Home Page Hijack
steveo
08-08-2004, 09:58 PM
Running XP Home, I picked up some manner of spyware where my homepage gets directed to a search page. Sounds familiar, I know, and I've had and removed these before. This critter seems to sidestep all the usual spyware programs (they find the rogue files but can't remove them). As an added twist, every time I access my email accounts, when I click on an email I'm directed back to this search page along with a few popups telling me my PC may be infected with spyware...heh.
I can find/remove the suspect files in both the registry and temp/cookie folders but alas they come back almost instantly. It also seems to be linked to the MS homepage as it pops up from time to time as my homepage. Spyblaster 3.2 shows both the spyware file and MSN as being a problem for the browser.
Normally I would google the spyware to find out more about it and how to deal with it but in this case I can't find any reference to a name or what to even call this spyware.
Any ideas on what this spyware is and how to deal with it?
Budfred
08-08-2004, 10:06 PM
There are several things it could be... You will need to download and run HijackThis for us to look at and help you work it through.. You can get it from the link in my sig...
To run HJT, extract it to a permanent folder such as one you create like C:\HJT. Close all open windows and browsers and make sure that all programs are enabled if you use msconfig. Run it and Scan, then Save the log. When the log window appears, Right click to Copy it, open your browser and come here to Paste the log. Do not make any changes until it is checked since most items are either benign or essential to the computer.
steveo
08-09-2004, 12:16 AM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9A726B7C-457C-4901-9D4C-10220AA5C533} - C:\WINDOWS\System32\ajjb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServicesOnce: [washindex] E:\Washer\Washer\washidx.exe "steveo"
O4 - Global Startup: ZoneAlarm.lnk = E:\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!.chm::/on-line.exe
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy)
O18 - Filter: text/html - {7810EFFD-9112-4BDA-98A3-EB2A00406A3A} - C:\WINDOWS\System32\ajjb.dll
O18 - Filter: text/plain - {7810EFFD-9112-4BDA-98A3-EB2A00406A3A} - C:\WINDOWS\System32\ajjb.dll
Those R entries are the ones I believe are infected.
Entry O16 (on-line) showed up on ZA a couple of days ago wanting permission. I deleted it and it never showed up again and I forgot about it.
That ajjb.dll file shows up a few times so I'm gonna go see what it is.
Budfred
08-09-2004, 12:25 AM
That is a very nasty CWS variant that is difficult to remove even with all available tools... You need to post the entire log if we are going to help you....
steveo
08-09-2004, 12:29 AM
That was the log minus processes... I'll make another one.
Logfile of HijackThis v1.98.2
Scan saved at 9:45:08 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\hijak\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9A726B7C-457C-4901-9D4C-10220AA5C533} - C:\WINDOWS\System32\ajjb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServicesOnce: [washindex] E:\Washer\Washer\washidx.exe "steveo"
O4 - Global Startup: ZoneAlarm.lnk = E:\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!.online.chm::/on-line.exe
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) -streamaudio.com/download/ccpm_0237.cab
O18 - Filter: text/html - {7810EFFD-9112-4BDA-98A3-EB2A00406A3A} - C:\WINDOWS\System32\ajjb.dll
O18 - Filter: text/plain - {7810EFFD-9112-4BDA-98A3-EB2A00406A3A} - C:\WINDOWS\System32\ajjb.dll
This is all the log shows after I save the log.
Budfred
08-09-2004, 12:33 AM
I meant the whole piece that is saved... header, Running Processes and log proper...
Budfred
08-09-2004, 12:43 AM
You still don't have the part of the header that shows what version of HJT you have... It needs to be 1.98.2...
steveo
08-09-2004, 12:46 AM
Sorry... it's in there now in the above post.
Budfred
08-09-2004, 12:59 AM
Okay, here is one of the easiest methods to fix this... The drawback is that it doesn't always work... It is worth a try and if it doesn't we can go on to another one:
Method 1: SPHJFIX
This is the easiest way. Unfortunately this method doesn’t always work. SPHJFIX works only on Windows 2000 and Windows XP systems.
Download Sphjfix here (http://www.rokop-security.de/main/download.php?op=getit&lid=59)
Unzip the program and start it.
After an automatic reboot run CWShredder.
Reboot again, run HijackThis and remove all entries related to the about:blank hijack.
If in doubt, find expert help.
These are items to fix with HJT at that point in the process... The O16 is a dialer that is not CWS, but needs to be fixed anyway...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9A726B7C-457C-4901-9D4C-10220AA5C533} - C:\WINDOWS\System32\ajjb.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!.online.chm::/on-line.exe
O18 - Filter: text/html - {7810EFFD-9112-4BDA-98A3-EB2A00406A3A} - C:\WINDOWS\System32\ajjb.dll
O18 - Filter: text/plain - {7810EFFD-9112-4BDA-98A3-EB2A00406A3A} - C:\WINDOWS\System32\ajjb.dll
Hope that this works, because it gets harder from here... Reboot and post a fresh log after you finish... Be sure to have all other windows, and particularly browsers, closed when you run HJT for the scan or the fix...
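An added example, not part of the thread and not code from HijackThis, that turns the indicators Budfred lists above into rules over HJT log lines: R entries pointing IE's search/start page at a file in Temp, HomeOldSP forced to about:blank, the unnamed O2 BHO, the O16 ms-its: download and the O18 text/html MIME filter, and then shows that the same DLL (ajjb.dll) backs both the BHO and the filter. The sample lines are copied from the log posted in the thread; the rule names and functions are my own.

```python
import re

# Constructed sample: lines copied from the HijackThis v1.98.2 log posted in the
# thread, reduced to the entries the rules below are about plus one benign BHO.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\steveo\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9A726B7C-457C-4901-9D4C-10220AA5C533} - C:\WINDOWS\System32\ajjb.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!.online.chm::/on-line.exe
O18 - Filter: text/html - {7810EFFD-9112-4BDA-98A3-EB2A00406A3A} - C:\WINDOWS\System32\ajjb.dll
"""

# "R1 - <body>" / "O18 - <body>": the HJT section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A drive-letter path ending in a loadable module (DLL or OCX).
MODULE_RE = re.compile(r"[a-z]:\\\S+\.(?:dll|ocx)", re.IGNORECASE)

def classify(line):
    """Return why an HJT line matches the about:blank hijack pattern, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, low = m.group("kind"), m.group("body").lower()
    if kind in ("R0", "R1") and "file://" in low and "\\temp\\" in low:
        return "IE search/start page redirected to a local file in Temp"
    if kind in ("R0", "R1") and "homeoldsp" in low and "about:blank" in low:
        return "HomeOldSP forced to about:blank"
    if kind == "O2" and "(no name)" in low:
        return "BHO registered without a name"
    if kind == "O16" and ("ms-its:" in low or "mhtml:" in low):
        return "DPF entry loading an executable through an ms-its:/mhtml: URL"
    if kind == "O18" and low.startswith("filter: text/"):
        return "MIME filter hooked on text/html or text/plain"
    return None

def scan(log_text):
    """Return (kind, reason, line) for every suspicious entry in an HJT log."""
    out = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            out.append((line.strip().split(" - ", 1)[0], reason, line.strip()))
    return out

def shared_modules(findings):
    """Map each DLL/OCX referenced by two or more flagged entries to those entry kinds."""
    seen = {}
    for kind, _, line in findings:
        for path in MODULE_RE.findall(line):
            seen.setdefault(path.lower(), set()).add(kind)
    return {p: sorted(k) for p, k in seen.items() if len(k) > 1}
```

The Acrobat BHO and the Window Title line pass through unflagged, while ajjb.dll is reported as the module behind both the O2 and O18 entries, which is why removing the R entries alone did not hold.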
steveo
08-09-2004, 01:20 AM
Logfile of HijackThis v1.98.2
Scan saved at 10:17:16 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
E:\Zone Labs\ZoneAlarm\zonealarm.exe
E:\hijak\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServicesOnce: [washindex] E:\Washer\Washer\washidx.exe "steveo"
O4 - Global Startup: ZoneAlarm.lnk = E:\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!.on-line.exe
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) -streamaudio.com/download/ccpm_0237.cab
here's the new log
I should add that my homepage is now blank (as it should be) and I have no trouble getting into my email accounts.
Budfred
08-09-2004, 08:40 PM
You still need to fix this... it is a dialer. If it doesn't fix, post back and we will see if there is something else that needs to be done, the O16s usually clean up pretty easily:
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!.on-line.exe
Also, if you didn't set some protections in an anti-spyware program like Spybot, fix this too:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
We won't know for sure that you are clean until you reboot several times, so post back if the infection reappears... In the meanwhile, it would be a real good idea to tighten up security so you are less likely to get hit again... Here is my prevention speech to help with that:
This is a good time to set up protection against further attacks. You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
Check out this article for more ideas:
http://www.computercops.biz/postlite7736-.html
It would be a good idea to run HJT again in a couple of days and after several reboots, then post a fresh log to see if you are still clean...