"Only the best" - HSA hijack...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SWario, Jun 14, 2005.

  1. SWario

    SWario Sergeant

    According to the dates I've seen in various forums, this has been around for two years now... Hasn't anyone come up with some kind of simple fix that doesn't involve installing 5 or more new programs, rebooting a dozen times, all while following a list of 100 instructions?

    :mad:

    In short, this one has got my computer, and searching for methods to fix it has caused more headaches than relief. Just finding a valid web page with a fix on it has been hard enough, and I haven't found any that have been remotely simple or easy. Alternatively, has anyone used Lavasoft Ad-Aware's (now at version SE 1.06) ADS scan with this? Has anyone tried using SpyBot Search & Destroy's (now at version 1.4) Hosts File tool? And finally, is there any simpler fix than the very long solution provided (generously) by chaslang?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In short no! That's because there are literally dozens of variations of the hijacker and it mutates and spreads on the fly, especially when incorrect/incomplete cleanup procedures are attempted. There are a variety of tools out there that say they remove this hijacker. None of them do. At least none of them will always work on all forms. Some tools will help with minor forms of the infections.

    The Generic Procedure was started a long time ago and always worked to help fix the problems. It evolved to add in some tools that others developed as time went on and the hijacker itself was evolving and getting more insidious and difficult to remove. We have had some luck lately using some other procedures but they are written on an individual user PC basis after determining the exact state of the infection. This takes more time on our part. Running the Generic Procedure for the forms of the hijack that it addresses, works for everyone and saves us time.

    If this was an easy thing to fix, antivirus and spyware removal tools would have had fixes long ago. Complex problems require complex solutions. However there are several hundred fixes (probably more than that) that have been applied in this forum. Some are shorter than others. It all depends on the level and type of infection.

    Please follow the steps below. While the READ ME FIRST will not necessarily fix the hijacker, it helps to get you into a known state and also has steps related to the hijacker that also help to get the repair started.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. SWario

    SWario Sergeant

    So long as going through the "READ ME FIRST" lists won't endanger my hard drive (such as disabling System Restore, thus losing all existing restore points) I will go through them. I don't mind losing all of my existing restore points as long as going through these lists will not crash my hard drive or otherwise screw it out of being bootable.
     
  4. SWario

    SWario Sergeant

    Also, have either the Ad-Aware ADS (Alternate Data Stream) Scan or the SpyBot Hosts List tool been tested on this problem before?

    I've just performed an ADS Scan if you would like to see the Scan Log from it.
     
  5. SWario

    SWario Sergeant

    I hate to keep posting new posts, but I keep neglecting to mention things before I click submit, and then want to add them later. :eek:

    I ran the ADS scan, but I did not opt to fix any problems it found yet. If this has never been tried before, I'll be the guinea pig and see what Ad-Aware can do with what it found. And again, if someone wants the scan log, let me know.


    EDIT: Also, are the services mentioned in the "READ ME FIRST" lists (Network Security Service, Remote Procedure Call (RPC) Helper, etc.) bad services that should be stopped and disabled no matter what, or just services that should not be running while fixing problems?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you really believe we would have procedures here that could physically damage your hard disk? If we did, this forum would have been gone a long time ago.

    System Restore points are of no use to you once your system has become infected. You do not know what is actually in each of the restore points. They could be infected themselves. They could even have older problems that you have already fixed.

    Note: however, you can try using system restore to bring your system back to a point before this infection occurred (if you can pinpoint that date/time). You will lose other registry settings/configurations for things you have added/changed/installed since that point in time too. It's up to you.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    There can be many files having ADS on your system. Many can be legitimate. You have to be very careful using Ad-Aware ADS or ADS Spy mentioned in the READ ME FIRST. You must know what you are doing and how to identify bad from good which is not always that easy.

    Spybot Hosts List tool is of no help for this problem.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes they are bad services that are only associated with the hijacker problems. Some forms of the hijacker do not use these services, so they may not always be found.
     
  9. SWario

    SWario Sergeant

    Sorry again, but something else that I wanted to ask: I've seen in my "Add/Remove Programs" list things such as "Offer Optimizer", "Search Assistant", and "Shopping Wizard" (when I viewed the source of a popup, it had a comment in it with a URL saying "go here to remove these popups", but instead of uninstalling the popups, I think it installed "Shopping Wizard"). Of course the ever-present "ViewPoint" series of programs is there, which never really present a problem, but it doesn't seem that they are useful anyways, so I should probably just get rid of them. Now, "Search Extender" and "Home Search Assistant" have finally shown their ugly faces, and another "Shopping Wizard" has appeared. Also, the uninstall paths for "Offer Optimizer" and "Search Assistant" point to http://buckstoolbar.com/uninstall/OfferOptimizer.html and http://buckstoolbar.com/uninstall/SearchAssistant.html, respectively (buckstoolbar.com is an equally shady web site itself, and the uninstall pages do not exist). Attempting to uninstall them from Add/Remove Programs has always resulted in IE or machine freezes. "Search Extender" and "Home Search Assistant"'s uninstall paths point to http://looking-for.cc/uninstall/SearchExtender.html and http://looking-for.cc/uninstall/HomeSearchAssistant.html, respectively (I have not looked into this domain yet).

    :mad: :mad: :mad: :mad: :mad: :mad:

    Also, those annoying mouseover ads appeared on my computer yesterday being loaded from kontera.com (te.kontera.com and dc.kontera.com). I added all of those domains into my Restricted Zone and they have since gone away. I hope they like eating firewall.

    On another note, has anyone used SpyBot's "Uninstall info" tool? Does deleting an item from the list in it uninstall the program or just remove it from SpyBot's list (or remove its corresponding registry info)?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please just follow the steps given to you in message # 2. We will get to all of the problems eventually. Some of the things you mentioned are part of this infection. Complete the steps of the READ ME FIRST and then move on to posting the HijackThis log as requested so we can get to work on fixing you up.

    After posting your HJT log, it is critical that you do not reboot or power down. Also do not make any attempts to run other procedures or scanners to fix anything. Doing this can make the problem spread and mutate which would make any fix I would provide a waste of time.
     
  11. SWario

    SWario Sergeant

    I don't believe that procedures here would cause physical damage to hard drives, I more meant having negative effects. As for System Restore points, I would say anything before the beginning of May would be good for me (which I have) except that I might lose some programs or media. I also have a restore point when I last formatted my HD and reinstalled the OS which was the beginning of February of this year. However, to do a restore (which would erase my programs and media) I would need to first back them up, which I cannot do until either Thursday or this weekend, and even then it's a pain to reinstall, reconfigure, and reload all of my files.

    Concerning those services: they are only ever related to hijackers and never used by Windows or other legitimate programs? If this is the case, then I will stop and disable the one that I have (Network Security Service).

    About Ad-Aware's ADS: if you would like me to attach the Scan Log, I can since I still have the program sitting at the end of the scan. Most of the results seem to be Thumbs.db files. If you instead just want me to go through your preliminary checklists and forget about the ADS Scan for now, say so, so that we better understand each other here.

    For now, I must reboot since explorer.exe crashed and reloaded (but it does not reload correctly) so I will have difficulty with things until I restart.

    Does all of this sound agreeable for now?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Using system restore does not delete files or restore files. It basically just changes registry settings which can make installations/uninstalls look like they were never done even though the file status itself has not changed. It would not affect files you downloaded. It does require re-installing and reconfiguring your settings. It's up to you what you want to try.

    No I do not need any logs from Ad-aware.

    Complete the steps from the READ ME and post your HJT log.
     
  13. SWario

    SWario Sergeant

    Is there an easy way to see what programs I've installed or what configurations have been made since a certain date on my computer? If I find that there haven't been a whole lot of installations since April, then I might try to do a system restore and work from there. Although, doing that might still require me to do some cleanup so perhaps it would be best to just start from here and solve the problem instead of trying to dodge it?

    What is your recommendation?

    Also, those services listed: are they only associated with spyware/malware or do they have legitimate uses but they are being misused? If they have no legitimate uses, then I have no problems removing them.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's fix the problems. If you look in current threads, I'm working quite a few of these right now.

    Already answered in message number 8.

    You are wasting a lot of time. We could be just about done already.
     
  15. SWario

    SWario Sergeant

    Yeah, I have noticed that a lot of these have been posted in the past day or two and the work that you have been doing to help fix them - I have a lot of respect for your generosity and knowledge with all of this.

    About my asking questions, sorry if I seem to be acting difficult about things, but I usually try to be extra sure of stuff before I commit to something with my computer. It's an odd quirk I picked up from my dad, who's been working in the telecommunications industry for almost 20 years. Research, research your research, confirm it, test it, and THEN actually do it. :eek:

    Anyways, I'll give it a go. I'm working on the READ ME FIRST list right now, so I'll be back with an update once I'm done.

    Thanks for helping! :)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look at my profile under occupation!
     
  17. SWario

    SWario Sergeant

    I know you know what you're doing, but it's still a habit, and old habits die hard, especially when I also have a mild bit of perfectionism in me. :eek:

    Anyways, I've run into a problem:

    - Stopped and disabled Workstation Netlogon Service (C:\WINDOWS\winsq32.exe) without a problem

    - Shortly after disabling WNS, Norton Internet Security alerts me that C:\WINDOWS\javanp.exe is attempting an outbound connection to 205.188.146.145:53 from my local port 0; I selected the option to block all connections from the program on all ports

    - Workstation Netlogon Service repeatedly restarts itself and changes its startup type back to Automatic, probably since its executable is still running in the background


    Basically, WNS is being a pain. Recommendation?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because there are multiple processes associated with the hijacker and they all watch out for each other. That way they can respawn when you shut down other processes or services. Just complete all the rest of the steps in the READ ME FIRST. Make sure you run About:Buster and HSremove as indicated. When finished with the READ ME FIRST, post your HJT log so we can identify all the processes related to the hijacker.
     
  19. SWario

    SWario Sergeant

    Okay, I finally completed the "READ ME FIRST" tutorial and made a "results" text file from it. I'll attach that along with my HJT log that you asked for. As of the HJT scan I have not done anything except for reconnect to the Internet and post this here.

    That Symantec online Virus scan took forever - at least an hour.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\javanp.exe

    After killing all the above processes, click the "Back" that is 3 buttons to the right of Kill Process and just leave HijackThis running.


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Workstation NetLogon Service (or if you cannot find that name, try the short name 11Fßä#·ºÄÖ`I ) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.


    Next, go back to your HJT windows and select 'Delete an NT Service'. Now copy/paste the following into the box that opens, and press "OK":

    Workstation NetLogon Service

    If that does not work, copy and paste in the short name: 11Fßä#·ºÄÖ`I
    You have to copy and paste because these characters are not easily entered.

    After doing that exit HijackThis. We will be restarting HJT in a couple of lines though.

    Now please download the following tool: Pocket KillBox

    Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis again and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (I am double checking to make sure they are not running again - no matter what happens here, just continue):
    C:\WINDOWS\javanp.exe
    C:\WINDOWS\winsq32.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dpsjp.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dpsjp.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dpsjp.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dpsjp.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dpsjp.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dpsjp.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {F8254D4D-78D5-68D0-643E-BC89D9755ADE} - C:\WINDOWS\crbv.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
    O4 - HKLM\..\Run: [javanp.exe] C:\WINDOWS\javanp.exe
    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\winsq32.exe <-- this line may or may not be found. It depends on what happened in previous steps.

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\WINDOWS\crbv.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\javanp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\winsq32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself.

    Now get a new HJT log and post it here. And tell us how these steps went and how things are working.

    Also DO NOT REBOOT OR POWER DOWN after posting your log. If you are still infected, this can cause it to mutate and spread, making any following fixes I suggest ineffective.


    By the way if you do not use the Viewpoint crap from AOL (most people do not), just go to Add/Remove programs and uninstall them.
     
  21. SWario

    SWario Sergeant


    I'm having trouble at this point. Firstly, the WNS' executable path is "C:\WINDOWS\winsq32.exe /s", but that process is no longer running. I left my house (and computer) for a while, and Norton AntiVirus ran a scan while I was out. It's stuck with a popup complaining about the winsq32.exe file being infected with a Trojan. I can't get it to go away, but I haven't restarted because I wasn't sure if I should. Also, using the "Delete NT Service" tool in HJT keeps failing.

    Recommendation?
     
  22. SWario

    SWario Sergeant

    Okay, I got rid of the Norton AV popup about the Trojan (just a LOT of popups queued up to appear), but I still cannot get the removal with HJT to work.
     
  23. SWario

    SWario Sergeant

    A new day, same problem. I have not restarted my computer since the last time I was told to do so. I am still waiting for a new recommendation on my current situation.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Describe what you mean by you cannot get it to work. Does this mean that you get an error message? If so, what is the message. Or do you mean nothing happens? Or something else?

    It will not work if you have not done the below:

    Unless the Service is both stopped and disabled, HJT cannot Delete the NT service.

    If you still cannot get this step to work properly, just continue with the other steps and we will see what happens in the follow up HJT log.
     
  25. SWario

    SWario Sergeant

    I get the error message "The selected process could not be killed. It may have already closed, or it may be protected by Windows." when trying to kill C:\WINDOWS\javanp.exe, but I can see that it is still running by using Task Manager.

    Concerning WNS, I get the message "Service 'Workstation NetLogon Service' was not found in the Registry. Make sure you entered the short name of the service., vbExclamation" and the same message when I copy-paste 11Fßä#·ºÄÖ`I into the "Kill Process" box (except when I paste it in, there's a hyphen between 'ä' and '#'. Again though, when looking in services.msc, the executable path for that service is "C:\WINDOWS\winsq32.exe" which is NOT a running process at the time, as I have stopped and disabled the service (I have triple-checked this, the service is still stopped and disabled and has not restarted, Norton may be keeping it from restarting, which I assume is good). Currently though, my Norton AntiVirus is having a fit over that file, telling me to quarantine and delete it because it is a Trojan. I would let Norton do its business, but I was not sure if you would want me to let it or if you would prefer another method.

    Does that answer your questions and what would you like me to do?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As stated in my last message:

     
  27. SWario

    SWario Sergeant

    Here's the new log after the steps you had me perform.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wjudf.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wjudf.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wjudf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wjudf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wjudf.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wjudf.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {943544B1-5A24-1DF9-55CE-89DC02154188} - C:\WINDOWS\system32\iewv.dll
    O2 - BHO: Class - {F8254D4D-78D5-68D0-643E-BC89D9755ADE} - C:\WINDOWS\crbv.dll (file missing)
    O4 - HKLM\..\Run: [javanp.exe] C:\WINDOWS\javanp.exe

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\WINDOWS\system32\iewv.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\javanp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself.

    Now get a new HJT log and post it here. And tell us how these steps went and how things are working.

    PLEASE DO NOT REBOOT after posting your log. If you are still infected, it could mutate making the next steps I would post ineffective.
     
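The HijackThis entries chaslang picks out in posts 20 and 28 follow a recognisable pattern: IE search settings redirected into a res:// resource inside a random-named DLL, about:blank start pages set alongside them, a missing URLSearchHook, nameless BHOs and Run entries loading from the Windows folder, IE policy restrictions, and an unknown-owner service with an unprintable short name. As an added example that is not part of this thread or of HijackThis, the Python below applies those heuristics to a subset of the log lines from post 20 (plus one constructed benign Run entry) and to a constructed post-cleanup log containing the HSremove leftover chaslang mentions in post 41; the benign Run entry, the "Example Helper" BHO and its placeholder CLSID are constructed.

```python
"""Flag HSA / about:blank hijack indicators in HijackThis (HJT) log lines.
Added example, not from the thread or from HijackThis; the heuristics mirror
the entries chaslang selected for removal in posts 20 and 28."""
import re
from typing import List, Optional, Tuple

# Paths as HJT prints them (case-insensitive).
WINDIR_FILE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.(exe|dll)$", re.IGNORECASE)
SYSTEM32_DLL = re.compile(r"^C:\\WINDOWS\\system32\\[^\\]+\.dll$", re.IGNORECASE)
# HSA points IE search settings at an HTML resource inside a random-named DLL.
RES_DLL_URL = re.compile(r"^res://(.+?\.dll)/sp\.html(#\d+)?$", re.IGNORECASE)
HSREMOVE_LEFTOVER = "http://hsremove.com/done.htm"  # start page HSremove leaves behind


def parse_hjt_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'R1 - HKCU\\...,Search Bar = res://...' into (code, body)."""
    m = re.match(r"^([RFO]\d+)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def _value_of(body: str) -> str:
    """Right-hand side of 'key = value'; empty when the entry has no value."""
    _, sep, value = body.partition(" = ")
    return value.strip() if sep else ""


def flag_hsa_indicators(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for each entry matching an HSA hijack pattern.
    about:blank is a legitimate home page, so it is only reported when the
    same log also redirects search settings into a res:// DLL."""
    parsed = [(raw.strip(), parse_hjt_line(raw)) for raw in lines if raw.strip()]
    res_hijack = any(p and RES_DLL_URL.match(_value_of(p[1])) for _, p in parsed)
    findings: List[Tuple[str, str]] = []
    for raw, p in parsed:
        if p is None:
            continue
        code, body = p
        value = _value_of(body)
        if code in ("R0", "R1"):
            m = RES_DLL_URL.match(value)
            if m:
                findings.append((raw, f"IE search setting redirected into resource DLL {m.group(1)}"))
            elif value.lower() == "about:blank" and res_hijack:
                findings.append((raw, "about:blank start page set alongside the res:// search hijack"))
            elif value.lower() == HSREMOVE_LEFTOVER:
                findings.append((raw, "HSremove leftover start page; reset it"))
        elif code == "R3" and "URLSearchHook is missing" in body:
            findings.append((raw, "default URLSearchHook removed"))
        elif code == "O2":
            # Body: 'BHO: <name> - {CLSID} - <dll path>[ (file missing)]'
            parts = body.split(" - ")
            if len(parts) >= 3:
                name = parts[0].replace("BHO:", "").strip()
                path = parts[-1].replace("(file missing)", "").strip()
                if name in ("Class", "(no name)") and (WINDIR_FILE.match(path) or SYSTEM32_DLL.match(path)):
                    findings.append((raw, f"nameless BHO loading {path} from the Windows folder"))
        elif code == "O4":
            # Body: 'HKLM\..\Run: [name] <command>'; a path heuristic, so the [iexplore.exe] entry is not caught.
            m = re.search(r"\]\s*(.+)$", body)
            if m and WINDIR_FILE.match(m.group(1).strip()):
                findings.append((raw, "Run entry launching an executable from the Windows root folder"))
        elif code == "O6" and "Policies\\Microsoft\\Internet Explorer" in body:
            findings.append((raw, "IE policy restrictions present; hijacker locking browser settings"))
        elif code == "O23" and "Unknown owner" in body:
            # Body: 'Service: <display name> ( <short name>) - <owner> - <binary>'
            short = re.search(r"\((.*?)\)", body)
            unprintable = bool(short) and any(not 32 <= ord(c) <= 126 for c in short.group(1))
            if unprintable or re.search(r"C:\\WINDOWS\\[^\\]+\.exe", body, re.IGNORECASE):
                findings.append((raw, "unknown-owner service with unprintable name or Windows-root binary"))
    return findings


# A subset of the lines chaslang listed in post 20, plus one constructed benign Run entry.
INFECTED_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dpsjp.dll/sp.html#37049",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dpsjp.dll/sp.html#37049",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dpsjp.dll/sp.html#37049",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: Class - {F8254D4D-78D5-68D0-643E-BC89D9755ADE} - C:\WINDOWS\crbv.dll",
    r"O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)",
    r"O4 - HKLM\..\Run: [javanp.exe] C:\WINDOWS\javanp.exe",
    r"O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
    r"O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\winsq32.exe",
    r"O4 - HKLM\..\Run: [NAV Agent] C:\Program Files\Norton AntiVirus\navapw32.exe",  # constructed, benign
]

# Constructed post-cleanup log: only the HSremove leftover from post 41 should be flagged.
POST_CLEANUP_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank",
    r"O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll",  # constructed
]

if __name__ == "__main__":
    for log in (INFECTED_LOG, POST_CLEANUP_LOG):
        for line, reason in flag_hsa_indicators(log):
            print(f"{reason}: {line}")
```

The about:blank rule is deliberately contextual: on its own the value is a normal user setting, and only the co-occurring res:// redirections make it part of the hijack set, which is why the post-cleanup log reports only the HSremove leftover.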
  29. SWario

    SWario Sergeant

    New steps followed and new log as requested. Only one thing worth mentioning from the steps you posted. The entry:

    was not listed in the HJT scan-and-fix.
     

    Attached Files:

  30. SWario

    SWario Sergeant

    I am posting from another computer for now, my laptop is sitting on the other side of the room disconnected from the Internet. The battery in it ran low, and it went into Hibernate mode before I could get it plugged into AC or put another battery in the second bay. Just mentioning this so you know, since I am not sure if that will affect the situation. On another note, my Norton AV ran again (it's scheduled for Fridays) and now found over 40 infected files. I really need some help here. :eek: :(
     
  31. SWario

    SWario Sergeant

    I saw mentioned elsewhere that if there are multiple user accounts on a computer you must clean them all separately. On my laptop, there are three user accounts (when booting in Safe Mode, a fourth, "Administrator", account appears), but my account has full administrative rights, as I am the owner of the laptop. The other two accounts have not been used since at least the beginning of March, but it is more likely that they have not been used since late last year.

    Does this mean that I will or will NOT have to clean those accounts separately?


    Oh, and those 40+ infected files from Norton? About half are listed as adware, and half are listed as Trojans, but look similarly named to "winsq32.exe" (4 to 6 characters, followed by two numbers), so are they related to my current problem, or are they a whole other problem by themselves?
     
  32. SWario

    SWario Sergeant

    Sorry that this was not requested, but in case it is needed I will attach it anyways while I wait for new instructions. It's the logfile from the Norton AntiVirus scan of my C:\WINDOWS, C:\WINDOWS\system, and C:\WINDOWS\system32 folders.
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are all bad files and need to be deleted (in safe mode). Many of them are related to your HSA hijacker problems.

    Sorry I have not been around for a couple of days. Is your last HJT log still correct? Meaning does a current log still look exactly the same?
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Any account can become infected even if it has not been used! You should check them to be safe.
     
  35. SWario

    SWario Sergeant

    Haha, I just sort of figured you just went somewhere for the weekend or something, no big deal.

    I do not know if a current HJT log is identical or not. Should I boot into safe mode to delete those files or should I use Pocket Killbox's "delete on reboot" function? Or should I let Norton attempt to fix the problems (in safe mode or normal mode)? Concerning the other user accounts: if I have full administrative rights, shouldn't any fixes I do from my user name affect the other users? Also, what if I just removed those user accounts?
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can fix them any way that works. Just make sure they get removed.

    Every user on a PC has their own folders and registry settings; you need to clean them while logged in as that user. Yes, you can remove the user accounts if desired. Make sure no info (like file folders etc) remain for those accounts afterwards.

    Your last log was clean, that's why I asked if it is still the same. Are you having any problems (other than those remaining files to delete)?
     
  37. SWario

    SWario Sergeant

    I am not sure, I have not been using IE since the popups started so that I could sort out the problems with less hassle. I will try to remove those problems, remove the user accounts, and then post a new HJT log when I am done.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! The real test of making sure the hijacker is gone is to open and close a couple of Internet Explorer browser sessions. Do that after removing those other files.
     
  39. SWario

    SWario Sergeant

    Okay, I quarantined/deleted all of those files through Norton, and scanned all of the user accounts on my computer instead of removing them. I've also opened and closed IE a few times, and except for it performing a tad slowly, there are no noticeable problems (crazy amounts of popups, or 100% CPU usage). I have HJT logs for all of the user accounts available, which I will attach to the next few posts.

    There are only two remaining problems that I have noticed: 1) There are still items in my Add/Remove Programs list that are related to this (Home Search Assistant, Search Extender, Shopping Wizard); 2) I continue getting a virus alert from Norton every so often about a file in my Windows folder, but when I scan the folder, no viruses are detected. Other than that, when I was running SpyBot and Ad-Aware, some CWS objects came up, but I cleaned them off and I haven't seen them return.
     

    Attached Files:

  40. SWario

    SWario Sergeant

    My user's HJT log and a screenshot of the alert Norton's been giving me.


    EDIT: Also, the only problem I had when running the programs to clean up the other users was when I ran About:Buster. The program cloned itself so that at least 20 instances of the program were "running" but I could not see the physical window of the program. Also, the number of instances kept fluctuating in Task Manager, and I was unable to end task them in any decent fashion, so I ended up just logging the user off forcefully.
     

    Attached Files:

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All your HJT logs are clean. Just fix the leftover lines from HSremove. Any lines of this type:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    The file Norton is showing seems to be an ADS file. Try running ADS Spy and see if it finds it.

    Note: ADS spy also displays legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious! You should consult with an expert before deleting any files with this tool.


    For the HSA hijacker related items in your registry, try the registry patch below.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixhsa.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixhsa.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.
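    As an added illustration of the check described in this post (it is not code from the thread or from the HijackThis project), the script below parses R0/R1 start-page and search-page lines out of an HJT log and flags the ones whose URL points at a host known to be a cleanup leftover, such as the hsremove.com "done" page quoted above. The sample log lines are constructed (the two R0 lines copy the post; the R1 and O3 lines are invented as contrast), and the LEFTOVER_HOSTS set is an assumption that an analyst would extend with their own list.

```python
import re
from urllib.parse import urlsplit

# Constructed sample HJT log: the two R0 lines mirror the ones quoted in the post,
# the R1 and O3 lines are invented so the parser has something to ignore.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

# Hosts that indicate a leftover to fix rather than a user-chosen home page.
# hsremove.com is the one named in the thread; anything else here is an assumption.
LEFTOVER_HOSTS = {"hsremove.com"}

# R0/R1/R2/R3 lines have the shape: "Rn - HIVE\Key\Path,Value Name = data"
R_LINE = re.compile(
    r"^(?P<type>R[0-3]) - (?P<hive>[A-Z_]+)\\(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$"
)


def parse_r_lines(log_text):
    """Return one dict per R-line (type, hive, key, value, data); other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def flag_leftovers(entries, hosts=LEFTOVER_HOSTS):
    """Keep only entries whose data is a URL on one of the leftover hosts."""
    flagged = []
    for entry in entries:
        host = urlsplit(entry["data"].strip()).hostname
        if host and host.lower() in hosts:
            flagged.append(entry)
    return flagged


def registry_location(entry):
    """Full registry path of the value an R-line reports, for manual verification in regedit."""
    return f'{entry["hive"]}\\{entry["key"]} -> "{entry["value"].strip()}"'


if __name__ == "__main__":
    for entry in flag_leftovers(parse_r_lines(SAMPLE_HJT_LOG)):
        print(f'{entry["type"]}: {registry_location(entry)} = {entry["data"]}')
```

Each flagged line maps to one registry value (hive, key and value name are all in the HJT line), which is what the "fix" in HijackThis resets; printing that location lets you confirm in regedit that the value really changed after the fix.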

     
  42. SWario

    SWario Sergeant

    I ran the registry patch, but "Offer Optimizer" and "Shopping Wizard" still remain in my Add/Remove Programs list (everything else I listed previously is gone now though ^_^ ). I have not run ADSSpy yet or Ad-Aware's ADS Scan, I may do this after researching the file in question - I have not gotten any alerts from Norton about the file for the past 7 or so hours. I have attached a current HJT log from my user, and wanted to know about some items.

    What are these lines and are they okay to fix (as in will it damage IE or other programs if I remove them)?
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you do not use the below, then uninstall them via Add/Remove programs:
    Viewpoint Toolbar
    Viewpoint Manager
    AIM

    If you do not use Windows Messenger, run the below:
    Disable/Remove Windows Messenger

    Do not touch the below:
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

    Do you use RealPlayer? The below is related to it.
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

    If you do not use RealPlayer, look in Add/Remove programs for it and uninstall it.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run regedit and navigate to the below key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    How are Internet Optimizer and Shopping Wizard listed? Are they spelled out or abbreviated?
     
  45. SWario

    SWario Sergeant

    I uninstalled everything Viewpoint related when I was cleaning my computer, but those entries in the HJT log remained for some reason. I do use AIM, so I will not be uninstalling it. I have already stopped and disabled Windows Messenger using Ad-Aware's plugin for it, but I will try running this other tool as well.

    The registry entries are listed as "OfferOptimizer" and "ShoppingWizard". Also, in my

    HKEY_LOCAL_MACHINE\SOFTWARE\

    folder, a folder for "Viewpoint" still remains. Is this okay or should it be removed?
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just be aware that if you install any AOL software including AIM, the Viewpoint stuff will come back and you will have to uninstall it again. Yes you can manually delete the Viewpoint folder.

    Try manually deleting all the related registry keys for OfferOptimizer and ShoppingWizard.
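    An added example, not code from the thread, for the two posts above about inspecting the Uninstall key: rather than reading subkeys one at a time in regedit, export the key (File > Export in regedit) and parse the .reg text offline. The script below parses the export, lists each subkey with its DisplayName, and matches names the way the thread needed to, ignoring case and spacing so that "Offer Optimizer" and "OfferOptimizer" are treated as the same entry. The sample export is constructed: the entry names come from the thread, the uninstall paths are placeholders. A real export is UTF-16 text with a BOM, which is an assumption handled by the `load_reg_file` helper.

```python
import re

UNINSTALL_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

# Constructed sample in regedit export format. Subkey names follow the thread;
# the UninstallString paths are placeholders, not real locations.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OfferOptimizer]
"DisplayName"="Offer Optimizer"
"UninstallString"="C:\\PLACEHOLDER\\OfferOptimizer\\uninst.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShoppingWizard]
"DisplayName"="Shopping Wizard"
"UninstallString"="C:\\PLACEHOLDER\\ShoppingWizard\\uninst.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner]
"DisplayName"="CCleaner"
"UninstallString"="C:\\PLACEHOLDER\\CCleaner\\uninst.exe"
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')


def load_reg_file(path):
    """Read a regedit export; regedit writes UTF-16 LE with a BOM (assumed here)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; REG_SZ strings are unescaped, other types kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                # regedit escapes backslashes and quotes inside REG_SZ data
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def normalize(name):
    """Lower-case and drop everything but letters/digits so spacing differences do not matter."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def find_uninstall_entries(keys, names, uninstall_root=UNINSTALL_ROOT):
    """Match Uninstall subkeys by leaf name or DisplayName against the wanted names."""
    wanted = {normalize(n) for n in names}
    prefix = uninstall_root.lower() + "\\"
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        leaf = path[len(prefix):]
        display = values.get("DisplayName", "")
        if normalize(leaf) in wanted or normalize(display) in wanted:
            hits.append({"key": path, "leaf": leaf, "display_name": display})
    return hits


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for hit in find_uninstall_entries(parsed, ["Offer Optimizer", "Shopping Wizard"]):
        print(f'{hit["leaf"]:16} DisplayName="{hit["display_name"]}"  {hit["key"]}')
```

Keeping the export around also gives you a record of exactly which keys were deleted by hand, which is useful if an uninstaller or a later scan reports the entries as returning.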
     
  47. SWario

    SWario Sergeant

    Okay, I've manually removed those folders from the registry now. Do you think my computer is fairly clean now? Anything else I should do?


    Thanks a lot for all the help you've given me! :D
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your last log indicated that you were clean at that time. So now that the registry entries have been fixed, it is time for you to work through the steps of the below thread to help keep you clean:

    How to Protect yourself from malware!
     
  49. SWario

    SWario Sergeant

    Okay, I went through the link you gave me for prevention.


    - I am running Windows Update right after I post this, and will install SP2 using a CD I have within a week.

    - I am using Norton Internet Security 2005 (fully updated) as my AntiVirus and Firewall. I am happy with the way it works, and I like it as much or more than ZoneAlarm, so I think I'll be sticking with it for a while.

    - I have CCleaner from "READ ME FIRST"

    - I have SpyWare Blaster from "READ ME FIRST", do I need to get any more of those preventative programs?

    - I have Ad-Aware SE Personal with the VX2 Cleaner Plug-In and SpyBot - Search & Destroy with TeaTimer disabled, and I am using the Immunize feature. Do you know anything or have anything to say about the SDHelper function of SpyBot?

    - I have adjusted my Active X security settings accordingly.

    - I removed MSJVM and already have Sun Java installed and updated, however, MSJVM still shows up in my Internet Security Settings (in the same dialog box as the Active X security settings).


    Anything else I should do or is there something I am missing?
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The SDhelper function of Spybot is okay to use.

    Consider whether you want another full blown spyware blocking program like Microsoft® Windows AntiSpyware (which is free right now) or Spy Sweeper (which is not free).
     