viruses and trojans tired of fighting this

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by huney23451, Dec 21, 2004.

  1. huney23451

    huney23451 Private E-2

    I have done all the steps on the pages here as far as downloading everything and cleaning, and I am still having backdoor-cfg and something called windows.system32.services.exe shutting down the computer when I try to run Ad-Aware. I was able to stop that when I used the shutdown -a post here, but can someone please help me? I have the HJT log if you want me to post it.
     
  2. huney23451

    huney23451 Private E-2

    Edit by chaslang: Inline log changed to attachment
     

    Attached Files:

    • hjt.txt (9.4 KB)
    Last edited by a moderator: Dec 21, 2004
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow guidelines for installing, using and posting HJT logs. No one requested that you post one. And you have it running from the wrong directory.


    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\System32\?hkntfs.exe
    C:\Documents and Settings\john\Application Data\othb.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    O4 - HKCU\..\Run: [Xsyzep] C:\WINDOWS\System32\?hkntfs.exe
    O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\john\Application Data\othb.exe
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.finefind.net
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {04BE9E78-471C-6C2A-45D7-34841BC323C4} - http://82.179.166.72/1/gdnUS208.exe
    O16 - DPF: {11111111-1111-1111-1111-111111113457} -
    O16 - DPF: {11111111-1111-1111-1111-511111113457} -
    O16 - DPF: {11111111-1111-1111-1111-511111113458} -
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} -
    O16 - DPF: {2456741B-1567-7682-A355-939856783603} -
    O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dialer/in...ionale_ver4.CAB
    O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://213.200.210.10/dl/101/US905_150.exe
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
    O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\_h.html
    C:\WINDOWS\System32\?hkntfs.exe
    C:\Documents and Settings\john\Application Data\othb.exe
    C:\Program Files\Common files\SearchUpgrader <-- the whole directory


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. huney23451

    huney23451 Private E-2

    OK, I did what the last post told me to do, but these two files I could not find in safe mode, and when I ran the fix I got one error on one of the fixes but cannot find the clipboard it posted it to.


    C:\WINDOWS\System32\?hkntfs.exe
    C:\Documents and Settings\john\Application Data\othb.exe
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the following tool: Pocket KillBox http://www.downloads.subratam.org/KillBox.zip

    Unzip it and run Pocket Killbox and choose the Delete on Reboot option.

    Enter each of these lines into the white box for Full Path of File to Delete one by one and then press the red X button. If it first asks to confirm the deletion after each entry is added and the red X is pressed, you need to click Yes. But when it asks if you want to Reboot, click No each time until the last of the four entries has been made. Then click Yes to reboot.

    C:\WINDOWS\System32\TGBRFV_.exe
    C:\WINDOWS\System32\TGBRFV_5.dll
    C:\WINDOWS\System32\TGBRFV_.dll
    C:\WINDOWS\System32\TGBRFV_5.exe


    After KillBox has rebooted your system, restart HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xysearch.biz?wmid=1010
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_

    After clicking Fix, exit HJT and reboot again.

    Now after reboot create a new HJT log and post it here.
     
  7. huney23451

    huney23451 Private E-2

    OK, I did those and here is the log.

    I wanted to say thank you for helping me with this; it has been a great help.

    Tanya
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log looks clean! How are things working now?
     
  9. huney23451

    huney23451 Private E-2

    Things look good on the laptop, but now I am fighting the desktop one. I have gone through all the steps and gotten to the HJT part. If you would, can you look at the log for me and tell me what I can do to fix this one? I am doing this for friends, so I have to do it as I go over to their house, so I am attaching the log I have here and will wait for a reply, then come back and fix it.

    thanks again

    Tanya
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\no\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\no\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [2EDJQQR467KL8M] C:\WINDOWS\System32\FqbOw5.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O16 - DPF: {027DBE03-C14A-263A-D49E-01CA0A052530} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {06B3C7C6-DD3A-6957-E0F3-39BE05E90827} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {087BC716-EFB0-2719-08BD-2EEC40F4BDF1} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {0981A59C-7E34-672D-EE60-7AD7134F899C} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {0C4D3708-E983-7E46-6441-18CA1564F14F} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {15E07DF0-E6C9-718B-E507-4CC17F708B4A} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {18ACBCF8-BC7B-5C09-B66E-136F359EC091} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {21BF1F8C-278E-3904-96AE-7233794E1E86} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {244A6F45-4F6C-10FD-6993-60814B2A030F} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {27DDCE37-0970-7D3F-DF96-44055F87E81E} - http://205.252.249.254/1/rdgUS1077.exe
    O16 - DPF: {28CBCAB6-A75B-5429-CEC4-04846E337369} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {2F259859-3A65-2E3E-5DD2-55E83687AEAE} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {2F367E17-0885-6B5C-F536-053F49D3382A} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {2FF3B4D2-95C5-255F-F582-5DBC347DFAA1} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {3484884F-B452-617C-F649-4A53755522E8} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {367BBD6F-FC6C-031F-D6C1-672E351E850C} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {460DB5FA-D54C-4DFB-5027-08EF4315C4B9} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {48EE1819-F6BD-2DF7-BC60-591C7134E60E} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {4C9DC8ED-A51D-2879-F7E9-3DD86530B113} - http://209.8.161.54/1/gdnUS897.exe
    O16 - DPF: {50589C6B-502A-6881-781B-52262C32E950} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {533C123B-6E30-2164-ED0F-1E7A593FE644} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {57EC6221-E5B1-07A6-1E59-58F90D04BD87} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {597BB577-2193-5AA7-D549-4E416754021B} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {59D05DEB-0689-6D3E-7028-66A571D5695D} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {5A1A450E-FE67-00EC-1E0B-632C6DB38AF3} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {6364E8EA-ADA2-1F1D-19E1-14DC18187455} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {666BE1EC-E580-0370-8AD9-29B44BE30FD1} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {66713414-DDA2-4D37-ED77-1F4340DE8168} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {6CB3289B-1F27-2BDA-2541-5F802A08D381} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {71A81BE7-7DF9-03B0-D88A-31F56268D28F} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {7768EA50-85C3-3A3E-9834-08B241ABF391} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {7E29500B-2719-4023-2D56-582B429338D0} - http://209.8.161.54/1/rdgUS897.exe
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
    O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - http://www.instantplugin.com/SexDownloader.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://213.200.210.10/dl/101/US905_150.exe
    O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)

    After clicking FIX exit HJT!

    Now Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\ex.htm
    C:\WINDOWS\System32\FqbOw5.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
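The replies in this thread walk through three HJT logs by hand and key on the same handful of patterns each time: IE search and start-page settings pointing at local files or raw-IP URLs, hooks and BHOs left as "(no file)", an extra program chained onto Userinit, Run-key autoruns living under Application Data or carrying random-looking names, sites added to the IE Trusted zone, ActiveX (O16) entries with no URL or a raw-IP .exe source, and services or shell objects whose file is missing. The script below is an added example, not part of the thread and not HijackThis's own code: it mechanises those checks over a sample log assembled from entries quoted above plus three made-up benign lines (ExampleUpdater, Example Control, Example Service). The rule set and the "odd name" heuristic are my own assumptions, not an HJT feature.

```python
"""Triage a HijackThis (HJT) log with the kinds of checks the replies in this
thread apply by hand.  Added example for this thread, not HijackThis's own code."""
import re
from typing import List, Tuple

# A value that starts with a dotted-quad host, or that is a local file path.
IPV4_URL = re.compile(r"^(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")
LOCAL_PATH = re.compile(r"^(?:file://)?[A-Za-z]:[\\/]")
# Autorun target inside a user-writable profile directory.
USER_WRITABLE = re.compile(r"\\(?:Application Data|Local Settings\\Temp|Temp)\\", re.I)
# Basename of the first executable-looking token in a Run-key command.
BINARY = re.compile(r'([^\\/\s"]+\.(?:exe|dll|scr|com|bat|pif))', re.I)

# Constructed sample: entries quoted in this thread plus three benign-looking
# lines (ExampleUpdater, Example Control, Example Service) made up so that the
# filter has something to let through.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\no\LOCALS~1\Temp\sp.html
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKCU\..\Run: [Xsyzep] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\john\Application Data\othb.exe
O4 - HKLM\..\Run: [2EDJQQR467KL8M] C:\WINDOWS\System32\FqbOw5.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O15 - Trusted Zone: *.iframe.biz
O16 - DPF: {04BE9E78-471C-6C2A-45D7-34841BC323C4} - http://82.179.166.72/1/gdnUS208.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} -
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://example.com/example.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)
O23 - Service: Example Service - Example Corp - C:\WINDOWS\System32\exsvc.exe
"""


def _odd_name(name: str) -> bool:
    """Heuristic (my assumption, not an HJT rule): names that mix digits into
    letters or have almost no vowels tend to be generated (2EDJQQR467KL8M, Xsyzep).
    Legitimate names can trip it, so it only adds a reason to look."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", name)
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 4 or not letters:
        return False
    has_digit = any(c.isdigit() for c in stem)
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return has_digit or vowels <= len(letters) // 5


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every entry that deserves a second look.
    A line that is not returned is not thereby clean (see the note below)."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" ", 1)[0]          # R0, R1, R3, F2, O4, O15, O16, ...
        reason = None
        if kind in ("R0", "R1") and " = " in line:
            value = line.split(" = ", 1)[1].strip()
            if LOCAL_PATH.match(value):
                reason = "IE search/start setting points at a local file"
            elif IPV4_URL.match(value):
                reason = "IE search/start setting points at a raw-IP URL"
        elif kind == "R3" and line.endswith("(no file)"):
            reason = "orphaned URLSearchHook (registry entry, DLL gone)"
        elif kind == "F2" and "UserInit=" in line:
            parts = line.split("UserInit=", 1)[1].split(",")
            extras = [p.strip() for p in parts if p.strip().lower() not in ("", "userinit.exe")]
            if extras:
                reason = "extra program chained onto Userinit: " + ", ".join(extras)
        elif kind == "O4":
            m = re.match(r"O4 - .*?: \[(.*?)\]\s*(.*)$", line)
            name, cmd = (m.group(1), m.group(2)) if m else ("", line)
            base = BINARY.search(cmd)
            if cmd.lower().startswith("regsvr32") and "/u" in cmd.lower():
                reason = "Run key unregisters a DLL at every logon (leftover or disguised uninstall)"
            elif USER_WRITABLE.search(cmd):
                reason = "autorun from a user-writable profile directory"
            elif "?" in cmd:
                reason = "unprintable character in autorun path (HJT shows it as '?')"
            elif _odd_name(name) or (base and _odd_name(base.group(1))):
                reason = "random-looking autorun name"
        elif kind == "O15":
            reason = "site or IP range added to the IE Trusted zone (relaxed security)"
        elif kind == "O16":
            m = re.match(r"O16 - DPF: \{[^}]+\}(?: \(.*?\))? -\s*(.*)$", line)
            url = m.group(1).strip() if m else ""
            if not url:
                reason = "ActiveX (DPF) entry with no source URL"
            elif IPV4_URL.match(url):
                reason = "ActiveX download from a raw IP address"
            elif url.lower().endswith(".exe"):
                reason = "ActiveX entry pointing at a bare .exe"
        elif kind in ("O21", "O23") and "(file missing)" in line:
            reason = "registered service/shell object whose file is missing"
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Run as-is it reports 14 of the 19 sample entries. The two it lets through that the replies above still fixed, SearchUpgrader.exe and the dialer .cab controls, show the limit of this kind of filter: the rules catch structure (orphaned entries, raw-IP downloads, profile-directory autoruns, Userinit chaining, Trusted-zone additions), not reputation, which is why a reviewer reads the whole log rather than trusting an empty result.
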
  11. huney23451

    huney23451 Private E-2

    OK, I did the desktop, but when I got to the last step and tried to find those two files they were not there. And McAfee keeps finding that C:windows\system32\koneikcb.dll is infected by StartPage-EH and cannot be cleaned or deleted, so how do I get rid of that? And the backdoor-cfg one is still on the laptop; Stinger is not finding it, McAfee is, but it will not clean, delete or quarantine it. Here is the log for the desktop.
     

    Attached Files:

  12. huney23451

    huney23451 Private E-2

    The laptop also still has the backdoor-cfb in C:\windows\System32\msk.dll.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please let's work on only one PC at a time. Jumping back and forth will only cause confusion. Right now we are working on your Desktop.

    I assume the last HJT log was for your Desktop?


    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:windows\system32\koneikcb.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Then reboot in safe mode and use Windows Explorer to locate and delete
    C:windows\system32\koneikcb.dll
     
    Last edited: Dec 27, 2004
  14. huney23451

    huney23451 Private E-2

    OK, sorry about that. I tried the fix on the desktop, and when I hit Enter it says the library cannot be found or something like that, and when I tried to delete it, it would not let me. And I loaded Service Pack 2 and it's running like molasses again. Should I uninstall Service Pack 2 and just fix the virus and leave it alone?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Installing XP SP2 was a bad idea. The upgrade does not usually work very well when there are any malware issues present.

    When you tried to delete that file, were you in safe mode?

    See this and try to take ownership of the file:
    http://support.microsoft.com/?kbid=308421

    Then try to delete it.
     
  16. huney23451

    huney23451 Private E-2

    OK, I was able to take over the two files on the computers and delete them. The desktop is still running slow but is better, and the laptop is fast but loses connection to the router a lot; not sure if it's still spyware or what is up with it.

    But I wanted to thank you for helping me clear the junk off them.

    Tanya
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Explain what you mean that it loses connection to the router alot. What is it that you see at this time?
     
  18. huney23451

    huney23451 Private E-2

    They use AOL broadband and have two computers with a Linksys Wireless-G broadband router that is in the room with the desktop. The laptop is in the living room, not more than 10 feet away from it, but it seems to lose the connection a lot: it pops up and shows there is no connection to it, and then you have to restart the computer to get it to pull a new connection. It is a 2.4GHz router that shows there is still a connection in there, so not sure why it's dropping so much.

    And now on the laptop I am getting the blue screen of death after cleaning all those things off, not often but once in a while.

    Tanya
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you enable SSID broadcast?
    Did you enable the WEP key and use 128bits?

    This could be an issue that you should be discussing in the Networking Forum. It is more than likely not a spyware issue. Try changing the channel you are using on the Router and the Wireless card too. You may be getting interference from something.
     
