Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Home page switchedto "tnbqk:


  • This topic is locked This topic is locked
2 replies to this topic

#1 Richard1283

Richard1283

  • Members
  • 94 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Detroit
  • Local time:08:49 PM

Posted 01 August 2004 - 04:36 PM

Home page changed to tnbqk -

-- Scan 1 --------
About:Buster Version 2.0
Removed! : D:\WINDOWS\tnbqk.dat
Removed! : D:\WINDOWS\tnbqk.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.0
Removed! : D:\WINDOWS\tnbqk.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Logfile of HijackThis v1.98.0
Scan saved at 5:32:20 PM, on 8/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\brsvc01a.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\brss01a.exe
D:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Tablet.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\WINDOWS\Mixer.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\wuauclt.exe
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\tnbqk.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tnbqk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tnbqk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\tnbqk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\tnbqk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tnbqk.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: (no name) - {C0ABA3B1-1D31-5501-C7B5-68D02849D3DC} - D:\WINDOWS\ienz32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EPSON Stylus Photo 2200] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus Photo 2200" /O6 "USB003" /M "Stylus Photo 2200"
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "D:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [yswlisb] D:\WINDOWS\System32\qabblh.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ctpo] D:\Documents and Settings\Richa\Application Data\toct.exe
O4 - HKCU\..\Run: [Avxnq] D:\WINDOWS\System32\kvbnd.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PhotoCAL Startup.lnk = D:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = D:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

BC AdBot (Login to Remove)

 


m

#2 ColdinCbus

ColdinCbus

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 02 August 2004 - 11:03 AM

Here is the fix for your PC. Please note that this fix will only work for this PC.

1. Download this tool called AboutBuster http://www.downloads.subratam.org/AboutBuster.zip

Unzip it to your desktop but don't run it yet.

2. Download and install adaware http://www.lavasoftusa.com/software/adaware/ Get the Free version. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You can now close the program.

3. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online.

4. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

5. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find any of the following services.

Network Security Service
Remote Procedure Call (RPC) Helper <-Please note the word Helper at the end
Workstation NetLogon Service

When you find one, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

6. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

7. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\tnbqk.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tnbqk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tnbqk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\tnbqk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\tnbqk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tnbqk.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C0ABA3B1-1D31-5501-C7B5-68D02849D3DC} - D:\WINDOWS\ienz32.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "D:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [yswlisb] D:\WINDOWS\System32\qabblh.exe

Do you know what this program is?
O4 - HKCU\..\Run: [Ctpo] D:\Documents and Settings\Richa\Application Data\toct.exe

O4 - HKCU\..\Run: [Avxnq] D:\WINDOWS\System32\kvbnd.exe


and delete the following files if present.

D:\WINDOWS\tnbqk.dll
D:\WINDOWS\ienz32.dll
D:\WINDOWS\Downloaded Program Files\bridge.dll
D:\WINDOWS\System32\qabblh.exe
D:\Documents and Settings\Richa\Application Data\toct.exe <-if you don't know what it is and can't find it.
D:\WINDOWS\System32\kvbnd.exe
Also delete the file that was associated with the sevice you ended above

8. Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_3

If any are listed, right-click that entry in the right pane and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3

If you find it, right-click it in the right-pane and choose delete.

9. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

10. Scan with Adaware and let it remove any bad files found.

11. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

12. Reboot to normal mode, scan again with Hijack This and post a new log here.

13. NOTE:Two, possibly 3, files were also deleted from your computer and need to be replaced.

Control.exe
hosts (with no extension)
SDHelper.dll (if you are using Spybot Search & Destroy)

If control. exe is missing
Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
........................................................
14. Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.

15. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

#3 Richard1283

Richard1283
  • Topic Starter

  • Members
  • 94 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Detroit
  • Local time:08:49 PM

Posted 03 August 2004 - 03:50 PM

That did it. Many Thanks!

Logfile of HijackThis v1.98.0
Scan saved at 4:45:59 PM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\brsvc01a.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\brss01a.exe
D:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Tablet.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\WINDOWS\Mixer.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Messenger\msmsgs.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EPSON Stylus Photo 2200] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus Photo 2200" /O6 "USB003" /M "Stylus Photo 2200"
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PhotoCAL Startup.lnk = D:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = D:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users