xysearch.biz/?wmid=3320


2 replies to this topic

#1 mms_services


  • Members
  • 2 posts

Posted 10 November 2004 - 05:18 AM

please help

Hi mms_services,
I've split your topic into a thread of your own. Every log and system is different, so please stick to this thread from now on to avoid confusion and to help you more efficiently. Someone will be with you shortly.---Papakid



I have the same hijack problem except the target site is http://xysearch.biz/?wmid=3320, and even after several hjt scans and fixes, even in safe mode, my homepage won't change and hijackthis still finds userinit.exe + 2 IE toolbars after I remove them.
I have installed several trojan removers and anti-spyware tools without any success.

Here is the log I get:

Logfile of HijackThis v1.97.7
Scan saved at 11:14:04, on 10/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: La Solution Ciel (L).lnk = C:\CIEL\STARTER.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab


I have also done a reglook in case it helps:


A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 7 value entries - last modified 11:55(UTC) 30/09/2002)
[AppInit_DLLs] = "" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 4 subkeys and 31 value entries - last modified 09:56(UTC) 10/11/2004)
[Userinit] = "userinit.exe,TGBRFV_" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
(key has 0 subkeys and 5 value entries - last modified 11:55(UTC) 30/09/2002)
[Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" (REG_SZ)
----------------------------------------


I don't know what to do; my homepage won't change, several trojans are sent to my computer, and it also replaces my desktop with an active desktop page about security being compromised, etc...

Edited by Papakid, 10 November 2004 - 09:16 AM.



#2 mms_services

  • Topic Starter

  • Members
  • 2 posts

Posted 10 November 2004 - 11:05 AM

As this malware infected my boss's computer and we don't work tomorrow, I won't be able to send more info or logs, but will follow up on Friday. I have a little experience in cleaning malware and just discovered this website; congratulations to you all on running it, because it's been the best I've looked through so far.
I hope you can find some way to fix this. I looked through services and the registry but didn't find anything that looked odd, as it may be a new version; there wasn't any pnp service...

Thank you for your help, work and time dedicated to fighting malware.

Edited by mms_services, 10 November 2004 - 11:05 AM.


#3 Papakid


    Guru at being a Newbie


  • Malware Response Team
  • 6,595 posts

Posted 11 November 2004 - 02:03 PM

Hi mms_services,

My apologies for not getting back to you earlier, even tho you won't be around today. And thanks for the kudos. :thumbsup: You are right, there is a new version of a-search.biz but I'm not sure if xysearch.biz is the same. A fix for the new a-search.biz has just been developed, so let's run thru it and see if it works. Please do the following:

First, you are running an outdated version of HijackThis. Please download the newest version (1.98.2) and unzip it to your C:\hijackthis folder. You can delete the old version--there is no uninstall.

HijackThis Download

Note: please read this carefully, as the steps do repeat a few times, but the last step does change a bit.

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

Select the Delete on reboot option.


In the field labeled "Full path of file to delete", enter C:\WINDOWS\System32\TGBRFV_.exe

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next, in the field labeled "Full path of file to delete", enter C:\WINDOWS\System32\TGBRFV_5.dll

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.



Next, in the field labeled "Full path of file to delete", enter C:\WINDOWS\System32\TGBRFV_.dll

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the YES button.


Your computer will now reboot. Check to see if the file is gone.


When it reboots, fix these entries in hijackthis--put a checkmark by each entry, close all other windows and hit Fix Checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=Userinit.exe,

Reboot and post a new log.

Go into Internet Options and reset your homepage and let me know how that works.

The thing about people

is they change

when they walk away.--Mipso
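The persistence Papakid's fix targets is visible in the reg_look output above: the Winlogon Userinit value reads "userinit.exe,TGBRFV_", so the extra module is loaded at every logon and re-applies the hijack, which is why fixing the R0 and F2 lines alone did not stick. The following script is an added example, not part of the thread and not a BleepingComputer or HijackThis tool; it is a read-only audit that checks the same registry values reg_look and HijackThis report (Userinit, Shell, AppInit_DLLs, IE Start Page) and looks for the three file names the fix deletes. The expected clean values are assumptions based on a default Windows install; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): audit Winlogon/IE registry values for the
# kind of tampering shown in the reg_look output ("userinit.exe,TGBRFV_").
# Read-only: it reports findings and changes nothing.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windows  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$findings = @()

# 1. Userinit: on a clean system this is a single entry, userinit.exe under
#    %SystemRoot%\system32, usually with a trailing comma (assumed default).
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
foreach ($e in $entries) {
    if ($e -ine $expected -and $e -ine 'userinit.exe') {
        $findings += "Userinit has an unexpected entry '$e' (full value: '$userinit')"
    }
}

# 2. Shell: should be explorer.exe only (assumed default).
$shell = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
if ($shell -ine 'explorer.exe') {
    $findings += "Shell is '$shell', expected 'explorer.exe'"
}

# 3. AppInit_DLLs: empty on a clean system; reg_look checked this same value.
$appinit = (Get-ItemProperty -Path $windows -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appinit) {
    $findings += "AppInit_DLLs is set: '$appinit'"
}

# 4. IE Start Page in both hives: reported for review (the hijacker in the
#    thread forced about:blank; a legitimate value differs per site).
foreach ($hive in 'HKLM', 'HKCU') {
    $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    $sp = (Get-ItemProperty -Path $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($sp) { $findings += "$hive Start Page = $sp (review)" }
}

# 5. Files named in the fix; paths taken from the thread, under the live %SystemRoot%.
foreach ($name in 'TGBRFV_.exe', 'TGBRFV_5.dll', 'TGBRFV_.dll') {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

if ($findings.Count -eq 0) {
    'No anomalies found in the checked values.'
} else {
    $findings
}
```

The Userinit check is the one that matters for this thread: any second comma-separated entry is a logon-time loader that will undo a homepage fix on every reboot, which is why the file deletion has to happen (with Delete on reboot) before the HijackThis entries are fixed, and why a new log after the reboot should show the F2 line gone.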




