Cat33

Home Search Assistant Hijack

I have been infected with the "Home Search" hijack. I have been studying the logs for the past couple of days, to no avail. I ran the updated (today) versions of SpyBot and Ad-Aware, plus HijackThis. Could you review this HJT log and offer some suggestions? I know this is keeping you busy, but any advice would save me!

 

Logfile of HijackThis v1.97.7

Scan saved at 4:22:12 PM, on 6/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\HPConfig.exe

C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\WINDOWS\atldg32.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\WINDOWS\system32\atlsd32.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 14 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676

O2 - BHO: (no name) - {8EFF90B9-3485-5ED1-3013-E336455EB78D} - C:\WINDOWS\system32\javatv.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [atldg32.exe] C:\WINDOWS\atldg32.exe

O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB


Sorry, I rebooted.... here is the newest HJT log. Also, my AVG6 antivirus is starting to tell me I have the "Downloader.Agent.BF" Trojan. The files that are infected are popping up constantly. PLEASE HELP!

 

Logfile of HijackThis v1.97.7

Scan saved at 6:09:18 PM, on 6/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\HPConfig.exe

C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\BellSouth\Connection Manager\CManager.exe

C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe

C:\WINDOWS\system32\ntke32.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 14 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aahbg.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aahbg.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://aahbg.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676

O2 - BHO: (no name) - {8EFF90B9-3485-5ED1-3013-E336455EB78D} - C:\WINDOWS\system32\javatv.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [atldg32.exe] C:\WINDOWS\atldg32.exe

O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB


Hello. Please download my tool called about:buster from

 

http://tools.zerosrealm.com/AboutBuster.zip

Unzip it to your desktop.

 

Now start HijackThis and tick the boxes next to these items:

 

O2 - BHO: (no name) - {8EFF90B9-3485-5ED1-3013-E336455EB78D} - C:\WINDOWS\system32\javatv.dll

O4 - HKLM\..\Run: [atldg32.exe] C:\WINDOWS\atldg32.exe

O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

 

Now close ALL windows and hit "Fix checked".

Do not open Internet Explorer to come back here until after running my tool.

 

Start about:buster and hit Start. In the first white box, input this:

res://aahbg.dll/index.html#96676

 

Now hit OK. Restart your computer and post the report and a new HijackThis log.


Sorry, I did not post the AboutBuster log. I rebooted and ran another HJT session. Please tell me what to put in AboutBuster this time. Also, it seems the downloader trojan is replicating at a fast pace. I get a virus warning every 10 seconds; (****32.exe) files are being infected. Thanks for the help.

 

Logfile of HijackThis v1.97.7

Scan saved at 6:46:38 PM, on 6/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\HPConfig.exe

C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\WINDOWS\system32\ntke32.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\BellSouth\Connection Manager\CManager.exe

C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 15 for hijackthis.zip\HijackThis.exe

 

O2 - BHO: (no name) - {AA3AF481-F482-8D24-5C5D-3A042558A16E} - C:\WINDOWS\system32\appzn.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB


Hmm, looks like the infection went away. But do this:

 

Open HijackThis and tick the boxes next to these:

 

O2 - BHO: (no name) - {AA3AF481-F482-8D24-5C5D-3A042558A16E} - C:\WINDOWS\system32\appzn.dll

O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

 

Then rerun About:Buster and enter this: res://appzn.dll

I shouldn't use the BHO as the text, but we'll try it. After this, post the report and a new log.


.dll File not found, Continuing fix

Removed! : C:\WINDOWS\alebc.dll

Removed! : C:\WINDOWS\etqli.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

Logfile of HijackThis v1.97.7

Scan saved at 7:05:47 PM, on 6/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\HPConfig.exe

C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\system32\ntke32.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\BellSouth\Connection Manager\CManager.exe

C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 16 for hijackthis.zip\HijackThis.exe

 

O2 - BHO: (no name) - {4D1B1005-4C66-86D2-0123-8C1F255C711B} - C:\WINDOWS\system32\crvw32.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB


Looks good.

 

Tick the boxes next to these last items:

 

O2 - BHO: (no name) - {4D1B1005-4C66-86D2-0123-8C1F255C711B} - C:\WINDOWS\system32\crvw32.dll

O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

 

Now delete these files:

 

C:\WINDOWS\system32\crvw32.dll

C:\WINDOWS\system32\ntke32.exe


Did you mean from the computer or just from HJT? I fixed the two files in HJT; below is the new log. I did not reboot.

 

Logfile of HijackThis v1.97.7

Scan saved at 7:15:46 PM, on 6/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\HPConfig.exe

C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\system32\ntke32.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\BellSouth\Connection Manager\CManager.exe

C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 17 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\alebc.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://alebc.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://alebc.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\alebc.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://alebc.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\alebc.dll/sp.html#96676

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunOnce: [d3vc.exe] C:\WINDOWS\system32\d3vc.exe

O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB


Uh oh, this can't be good. You were reinfected :-/. OK, let's try this again.

 

OK, first move HijackThis to a permanent folder such as C:\Hjt

 

Then

1) Tick the boxes next to this item.

 

O4 - HKLM\..\RunOnce: [d3vc.exe] C:\WINDOWS\system32\d3vc.exe

 

2) Start about:buster and paste this in: res://alebc.dll/index.html#96676

3) Let it run and paste the report into a text file or somewhere where you can get it later.

4) Restart your computer and rerun HJT, fixing all random entries. Then post the report and a new HJT log.

Edited by RubbeR DuckY


Okay, I ran About:Buster, saved the results, then rebooted and ran HJT. Below are the logs. Something is replicating on my computer, because every 10 seconds a new file is being infected with Downloader.Agent.

 

 

.dll File could not be opened... Continuing

Removed! : C:\WINDOWS\d3al32.exe

Removed! : C:\WINDOWS\sdkqa32.exe

Removed! : C:\WINDOWS\winau32.exe

Removed! : C:\WINDOWS\alebc.dll

Removed! : C:\WINDOWS\ifght.dll

Removed! : C:\WINDOWS\ntfx.dll

Removed! : C:\WINDOWS\apljd.dat

Removed! : C:\WINDOWS\etqli.dat

Removed! : C:\WINDOWS\ewuwn.dat

Removed! : C:\WINDOWS\ifght.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

Logfile of HijackThis v1.97.7

Scan saved at 7:36:09 PM, on 6/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\HPConfig.exe

C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\system32\ntke32.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\BellSouth\Connection Manager\CManager.exe

C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe

C:\HijackThis.exe

 

O2 - BHO: (no name) - {7DB27A26-99E5-D3F2-DE5E-69D6A77FC596} - C:\WINDOWS\ntfx.dll (file missing)

O2 - BHO: (no name) - {B8A40086-20B8-C1F2-809A-00534310B657} - C:\WINDOWS\system32\apprw.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB


OK, I really don't know how to proceed right now. If we fix the remaining objects, the hijack comes back. Try this. Print these directions out or save them somewhere. You will be working with all windows closed.

 

Tick the box next to these. Make sure all windows are closed and then hit "Fix checked".

 

O2 - BHO: (no name) - {7DB27A26-99E5-D3F2-DE5E-69D6A77FC596} - C:\WINDOWS\ntfx.dll (file missing)

O2 - BHO: (no name) - {B8A40086-20B8-C1F2-809A-00534310B657} - C:\WINDOWS\system32\apprw.dll

O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

 

Then start up about:buster and input this. Remember, all windows closed.

 

res://apprw.dll

 

Then restart your computer and start up about:buster again. Again, type in the above. This is just to make sure everything is gone. Also start up HijackThis and check if the items above are gone. Once you have done that, I'd say it's safe to open Internet Explorer. Create a new HijackThis log and post it with any reports you saved during this procedure.

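The pattern this thread keeps chasing (IE start and search pages pointing into a res:// DLL, a BHO with no name, Run values named after their own random executable, and every one of them renamed after each fix) can be picked out of a HijackThis log automatically. The script below is an added example, not the forum's code nor part of HijackThis or AboutBuster; the two log fragments are constructed from entries quoted earlier in the thread, and the rule names are the author's own.

```python
"""Triage two HijackThis v1.97 log fragments for the Home Search Assistant pattern.

Added example, not code from the thread, HijackThis or AboutBuster. Rule names
and the two log fragments (constructed from entries quoted in the thread) are mine.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the 6:09 PM log quoted in the thread (not the complete log).
LOG_EARLY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aahbg.dll/index.html#96676
O2 - BHO: (no name) - {8EFF90B9-3485-5ED1-3013-E336455EB78D} - C:\WINDOWS\system32\javatv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [atldg32.exe] C:\WINDOWS\atldg32.exe
O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
""".strip()

# Constructed from the 7:15 PM log quoted in the thread, taken after the HJT fix.
LOG_LATER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\alebc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://alebc.dll/index.html#96676
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [d3vc.exe] C:\WINDOWS\system32\d3vc.exe
""".strip()

# res://<dll path>/<page>#<id>: the DLL path is everything up to the next slash.
RES_URL = re.compile(r"res://([^/]+)/", re.IGNORECASE)
# O4 - HKLM\..\Run: [name] "C:\path\file.exe" args  ->  (Run|RunOnce, name, path)
RUN_ENTRY = re.compile(r'^O4 - HK\w+\\\.\.\\(Run\w*): \[([^\]]+)\]\s+"?(.+?\.exe)', re.IGNORECASE)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (rule, artifact file name) for a suspicious log line, else None."""
    if line.startswith(("R0 - ", "R1 - ")):
        # A legitimate start/search page is an http URL or about:blank, not a
        # page served out of a DLL on disk.
        m = RES_URL.search(line)
        if m:
            return "ie-page-served-from-dll", basename(m.group(1))
    elif line.startswith("O2 - BHO: (no name)"):
        path = line.rsplit(" - ", 1)[1].replace(" (file missing)", "")
        return "unnamed-bho", basename(path)
    elif line.startswith("O4 - "):
        m = RUN_ENTRY.match(line)
        if m:
            key, name, path = m.groups()
            if key.lower() == "runonce":
                return "runonce-entry", basename(path)
            if name.lower() == basename(path):
                # Vendors name Run values after the product; this hijacker
                # names them after the random executable itself.
                return "run-value-named-after-file", basename(path)
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """All (rule, artifact, line) hits in one log, in log order."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = classify(line)
        if hit:
            hits.append((hit[0], hit[1], line))
    return hits


def regenerated(before: str, after: str) -> Dict[str, List[str]]:
    """Compare flagged artifacts across two logs; renamed files mean reinfection."""
    old = {a for _, a, _ in triage(before)}
    new = {a for _, a, _ in triage(after)}
    return {"gone": sorted(old - new), "new": sorted(new - old),
            "persisting": sorted(old & new)}


if __name__ == "__main__":
    for rule, artifact, line in triage(LOG_EARLY):
        print(f"{rule:28} {artifact:12} {line[:60]}")
    print(regenerated(LOG_EARLY, LOG_LATER))
```

An empty "persisting" list with a non-empty "new" list is the thread's situation exactly: the files HJT and about:buster removed are gone, but a fresh set with new random names took their place.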

Before reboot:

 

Removed! : C:\WINDOWS\addav.exe

Removed! : C:\WINDOWS\msof32.exe

Removed! : C:\WINDOWS\sdkrb32.exe

Removed! : C:\WINDOWS\alebc.dll

Removed! : C:\WINDOWS\ozguo.dll

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

AFTER REBOOT:

 

.dll File not found, Continuing fix

Removed! : C:\WINDOWS\alebc.dll

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

Logfile of HijackThis v1.97.7

Scan saved at 8:05:39 PM, on 6/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\HPConfig.exe

C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\BellSouth\Connection Manager\CManager.exe

C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe

C:\HijackThis.exe

 

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB

O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.com/RTC/Install/invRTC.CAB


It seems I have been clean for 24 hrs! I also ran AVG6 and wrote down all the "virus infected files". My AVG could not remove them, so I wrote them down, ran a file search and deleted them from there. I guess I got rid of it; it doesn't show up anymore. Please tell me I am right. It was the Downloader.Agent trojan.

 

One point I would like to make: each time I rebooted, I turned off System Restore. This and your program are the only things I did differently. That program is really good. Thanks again for your time and patience.


Now it seems I have not gotten rid of the virus after all. Some of the .dll and .exe files are showing up as viruses in AVG6. I can't let the program get rid of it. Is there a parent file that is replicating the virus that I can manually delete? What logs would you like to see?
