Home Search Assistent Hijack


15 replies to this topic

#1 Cat33 (Full Member, 9 posts)

Posted 22 June 2004 - 03:27 PM

I have been infected with the "Home Search" hijack. I have been studying the logs for the past couple of days, to no avail. I ran the updated (today) versions of SpyBot and Ad-Aware, plus HijackThis. Could you review this HJT log and offer some suggestions? I know this is keeping you busy, but any advice would save me!

Logfile of HijackThis v1.97.7
Scan saved at 4:22:12 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\atldg32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\atlsd32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 14 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676
O2 - BHO: (no name) - {8EFF90B9-3485-5ED1-3013-E336455EB78D} - C:\WINDOWS\system32\javatv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [atldg32.exe] C:\WINDOWS\atldg32.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.c...tall/invRTC.CAB

#2 Cat33 (Full Member, 9 posts)

Posted 22 June 2004 - 05:15 PM

Sorry, I rebooted... here is the newest HJT log. Also, my AVG6 antivirus is starting to tell me I have the "Downloader.Agent.BF" Trojan. The files that are infected are popping up constantly. PLEASE HELP!

Logfile of HijackThis v1.97.7
Scan saved at 6:09:18 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINDOWS\system32\ntke32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 14 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aahbg.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aahbg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://aahbg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676
O2 - BHO: (no name) - {8EFF90B9-3485-5ED1-3013-E336455EB78D} - C:\WINDOWS\system32\javatv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [atldg32.exe] C:\WINDOWS\atldg32.exe
O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.c...tall/invRTC.CAB

#3 RubbeR DuckY (Marcin, Developer, 878 posts)

Posted 22 June 2004 - 05:29 PM

Hello. Please download my tool called about:buster from

http://tools.zerosre...AboutBuster.zip

Unzip it to your desktop.

Now start HijackThis and tick the boxes next to these items:

O2 - BHO: (no name) - {8EFF90B9-3485-5ED1-3013-E336455EB78D} - C:\WINDOWS\system32\javatv.dll
O4 - HKLM\..\Run: [atldg32.exe] C:\WINDOWS\atldg32.exe
O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

Now close ALL windows and hit fix checked.
Do not open Internet Explorer to come back here until after running my tool.

Start about:buster and hit start. In the first white box input this:
res://aahbg.dll/index.html#96676

Now hit OK. Restart your computer and post the report and a new HijackThis log.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#4 Cat33 (Full Member, 9 posts)

Posted 22 June 2004 - 05:51 PM

Sorry, I did not post the AboutBuster log. I rebooted, and ran another HJT session. Please tell me what to put in AboutBuster this time. Also, it seems the downloader trojan is replicating at a fast pace. I get a virus warning every 10 seconds. (****32.exe) files are being infected. Thanks for the help.

Logfile of HijackThis v1.97.7
Scan saved at 6:46:38 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\ntke32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 15 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {AA3AF481-F482-8D24-5C5D-3A042558A16E} - C:\WINDOWS\system32\appzn.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.c...tall/invRTC.CAB

#5 RubbeR DuckY (Marcin, Developer, 878 posts)

Posted 22 June 2004 - 05:54 PM

Hmm, looks like the infection went away. But do this:

Open HijackThis and tick the boxes next to these:

O2 - BHO: (no name) - {AA3AF481-F482-8D24-5C5D-3A042558A16E} - C:\WINDOWS\system32\appzn.dll
O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

Then rerun About:Buster and enter this: res://appzn.dll
I shouldn't use the BHO as the text, but we'll try it. After this, post the report and a new log.

#6 Cat33 (Full Member, 9 posts)

Posted 22 June 2004 - 06:09 PM

.dll File not found, Continuing fix
Removed! : C:\WINDOWS\alebc.dll
Removed! : C:\WINDOWS\etqli.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

Logfile of HijackThis v1.97.7
Scan saved at 7:05:47 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\ntke32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 16 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {4D1B1005-4C66-86D2-0123-8C1F255C711B} - C:\WINDOWS\system32\crvw32.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.c...tall/invRTC.CAB

#7 RubbeR DuckY (Marcin, Developer, 878 posts)

Posted 22 June 2004 - 06:11 PM

Looks good.

Tick the boxes next to these last items:

O2 - BHO: (no name) - {4D1B1005-4C66-86D2-0123-8C1F255C711B} - C:\WINDOWS\system32\crvw32.dll
O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

Now delete these files:

C:\WINDOWS\system32\crvw32.dll
C:\WINDOWS\system32\ntke32.exe


#8 Cat33 (Full Member, 9 posts)

Posted 22 June 2004 - 06:17 PM

Did you mean from the computer or just from HJT? I fixed the two files in HJT; below is the new log. I did not reboot.

Logfile of HijackThis v1.97.7
Scan saved at 7:15:46 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\ntke32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 17 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\alebc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://alebc.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://alebc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\alebc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://alebc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\alebc.dll/sp.html#96676
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunOnce: [d3vc.exe] C:\WINDOWS\system32\d3vc.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.c...tall/invRTC.CAB

#9 RubbeR DuckY (Marcin, Developer, 878 posts)

Posted 22 June 2004 - 06:21 PM

Uh oh, this can't be good. You were reinfected :-/. Ok, let's try this again.

Ok, first move HijackThis to a permanent folder such as C:\Hjt

Then:
1) Tick the boxes next to these items.

O4 - HKLM\..\RunOnce: [d3vc.exe] C:\WINDOWS\system32\d3vc.exe

2) Start about:buster and paste this in: res://alebc.dll/index.html#96676
3) Let it run and paste the report into a text file or somewhere where you can get it later.
4) Restart your computer and rerun Hjt, fixing all random entries. Then post the report and a new Hjt log.

Edited by RubbeR DuckY, 22 June 2004 - 06:22 PM.

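Step 4 above tells Cat33 to fix "all random entries". The indicators that mark those entries in this thread's logs are mechanical enough to check by script: IE start/search pages redirected into a res:// URL inside a DLL, an unnamed BHO loading a DLL, and Run/RunOnce values whose name is just the executable's own file name (ntke32.exe, atldg32.exe, d3vc.exe). The following Python triage helper is an added example, not code from the thread, HijackThis or AboutBuster; the function names, the small allowlist of IE's own resource DLLs, and the sample lines (copied from the logs posted above) are its own assumptions.

```python
"""Triage helper for HijackThis 1.x log lines (added example, hypothetical).

Flags the three indicators this thread's logs show for the Home Search
Assistant hijack:
  * R0/R1 entries whose IE start/search page is a res:// URL into a DLL
    that is not one of IE's own resource DLLs;
  * O2 BHO entries listed as "(no name)";
  * O4 Run/RunOnce entries whose value name equals the exe's file name,
    e.g. [ntke32.exe] C:\\WINDOWS\\system32\\ntke32.exe.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# IE serves its own built-in pages (about:blank, error pages) from res://
# URLs too, so a res:// value is only suspicious for other DLLs. Assumed list.
IE_OWN_DLLS = {"shdoclc.dll", "ieframe.dll", "mshtml.dll"}

RES_DLL = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?([A-Za-z0-9_]+\.dll)", re.I)
R_ENTRY = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),([^,=]+) = (.*)$")
O2_ENTRY = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_ENTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


@dataclass
class Finding:
    reason: str    # why the line was flagged
    artifact: str  # file to preserve (copy/hash) before it is removed
    line: str      # the original HJT line


def res_dll(value: str) -> Optional[str]:
    """Return the DLL name a res:// URL points into, or None."""
    m = RES_DLL.search(value)
    return m.group(1).lower() if m else None


def exe_path(command: str) -> str:
    """First path in a Run value: the quoted path, or the first token."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := R_ENTRY.match(line)):
            setting, value = m.group(4), m.group(5)
            dll = res_dll(value)
            if dll and dll not in IE_OWN_DLLS:
                findings.append(Finding(f"IE {setting} points into res://{dll}", dll, line))
        elif (m := O2_ENTRY.match(line)):
            name, _clsid, path = m.groups()
            if name.lower() == "(no name)":
                findings.append(Finding("unnamed BHO loads a DLL", path, line))
        elif (m := O4_ENTRY.match(line)):
            _hive, key, name, command = m.groups()
            path = exe_path(command)
            base = path.replace("/", "\\").rsplit("\\", 1)[-1]
            # Legitimate entries use a product name ([hpsysdrv], [QuickTime
            # Task]); the hijacker's use the bare exe name as the value name.
            if name.lower().endswith(".exe") and name.lower() == base.lower():
                findings.append(Finding(f"{key} value named after its own exe", path, line))
    return findings


# Constructed sample: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aahbg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aahbg.dll/index.html#96676
O2 - BHO: (no name) - {8EFF90B9-3485-5ED1-3013-E336455EB78D} - C:\WINDOWS\system32\javatv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe
O4 - HKLM\..\RunOnce: [d3vc.exe] C:\WINDOWS\system32\d3vc.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.artifact}")
```

The `artifact` field is there so a copy or hash of the DLL/exe can be taken before HijackThis removes the entry; as Cat33's later logs show, the file names change on every reinfection, so the preserved samples are what an AV vendor or analyst can actually work from.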

#10 Jinto (New Member, 2 posts)

Posted 22 June 2004 - 06:25 PM

NM

Edited by Jinto, 22 June 2004 - 06:28 PM.


#11 Cat33 (Full Member, 9 posts)

Posted 22 June 2004 - 06:40 PM

Okay, I ran About:Buster, saved the results, then rebooted and ran HJT. Below are the logs. Something is replicating on my computer, because every 10 seconds a new file is being infected with Downloader.Agent.


.dll File could not be opened... Continuing
Removed! : C:\WINDOWS\d3al32.exe
Removed! : C:\WINDOWS\sdkqa32.exe
Removed! : C:\WINDOWS\winau32.exe
Removed! : C:\WINDOWS\alebc.dll
Removed! : C:\WINDOWS\ifght.dll
Removed! : C:\WINDOWS\ntfx.dll
Removed! : C:\WINDOWS\apljd.dat
Removed! : C:\WINDOWS\etqli.dat
Removed! : C:\WINDOWS\ewuwn.dat
Removed! : C:\WINDOWS\ifght.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

Logfile of HijackThis v1.97.7
Scan saved at 7:36:09 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\ntke32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\HijackThis.exe

O2 - BHO: (no name) - {7DB27A26-99E5-D3F2-DE5E-69D6A77FC596} - C:\WINDOWS\ntfx.dll (file missing)
O2 - BHO: (no name) - {B8A40086-20B8-C1F2-809A-00534310B657} - C:\WINDOWS\system32\apprw.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.c...tall/invRTC.CAB

#12 RubbeR DuckY (Marcin, Developer, 878 posts)

Posted 22 June 2004 - 06:47 PM

Ok, I really don't know how to proceed right now. If we fix the remaining objects, the hijack comes back. Try this. Print these directions out or save them somewhere. You will be working with all windows closed.

Tick the box next to these. Make sure all windows are closed and then hit fix checked.

O2 - BHO: (no name) - {7DB27A26-99E5-D3F2-DE5E-69D6A77FC596} - C:\WINDOWS\ntfx.dll (file missing)
O2 - BHO: (no name) - {B8A40086-20B8-C1F2-809A-00534310B657} - C:\WINDOWS\system32\apprw.dll
O4 - HKLM\..\Run: [ntke32.exe] C:\WINDOWS\system32\ntke32.exe

Then start up about:buster and input this. Remember, all windows closed.

res://apprw.dll

Then restart your computer and start up about:buster again. Again type in the above. This is just to make sure everything is gone. Also start up HijackThis and check if the items above are gone. Once you have done that, I'd say it's safe to open Internet Explorer. Create a new HijackThis log and post any reports you saved during this procedure.

#13 Cat33 (Full Member, 9 posts)

Posted 22 June 2004 - 07:08 PM

Before reboot:

Removed! : C:\WINDOWS\addav.exe
Removed! : C:\WINDOWS\msof32.exe
Removed! : C:\WINDOWS\sdkrb32.exe
Removed! : C:\WINDOWS\alebc.dll
Removed! : C:\WINDOWS\ozguo.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

AFTER REBOOT:

.dll File not found, Continuing fix
Removed! : C:\WINDOWS\alebc.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

Logfile of HijackThis v1.97.7
Scan saved at 8:05:39 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CFFB24E5-B865-4E6D-AC90-78A335C19F29} (RTC_20040215.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF9D016B-4188-4272-B337-71C4289485F0} (RTC_20040515.RTC) - http://www.iastore.c...tall/invRTC.CAB
O16 - DPF: {F1BBBD40-128F-47DF-9735-DAFED6558334} (RTC_20040401.RTC) - http://www.iastore.c...tall/invRTC.CAB

#14 RubbeR DuckY (Marcin, Developer, 878 posts)

Posted 23 June 2004 - 07:23 PM

Looks clean :).

Good job following directions. :thumbsup:

#15 Cat33 (Full Member, 9 posts)

Posted 24 June 2004 - 06:22 AM

It seems I have been clean for 24 hrs! I also ran AVG6 and wrote down all the "virus infected files". My AVG could not remove them, so I wrote them down, ran a file search and deleted them from there. I guess I got rid of it; it doesn't show up anymore. Please tell me I am right. It was the Downloader.Agent trojan.

One point I would like to make... Each time I rebooted, I turned off System Restore. This and your program are the only things I did differently. That program is really good. Thanks again for your time and patience.

#16 Cat33 (Full Member, 9 posts)

Posted 24 June 2004 - 01:41 PM

Now it seems I have not gotten rid of the virus after all. Some of the .dll and .exe files are showing up as viruses in AVG6. I can't let the program get rid of it. Is there a parent file that is replicating the virus that I can manually delete? What logs would you like to see?
