not sure which spyware I have
I have turned off system restore
Set files to show hidden and system
Reset security levels in IE to default level and reset web settings, deleted cookies and files,
Restored default browser settings, uncheckd enable install on demand
Rebooted into safe mode
Gone to each users Local Settings directory and deleted Temp and Temporary Internet Files directories
Updated & Run AVG virus checker (clear)
Updated & run CW Shredder (clear)
Updated & run Adaware (clear)
Updated & run Search & Destroy (DSO Explot, 3 entries)
Whilst in safe mode I have even cleared my log so that all I have left is two entries:-
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
but when booting normal the spyware comes back
Each time I run S&D it finds a DSO Exploit which I clear but if I go straight back and run again it finds it again.
Reboot into normal mode browse internet for a while, close IE reopen IE and hijack log is back showing sp.html
Here is my log :-
Logfile of HijackThis v1.98.0
Scan saved at 22:53:06, on 02/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\PROGRA~1\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijack this\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
Many thanks for any help you can offer me.
Andy
Set files to show hidden and system
Reset security levels in IE to default level and reset web settings, deleted cookies and files,
Restored default browser settings, uncheckd enable install on demand
Rebooted into safe mode
Gone to each users Local Settings directory and deleted Temp and Temporary Internet Files directories
Updated & Run AVG virus checker (clear)
Updated & run CW Shredder (clear)
Updated & run Adaware (clear)
Updated & run Search & Destroy (DSO Explot, 3 entries)
Whilst in safe mode I have even cleared my log so that all I have left is two entries:-
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
but when booting normal the spyware comes back
Each time I run S&D it finds a DSO Exploit which I clear but if I go straight back and run again it finds it again.
Reboot into normal mode browse internet for a while, close IE reopen IE and hijack log is back showing sp.html
Here is my log :-
Logfile of HijackThis v1.98.0
Scan saved at 22:53:06, on 02/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\PROGRA~1\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijack this\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
Many thanks for any help you can offer me.
Andy
0
This discussion has been closed.
Comments
the Temp\sp.html problem is a little different than Home Search Assistant.
There are a few opposing ideas as to how to fix this one when you scour the net. Lets try the easiest one first.
First run about:buster: http://www.atribune.org/downloads/AboutBuster.zip
Then, do an online scan at Trend Micro's Housecall:
http://housecall.trendmicro.com/housecall/start_corp.asp
This scan is reported to have been able to fix this problem in many instances.
If this does not work for you, then there are some more complex methods I found....
Let us know how it turns out.
Dexter...
I think the original log I posted may have been incomplete (the result after fixing some of the hijacks), here is the one I get after browsing the net and rebooting a few times.
Logfile of HijackThis v1.98.0
Scan saved at 22:13:47, on 08/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {10A382B6-A5B1-4946-AFBF-0E9C2DF4E073} - C:\WINDOWS\System32\hajfde.dll
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O18 - Filter: text/html - {0AD2190D-6A8B-4ED3-B4CC-B6D42C49A8F8} - C:\WINDOWS\System32\hajfde.dll
O18 - Filter: text/plain - {0AD2190D-6A8B-4ED3-B4CC-B6D42C49A8F8} - C:\WINDOWS\System32\hajfde.dll
I spotted the dll called hajfde.dll so attempted the HSA removal guide again.
Running hsremove didn't work
Ran adaware and s&d, S&d found a DSO exploit as usual
I dont know why but running Trend Micro's Housecall causes my IE to crash on me.
Ran about_:Buster:-
-- Scan 1
About:Buster Version 3.0
Reference List : 15
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
Noticed my sp.html entry in the hijack log doesn't appear in the format sp.html#xxxxx as suggested in the removal guide
I also dont have any R3 entries or 04 entry with a random seeming name and 32 in it.
Also no 04 Run once entries and then some 018's that the guide doesnt talk about, do I really have HSA?
The next problem I found was I didnt have any of the 3 entries in the Services.msc log, I did have Remote Procedure Call (RPC) Locator entry but not with the word Helper after it as in the guide.
Hard rebooting and running the VBS script also didnt show anything.
At this point I had to stop as I should have found something.
Any ideas Dexter?
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 7.exe
Remove these items with HJT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Andrew\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {10A382B6-A5B1-4946-AFBF-0E9C2DF4E073} - C:\WINDOWS\System32\hajfde.dll
O18 - Filter: text/html - {0AD2190D-6A8B-4ED3-B4CC-B6D42C49A8F8} - C:\WINDOWS\System32\hajfde.dll
O18 - Filter: text/plain - {0AD2190D-6A8B-4ED3-B4CC-B6D42C49A8F8} - C:\WINDOWS\System32\hajfde.dll
Quarantine these files, rename to .xxx
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 7.exe
Update to the latest version of HJT and repost a fresh log for me.
http://www.short-media.com/download.php?dc=69
Logfile of HijackThis v1.98.2
Scan saved at 20:31:51, on 12/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack this\HijackThis.exe
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
Looks clean to me
Also, check out our folding team (info in my sig) ... We would love to have you join.