HSA (here to stay?)

I've been able to remove many viruses & trojans in the past (including smitfraud recently), but this one has proven too tough for me. I think I have this problem because when I removed smitfraud, I also removed my firewall using hijack this, not realizing it. I'm sure a very rookie mistake. Can someone out there give me a hand with this latest problem? I have already downloaded the recommended cleaners & such. I believe all of them. And I'm attaching my hj this log. Here we go. Thanks GK

Comments

  • SpywareShooter 127.0.0.1
    edited June 2005
    Please post your HJT log.
  • edited June 2005
    When I try to upload, I get 'invalid file type'
    It is saved as hijackthis.log.
  • edited June 2005
    gkoran wrote:
    When I try to upload, I get 'invalid file type'
    It is saved as hijackthis.log.
    I changed the .log to .txt.
    Did it post?
  • SpywareShooter 127.0.0.1
    edited June 2005
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ugtjr.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ugtjr.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ugtjr.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ugtjr.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ugtjr.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ugtjr.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ugtjr.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {1BD3E410-6822-BE2A-0A66-2AEDBD878A3B} - C:\WINDOWS\netky32.dll
    O4 - HKLM\..\RunOnce: [crtw.exe] C:\WINDOWS\system32\crtw.exe
    O4 - HKLM\..\RunOnce: [ieub.exe] C:\WINDOWS\ieub.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\crtw.exe

    Fix those entries then find and delete the following files:
    C:\WINDOWS\system32\ugtjr.dll
    C:\WINDOWS\netky32.dll
    C:\WINDOWS\system32\crtw.exe
    C:\WINDOWS\ieub.exe

    Then reboot your computer and post a new log.
  • edited June 2005
    I couldn't find crtw & ieub is locked
  • SpywareShooter 127.0.0.1
    edited June 2005
    Boot into Safe Mode (press F8 at the BIOS screen when booting) and fix these entries:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fhyxq.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fhyxq.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fhyxq.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fhyxq.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fhyxq.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fhyxq.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fhyxq.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {6224A6BF-40D4-13DF-EA91-32CF510D802C} - C:\WINDOWS\system32\addlb.dll
    O4 - HKLM\..\Run: [ntwl32.exe] C:\WINDOWS\ntwl32.exe
    O4 - HKLM\..\Run: [apipx.exe] C:\WINDOWS\apipx.exe
    O4 - HKLM\..\RunOnce: [ieub.exe] C:\WINDOWS\ieub.exe
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ieub.exe

    Still in Safe Mode, find and delete these files:
    C:\WINDOWS\fhyxq.dll
    C:\WINDOWS\system32\addlb.dll
    C:\WINDOWS\ntwl32.exe
    C:\WINDOWS\apipx.exe
    C:\WINDOWS\ieub.exe

    Then reboot your computer and post a new log.
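An added example (not part of the original posts): a Python cross-check of the helper's delete list against the files the flagged HijackThis entries load, using entries quoted from the post above. The function names and the path regex are assumptions of this example, not part of HijackThis.

```python
import re
from collections import defaultdict

# Entries copied from the helper's post above, one per distinct pattern.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fhyxq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6224A6BF-40D4-13DF-EA91-32CF510D802C} - C:\WINDOWS\system32\addlb.dll
O4 - HKLM\..\Run: [ntwl32.exe] C:\WINDOWS\ntwl32.exe
O4 - HKLM\..\Run: [apipx.exe] C:\WINDOWS\apipx.exe
O4 - HKLM\..\RunOnce: [ieub.exe] C:\WINDOWS\ieub.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ieub.exe
"""
# The helper's "find and delete" list from the same post.
DELETE_LIST = [
    r"C:\WINDOWS\fhyxq.dll",
    r"C:\WINDOWS\system32\addlb.dll",
    r"C:\WINDOWS\ntwl32.exe",
    r"C:\WINDOWS\apipx.exe",
    r"C:\WINDOWS\ieub.exe",
]

# Entry code (R1, O4, O23, ...) followed by the entry body.
ENTRY = re.compile(r"^\s*([A-Z]\d+)\s+-\s+(.*)$")
# Drive-letter path ending at the first .dll/.exe; also matches inside res:// URLs.
PATH = re.compile(r"[A-Za-z]:\\[^/\r\n]*?\.(?:dll|exe)", re.IGNORECASE)

def referenced_files(log_text):
    """Map each referenced file (lower-cased) to the entry codes that point at it."""
    refs = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        for path in PATH.findall(body):
            refs[path.lower()].add(code)
    return {p: sorted(c) for p, c in refs.items()}

def audit(log_text, delete_list):
    """Compare files the flagged entries load against the files slated for deletion."""
    refs = referenced_files(log_text)
    wanted = {p.lower() for p in delete_list}
    return {
        "referenced_not_listed": sorted(set(refs) - wanted),
        "listed_not_referenced": sorted(wanted - set(refs)),
        "multiple_load_points": {p: c for p, c in refs.items() if len(c) > 1},
    }
```

A file that shows up under `multiple_load_points` (here `ieub.exe`, registered both as a RunOnce value and as a service) needs every one of its entries fixed before the file itself is deleted.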
  • edited June 2005
    Booted in safe.
    Fixed entries.
    Deleted fhyxq, apipx & ieub.
    Couldn't find addlb or ntwl.
    In order to find them, I've been using search.
    Is this correct?
    Posting new tjtl
  • SpywareShooter 127.0.0.1
    edited June 2005
    Your log is now clean!

    As precautionary measures for the future, please follow these steps to ensure that your computer stays clean and secure:
    1. Always have AntiVirus software running - Having an AntiVirus is very important and can protect you in the future from all kinds of viruses, spyware and other malicious software.

    2. Keep your AntiVirus program updated - Without having an updated AntiVirus program you will be susceptible to any form of new malware as it is released. If your AntiVirus software has the option of Automatic Updates you should enable it. If not, visit the producer's website at least once a week and download any updates for the product.

    3. Use a Firewall - Using a firewall is essential in the Internet today. Having one at default settings will block intruders from accessing your computer and can block new programs from installing without your consent.

    4. WindowsUpdate - Make sure that you keep your computer updated by visiting windowsupdate.com (http://www.windowsupdate.com) weekly, and downloading any critical updates. Many of these updates are against hackers and malware installations. Without all critical updates you will be susceptible to many of the spyware creators' tricks to get you to install their software. Download and install all critical updates and reboot your computer. Continue this until all critical updates have been installed.

    5. Anti-Spyware Software - Spybot - Search & Destroy and Ad-Aware SE

      Both of these programs are free and recommended by many anti-spyware professionals. You should download them from the links below, keep them updated, and scan weekly.

      Spybot - Search & Destroy
      Ad-Aware SE Personal Edition 1.06

    6. Secure Internet Explorer - Spyware Shooter is a free program which I developed for the cause of blocking malicious websites from installing spyware onto your computer. Please check for updates weekly and download any new releases to make sure that you are safe against newly-discovered websites.

      Spyware Shooter home page



    How to say "thanks":
    1. Donations are not accepted - At Short-Media we do not accept donations. If you have found this website helpful, you can contribute in the following ways.
    2. Stick Around - Without users like you, Short-Media would not be as successful as it is today. One way you can thank us is to stick around the forums. Even if you are not a computer professional you can learn by reading past topics in the forums, or if you do not feel comfortable helping, there are a few forums for non-computer-related topics.
    3. Refer Friends - If you know anyone who is having problems with their computers, or just needs a place to chill online, they would make a great addition to the Short-Media community.
    4. Fold! - Folding is a safe and easy way to help find a cure for fatal diseases such as Alzheimer's. You can learn more about folding at the topic "Everything About Folding@Home" (http://www.short-media.com/forum/showthread.php?t=3).
  • edited June 2005
    If I run all of the spyware now,
    will it remove Home Search Assistant, Search Extender & Shopping Wizard?
    Not really sure how to 'clean up'.
    Thanks for all of your help.
    I was making absolutely no progress on my own.
  • edited June 2005
    Thanks again, all is well!
This discussion has been closed.