Jump to content


Photo

HSA Hijack won't die


  • Please log in to reply
4 replies to this topic

#1 techieshane

techieshane

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 19 July 2004 - 02:59 PM

This thing is nasty and I have successfully removed it off this system for almost a 12 hour period ... then it keeps coming back. System restore has been turned off since XP was configured origionally, all the temp folders, cookies, even IE's downloaded program files folder has been cleared ... I've maxed out my spyware/PC knowledge and this helper trainee needs help!

I've run all the tools out there, HSremove, Hijackthis, AboutBuster, BHODeamon ... and still can't seem to kill this thing.

HJT log below:
Logfile of HijackThis v1.98.0
Scan saved at 2:41:59 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\ccsrvc.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\ntyk32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\iere32.exe
S:\SHARE\Sys Tools\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ntbmr.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ntbmr.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ntbmr.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ntbmr.dll/sp.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ntbmr.dll/sp.html#27859
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ntbmr.dll/index.html#27859
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://02proxy2:80
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5DCD2B4E-94CD-BAC9-A2ED-1738BBFD853B} - C:\WINDOWS\system32\mstx32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [iere32.exe] C:\WINDOWS\iere32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{72927841-65FD-4115-AE61-301928AF9E4B}: Domain = brasscrafthq.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{72927841-65FD-4115-AE61-301928AF9E4B}: Domain = brasscrafthq.com
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

All the random 04's and 02's were killed using HJT and the AboutBuster was run producing the following:

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\iere32.exe
Removed! : C:\WINDOWS\ntbmr.dat
Removed! : C:\WINDOWS\ntbmr.dll
Removed! : C:\WINDOWS\System32\nbosg.dat
Removed! : C:\WINDOWS\System32\sfytj.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Pages Reset... Done!

I can then open IE once, get the google search page as my homepage and not see any pop-ups. After closing IE and reopening (sometimes it needs to be done 2 or 3 times) the flipping HSA is back.

I have also tried to unregister the dll's manually using process explorer and can't seem to find what application/process has them locked. I know this particular variant is running msqm.exe, crxa32.exe as the NSS, and the dll of ipin32.dll. I was able to kill the NSS service (crxa32.exe) and msqm.exe process via process explorer but the ipin32.dll has a hook into explorer.exe and even in safe mode I can't seem to get it out.

HELP! :scratchhead:
Live today for Tomorrow you may be OLD!

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 19 July 2004 - 07:29 PM

You already have About:Buster.Donīt run it yet.

How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Donīt use it yet.
1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R332 12.07.2004 or higher listed.

2 Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.If this service is not listed go ahead with the next step.

4. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam


5. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

6.CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ntbmr.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ntbmr.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ntbmr.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ntbmr.dll/sp.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ntbmr.dll/sp.html#27859
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ntbmr.dll/index.html#27859
O2 - BHO: (no name) - {5DCD2B4E-94CD-BAC9-A2ED-1738BBFD853B} - C:\WINDOWS\system32\mstx32.dll
O4 - HKLM\..\Run: [iere32.exe] C:\WINDOWS\iere32.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


7. delete the following files if present.
C:\WINDOWS\ntbmr.dll
C:\WINDOWS\msopt.dll
C:\WINDOWS\system32\mstx32.dll
C:\WINDOWS\iere32.exe


8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

11. Reboot to normal mode, scan again with Hijack This and post a new log here.

12. Finally, do an online scan HERE. Let it remove any infected files found.


Post a fresh HijackThis log and the AboutBuster report back here please.

#3 techieshane

techieshane

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 20 July 2004 - 08:53 AM

:techsupport: :techsupport: :techsupport: :techsupport: :techsupport:
I guess I should have been more specific.
I can't run Ad-Aware because this is in a corporate environment and there are licensing issues.
The NSS was stopped and disabled. Spybot, Spywareblaster, and the online x-scanner from spyware-guide.com have all been run until they come back clean. Then HJT was run, all random entries ticked and fixed. This step had to be run more than once to get a clean log. Aboutbuster was then run a total of 4 times to get clean logs. All temp files, cookies, and IE storage folders in all user folders were removed. A manual registry clean was run removing all trace entries for coolweb and HSA, as well as some of the other spyware crap that was on there originally. IE then reported to be clean for almost 12 hours. It took that long for this thing to regenerate itself. It then reappeared as the home page in IE and all attempts to clean since then have resulted in about a 2-min regeneration time. I believe this thing is moving closer to the virus category every day. The above logs were created after running through this routine, getting IE fixed for 3-4 application starts, and then finding on the next run of IE HSA is back. Upon discovering this I then ran HJT and AboutBuster to generate the logs seen in the origional post.

This is not a simple matter of missing a step along the way … this is a case of a new variant that AboutBuster does not solve … tell me what I need to provide for information to assist with it's removal. I have the rest of the day to get info off the machine and test a "new fix" before I will be required to format the hard drive and place a new load on this laptop.
Live today for Tomorrow you may be OLD!

#4 techieshane

techieshane

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 29 July 2004 - 09:29 AM

GEE THANKS FOR ALL THE HELP! :grrr: ... I ended up runing an Fdisk, format, and clean install of XP to get rid of this F'ing thing.

HSAREMOVE, ABOUTBUSTER, HijackThis, BHODEAMON, SpyBot, and X-Scanner from Spyware-guide.com do NOT fix this thing in every case.

Keep trying guys.

Edited by techieshane, 29 July 2004 - 09:29 AM.

Live today for Tomorrow you may be OLD!

#5 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 29 July 2004 - 10:11 AM

Iīm sorry I didnīt see the other post.
Bad you could not follow the instructions.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
So how did I get infected in the first place?

Good luck :D




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button