasing the computer into the wild":

1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously-install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm, Sygate Personal Firewall, or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.

Just to be on the safe (paranoid?) side, aside from going online to get the most current Microsoft security patches and bug fixes, I would install all other preventative utilities offline. That is, keep the newly-rebuilt computer disconnected from the Internet, download any utilities you want onto a protected/patched machine, burn them to CD, and install them on the new machine that way.