HJT Log


  • This topic is locked
1 reply to this topic

#1 francd1

francd1

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:52 PM

Posted 18 March 2005 - 04:01 AM

Please find below a copy of my latest HJT log. I ran HJT some time ago and managed to remove most of the problem registry keys, and since changing to Mozilla and installing Zone Alarm I've had no further internet problems.
My PC has been acting up a lot recently though. I've posted details in the WinXP OS forum but will provide a few details here in case they are relevant.
The PC regularly fails to find the OS on bootup; it looks like the HDD is not initiating properly. When I do finally manage to get in, the HDD whirs and clicks and then usually freezes, and after a short while I get a blue screen with a physical memory dump message.
I'm not sure if the HDD is trying to start up an application or something as part of the virus. I have noticed that the BIOS settings for the primary driver are set to NONE; I change this to USER each time, and boot up usually works when I do. I'm not sure how this got changed to NONE, it may have been me, and unfortunately I haven't managed a proper shutdown (the system always crashes), which I guess would save the settings. Can you tell me what the BIOS settings should be?

Hijack This Log is:

Logfile of HijackThis v1.99.1
Scan saved at 12:34:23, on 17/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\apiaa.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\atlkl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D4FD3E7F-134B-3265-8C6A-C70ABD1A2E09} - C:\WINDOWS\system32\winpn.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [atlkl.exe] C:\WINDOWS\system32\atlkl.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\apiaa.exe

Any help with the HJT log and HDD problems would be much appreciated.

#2 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:02:52 AM

Posted 18 March 2005 - 07:12 AM

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please download About:Buster from here: http://www.downloads.subratam.org/AboutBuster.zip Once it is downloaded, extract it to c:\aboutbuster, then launch the program. Press "Check for Update", download the updates, then close About:Buster. We will use that program later in this process.

Reboot your computer into Safe Mode and follow these steps:

Step 1:

Click on Start, then Control Panel, then Administrative Programs, then Services. Look for a service called Workstation NetLogon Service. Double click on that service, click Stop, and then set the startup type to Disabled.

Step 2:

Press Ctrl-Alt-Delete to get into the Task Manager and end the following processes if they exist:
C:\WINDOWS\apiaa.exe
C:\WINDOWS\system32\atlkl.exe


Step 3:
I now need you to delete the following files:
C:\WINDOWS\apiaa.exe
C:\WINDOWS\system32\atlkl.exe
C:\WINDOWS\system32\vgell.dll
C:\WINDOWS\system32\winpn.dll


If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Step 4:
Then run HijackThis. Put a checkmark next to each of these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D4FD3E7F-134B-3265-8C6A-C70ABD1A2E09} - C:\WINDOWS\system32\winpn.dll
O4 - HKLM\..\Run: [atlkl.exe] C:\WINDOWS\system32\atlkl.exe

O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\apiaa.exe



Then close all other running programs and program windows and press the "Fix checked" button.


Step 5:

In the next step we are going to remove a service that gets installed by this malware.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation NetLogon Service

If Workstation NetLogon Service exists, right click on it and choose Delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Workstation NetLogon Service

If LEGACY_Workstation NetLogon Service exists then right click on it and choose delete from the menu.

If you have trouble deleting a key, click once on the key name to highlight it and click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.


Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open, press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it has completed, move on to step 7.

Step 7:

Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Step 8:
Reboot your computer back to normal mode so that we can see if we need to restore some deleted files:
  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit the program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.
  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn Files control.exe and examining where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
  • Open IE, go to Tools > Internet Options, then click on the Security tab, then click on Custom Level. Check the following settings:
      • Download signed ActiveX controls: set to Prompt.
      • Download unsigned ActiveX controls: set to Disable.
      • Initialize and script ActiveX controls not marked as safe: set to Disable.
Step 9:

Run an online antivirus scan at:

http://housecall.antivirus.com/

Download this file:
http://ralphcaddell.com/Uploads/deldomains.zip
Unzip it and double-click on deldomains.inf to remove the Trusted Zone entries.

Reboot and post a new log
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
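As an added defender-side example (not code from this thread, from HijackThis or from its author), here is a small Python triage that reads lines in HijackThis log format and flags the same kinds of entries illukka picked out above: res:// search hijacks, a missing URLSearchHook, an unnamed BHO, Run entries and unknown-owner services launching from the Windows directory, and Trusted Zone additions. The sample lines are constructed from this thread's log; the rules are review heuristics, not verdicts (the avast service is also "Unknown owner" but sits under Program Files, so it is not flagged, matching the list above).

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis log format (entries modelled on the log in this thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vgell.dll/sp.html#48201
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D4FD3E7F-134B-3265-8C6A-C70ABD1A2E09} - C:\WINDOWS\system32\winpn.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [atlkl.exe] C:\WINDOWS\system32\atlkl.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\apiaa.exe
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
WINDIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.IGNORECASE)


def in_windows_dir(path: str) -> bool:
    """Heuristic: user software normally lives under Program Files, not %WINDIR%."""
    return WINDIR_RE.match(path.strip().strip('"')) is not None


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (section code, reason, original line) for entries worth a second look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code.startswith("R") and "res://" in body:
            findings.append((code, "IE start/search setting points at a local DLL resource", line))
        elif code == "R3" and "is missing" in body:
            findings.append((code, "default URLSearchHook has been removed", line))
        elif code == "O2" and "(no name)" in body:
            findings.append((code, "BHO registered without a name", line))
        elif code == "O4" and in_windows_dir(body.split("] ", 1)[-1]):
            findings.append((code, "Run entry launches a binary from the Windows directory", line))
        elif code == "O15":
            findings.append((code, "domain added to the IE Trusted Zone", line))
        elif code == "O23" and "Unknown owner" in body and in_windows_dir(body.rsplit(" - ", 1)[-1]):
            findings.append((code, "service with no vendor running from the Windows directory", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```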



