home search assistent, Agent.BF, Winshow.AN

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by isaac987, Jun 25, 2004.

  1. isaac987

    isaac987 Private E-2

    Just would like to ask you experts how to get rid of home search assistent. AVG Professional resident shield keeps giving me warnings of Downloader.Agent.BF and Downloader.Winshow.AN; are they related to home search assistent? They all appeared at the same time on my PC.

    I have tried Ad-aware, Spybot, A Squared, Bazooka, Coolwebshredder, Webroot Spy Sweeper etc. and they did not find anything. AVG told me to send them 2 files on my machine, WINDOWS\netat32.exe and WINDOWS\system32\ntwy.exe, in ZIP file format. I stupidly lost netat32.exe, so if anybody finds it send it to Grisoft in ZIP form. I did send ntwy.exe and they made an update which detects it, but I still can't seem to remove it for some reason :(

    I think this works for restoring your homepage and stopping search windows opening up (fingers crossed); at least it worked on mine, I have XP Home. Go to Explorer, Tools, Internet Options, Advanced Settings, and uncheck 'Enable third-party browser extensions (requires restart)'. Booted into safe mode, used Ad-aware & Spybot, then ran HijackThis and deleted all references to the res://whatever.. usually at top, first couple of columns. Restarted in safe mode, set my homepage back to the one I usually use & ran Ad-aware. Booted into normal start (slow and warning messages at first) and made sure to deny any requests to change homepage to what the trojan made it. Restarted in normal mode, ran Spybot & Ad-aware & Spy Sweeper and so far so good, worked for me anyway.

    I tried Advanced Uninstaller Pro to force remove home search assistent but no joy.

    Logfile of HijackThis v1.97.7
    Scan saved at 01:45:42, on 26/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\syseg32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kenneth Isaac Smith\My Documents\Ad+spyware remove\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {F6F83E73-6795-7320-16EC-4C0B4FB983E7} - C:\WINDOWS\ntxc32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [javabx.exe] C:\WINDOWS\javabx.exe
    O4 - HKLM\..\Run: [syseg32.exe] C:\WINDOWS\syseg32.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKLM\..\RunOnce: [msss32.exe] C:\WINDOWS\system32\msss32.exe
    O4 - HKLM\..\RunOnce: [d3cw.exe] C:\WINDOWS\d3cw.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37922.7316203704
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{100F8A78-0188-48B7-889B-36FC88E9D5B6}: NameServer = 195.92.195.94 195.92.195.95
    O17 - HKLM\System\CS1\Services\Tcpip\..\{100F8A78-0188-48B7-889B-36FC88E9D5B6}: NameServer = 195.92.195.94 195.92.195.95
    THANKS FOR YOUR TIME!!!!! (sorry post so long)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First let's try a simple approach before getting into the long one. From Control Panel, Add/Remove Programs see if you can uninstall Home Search Assistent and Winshow. I'm not sure how they will be named there or if they will even show.

    If that does not work, start reading through the following thread. It has worked many times.
    http://www.majorgeeks.com/vb/showthread.php?t=35165
     
  3. isaac987

    isaac987 Private E-2

    Hi Chas

    I have looked through that link but I have no idea what files to delete; the files on that link do not have the same names as they do on mine.

    Ran AVG 7 Professional in safe mode and found a few things, deleted them, and ran it in DOS as well; it found Winshow and removed it. I ran it again in safe mode and it finds nothing, but I still have the resident shield saying I have Downloader.Agent.BF (C:\WINDOWS\sdknc32.exe or d3pw32.exe or System\sdwy.exe etc. etc., an endless list of them!)

    I also still have Home Shopping Assistent, Search Extender, Shopping Wizard, and WebFldrs XP in my Add or Remove Programs list that won't uninstall even with Advanced Uninstaller Pro using forced removal; they still keep coming back.

    I have all the programs Ad-aware, Spybot, A Squared, Bazooka, HijackThis, Coolwebshredder, Spysweeper, and of course AVG 7 all updated to date.

    I have probably messed everything up with trying to fix it, but I did find a post that gave me back my homepage and things in general are a little better: go to Explorer, Tools, Internet Options, Advanced, then uncheck where it says 'Enable third-party browser extensions (requires restart)'; then into safe mode, use Spybot + Ad-aware + HijackThis and delete all references to the res://homepage (dll files), usually at top, first couple of columns. Restarted to safe mode again, changed my homepage back to my own homepage, then ran Ad-aware, Spybot etc.; normal start and denied all requests to change homepage back to the res://whatever; restarted in normal mode, ran Spybot and Ad-aware and Spysweeper and so far so good :)

    Also I have no idea what to delete in the Hijackthis log as I have no idea what files windows needs and what belong to the trojan.

    Logfile of HijackThis v1.97.7
    Scan saved at 00:06:58, on 27/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\syseg32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kenneth Isaac Smith\My Documents\Ad+spyware remove\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {F6F83E73-6795-7320-16EC-4C0B4FB983E7} - C:\WINDOWS\ntxc32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [javabx.exe] C:\WINDOWS\javabx.exe
    O4 - HKLM\..\Run: [syseg32.exe] C:\WINDOWS\syseg32.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKLM\..\RunOnce: [ipdl.exe] C:\WINDOWS\system32\ipdl.exe
    O4 - HKLM\..\RunOnce: [ieir32.exe] C:\WINDOWS\ieir32.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37922.7316203704
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{100F8A78-0188-48B7-889B-36FC88E9D5B6}: NameServer = 195.92.195.94 195.92.195.95
    O17 - HKLM\System\CS1\Services\Tcpip\..\{100F8A78-0188-48B7-889B-36FC88E9D5B6}: NameServer = 195.92.195.94 195.92.195.95

    THANKS FOR YOUR TIME!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you look for the Network Security Service as indicated in that link? If found did you note the path of the file it referred to and did you disable Network Security Service?

    The files in your log that are related to the original problem from your first HijackThis log were:
    O2 - BHO: (no name) - {F6F83E73-6795-7320-16EC-4C0B4FB983E7} - C:\WINDOWS\ntxc32.dll
    O4 - HKLM\..\Run: [javabx.exe] C:\WINDOWS\javabx.exe
    O4 - HKLM\..\Run: [syseg32.exe] C:\WINDOWS\syseg32.exe
    O4 - HKLM\..\RunOnce: [msss32.exe] C:\WINDOWS\system32\msss32.exe
    O4 - HKLM\..\RunOnce: [d3cw.exe] C:\WINDOWS\d3cw.exe

    There were two new ones added in the second log you posted:
    O4 - HKLM\..\RunOnce: [ipdl.exe] C:\WINDOWS\system32\ipdl.exe
    O4 - HKLM\..\RunOnce: [ieir32.exe] C:\WINDOWS\ieir32.exe

    Disconnect from the internet, boot in safe mode and look for all of these files (remember they may be hidden, as indicated in the Svengali thread I told you to look at) and delete them. Then fix the lines in the HijackThis log. Do you remember what the original R0 and R1 lines were before you started trying to fix things?
     
  5. isaac987

    isaac987 Private E-2

    Hi Chas!!

    That Network Security Service is a mystery to me; I don't seem to have it. I have XP Home and went to Start, Run, typed in services.msc, it went to Services (Local) and I looked for it but it does not exist?

    I have the show hidden files and folders enabled.

    The lines I deleted from the HijackThis log in my attempt to fix it and get my homepage back were:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main, Search Page = res://C:\WINDOWS\rgfry.dll/sp.html#35759
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:WINDOWS\rgfry.dll/sp.html#25759
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rgfry.dll/sp.html#35759

    I will wait for your advice again before doing what you told me below, by the way thanks for your time!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Issac,

    Go here to learn how to boot in safe mode if you don't know how: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    But do not boot in safe mode yet. I just want you to know how to do it because later you will not be connected to the internet to read how.
    All right, you may want to print this or save it to a text file on your PC before we get started, because from this point on I want you to remain disconnected from the internet physically (if you use an analog modem just disconnect; if you have a permanent connection like DSL or Cable Modem, disconnect the ethernet cable into your PC). DO NOT RECONNECT UNTIL I TELL YOU TO!

    1) Disable system restore: http://www.majorgeeks.com/vb/showthread.php?t=31668 and then reboot.
    2) Click Start, Run, and enter in the Open box: notepad C:\WINDOWS\rgfry.dll and hit ok
    3) In notepad hit CTRL-A to select all and then hit the delete key to delete everything.
    4) Now save the empty file, overwriting the same file name.
    5) Now using Windows Explorer right click on rgfry.dll and select Properties and change the attributes to Read Only and click OK.
    6) Setup Win XP search options by doing the following: Click Start, Search, All files and folders, select More advanced options, make sure the Search system folders, Search hidden files and folders, and Search subfolders options are selected.
    7) Now shutdown all applications you can and run HijackThis and have it fix (if still there, I'm listing things from both logs):
    O2 - BHO: (no name) - {F6F83E73-6795-7320-16EC-4C0B4FB983E7} - C:\WINDOWS\ntxc32.dll
    O4 - HKLM\..\Run: [javabx.exe] C:\WINDOWS\javabx.exe
    O4 - HKLM\..\Run: [syseg32.exe] C:\WINDOWS\syseg32.exe
    O4 - HKLM\..\RunOnce: [msss32.exe] C:\WINDOWS\system32\msss32.exe
    O4 - HKLM\..\RunOnce: [d3cw.exe] C:\WINDOWS\d3cw.exe
    O4 - HKLM\..\RunOnce: [ipdl.exe] C:\WINDOWS\system32\ipdl.exe
    O4 - HKLM\..\RunOnce: [ieir32.exe] C:\WINDOWS\ieir32.exe

    If you see an O4 line for rgfry.exe, delete it too.

    8) Boot in safe mode as indicated at the start.
    9) Delete the following files if found:
    C:\WINDOWS\ntxc32.dll
    C:\WINDOWS\javabx.exe
    C:\WINDOWS\syseg32.exe
    C:\WINDOWS\system32\msss32.exe
    C:\WINDOWS\d3cw.exe
    C:\WINDOWS\system32\ipdl.exe
    C:\WINDOWS\ieir32.exe

    I'm listing a few more to delete if you see them. They were not in your log but they are typical names used:
    C:\WINDOWS\addry32.exe
    C:\WINDOWS\system32\sysup32.exe
    C:\WINDOWS\system32\ipzn32.exe
    C:\WINDOWS\mfcfy.exe
    C:\WINDOWS\system32\ntht32.exe
    C:\WINDOWS\crtp.exe
    C:\WINDOWS\ipuk32.exe
    C:\WINDOWS\winyd32.exe
    C:\WINDOWS\apipq32.exe
    C:\WINDOWS\system32\sdkts32.exe

    Also look for all files being deleted in the c:\windows\prefetch folder too.
    If there, delete them.

    10) While in safe mode run HijackThis and fix any R0 and R1 lines (if there) that look like this problem.

    11) Right click on your Internet Explorer icon and select Properties. Set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files, select Delete all Offline content too, click OK. When it finishes click OK.

    12) Now run Ad-aware & SpyBot S&D and clean what they find.

    13) Go to Start > Run > regedit > Open HKEY_LOCAL_MACHINE\ SOFTWARE \ Microsoft\ Windows\ CurrentVersion \ Uninstall. Click the [+] next to uninstall. Scroll down until you see the NAMES of programs, not the numbers in {,}. Find:

    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of assistant is wrong)
    SA = Search Assistant
    SW = Shopping Wizzard

    To double check, on the left pane, it will say what they are. Highlight one at a time, and hit your delete key. Once you delete all three, you may exit.

    14) Now reconnect your ethernet cable or analog modem.
    15) Now reboot in normal mode and do not run anything but HijackThis; post a new log.
    16) Do some surfing and let's see how things look. If you run into a problem again, repost another HijackThis log.
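    Added example (editor's code, not posted by chaslang or isaac987): the two things the expert does by hand in posts #4 and #6 are (a) comparing consecutive HijackThis logs to spot entries the machine "mutated" in, and (b) turning the suspect O2/O4 lines into the list of files to delete in safe mode plus their Prefetch leftovers. The script below does both for the log format shown in this thread. The sample logs are constructed from the lines of the first two logs posted above; the flagging heuristic (HKLM RunOnce values, Run values named after a file that sits directly in the Windows or System32 directory, unnamed BHOs loaded from there) is an assumption distilled from this one infection, not a general rule, and the Prefetch wildcard stands in for the hash Windows appends to those file names.

```python
import ntpath
import re
from dataclasses import dataclass

# A HijackThis line is "<section> - <detail>", e.g. "O4 - HKLM\..\Run: [name] command".
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}|F\d)\s+-\s+(.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices\w*):\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO:\s+(?P<desc>.*?)\s+-\s+\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<path>.*)$")
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|ocx|com|scr))(?=[\s,]|$)", re.I)  # path up to space, comma or end
WINDOWS_DIRS = re.compile(r"^c:\\windows\\(system32\\)?[^\\]+$", re.I)      # file directly in Windows/System32

@dataclass(frozen=True)
class Entry:
    section: str
    detail: str

    def __str__(self):
        return f"{self.section} - {self.detail}"

def parse_log(text):
    """Keep the R0..R3 / F / O lines; headers and the process list are skipped."""
    return [Entry(m.group(1), m.group(2))
            for m in (LINE_RE.match(line.strip()) for line in text.splitlines()) if m]

def diff_logs(old_text, new_text):
    """(added, removed): entries only in the newer log and entries only in the older one."""
    old, new = set(parse_log(old_text)), set(parse_log(new_text))
    return sorted(new - old, key=str), sorted(old - new, key=str)

def image_path(entry):
    """The file an O2 (BHO) or O4 (autorun) entry loads; None for other sections."""
    if entry.section == "O2":
        m = O2_RE.match(entry.detail)
        return m.group("path").strip() if m else None
    if entry.section == "O4" and (m := O4_RE.match(entry.detail)):
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):                       # quoted image, e.g. "C:\...\qttask.exe" -atboottime
            return cmd[1:cmd.find('"', 1)]
        if cmd.lower().startswith("rundll32.exe "):   # RUNDLL32 loads the DLL named before the comma
            cmd = cmd[13:].lstrip()
        m = IMAGE_RE.match(cmd)
        return m.group(1) if m else None
    return None

def suspect_entries(entries):
    """Heuristic taken from this thread (assumption, not a general rule): HKLM RunOnce autostarts,
    Run values named after a file sitting directly in the Windows or System32 directory, and
    unnamed BHOs loaded from there. Vendor entries under Program Files are left alone."""
    flagged = []
    for e in entries:
        path = image_path(e)
        if path is None:
            continue
        in_windows = bool(WINDOWS_DIRS.match(path))
        if e.section == "O2" and e.detail.startswith("BHO: (no name)") and in_windows:
            flagged.append(e)
        elif e.section == "O4":
            m = O4_RE.match(e.detail)
            named_after_file = m.group("name").lower() == ntpath.basename(path).lower()
            if m.group(2) == "RunOnce" or (in_windows and named_after_file):
                flagged.append(e)
    return flagged

def removal_checklist(entries):
    """The three lists the thread works through: HijackThis lines to fix, files to delete in
    safe mode, and Prefetch entries (<IMAGE>.EXE-<hash>.pf; '*' stands in for the hash)."""
    flagged = suspect_entries(entries)
    files = list(dict.fromkeys(image_path(e) for e in flagged))   # dedupe, keep log order
    prefetch = ["C:\\WINDOWS\\Prefetch\\" + ntpath.basename(p).upper() + "-*.pf"
                for p in files if p.lower().endswith(".exe")]
    return {"hijackthis_lines": [str(e) for e in flagged], "files": files, "prefetch_patterns": prefetch}

# Constructed samples: the relevant lines from the two logs posted on 26 and 27 June.
LOG_JUNE_26 = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {F6F83E73-6795-7320-16EC-4C0B4FB983E7} - C:\WINDOWS\ntxc32.dll
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [javabx.exe] C:\WINDOWS\javabx.exe
O4 - HKLM\..\Run: [syseg32.exe] C:\WINDOWS\syseg32.exe
O4 - HKLM\..\RunOnce: [msss32.exe] C:\WINDOWS\system32\msss32.exe
O4 - HKLM\..\RunOnce: [d3cw.exe] C:\WINDOWS\d3cw.exe
"""
LOG_JUNE_27 = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F6F83E73-6795-7320-16EC-4C0B4FB983E7} - C:\WINDOWS\ntxc32.dll
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [javabx.exe] C:\WINDOWS\javabx.exe
O4 - HKLM\..\Run: [syseg32.exe] C:\WINDOWS\syseg32.exe
O4 - HKLM\..\RunOnce: [ipdl.exe] C:\WINDOWS\system32\ipdl.exe
O4 - HKLM\..\RunOnce: [ieir32.exe] C:\WINDOWS\ieir32.exe
"""

if __name__ == "__main__":
    added, removed = diff_logs(LOG_JUNE_26, LOG_JUNE_27)
    print("new since last log:", *map(str, added), sep="\n  ")
    print("gone since last log:", *map(str, removed), sep="\n  ")
    for key, items in removal_checklist(parse_log(LOG_JUNE_27)).items():
        print(key + ":", *items, sep="\n  ")
```

    Run against the two sample logs, the diff reports exactly what chaslang spotted by eye: the two old RunOnce values are gone and two freshly named ones have taken their place (the Spybot SDHelper BHO also shows up as new, which is why a diff is a prompt for review rather than a verdict). The checklist keeps the vendor entries in Program Files and returns only the Windows-directory images, so it will not hand a user a list that includes their AVG or NVIDIA autoruns.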
     
  7. isaac987

    isaac987 Private E-2

    Hi Chas

    My system restore was turned off anyway and I know how to get to safe mode. When I go to Start, Run, and type in C:\WINDOWS\rgfry.dll and hit OK it says that Windows cannot find it! So should I just skip that and carry on from part 6 onwards of your advice below?

    My homepage seems to be ok so far, been a few days now and it has not returned to res://rgfry.dll/index.html (is this because of what I did in hijackthis deleting those lines and is this why the rgfry.dll is missing?). I have had no popups belonging to simply the best which I think is related either and it does not open a second page when I'm searching with google, it used to open a second page with the address: www.lookfor.cc/index.php?pin=35759. What does happen though is that AVG resident shield keeps giving me warnings of Downloader.Agent.Bf with all kinds of different .exe files.

    So will I carry on from step 6 below? Thanks for your time!!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 18:42:15, on 27/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\syseg32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kenneth Isaac Smith\My Documents\Ad+spyware remove\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {F6F83E73-6795-7320-16EC-4C0B4FB983E7} - C:\WINDOWS\ntxc32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [javabx.exe] C:\WINDOWS\javabx.exe
    O4 - HKLM\..\Run: [syseg32.exe] C:\WINDOWS\syseg32.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKLM\..\RunOnce: [winsf32.exe] C:\WINDOWS\winsf32.exe
    O4 - HKLM\..\RunOnce: [winul32.exe] C:\WINDOWS\system32\winul32.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37922.7316203704
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{100F8A78-0188-48B7-889B-36FC88E9D5B6}: NameServer = 195.92.195.94 195.92.195.95
    O17 - HKLM\System\CS1\Services\Tcpip\..\{100F8A78-0188-48B7-889B-36FC88E9D5B6}: NameServer = 195.92.195.94 195.92.195.95
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You left off notepad; the command to enter in the Open box is "notepad C:\WINDOWS\rgfry.dll" without the quotes. If that still does not work because you cannot find the file, do a file search to see if you can find it anywhere on your PC.

    If you do find it follow the previous steps (noting the directory change for that file).
    If you don't find it, continue from step 6 as you thought. BUT you need to add two more HijackThis lines to fix and two more filenames now to the delete list, because your system mutated again. The new HijackThis lines are:
    O4 - HKLM\..\RunOnce: [winsf32.exe] C:\WINDOWS\winsf32.exe
    O4 - HKLM\..\RunOnce: [winul32.exe] C:\WINDOWS\system32\winul32.exe

    and the new filenames coming from the HijackThis lines are:
    C:\WINDOWS\winsf32.exe
    C:\WINDOWS\system32\winul32.exe
     
  9. isaac987

    isaac987 Private E-2

    Hi Chas!

    So far so good; been surfing a while and no AVG resident shield warnings, no popups, no pages opening up when I do a search, nothing now found when I run an AVG full test etc. So far it seems fine, but I have to give it time to see if anything happens, keeping my fingers crossed.

    Sorry, I'm not very bright; I forgot the 'notepad' bit, so typed in notepad C:\WINDOWS\rgfry.dll and it came up with 'file not found, do you want to create it' and I said 'no' and carried on to step 6 of your advice.

    Ran HijackThis and only found 3 lines from the list you gave me and deleted them:
    O2 - BHO: (no name) - {F6F83E73-6795-7320-16EC-4C0B4FB983E7} - C:\WINDOWS\ntxc32.dll
    O4 - HKLM\..\Run: [javabx.exe] C:\WINDOWS\javabx.exe
    O4 - HKLM\..\Run: [syseg32.exe] C:\WINDOWS\syseg32.exe

    Checked for the new lines you told me to delete from my last log and they were not there also checked for a line with rgfry on it and it was not there.

    Booted into safe mode and looked for all those files and didn't find a single one of them; searched manually and with Windows search with advanced options selected etc. Looked in the prefetch folder and none of those files existed there either.

    Ran HijackThis while still in safe mode and no R0 or R1 lines that looked suspicious.

    Right clicked on Explorer and my homepage was fine; deleted cookies, offline files etc.

    Ran Spybot and nothing, then Ad-aware and it found 3 registry entries which it deleted!

    I went to regedit and looked for the names HSA, SA and SW and they did not exist. I remember looking and finding them there when I was in normal mode, except on mine it was HSA, SE (search extender), and SW.

    I booted back into normal mode and no warnings about missing files when Windows loaded up. I made another HijackThis log, and so far everything is fine!! :) PS THANKS FOR YOUR TIME!!!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 21:03:05, on 27/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Documents and Settings\Kenneth Isaac Smith\My Documents\Ad+spyware remove\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37922.7316203704
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Issac, you're welcome. The new log looks good! Let's keep it that way. ;)
     
