sp.html about:blankp2esocks instant access

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shalom, Dec 29, 2004.

  1. shalom

    shalom Private E-2

    I have done all the required steps in the sticky and get to a nice problem-free HJT log until I go online and in seconds my desktop becomes a big black warning, a bunch of pages telling me, of course, that I am infected come down the line and the log is now bad.
    sp.html and desktop.html and a startup program called Instant Access and all the lines below are all recreated within seconds of going online.

    Below are the juicy parts for your review

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    O4 - HKLM\..\Run: [xBwu] C:\WINNT\jmjpvc.exe
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1018.dll,InstantAccess
    O4 - HKCU\..\Run: [mslagent] C:\WINNT\mslagent\mslagent.exe
    O4 - HKCU\..\Run: [SearchSetter] C:\WINNT\System32\searchsetter[1].exe
    O4 - HKCU\..\Run: [Hhsc] C:\Documents and Settings\Administrator\Application Data\rddt.exe
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    Shalom already stated that all the required steps of the sticky have been run.


    Shalom,

    Goto Add/Remove programs and uninstall the below two programs. They are rogue/suspect spyware removal tools doing you more harm than good (they are really the same program with different names):
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan

    After that post your version 1.99 HijackThis log as an attachment to your next message. Do not post your log inline, and post the complete log (which includes the process list), not a partial one.
     
  4. shalom

    shalom Private E-2

    The 2 programs do not appear among the add/remove list and they were brought in by the owner of the computer (it's my neighbor's) after the initial infection.
    Attached are 2 logs - the first after doing all the required steps and the second right after reconnecting.
    If I don't reconnect the log stays as the first but that means no internet.
    So I assume something waits for the connection and then ...wammo.
    What is it?
    Good luck to all
    Shalom
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    FIRST, Make sure "System Restore" is temporarily disabled

    Now, lets have HJT fix a few entries. Please close all browsers before fixing anything with HJT. Remove the below entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1018.dll,InstantAccess
    O4 - HKCU\..\Run: [mslagent] C:\WINNT\mslagent\mslagent.exe
    O4 - HKCU\..\Run: [SearchSetter] C:\WINNT\System32\searchsetter[1].exe
    O4 - HKCU\..\Run: [Hhsc] C:\Documents and Settings\Administrator\Application Data\rddt.exe
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan


    After you remove these entries, download the following tools.

    About:Buster 4.0

    HSRemove 2.40



    Run both of these tools, reboot and post new HJT log.

    NOTE: Probably would be a good idea to download the latest security updates for your OS. Microsoft Windows Updates
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    You must remember to complete the cleanups! You cannot just fix items in HJT and leave the files and folders on the computer. Finish deleting all the malware files to avoid reinfection.

    Also, the wrong version of HJT is being used and the READ ME FIRST WAS NOT RUN (at least not completely).
     
  7. shalom

    shalom Private E-2

    BJ - it's windows 2k -there is no system restore.
    Chaslang - I deleted the temp...sp.html and all the temporary internet files and instant access files.
    I believe there is a DLL somewhere in system32 that keeps regenerating the stuff, but I have no idea how to locate it.
    I used About:Buster 3 with list 21; I'll get v.4 and try again, but I don't think that's the key.
    What did I miss in the read me first (you write "at least not completely")?
    Let you know in about 12 hours.
    Shalom
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Sorry, I have posted many times today, most of which were WinXP; sorry for the mix-up. I will get back with you on this tomorrow; if I don't, chaslang will be back. I must get some rest!
     
  9. shalom

    shalom Private E-2

    Using HJT 1.99 and About:Buster 4 list 21 and HSRemove 2.40 and all else updated, the results were the same. I believe I removed any problem-related file and reg entry.
    Upon reboot the registry changed and upon connection we were back to the big black warning screen and spyware windows popping up as before.
    Perhaps from the log you will find an 023 service or something else to be handled to solve this.
    I also searched any dlls in the system folder that changed in the last week and moved them. Did not help.
    Names of shortcuts that crop up are "protect your data!" and "Protect yourself"
    and a desktop.html in c:\winnt that can be temporarily neutralized by erasing the web page for it in active desktop.
    Many thanks
    Shalom
     


  10. shalom

    shalom Private E-2

    Smart security infection (was sp.html about:blank p2esocks)

    Seems the infection is caused by Smart-Security spyware (manufacturers).
    It takes over the desktop with an active desktop (security.html), makes your homepage "about:blank" (sp.html) and adds mstasks1-4 to your computer.
    A bogus removal tool adds freescan.exe which makes matters worse.
    An indecisive discussion of this appears in the following link:
    http://www.thetechguide.com/forum/index.php?showtopic=10600&st=80
    This is a major part of the problem with my neighbor's computer.
    Anyone out there have suggestions as how to remove it?
    Thanks in advance
    Shalom
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Smart security infection (was sp.html about:blank p2esocks)

    Go back and look at what I said in message number 3.
    You never removed them when I asked.
    They are still in your HJT log. In fact based on your HJT log it does not look like you made any of the changes I or BJ requested.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Smart security infection (was sp.html about:blank p2esocks)

    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKLM\..\Run: [xBwu] C:\WINNT\jmjpvc.exe
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1018.dll,InstantAccess
    O4 - HKCU\..\Run: [mslagent] C:\WINNT\mslagent\mslagent.exe
    O4 - HKCU\..\Run: [SearchSetter] C:\WINNT\System32\searchsetter[1].exe
    O4 - HKCU\..\Run: [Hhsc] C:\Documents and Settings\Administrator\Application Data\rddt.exe
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
    O15 - Trusted IP range: (HKLM)

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Administrator\Local Settings\Temp <--- delete all files in this folder
    C:\WINNT\jmjpvc.exe
    C:\Program Files\Windows ServeAd <--- the whole folder
    C:\WINNT\system32\p2esocks_1018.dll
    C:\WINNT\mslagent\mslagent.exe
    C:\WINNT\System32\searchsetter[1].exe
    C:\Documents and Settings\Administrator\Application Data\rddt.exe
    C:\spywarevanisher-free <--- the whole folder
    C:\freescan <--- the whole folder

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    I don't understand why HijackThis is showing all those standard Windows services. They do not normally show.
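As an added example (not a MajorGeeks tool and not code posted by anyone in this thread), a small Python triage script that flags the HJT log indicators the helpers acted on above: R0/R1 entries pointing at a file:// page in a Temp folder or at about:blank / about:NavigationFailure, O4 Run entries that load a DLL through rundll32 by bare name or launch from Temp or Application Data, and an O15 trusted IP range. The sample lines are quoted from the thread, plus one constructed benign control line (mobsync.exe) that must not be flagged.

```python
import re

# Constructed sample: HJT lines quoted from the thread plus one benign control line (mobsync).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1018.dll,InstantAccess
O4 - HKCU\..\Run: [Hhsc] C:\Documents and Settings\Administrator\Application Data\rddt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O15 - Trusted IP range: (HKLM)
"""

TEMP_PATH = re.compile(r"\\(Temp|Local Settings)\\", re.IGNORECASE)
USER_DATA = re.compile(r"\\Application Data\\", re.IGNORECASE)
O4_LINE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HIJACK_PAGES = {"about:blank", "about:navigationfailure"}


def check_line(line):
    """Return a reason string if an HJT line matches a hijack indicator, else None."""
    line = line.strip()
    if line[:2] in ("R0", "R1") and " = " in line:
        value = line.split(" = ", 1)[1].strip()
        if value.lower().startswith("file://") and TEMP_PATH.search(value):
            return "IE page redirected to a local file under a Temp folder"
        if value.lower() in HIJACK_PAGES:  # weak alone, strong next to the file:// entry
            return "IE page set to an about: URL used by the about:blank hijack"
    m = O4_LINE.match(line)
    if m:
        cmd = m.group("cmd")
        tokens = cmd.split()
        if tokens and tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
            dll = tokens[1].split(",", 1)[0]
            if "\\" not in dll:  # bare name: resolved through the DLL search path
                return "rundll32 loading a DLL by bare name"
        if TEMP_PATH.search(cmd) or USER_DATA.search(cmd):  # Program Files entries still need manual review
            return "autorun launched from a Temp or Application Data folder"
    if line.startswith("O15 - Trusted IP range"):
        return "IE Trusted IP range present"
    return None


def triage(log_text):
    """Return [(line, reason)] for every flagged line of an HJT log."""
    hits = ((l.strip(), check_line(l)) for l in log_text.splitlines())
    return [h for h in hits if h[1]]


if __name__ == "__main__":
    for hit, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {hit}")
```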
     
  13. shalom

    shalom Private E-2

    Re: Smart security infection (was sp.html about:blank p2esocks)

    Except for rddt.exe (which I keep erasing) all the other files don't show and so cannot be erased.
    Yes, I have set per tutorial for all directories:
    Show Hidden files and folders .
    Show File extensions for known types .
    Show System files .
    I'll check tomorrow on the infected computer for the files "mstasks1 thru 4" (that are referred to in an article from a different forum) and if they show will delete them.
    It's extraordinary that when I am offline and in safe mode I can try to change the registry, say, delete the entries for sp.html, using either HJT-fix or regedit, and even before reconnecting the entry reappears and the page doesn't. When I connect the page does show, so it seems it's coming from the internet.
    And no, I'm not on drugs.
    Thanks,
    Shalom
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Smart security infection (was sp.html about:blank p2esocks)

    That is typical of the about:blank hijack. You more than likely have an AppInit_DLL or another hidden DLL we need to find.

    You should have posted your HJT log as requested after the last set of instructions so we could continue with the cleanup.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Smart security infection (was sp.html about:blank p2esocks)

    Go here and download Registrar Lite and install it: http://www.majorgeeks.com/download469.html

    1) Run Registrar Lite
    2) Copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field:
     
  16. shalom

    shalom Private E-2

    Re: Smart security infection

    Value field is empty, blank.
    Aside from:
    Network Security Service
    Workstation Netlogon Service
    Remote Procedure Call (RPC) Helper
    could there be a different service that kicks in when an internet connection is made?
    If not I think the bastards have won and we'll re-install, much as it hurts.
    Thanks for your time, effort and patience
    Shalom
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Smart security infection

    You still have not posted that HJT log I asked for.

    Anything is possible; it originally was only Network Security Service in the very beginning.
    Don't re-install yet.

    Download FINDnFIX from here: http://downloads.subratam.org/FINDnFIX.exe

    Run FINDnFIX.exe, it will extract some files to a folder called c:\findnfix
    Use Windows Explorer to bring that directory up. Now if necessary print the remaining instructions because you will be disconnecting from the Internet in the next step. I want you to physically unplug your analog modem phone line or ADSL/Cable modem ethernet cable to your PC so that there is no way any running program can get access to the Internet from your PC.

    Disconnect your network connection now and exit all browser sessions!

    In the c:\findnfix directory double click on the file !log!.bat
    This will run the program and it will create a log.txt file (it will also pop up in notepad when done). Be patient, it takes a little while for it to scan thru all the files it needs to look for.

    When it is finished, reboot your PC and reconnect your network connection.
    Come back here and post as an Attachment your log.txt file from FINDnFIX


    Also download GetService.zip from here: Getservice.zip

    Extract the file to a folder where you can find it, then go to the folder and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad file as an attachment too. Call it service.txt.
     
    Last edited: Jan 3, 2005
