PDA

View Full Version : Anchor.HSS



salenai
2013-06-23, 14:30
Hi guys, I have same problem as
Rosefriend:
support.proboards.com/thread/469916

Spybot has detected spyware Anchor.HSS every time I used it. It belongs to: PUPSC - it stands for potentionally unwanted program.
I use other programs to detect malware/virus/spyware/adaware as well. Programs are Spybot SD2, Malwarebytes, Advanced SystemCare 6, IOBit MalwareFighter, AVG, Super AntiSpyware. Only Spybot SD (1 - the old one) has detected the same problem again and again.
Every time I decide to scan my computer, I go to safe mod, since it is able to catch more unwanted stuff in my PC. Only spyware I have ever had problem removing was this one.

I looked at malware removal guide - Anchor.Hss thread, but none of what was mentioned there I found anywhere on my PC. I checked regedit, I checked appdata,etc.
Not sure where can I located sysdir though, is it basically system32 folder? I checked that one, nothing there either.
Spyware still keeps coming back :/.
Any suggestions please?
Thanks.

Zenobia
2013-06-24, 05:06
Do you have hotspot shield installed? :)

salenai
2013-06-24, 12:27
Do you have hotspot shield installed? :)
No dude, I do not :). Problem must be somewhere else, perhaps in adobe? I wrote about the problem here as well:
http://forums.adobe.com/thread/1239873?tstart=0
Not sure though :D.

Zenobia
2013-06-24, 17:05
Yes,I saw that post last night,and figured it might be yours. :)
Could you open Spybot,click Mode,Advanced Mode,View Report,View Previous Report,locate the checks or fixes logfile where anchor.hss was detected,doubleclick it,rightclick somewhere in the Spybot window,select Select All,then rightclick again and select Copy,then paste it in a reply here?

salenai
2013-06-25, 01:16
Yes,I saw that post last night,and figured it might be yours. :)
Could you open Spybot,click Mode,Advanced Mode,View Report,View Previous Report,locate the checks or fixes logfile where anchor.hss was detected,doubleclick it,rightclick somewhere in the Spybot window,select Select All,then rightclick again and select Copy,then paste it in a reply here?

Sure mate :). Thanks for help :).
Unfortunately, the report is same as in adobe forums :/.


--- Report generated: 2013-06-24 22:44 ---

Anchor.Hss: [SBI $5B773E15] Používateľské nastavenia (Kľúč v registri, nothing done)
HKEY_USERS\S-1-5-21-3878205609-505246965-1532686573-1001\Software\Conduit


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2013-01-12 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2013-04-11 Includes\Adware.sbi (*)
2013-06-19 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2012-11-14 Includes\Dialer.sbi (*)
2013-04-11 Includes\DialerC.sbi (*)
2013-04-11 Includes\HeavyDuty.sbi (*)
2012-11-14 Includes\Hijackers.sbi (*)
2013-04-11 Includes\HijackersC.sbi (*)
2012-11-14 Includes\iPhone.sbi (*)
2012-11-14 Includes\Keyloggers.sbi (*)
2013-04-11 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2013-05-29 Includes\Malware.sbi (*)
2013-06-19 Includes\MalwareC.sbi (*)
2012-11-14 Includes\PUPS.sbi (*)
2013-06-19 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2012-11-14 Includes\Security.sbi (*)
2013-04-11 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2013-05-22 Includes\Spyware.sbi (*)
2013-06-19 Includes\SpywareC.sbi (*)
2012-11-19 Includes\Tracks.uti
2013-01-16 Includes\Trojans.sbi (*)
2013-05-13 Includes\TrojansC-02.sbi (*)
2013-06-19 Includes\TrojansC-03.sbi (*)
2013-05-16 Includes\TrojansC-04.sbi (*)
2013-06-13 Includes\TrojansC-05.sbi (*)
2013-04-19 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Zenobia
2013-06-25, 03:21
You're welcome. :)

The .hss file extension is listed as associated with adobe...or Dreamweaver Snippet here:
http://filext.com/file-extension/HSS
Or photoshop here:
http://www.ehow.com/info_12121548_hss-file-extension.html

However,there is the anchorfree hss adapter driver,among other things:
https://www.google.ca/search?source=ig&rlz=&q=Anchorfree+HSS+adapter+Network+card&oq=Anchorfree+HSS+adapter+Network+card&gs_l=igoogle.3...0.0.0.27.0.0.0.0.0.0.0.0..0.0...0.0...1ac..12.igoogle.#sclient=psy-ab&q=anchorfree+hss+adapter+driver&oq=Anchorfree+HSS+adapter&gs_l=serp.1.2.0l4.261659.262252.3.265577.15.4.0.1.1.4.423.786.0j3j4-1.4.0...0.0...1c.1.17.psy-ab.OBpSmFtsnyg&pbx=1&bav=on.2,or.r_cp.r_qf.&bvm=bv.48293060,d.dmg&fp=1c08c86110c2abd8&biw=1366&bih=657
I would guess that is related to why this detection is named Anchor.HSS,and the adobe file extension .hss is most probably an unrelated coincidence.

Is your operating system Windows 7,and have you been running as admin when you're scanning?If you haven't,try rightclicking Spybot 1.6.2 on your desktop,and select run as administrator before your next scan.

salenai
2013-06-25, 11:22
You're welcome. :)

The .hss file extension is listed as associated with adobe...or Dreamweaver Snippet here:
http://filext.com/file-extension/HSS
Or photoshop here:
http://www.ehow.com/info_12121548_hss-file-extension.html

However,there is the anchorfree hss adapter driver,among other things:
https://www.google.ca/search?source=ig&rlz=&q=Anchorfree+HSS+adapter+Network+card&oq=Anchorfree+HSS+adapter+Network+card&gs_l=igoogle.3...0.0.0.27.0.0.0.0.0.0.0.0..0.0...0.0...1ac..12.igoogle.#sclient=psy-ab&q=anchorfree+hss+adapter+driver&oq=Anchorfree+HSS+adapter&gs_l=serp.1.2.0l4.261659.262252.3.265577.15.4.0.1.1.4.423.786.0j3j4-1.4.0...0.0...1c.1.17.psy-ab.OBpSmFtsnyg&pbx=1&bav=on.2,or.r_cp.r_qf.&bvm=bv.48293060,d.dmg&fp=1c08c86110c2abd8&biw=1366&bih=657
I would guess that is related to why this detection is named Anchor.HSS,and the adobe file extension .hss is most probably an unrelated coincidence.

Is your operating system Windows 7,and have you been running as admin when you're scanning?If you haven't,try rightclicking Spybot 1.6.2 on your desktop,and select run as administrator before your next scan.


Oh, that is a pity :/. Yeah, I was not before, but after reading somewhere that this could help with the problem, I did it :). Not a change unfortunately:/.

Zenobia
2013-06-25, 15:41
Sorry,I missed your question about sysdir before:
www.pcmag.com/encyclopedia/term/57364/sysdir

After the scan is done,has Spybot been offering to run on startup?If it has,have you been selecting yes?

hookup
2013-06-26, 01:41
Hi, I am having the same problem with Anchor.HSS. I do have Hotspot Shield and it is the source according to the Spybot scans. I have tried logging in as administrator, it detects but it will not get rid of the Spyware. It also prompts me to allow Spybot to run on my next startup and I have done this twice. Each time it says that it detects 2 problems, but the only action it will let me take is to do another scan and that only starts the process over again.

Zenobia
2013-06-26, 09:30
Which version of Spybot do you have,would it be Spybot 2 or 2.1? :)

hookup
2013-06-27, 01:50
Which version of Spybot do you have,would it be Spybot 2 or 2.1? :)

It says that I have 1.6.2.46

Zenobia
2013-06-27, 07:36
Alright,the reason I asked is because I saw this about sdcleaner in the forum a little while back. :)
http://forums.spybot.info/showthread.php?68789-Why-won-t-Spybot-remove-Delta-Toolbar
But,since I don't see sdcleaner listed in salenai's logfile or anything I know to be the equivalent,I'd assume that doesn't apply to you or him,since you both have Spybot 1.6.2.
(unless there was something like sdcleaner.exe in Spybot 1.6.2 and it was called something else that I cannot remember.I'm not sure,so I'll just squint suspiciously at sdmain.exe since I can't quite remember what it was,and move on.No need to concern yourself with this,btw,I'm just rambling out loud a little.) :D:

Anchor.hss is in the pups category,so I'll show you this page explaining those:
http://www.safer-networking.org/faq/pups/
If you've decided after reading the above that you would like to no longer have hotspot shield,then you might like to consider removing it from add/remove programs.
If the two entries are still found after that when you scan with Spybot,then you could ask for help in malware removal:
This is the before you post sticky topic:
http://forums.spybot.info/showthread.php?288-quot-BEFORE-You-POST-quot-(Please-read-this-Procedure-Before-Requesting-Assistance)
And this is malware removal:
http://forums.spybot.info/forumdisplay.php?22-Malware-Removal

hookup
2013-06-27, 07:52
Thanks. I'll check it out.

Andy_P2002
2013-06-27, 15:38
Just to say, here are my findings today...

This Anchor.hss result also just appeared in my latest Spybot scan this morniing.

But are we sure it's not just a false positive? I ran a scan only a few days ago which was clear of it, and don't think I have downloaded anything except some Adobe updates since then. Also see below for new results that DON'T show it.

My Spybot version was only v1.3.6.50 but the updater only seems to look for new virus definitions, I had to go to the safer networking website to discover there was a v2 available.

Downloaded and installed v2.1.20-SR1

I just did a new scan with that, and it found LOTS of tracking cookies that v1.36.50 had missed, but "Anchor.hss" is no longer showing up in the results.

I then allowed Spybot to fix all the tracking cookies and after that I ran ANOTHER scan.

That one came up with ONE result, but when I click on "show results" the list is completely empty, so what is this single result that I can't see?

Zenobia
2013-06-28, 03:07
No,I don't believe the first two people before you is a case of a false positive.In salenai's case,though it is called Anchor.hss,the registry key indicated in his logfile is:
HKEY_USERS\S-1-5-21-3878205609-505246965-1532686573-1001\Software\Conduit
and while it is in a different location,there is a conduit registry key listed in the malware removal guide here:
http://forums.spybot.info/showthread.php?68808-Manual-Removal-Guide-for-Anchor-Hss
So,it would most likely be as intended,unless a false positive crept into the malware removal guide.(I'm unsure why the anchor.hss pups detection shows up in older versions of Spybot,and not the new one,though.)

hookup indicated that they have hotspot shield installed,so it should be safe to assume their detection is not a false positive,either.

The detection on yours might be something else entirely,though.Your logfile would have to be looked at to tell.
Even though you uninstalled Spybot 1.3,I think your older logfiles should still be available unless you removed them yourself.
They would be at:
Windows 95 or 98: C:\Windows\Aplication Data\Spybot – Search & Destroy\
Windows ME: C:\Windows\All Users\Application Data\Spybot – Search & Destroy\
Windows NT, 2000 or XP: C:\Documents and Settings\All Users\Application Data\Spybot – Search & Destroy\
Windows Vista,7 or 8:Windows Vista: C:\ProgramData\Spybot – Search & Destroy\
If Application Data or Program Files(whichever applies to you) isn't visible,then please see here:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/
They'd be available with the date of the time you did your scan in the name.For an example,it would look somewhat similar to this:
Checks.130626-0339.txt

If you think the Anchor.hss detection in your logfile may be a false positive,you follow this post:
http://forums.spybot.info/showthread.php?19117-How-to-report-possible-False-Positives
Then you can ask about it in here:
http://forums.spybot.info/forumdisplay.php?16-False-Positives

As for the single result you could not see in the newer Spybot,it might be available in a checks logfile also.Since the name of the folder in application data/program data is Spybot - Search & Destroy,and not Spybot - Search & Destroy 2,I assume when an older version is uninstalled,logfiles from older versions stay in that folder.So while you are in that area looking for your logfile from Spybot 1.3,you can also look for the checks logfile from the date you did that scan and open it as well,and see if it shows you what was found. :)

salenai
2013-07-03, 01:20
No,I don't believe the first two people before you is a case of a false positive.In salenai's case,though it is called Anchor.hss,the registry key indicated in his logfile is:
HKEY_USERS\S-1-5-21-3878205609-505246965-1532686573-1001\Software\Conduit
and while it is in a different location,there is a conduit registry key listed in the malware removal guide here:
http://forums.spybot.info/showthread.php?68808-Manual-Removal-Guide-for-Anchor-Hss
So,it would most likely be as intended,unless a false positive crept into the malware removal guide.(I'm unsure why the anchor.hss pups detection shows up in older versions of Spybot,and not the new one,though.)

hookup indicated that they have hotspot shield installed,so it should be safe to assume their detection is not a false positive,either.

The detection on yours might be something else entirely,though.Your logfile would have to be looked at to tell.
Even though you uninstalled Spybot 1.3,I think your older logfiles should still be available unless you removed them yourself.
They would be at:
Windows 95 or 98: C:\Windows\Aplication Data\Spybot – Search & Destroy\
Windows ME: C:\Windows\All Users\Application Data\Spybot – Search & Destroy\
Windows NT, 2000 or XP: C:\Documents and Settings\All Users\Application Data\Spybot – Search & Destroy\
Windows Vista,7 or 8:Windows Vista: C:\ProgramData\Spybot – Search & Destroy\
If Application Data or Program Files(whichever applies to you) isn't visible,then please see here:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/
They'd be available with the date of the time you did your scan in the name.For an example,it would look somewhat similar to this:
Checks.130626-0339.txt

If you think the Anchor.hss detection in your logfile may be a false positive,you follow this post:
http://forums.spybot.info/showthread.php?19117-How-to-report-possible-False-Positives
Then you can ask about it in here:
http://forums.spybot.info/forumdisplay.php?16-False-Positives

As for the single result you could not see in the newer Spybot,it might be available in a checks logfile also.Since the name of the folder in application data/program data is Spybot - Search & Destroy,and not Spybot - Search & Destroy 2,I assume when an older version is uninstalled,logfiles from older versions stay in that folder.So while you are in that area looking for your logfile from Spybot 1.3,you can also look for the checks logfile from the date you did that scan and open it as well,and see if it shows you what was found. :)

Hi guys, I am back, the problem kept coming back, so I reinstalled windows.
I let it update and download all the service packs, I downloaded all the previously mentioned antivirus/antispyware/antimalware software, scanned my computer with everything, everything was clear. Then day or so later I found 2! anchor.hss entries! I deleted both through spybot, and I also managed to delete the register folders anchor.hss appeared in.
There was nothing to be found for a day or so. Then next day, I found another location, and at different place again, Hkeyusers, etc., not sure where exactly. But it was a different location than the previous ones.
ALSO I think I know what anchor.hss does. Before reinstallation, my system restored itself to previous point, like, it deleted my keyboard language change option, wallpaper, removed icons from my task bar and set them to default, also I had mozilla firefox set as default browsret, it removed that option, removed my set screen resolution.
This is why I decided to reinstall windows. It formatted C. Now, after reinstallation, and these found entries (that I mentioned in the first section of this post), it AGAIN restored system to previous state. Also, when it restored back to previous state this time, I received a message saying that vprotect application has stopped working.

Do you Zenobia or anyone else know how to deal with this problem?:/ I am getting really desperate now.
Thanks!

Zenobia
2013-07-03, 07:25
Welcome back.Sorry to hear of all your troubles,but that detection should not cause problems as serious as all that.Hotspot Shield is VPN software that is adware supported when it's the free version. :)
There is a wikipedia page about it here:
http://en.wikipedia.org/wiki/AnchorFree

vProtect should be related to AVG:
http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=185252

As you are getting the Anchor.HSS detection,and do not have hotspot shield installed,I think it would be best if you go to the false positives forums and see if they can find out what's up.
There is a sticky topic here to show what you need to give for info:
http://forums.spybot.info/showthread.php?19117-How-to-report-possible-False-Positives
False positives:
http://forums.spybot.info/forumdisplay.php?16-False-Positives

spybotsandra
2013-07-03, 13:07
Hello,

It seems like you are running an old version of Spybot - Search & Destroy.
This means it won't provide the protection that is actually available.
You will have to switch to Spybot - Search & Destroy 2 to get our full offer.
Please uninstall the older version of Spybot - Search & Destroy before installing the new version.
In order to uninstall Spybot-S&D, please consider the following link (http://www.safer-networking.org/faq/how-to-uninstall/).
Then download the new version of Spybot - Search & Destroy.
You will find links to several download locations (http://www.safer-networking.org/mirrors/) on our website.

Best regards
Sandra
Team Spybot

hookup
2013-07-04, 21:03
Alright,the reason I asked is because I saw this about sdcleaner in the forum a little while back. :)
http://forums.spybot.info/showthread.php?68789-Why-won-t-Spybot-remove-Delta-Toolbar
But,since I don't see sdcleaner listed in salenai's logfile or anything I know to be the equivalent,I'd assume that doesn't apply to you or him,since you both have Spybot 1.6.2.
(unless there was something like sdcleaner.exe in Spybot 1.6.2 and it was called something else that I cannot remember.I'm not sure,so I'll just squint suspiciously at sdmain.exe since I can't quite remember what it was,and move on.No need to concern yourself with this,btw,I'm just rambling out loud a little.) :D:

Anchor.hss is in the pups category,so I'll show you this page explaining those:
http://www.safer-networking.org/faq/pups/
If you've decided after reading the above that you would like to no longer have hotspot shield,then you might like to consider removing it from add/remove programs.
If the two entries are still found after that when you scan with Spybot,then you could ask for help in malware removal:
This is the before you post sticky topic:
http://forums.spybot.info/showthread.php?288-quot-BEFORE-You-POST-quot-(Please-read-this-Procedure-Before-Requesting-Assistance)
And this is malware removal:
http://forums.spybot.info/forumdisplay.php?22-Malware-Removal


Today I went to Control Panel to uninstall Hotspot Shield. I had noticed that the icon for it on my desktop looked different for some reason. I clicked uninstall in CP and a window popped up saying that I had already uninstalled HSS, even though I had not done so previously. I deleted the icon in CP and ran another Spybot scan. This time the hss pup did not show up in the scan. Kind of strange considering that I did not knowingly uninstall Hotspot Shield. I guess I am cured or am I ?

spybotsandra
2013-07-05, 12:57
Hello,

Seems like the problem is solved.
We also have issued more improved detection rules for Anchor.HSS with one of our latest updates.

Best regards
Sandra
Team Spybot