Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log - Tim


  • This topic is locked This topic is locked
1 reply to this topic

#1 thinson

thinson

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 07 July 2004 - 01:57 PM

Trying to help a friend who's machine is infected badly. Have used both Ad-Aware and Spybot. Please help

Logfile of HijackThis v1.97.7
Scan saved at 2:47:40 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\apila.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\ScanSoft\TEXTBR~1\Bin\INSTAN~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\addkj32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Ares\ares.exe
C:\Documents and Settings\Brian Rubino\Application Data\pbtu.exe
C:\WINDOWS\System32\NDrv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Brian Rubino\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qruhe.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qruhe.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qruhe.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qruhe.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qruhe.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qruhe.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net
O2 - BHO: (no name) - {2793A518-B131-6A45-A669-D11F76853A3C} - C:\WINDOWS\netvi.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addkj32.exe] C:\WINDOWS\addkj32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\ares.exe" -h
O4 - HKCU\..\Run: [Cpea] C:\Documents and Settings\Brian Rubino\Application Data\pbtu.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [apila.exe] C:\WINDOWS\system32\apila.exe
O4 - HKLM\..\RunOnce: [atlfa.exe] C:\WINDOWS\system32\atlfa.exe
O4 - HKLM\..\RunOnce: [d3tc.exe] C:\WINDOWS\d3tc.exe
O4 - HKLM\..\RunOnce: [msyr32.exe] C:\WINDOWS\msyr32.exe
O4 - HKLM\..\RunOnce: [ntnx.exe] C:\WINDOWS\system32\ntnx.exe
O4 - HKLM\..\RunOnce: [cree32.exe] C:\WINDOWS\system32\cree32.exe
O4 - HKLM\..\RunOnce: [winui.exe] C:\WINDOWS\system32\winui.exe
O4 - HKLM\..\RunOnce: [netpg32.exe] C:\WINDOWS\system32\netpg32.exe
O4 - HKLM\..\RunOnce: [winqn32.exe] C:\WINDOWS\winqn32.exe
O4 - HKLM\..\RunOnce: [ntmz.exe] C:\WINDOWS\system32\ntmz.exe
O4 - HKLM\..\RunOnce: [msvt.exe] C:\WINDOWS\system32\msvt.exe
O4 - HKLM\..\RunOnce: [systv32.exe] C:\WINDOWS\system32\systv32.exe
O4 - HKLM\..\RunOnce: [d3gb32.exe] C:\WINDOWS\d3gb32.exe
O4 - HKLM\..\RunOnce: [winij32.exe] C:\WINDOWS\system32\winij32.exe
O4 - HKLM\..\RunOnce: [ipcs.exe] C:\WINDOWS\system32\ipcs.exe
O4 - HKLM\..\RunOnce: [netmo32.exe] C:\WINDOWS\netmo32.exe
O4 - HKLM\..\RunOnce: [ipga.exe] C:\WINDOWS\ipga.exe
O4 - HKLM\..\RunOnce: [ntaj.exe] C:\WINDOWS\system32\ntaj.exe
O4 - HKLM\..\RunOnce: [appba32.exe] C:\WINDOWS\appba32.exe
O4 - HKLM\..\RunOnce: [addgl.exe] C:\WINDOWS\system32\addgl.exe
O4 - HKLM\..\RunOnce: [winec.exe] C:\WINDOWS\winec.exe
O4 - HKLM\..\RunOnce: [apiln.exe] C:\WINDOWS\system32\apiln.exe
O4 - HKLM\..\RunOnce: [mfcoi.exe] C:\WINDOWS\mfcoi.exe
O4 - HKLM\..\RunOnce: [atlck32.exe] C:\WINDOWS\atlck32.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {11010101-1001-1111-1000-110164567732} - ms-its:mhtml:file://C:MAIN.MHT!http://www.008i.com//x//f//10213//inst.chm::/f10213.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:34 PM

Posted 07 July 2004 - 03:18 PM

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Step 1:


Click on start, the control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on the that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step 2:

Press control-alt-delete to get into the task manager and end the follow processes if they exist:

C:\WINDOWS\system32\apila.exe
C:\WINDOWS\addkj32.exe
C:\Documents and Settings\Brian Rubino\Application Data\pbtu.exe
C:\WINDOWS\System32\NDrv.exe

Step 3:
I now need you to delete the following files:

C:\WINDOWS\system32\apila.exe
C:\WINDOWS\addkj32.exe
C:\Documents and Settings\Brian Rubino\Application Data\pbtu.exe
C:\WINDOWS\System32\NDrv.exe
The file from the services above.
C:\WINDOWS\qruhe.dll
C:\Documents and Settings\Brian Rubino\Application Data\pbtu.exe
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\system32\atlfa.exe
C:\WINDOWS\msyr32.exe
C:\WINDOWS\d3tc.exe
C:\WINDOWS\system32\cree32.exe
C:\WINDOWS\system32\ntnx.exe
C:\WINDOWS\system32\winui.exe
C:\WINDOWS\system32\netpg32.exe
C:\WINDOWS\winqn32.exe
C:\WINDOWS\system32\msvt.exe
C:\WINDOWS\system32\ntmz.exe
C:\WINDOWS\system32\systv32.exe
C:\WINDOWS\d3gb32.exe
C:\WINDOWS\system32\winij32.exe
C:\WINDOWS\netmo32.exe
C:\WINDOWS\system32\ipcs.exe
C:\WINDOWS\ipga.exe
C:\WINDOWS\system32\ntaj.exe
C:\WINDOWS\appba32.exe
C:\WINDOWS\system32\addgl.exe
C:\WINDOWS\winec.exe
C:\WINDOWS\system32\apiln.exe
C:\WINDOWS\mfcoi.exe
C:\WINDOWS\atlck32.exe

Also delete any files that have the same name as these files but end with a dll. You should see them right next to each other.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Step 4:
Then run hijackthis and fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qruhe.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qruhe.dll/index.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qruhe.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qruhe.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qruhe.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qruhe.dll/sp.html#10213
O2 - BHO: (no name) - {2793A518-B131-6A45-A669-D11F76853A3C} - C:\WINDOWS\netvi.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O4 - HKLM\..\Run: [addkj32.exe] C:\WINDOWS\addkj32.exe
O4 - HKCU\..\Run: [Cpea] C:\Documents and Settings\Brian Rubino\Application Data\pbtu.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKLM\..\RunOnce: [apila.exe] C:\WINDOWS\system32\apila.exe
O4 - HKLM\..\RunOnce: [atlfa.exe] C:\WINDOWS\system32\atlfa.exe
O4 - HKLM\..\RunOnce: [d3tc.exe] C:\WINDOWS\d3tc.exe
O4 - HKLM\..\RunOnce: [msyr32.exe] C:\WINDOWS\msyr32.exe
O4 - HKLM\..\RunOnce: [ntnx.exe] C:\WINDOWS\system32\ntnx.exe
O4 - HKLM\..\RunOnce: [cree32.exe] C:\WINDOWS\system32\cree32.exe
O4 - HKLM\..\RunOnce: [winui.exe] C:\WINDOWS\system32\winui.exe
O4 - HKLM\..\RunOnce: [netpg32.exe] C:\WINDOWS\system32\netpg32.exe
O4 - HKLM\..\RunOnce: [winqn32.exe] C:\WINDOWS\winqn32.exe
O4 - HKLM\..\RunOnce: [ntmz.exe] C:\WINDOWS\system32\ntmz.exe
O4 - HKLM\..\RunOnce: [msvt.exe] C:\WINDOWS\system32\msvt.exe
O4 - HKLM\..\RunOnce: [systv32.exe] C:\WINDOWS\system32\systv32.exe
O4 - HKLM\..\RunOnce: [d3gb32.exe] C:\WINDOWS\d3gb32.exe
O4 - HKLM\..\RunOnce: [winij32.exe] C:\WINDOWS\system32\winij32.exe
O4 - HKLM\..\RunOnce: [ipcs.exe] C:\WINDOWS\system32\ipcs.exe
O4 - HKLM\..\RunOnce: [netmo32.exe] C:\WINDOWS\netmo32.exe
O4 - HKLM\..\RunOnce: [ipga.exe] C:\WINDOWS\ipga.exe
O4 - HKLM\..\RunOnce: [ntaj.exe] C:\WINDOWS\system32\ntaj.exe
O4 - HKLM\..\RunOnce: [appba32.exe] C:\WINDOWS\appba32.exe
O4 - HKLM\..\RunOnce: [addgl.exe] C:\WINDOWS\system32\addgl.exe
O4 - HKLM\..\RunOnce: [winec.exe] C:\WINDOWS\winec.exe
O4 - HKLM\..\RunOnce: [apiln.exe] C:\WINDOWS\system32\apiln.exe
O4 - HKLM\..\RunOnce: [mfcoi.exe] C:\WINDOWS\mfcoi.exe
O4 - HKLM\..\RunOnce: [atlck32.exe] C:\WINDOWS\atlck32.exe
O16 - DPF: {11010101-1001-1111-1000-110164567732} - ms-its:mhtml:file://C:MAIN.MHT!http://www.008i.com//x//f//10213//inst.chm::/f10213.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab


Step 5:

In the next step we are going to remove a service that gets installed by this malware. The service will always start with __NS_Service. For the purposes of this step, we will assume that it is called NS_Service_3 but may be called something differently on your computer.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3

If __NS_Service_3 exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3

If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.

If you have trouble deleting a key. Then click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.


Step 6:

Please down About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip

Once it is download, please run the tool. When the tool is open press ok and then start. In the field labeled "Input in here..." enter the following:

res://hbsax.dll/index.html

Then press the OK button. The program will start to delete the various elements of this malware.

When it completed move on to step 7.

Step 7:

Restore files deleted by this malware.
  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users