HSA (Only the Best) and systj32.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dmb06851, Sep 19, 2005.

  1. dmb06851

    dmb06851 Specialist

    Some days ago ZoneAlarm started telling me, on XP Home, that "systj32.exe was trying to access the internet". This has happened quite a few times. There was also a separate alert which mentioned "glb3.tmp", but I saw this only once.
    Since I don't know what systj32.exe is I have denied access.

    "Only the Best" has appeared on my system too but I can't say whether this was coincidental with the start of systj32.exe's attempts to access the net.

    I have read "When all else fails - Generic Solution to HSA (Only the Best) & About:Blank hijack" and followed the instructions, as follows.

    Bit Defender in normal mode (I can't connect to the net in Safe mode) says everything is clean.

    First scan with RavAntivirus produced this:

    Scan started at 18/09/2005 22:51:54

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\David Bridgen\My Documents\Graphics\pixie.exe->(UPXW) - Win32/Gigex.A@mm -> Suspicious
    C:\Program Files\Nattyware\Pixie\pixie.exe->(UPXW) - Win32/Gigex.A@mm -> Suspicious
    C:\Program Files\WinRAR\Uninstall.exe - Backdoor:Win32/Poebot.E -> Suspicious

    Scanned
    ============================
    Objects: 141457
    Directories: 8429
    Archives: 4307
    Size(Kb): -470849
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 3
    Disinfected files: 0
    Mail files: 724


    While that scan was being executed ZoneAlarm warned of "Dangerous Behaviour" "c:\windows\system32\systj32.exe (systj32.exe) event=2 subevent=2 class=2" ..... whatever that means. I denied it.


    The "pixie" mentioned is the colour identifying application - apparently there are other applications too.
    I uninstalled it and then deleted the Nattyware folder. I forgot about the thing in WinRAR folder.

    I then scanned with Bit Defender again. Clean.

    And then with RavAntivirus again. The report was as follows:



    Scan started at 19/09/2005 14:53:42

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Program Files\WinRAR\Uninstall.exe - Backdoor:Win32/Poebot.E -> Suspicious

    Scanned
    ============================
    Objects: 141267
    Directories: 8382
    Archives: 4302
    Size(Kb): -532743
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 725




    I uninstalled WinRAR and then deleted its folder with whatever else was left in it.

    During this second RavAntivirus scan I had another alert from ZoneAlarm that systj32.exe was trying to gain access to the internet. I denied it.

    I then ran Stinger. Clean.

    And then CCleaner.

    And then AdAware SE Plus (plus VX2).

    The log for that run is as follows:




    Ad-Aware SE Build 1.06r1
    Logfile Created on:19 September 2005 21:29:19
    Using definitions file:SE1R66 14.09.2005
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    CoolWebSearch(TAC index:10):25 total references
    MRU List(TAC index:0):2 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for negligible risk entries
    Set : Search for low-risk threats
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Ignore spanned files when scanning cab archives
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Block pop-ups aggressively
    Set : Automatically select problematic objects in results lists
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Show splash screen
    Set : Backup current definitions file before updating
    Set : Play sound at scan completion if scan locates critical objects


    19-09-2005 21:29:19 - Scan started. (Full System Scan)

    MRU List Object Recognized!
    Location: : C:\Documents and Settings\David Bridgen\recent
    Description : list of recently opened documents


    MRU List Object Recognized!
    Location: : S-1-5-21-1123561945-1957994488-1060284298-1004\software\microsoft\windows media\wmsdk\general
    Description : windows media sdk


    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ProcessID : 348
    ThreadCreationTime : 19-09-2005 10:25:40
    BasePriority : Normal


    #:2 [csrss.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 408
    ThreadCreationTime : 19-09-2005 10:25:47
    BasePriority : Normal


    #:3 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 432
    ThreadCreationTime : 19-09-2005 10:25:48
    BasePriority : High


    #:4 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 476
    ThreadCreationTime : 19-09-2005 10:25:49
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : services.exe

    #:5 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 488
    ThreadCreationTime : 19-09-2005 10:25:50
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : lsass.exe

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 632
    ThreadCreationTime : 19-09-2005 10:25:52
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:7 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 692
    ThreadCreationTime : 19-09-2005 10:25:52
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:8 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 748
    ThreadCreationTime : 19-09-2005 10:25:53
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:9 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 816
    ThreadCreationTime : 19-09-2005 10:25:54
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:10 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 840
    ThreadCreationTime : 19-09-2005 10:25:54
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:11 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1132
    ThreadCreationTime : 19-09-2005 10:26:03
    BasePriority : Normal
    FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    ProductVersion : 5.1.2600.2696
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : spoolsv.exe

    #:12 [d3wt.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1296
    ThreadCreationTime : 19-09-2005 10:26:07
    BasePriority : Normal


    #:13 [avgamsvr.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 1316
    ThreadCreationTime : 19-09-2005 10:26:09
    BasePriority : Normal
    FileVersion : 7,1,0,321
    ProductVersion : 7.1.0.321
    ProductName : AVG Anti-Virus System
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Alert Manager
    InternalName : avgamsvr
    LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
    OriginalFilename : avgamsvr.EXE

    #:14 [avgupsvc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 1368
    ThreadCreationTime : 19-09-2005 10:26:11
    BasePriority : Normal
    FileVersion : 7,1,0,321
    ProductVersion : 7.1.0.321
    ProductName : AVG 7.0 Anti-Virus System
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Update Service
    InternalName : avgupsvc
    LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
    OriginalFilename : avgupdsvc.EXE

    #:15 [sagent2.exe]
    FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
    ProcessID : 1424
    ThreadCreationTime : 19-09-2005 10:26:13
    BasePriority : Normal
    FileVersion : 2, 2, 0, 0
    ProductVersion : 1, 0, 0, 0
    ProductName : EPSON Bidirectional Printer
    CompanyName : SEIKO EPSON CORPORATION
    FileDescription : EPSON Printer Status Agent
    InternalName : SAgent2
    LegalCopyright : Copyright (C) SEIKO EPSON CORP. 2000-2001
    OriginalFilename : SAgent2.exe

    #:16 [gcasserv.exe]
    FilePath : C:\Program Files\Microsoft AntiSpyware\
    ProcessID : 1500
    ThreadCreationTime : 19-09-2005 10:26:14
    BasePriority : Idle
    FileVersion : 1.00.0615
    ProductVersion : 1.00.0615
    ProductName : Microsoft AntiSpyware (Beta 1)
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft AntiSpyware Service
    InternalName : gcasServ
    LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
    LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet(tm) is a trademark of Microsoft Corporation.
    OriginalFilename : gcasServ.exe

    #:17 [tcpsvcs.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1504
    ThreadCreationTime : 19-09-2005 10:26:14
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : TCP/IP Services Application
    InternalName : TCPSVCS.EXE
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : TCPSVCS.EXE

    #:18 [snmp.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1548
    ThreadCreationTime : 19-09-2005 10:26:16
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : SNMP Service
    InternalName : snmp.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : snmp.exe

    #:19 [gcasdtserv.exe]
    FilePath : C:\Program Files\Microsoft AntiSpyware\
    ProcessID : 1644
    ThreadCreationTime : 19-09-2005 10:26:19
    BasePriority : Normal
    FileVersion : 1.00.0615
    ProductVersion : 1.00.0615
    ProductName : Microsoft AntiSpyware (Beta 1)
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft AntiSpyware Data Service
    InternalName : gcasDtServ
    LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
    LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet(tm) is a trademark of Microsoft Corporation.
    OriginalFilename : gcasDtServ.exe

    #:20 [wrsssdk.exe]
    FilePath : C:\Program Files\Webroot\Spy Sweeper\
    ProcessID : 1648
    ThreadCreationTime : 19-09-2005 10:26:19
    BasePriority : Normal
    FileVersion : 1,0,3,232
    ProductVersion : 1, 0
    ProductName : Spy Sweeper SDK
    CompanyName : Webroot Software, Inc.
    FileDescription : Spy Sweeper SDK
    LegalCopyright : Copyright (C) 2002 - 2004, All Rights Reserved.
    LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.
    OriginalFilename : SpySweeper.exe

    #:21 [pupxpman.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 276
    ThreadCreationTime : 19-09-2005 10:26:55
    BasePriority : Normal
    FileVersion : 1.04.0347
    ProductVersion : 1.04.0347
    ProductName : PwrUpManager
    CompanyName : ashampoo GmbH & Co. KG
    FileDescription : Ashampoo PowerUp XP
    InternalName : pupxpman
    LegalCopyright : ashampoo GmbH & Co. KG
    OriginalFilename : pupxpman.exe

    #:22 [jusched.exe]
    FilePath : C:\Program Files\Java\jre1.5.0_04\bin\
    ProcessID : 596
    ThreadCreationTime : 19-09-2005 10:27:00
    BasePriority : Normal


    #:23 [ctfmon.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 924
    ThreadCreationTime : 19-09-2005 10:27:07
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : CTFMON.EXE

    #:24 [drst.exe]
    FilePath : C:\Program Files\SpeedTouch\Dr SpeedTouch\
    ProcessID : 1008
    ThreadCreationTime : 19-09-2005 10:27:09
    BasePriority : Normal


    #:25 [wkcalrem.exe]
    FilePath : C:\Program Files\MSWorks\Calendar\
    ProcessID : 2304
    ThreadCreationTime : 19-09-2005 10:28:28
    BasePriority : Normal
    FileVersion : 1,0,1,1921
    ProductVersion : 1,0,1,1921
    ProductName : Microsoft Works
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft Works Calendar Advise/Reminder Server
    InternalName : Advise Server
    LegalCopyright : Copyright © 1998
    OriginalFilename : WKCALREM.EXE

    #:26 [sgmain.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ProcessID : 2428
    ThreadCreationTime : 19-09-2005 10:28:42
    BasePriority : Normal
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    ProductName : SpywareGuard
    FileDescription : SpywareGuard
    InternalName : sgmain
    LegalCopyright : Copyright (C) 2002-2003 Javacool Software LLC
    OriginalFilename : sgmain.exe
    Comments : SpywareGuard

    #:27 [sgbhp.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ProcessID : 2512
    ThreadCreationTime : 19-09-2005 10:29:20
    BasePriority : Normal
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    ProductName : SG Browser Hijacking Protection
    FileDescription : SG Browser Hijacking Protection
    InternalName : sgbhp
    LegalCopyright : Copyright (C) 2002-2003 Javacool Software LLC.
    OriginalFilename : sgbhp.exe
    Comments : SG Browser Hijacking Protection

    #:28 [mantispm.exe]
    FilePath : C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\
    ProcessID : 2840
    ThreadCreationTime : 19-09-2005 10:30:26
    BasePriority : Normal
    FileVersion : 4, 7, 0, 5831
    ProductVersion : 4, 7, 0, 5831
    FileDescription : Spam Filter
    InternalName : mantispm.exe
    LegalCopyright : (c) 2002-2004
    OriginalFilename : mantispm.exe

    #:29 [alg.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 2920
    ThreadCreationTime : 19-09-2005 10:30:34
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Application Layer Gateway Service
    InternalName : ALG.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : ALG.exe

    #:30 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 2184
    ThreadCreationTime : 19-09-2005 10:48:50
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:31 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ProcessID : 2412
    ThreadCreationTime : 19-09-2005 11:02:52
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : IEXPLORE.EXE

    #:32 [findfast.exe]
    FilePath : C:\Program Files\Microsoft Office\Office\
    ProcessID : 2912
    ThreadCreationTime : 19-09-2005 17:31:34
    BasePriority : Normal


    #:33 [explorer.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 4644
    ThreadCreationTime : 19-09-2005 17:41:24
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : EXPLORER.EXE

    #:34 [wscntfy.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 6140
    ThreadCreationTime : 19-09-2005 20:21:00
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Security Center Notification App
    InternalName : wscntfy.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : wscntfy.exe

    #:35 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Plus\
    ProcessID : 4584
    ThreadCreationTime : 19-09-2005 20:28:39
    BasePriority : Normal
    FileVersion : 6.2.0.237
    ProductVersion : SE 106
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft AB Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 2


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 3


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 3


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 3



    Deep scanning and examining files (C:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 3


    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\urlsearchhooks

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\hsa

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\hsa
    Value : UninstallString

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\se

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\se
    Value : UninstallString

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\sw

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\sw
    Value : UninstallString

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
    Value : Start

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
    Value : ErrorControl

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
    Value : ImagePath

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
    Value : DisplayName

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
    Value : ObjectName

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
    Value : FailureActions

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\downloadmanager

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Enable Browser Extensions

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\new windows
    Value : PopupMgr

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Search Page

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft
    Value : set

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : Search Bar

    CoolWebSearch Object Recognized!
    Type : RegData
    Data : no
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Use Search Asst
    Data : no

    CoolWebSearch Object Recognized!
    Type : RegData
    Data : about:blank
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Start Page
    Data : about:blank

    CoolWebSearch Object Recognized!
    Type : RegData
    Data : no
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : Use Search Asst
    Data : no

    CoolWebSearch Object Recognized!
    Type : RegData
    Data : about:blank
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : Start Page
    Data : about:blank

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 24
    Objects found so far: 27

    21:57:44 Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:28:24.691
    Objects scanned:238597
    Objects identified:25
    Objects ignored:0
    New critical objects:25




    I then ran the other programs mentioned in the "How to".


    So, I'm still stuck with "Only the Best".

    I have read "When all else fails - Generic Solution to HSA (Only the Best) & About:Blank hijack" but it's above my head.

    As you say " ... HijackThis ... is for advanced users, so if you do not understand how to use it, you do not need it...."

    Can someone help please?

    And what is systj32.exe? Good. Bad. If the latter, how do I get rid of it?
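The Ad-Aware log above is long, and the two things worth pulling out of it by eye (which running processes carry no version resource, and which registry objects were flagged) are easy to automate. The parser below is an added example written for this page, not part of the thread and not Lavasoft's code; it works on the Ad-Aware SE 1.06 layout shown above and runs on a constructed, shortened excerpt in the same layout (the records are stand-ins, not copied from the posted log).

```python
import re
from collections import Counter

# Constructed excerpt in the layout of an Ad-Aware SE 1.06 log. The records are
# shortened stand-ins for the kind of log posted above, not copied from it.
SAMPLE_LOG = r"""
Listing running processes

#:1 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 476
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
CompanyName : Microsoft Corporation

#:2 [d3wt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1296
BasePriority : Normal

#:3 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_04\bin\
ProcessID : 596

Started registry scan

CoolWebSearch Object Recognized!
Type : Regkey
TAC Rating : 10
Category : Malware
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
TAC Rating : 10
Category : Malware
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Start Page

MRU List Object Recognized!
Location: : C:\Documents and Settings\user\recent
Description : list of recently opened documents
"""

PROC_HEADER = re.compile(r"^#:(\d+) \[(.+)\]$")
OBJECT_HEADER = re.compile(r"^(.+?) Object Recognized!$")
# "Key : value"; also tolerates the "Location: : value" spelling Ad-Aware uses.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:?\s*:\s*(.*)$")
# Lower-cased prefixes under which the log reports OS binaries.
WINDOWS_DIRS = ("c:\\windows\\", "\\systemroot\\", "\\??\\c:\\windows\\")


def parse_adaware_log(text):
    """Split the log into process records and recognized-object records.
    Each record is a dict keyed by the field names Ad-Aware prints; a blank
    line closes the record currently being filled."""
    processes, objects, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        if m := PROC_HEADER.match(line):
            current = {"index": int(m.group(1)), "image": m.group(2)}
            processes.append(current)
        elif m := OBJECT_HEADER.match(line):
            current = {"family": m.group(1)}
            objects.append(current)
        elif (m := FIELD.match(line)) and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return processes, objects


def unattributed_windows_processes(processes):
    """Images running from the Windows directory for which Ad-Aware printed no
    version resource (no CompanyName / FileVersion). Genuine OS binaries
    nearly always carry one, so this is a triage list, not a verdict."""
    hits = []
    for proc in processes:
        path = proc.get("FilePath", "").lower()
        if any(path.startswith(d) for d in WINDOWS_DIRS) \
                and "CompanyName" not in proc and "FileVersion" not in proc:
            hits.append(path + proc["image"].lower())
    return hits


def summarize_objects(objects):
    """Count recognized objects per family and, for registry items, per root key."""
    by_family = Counter(obj["family"] for obj in objects)
    by_root = Counter(obj["Rootkey"] for obj in objects if "Rootkey" in obj)
    return by_family, by_root


def hijacked_ie_values(objects):
    """Values under Internet Explorer\\Main that the scan flagged: the
    start/search-page settings a browser hijacker rewrites."""
    return sorted(obj["Value"] for obj in objects
                  if "Value" in obj and obj.get("Object", "").endswith("internet explorer\\main"))


if __name__ == "__main__":
    procs, objs = parse_adaware_log(SAMPLE_LOG)
    print("no version info:", unattributed_windows_processes(procs))
    print("by family / root:", summarize_objects(objs))
    print("IE Main values flagged:", hijacked_ie_values(objs))
```

On the full log posted above, the version-resource check also lists smss.exe, csrss.exe and winlogon.exe, which Ad-Aware cannot read because they are protected system processes; that is why the result is a list to compare against known names, and in this thread the name that does not belong, d3wt.exe, is the one chaslang identifies as part of the hijacker.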
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The systj32.exe is part of the HSA hijacker. And so is another process shown in your Ad-Aware log:
    Did you do step 2 of the READ ME FIRST? If not, please do so.
    Did you also run about:Buster and HSremove where indicated? If not, please do so.
    And then continue with below.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. dmb06851

    dmb06851 Specialist

    Regarding step 2 .....

    Workstation NetLogon Service is present.
    Right clicking produces a notice:

    Services.
    Configuration Manager: A required entry in the register is missing or an attempt to write to the registry failed.

    Then, after clicking on OK:

    Services.
    The system cannot find the file specified.



    about:Buster .....

    Pressing Update produces "Run-time error '5': Invalid procedure call or argument".
    I have deleted all three files and re-downloaded from all the download sites you list - the author's doesn't work - but I still get the same results.


    HSremove runs ok. Nothing found.


    A new (today) problem is AVG Resident Shield telling me that a virus has been detected:

    "windows\system32\vwlsl.dll
    Trojan horse Startpage. 19A0"

    I click the "Heal" button, the program heals it but it reappears.



    The HijackThis file is attached.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must make sure you put about:Buster in its own folder with no other programs installed there.

    I find it strange that HSremove would indicate nothing found. It has a bug and always finds 8 problems even on clean systems.

    You need to disable Spybot - Search & Destroy's TeaTimer as it will get in our way.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    Now quit Spybot!

    I do not see the correct O16 lines for BitDefender and RavAntivirus being in your HJT log. Did you edit your HJT log or are you using HJT filtering to hide known lines? Are you sure they were run completely? Some Bitdefender info shows in the O9 section but not in the O16 section.
     
    Last edited: Sep 20, 2005
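The checks chaslang makes on a HijackThis log (do any R0/R1 settings point at a res:// DLL resource, which O4 Run entries launch from the Windows directory, and are the O16 entries for the BitDefender and RAV online scanners present) can be scripted against the log's one-entry-per-line format. The following is an added example written for this page, not code from the thread or from HijackThis itself; it runs on constructed sample lines in HijackThis 1.99 format whose CLSIDs, file names and hosts are placeholders (`example*` names, `.invalid` domains), not values from the attached log.

```python
import re

# Constructed lines in HijackThis 1.99 log format mirroring the entry kinds
# discussed in this thread. CLSIDs, file names and hosts are placeholders,
# not values taken from the attached log.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\example.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.invalid/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\example.dll
O4 - HKLM\..\Run: [example32.exe] C:\WINDOWS\system32\example32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Reboot.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {00000000-0000-0000-0000-000000000002} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00000000-0000-0000-0000-000000000003} (BDSCANONLINE Control) - http://download.bitdefender.invalid/oscan8.cab
"""

ENTRY = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")


def parse_hjt(text):
    """One dict per HJT entry: its section code (R0, O4, O16, ...) and body."""
    entries = []
    for line in text.splitlines():
        if m := ENTRY.match(line.strip()):
            entries.append({"section": m["section"], "body": m["body"]})
    return entries


def res_hijacked_settings(entries):
    """R0/R1 settings whose target is a res:// URL, i.e. an IE start or search
    page served out of a local DLL resource: the signature of the about:blank
    / HSA hijack shown in this thread."""
    hits = []
    for e in entries:
        if e["section"] in ("R0", "R1") and " = " in e["body"]:
            setting, target = e["body"].split(" = ", 1)
            if target.lower().startswith("res://"):
                hits.append(setting)
    return hits


def run_entries_under(entries, prefix="c:\\windows\\"):
    """O4 Run entries whose command launches from the given directory prefix.
    Legitimate programs start from there too, so compare the names against
    what you know is installed rather than treating every hit as malicious."""
    hits = []
    for e in entries:
        if e["section"] != "O4":
            continue
        m = RUN_ENTRY.match(e["body"])
        if m and m["command"].lower().startswith(prefix):
            hits.append(m["name"])
    return hits


def online_scanner_controls(entries, vendors=("bitdefender", "ravantivirus")):
    """For each vendor keyword, whether an O16 (downloaded ActiveX control)
    entry mentions it: the check used above to tell whether the BitDefender
    and RAV online scanners actually ran on the machine."""
    o16 = " ".join(e["body"].lower() for e in entries if e["section"] == "O16")
    return {vendor: vendor in o16 for vendor in vendors}


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT)
    print(len(entries), "entries")
    print("res:// hijacked settings:", res_hijacked_settings(entries))
    print("Run entries under C:\\WINDOWS:", run_entries_under(entries))
    print("online scanner O16 present:", online_scanner_controls(entries))
```

The sample deliberately carries a BitDefender O9 line but no RAV O16 line, so the last check reports `ravantivirus` as absent: an O9 button only shows the uninstaller shortcut was registered, while the O16 entry is what the downloaded scanner control leaves behind.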
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\sysbm.exe
    C:\WINDOWS\system32\d3wt.exe


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vwlsl.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vwlsl.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vwlsl.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vwlsl.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vwlsl.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vwlsl.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vwlsl.dll/sp.html#10001
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {5401DC8A-1A4C-4EDC-9555-CC66BBEDCDF4} - C:\WINDOWS\iepm.dll
    O4 - HKLM\..\Run: [ipny.exe] C:\WINDOWS\ipny.exe
    O4 - HKLM\..\Run: [systj32.exe] C:\WINDOWS\system32\systj32.exe
    O4 - HKLM\..\Run: [sysbm.exe] C:\WINDOWS\system32\sysbm.exe
    O4 - Startup: Reboot.exe
    O4 - Global Startup: Reboot.exe
    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O15 - Trusted Zone: http://www.davidbridgen.com

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\iepm.dll
    C:\WINDOWS\ipny.exe
    C:\WINDOWS\system32\systj32.exe
    C:\WINDOWS\system32\sysbm.exe
    C:\WINDOWS\system32\d3wt.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log.

    Do not power down or reboot your PC after posting this HJT log. HSA hijackers can mutate and spread at power down and reboots. So any kind of reboot could make the symptoms change and make any suggested fixes incorrect.
     
  6. dmb06851

    dmb06851 Specialist

    Thank you Chas for your last two posts in this thread.

    Regarding the penultimate one.
    Okay, about:Buster is now in its own folder.
    Yes, HSremove did report "8 items removed" when run again. I think I misread the results the first time.
    Spybot's TeaTimer is now disabled.
    No, I didn't edit the HJT log. I wouldn't be so presumptuous. And yes, I am sure that Bit Defender and RavAntivirus ran completely. I haven't selected any HJT filtering.

    Regarding your last post.
    Sorry, I'm using XP Home and System Restore is disabled and viewing of hidden files is enabled.

    I did another scan according to the READ ME FIRST tutorial but in normal mode again since I can't connect to the Internet in safe mode.

    Bit Defender, no problems found.

    RAVAntivirus. No viruses.

    Stinger. Clean.

    Disconnected from Internet.

    CCleaner run.

    AdAware run. Nasty items deleted.

    VX2 run. System clean.

    Spybot run. 6 problems fixed.

    CWshredder run. CoolWeb not found.

    Kill2me run. ..... after which My Documents was opened. Why?

    about:Buster run after downloading the missing 'comctl32.ocx' file. No ads found. No files found.
    But note that I couldn't update beforehand. I was advised that "An error has occurred while updating."

    HSremove run.
    Six processes "Done", and the phantom "8 items removed." Removal complete.

    Then I ran HJT again.
    I couldn't see two of the O4 entries referred to in your post.

    Then rebooted in safe mode.

    I couldn't see c:\windows\iepm.dll, c:\windows\ipny.exe, or c:\windows\system32\sysbm.exe.

    I had previously deleted c:\windows\system32\systj32.exe after you said that it was part of the HSA hijacker.

    I then ran CCleaner again, deleted the prefetch files, reset the web settings and rebooted normally.

    The subsequent HJT log is attached.

    Thank you for your perseverance Chas.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I hope you followed my instructions and did not power down or reboot after posting your log. If you did not, the below may be a waste of time.

    One of the Services mentioned in step 2 of the READ ME FIRST is now running:
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipzx.exe

    You need to follow the instructions in step 2 of the READ ME to stop and disable this service. In fact I will repeat them here and also add some more steps to use HJT to delete the service.


    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Remote Procedure Call (RPC) Helper ...then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Remote Procedure Call (RPC) Helper

    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    The short name actually begins with a space character so make sure you type the space before cutting and pasting in the string. You will need to cut and paste the short name since the characters are not easily typed.

    Now exit HijackThis.

    Now restart HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\system32\ipzx.exe
    C:\WINDOWS\system32\ipfv32.exe


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):

    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {B2561711-375A-C5C2-DBF9-4F87C6CDEC0E} - C:\WINDOWS\system32\javafr.dll
    O4 - HKLM\..\Run: [ipfv32.exe] C:\WINDOWS\system32\ipfv32.exe
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipzx.exe



    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete the files below (sort the listing in Windows Explorer by modification date and look for other similarly named files from the same date - let me know if you find others. If not sure whether they are bad or good, do nothing except write the filenames down and tell me what they are later.):
    C:\WINDOWS\system32\javafr.dll
    C:\WINDOWS\system32\ipfv32.exe
    C:\WINDOWS\system32\ipzx.exe


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Now use the same procedure as above to try to delete any files that would not delete in the above step. Note any that still do not delete and continue.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact, as an additional measure, run Ccleaner, which you installed while running the READ ME FIRST.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:Buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot into normal mode.)

    - Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.

    Do not power down or reboot your PC after posting this HJT log. Make sure to acknowledge these instructions so I know that you will not be rebooting or powering down.
     
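    The posts above work from HijackThis (HJT) log lines by eye: res:// search-page redirects into a randomly named DLL, a BHO registered only as "Class", Run entries named after short random executables, and an O23 service with "Unknown owner". The following is an added triage helper, not code from this thread or from HijackThis, that applies those same indicators to log text and collects the file paths they point to for manual checking. The regexes and the RANDOM_EXE heuristic are this editor's assumptions; the sample log is built from lines quoted in the thread plus one constructed benign SpywareGuard entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators as they appear in the HJT logs quoted in this thread (heuristics,
# not a complete signature set; every hit still needs a human look):
#  - R0/R1 IE start/search values redirected to res://<random>.dll/sp.html#NNNN
#  - R3 "Default URLSearchHook is missing"
#  - O2 BHO registered with the placeholder name "Class" (or no name)
#  - O4 Run entries whose name is just the file name of a short random .exe
#  - O23 services with "Unknown owner" (the "RPC Helper" service in the thread)
RES_SP_HTML = re.compile(r"res://(?P<dll>[^/\s]+\.dll)/sp\.html#\d+", re.I)
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
O4_RUN = re.compile(r"^O4 - HK[LC][MU]\\\.\.\\Run: \[(?P<entry>[^\]]+)\] (?P<path>.+)$", re.I)
# Service name may itself contain parentheses, so the short name is the last
# parenthesised group without any parentheses inside it.
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+) \((?P<short>[^()]*)\) - (?P<owner>.+?) - (?P<path>.+)$", re.I)
RANDOM_EXE = re.compile(r"^[a-z0-9]{3,8}(32)?\.exe$", re.I)  # assumed heuristic


@dataclass
class Finding:
    line: str
    reason: str
    artifact: Optional[str]  # file path the line points to, if any


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None if it looks unremarkable."""
    line = line.strip()
    if not line:
        return None
    tag = line.split(" ", 1)[0]
    if tag in ("R0", "R1"):
        m = RES_SP_HTML.search(line)
        if m:
            return Finding(line, "IE start/search value points at a res:// page inside a DLL", m.group("dll"))
        return None
    if tag == "R3" and "URLSearchHook is missing" in line:
        return Finding(line, "default URLSearchHook removed (side effect of the hijack)", None)
    if tag == "O2":
        m = O2_BHO.match(line)
        if m and m.group("name").strip().lower() in ("class", "(no name)"):
            return Finding(line, "BHO registered with a placeholder name", m.group("path"))
        return None
    if tag == "O4":
        m = O4_RUN.match(line)
        if m:
            entry, path = m.group("entry"), m.group("path")
            base = path.replace("/", "\\").rsplit("\\", 1)[-1]
            if RANDOM_EXE.match(entry) and entry.lower() == base.lower():
                return Finding(line, "Run entry named after a short random .exe", path)
        return None
    if tag == "O23":
        m = O23_SVC.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            return Finding(line, "service with unknown owner: %r" % m.group("name"), m.group("path"))
        return None
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def delete_candidates(findings: List[Finding]) -> List[str]:
    """Unique file paths the flagged lines point to, to verify before deleting."""
    return sorted({f.artifact for f in findings if f.artifact}, key=str.lower)


# Sample log: lines quoted in this thread plus one constructed benign O4 entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vwlsl.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vwlsl.dll/sp.html#10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5401DC8A-1A4C-4EDC-9555-CC66BBEDCDF4} - C:\WINDOWS\iepm.dll
O4 - HKLM\..\Run: [ipny.exe] C:\WINDOWS\ipny.exe
O4 - HKLM\..\Run: [systj32.exe] C:\WINDOWS\system32\systj32.exe
O4 - HKLM\..\Run: [SpywareGuard] C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipzx.exe
"""

if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for f in hits:
        print("%-55s | %s" % (f.reason, f.line))
    print("\nPaths to verify (then delete from safe mode, per the thread):")
    for p in delete_candidates(hits):
        print("  " + p)
```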
  8. dmb06851

    dmb06851 Specialist

    Sorry Chas, I did reboot after posting the last HJT log so I guess that negates what you said in the last post.

    Okay, what shall I do now?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a new log and make sure that from now on you follow those directions. Not doing so will just make it take much longer or impossible to fix.
     
  10. dmb06851

    dmb06851 Specialist

    Sorry about the hiccup last night. AVG was running and had responded in the affirmative when asked if I wanted to re-start after it eliminated something. AVG is disabled for the time being.

    I went through the whole procedure again.

    System restore is still off.
    Everything has been done in normal mode, not safe.

    BitDefender - no problems found.
    RavAntivirus - no viruses found.

    Disconnected from Internet.

    CCleaner.
    AdAware - 22 objects removed - have log saved.
    VX2 - system clean.
    Spybot - CoolWWWSearch.HomeSearch 1 entry
    CoolWWWSearch.SearchKlick 2 entries
    Shop At Home 1 entry
    Trek Blue Error Nuker 4 entries

    Removed all.

    CWShredder.
    Kill2Me. - after which "My Documents" was opened.
    aboutBuster - "Run-time error '5' "
    HSRemove = 8 items removed.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! It was not necessary to run all of those steps. You should only run what we ask you to run and you must run them in the order given. It does not look like you followed the steps in my last message as they were written. If you did, then where I said to Reset Web Settings, your home page should have been reset to www.majorgeeks.com as a start page. Please follow the directions as given and do not do anything else but what is given.

    You must use only one antivirus application so pick whether you want Antivir or AVG and uninstall the other. Do that now before continuing. Do not reboot if it requests that you reboot.

    What browser are you using to run Bitdefender and RAVantivirus online scans?

    I'm not sure what the problem is with using about:Buster. You said you did put it in its own folder. I wonder if you need the VB runtime files. Download and install this: Visual Basic Run Time See if about:Buster will run now.

    Copy the contents of the Quote Box below to Notepad. Save it and change the Save as Type to All Files and save the file as fixHSA.reg. Save this file on the desktop or anyplace you can easily find it. Then double-click on the fixHSA.reg file, and when it prompts to merge say yes.
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\ipzx.exe
    C:\WINDOWS\system32\winil32.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {B2561711-375A-C5C2-DBF9-4F87C6CDEC0E} - C:\WINDOWS\system32\javafr.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (tell me what you find):
    C:\WINDOWS\system32\javafr.dll
    C:\WINDOWS\system32\ipzx.exe
    C:\WINDOWS\system32\winil32.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  12. dmb06851

    dmb06851 Specialist

    I had reset IE home page to Major Geeks, more than once, but it was reset.
    The AntiVirus Personal program has been uninstalled.
    My browser is IE6.
    VB runtime files downloaded and installed. aboutBuster still coughs up the "runtime error '5' " message.

    The three registry entries were copied and entered into the registry. Note, the system didn't say "merge", it said "add", which I did.

    System restore is still off.

    HJT. The two processes were killed.
    Looked for those eight lines but the first two weren't listed. Selected the other six. Exited IE browser and then Fixed them.

    Rebooted safe mode.
    First two items, javafr.dll and jpzx.exe, not found. Deleted winil32.exe.

    CCleaner run.

    Web settings reset, again.

    Reboot normal. HJT log attached.
     


  13. dmb06851

    dmb06851 Specialist

    Addendum to last post.

    For the first 5 minutes or so after the last reboot, I couldn't do anything on the toolbar/quicklaunch/system tray area - nothing would respond to the mouse.
    SpywareGuard advised of IE current search page being changed from <none> to res://c:\windows\vyire.dll/sp.html#1001 and gave me the option of restoring the old value or keeping the new. I chose restore.
    Same/similar thing with IE search bar, IE search page, IE default page, search bar and default search. I selected restore for each.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's useful info to know that you are resetting the web settings and that they were changed back. This time it partially took. Also it is useful to know about the info from SpywareGuard. It may become necessary to remove SpywareGuard though (we will see). Sometimes some of the programs that we use to protect us make it difficult to remove problems when they have already occurred, especially when the protection programs actually do nothing to fix the root of the problem. What they wind up doing is masking some of the symptoms so we cannot see what is really going on.

    You may still have some problems. Your HJT log does not show any running process but the two lines below should be fixed:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uyire.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uyire.dll/sp.html#10001

    If SpywareGuard detects the above fix (it may) just tell it to accept the change.

    I think you have other problems hiding in the background. Too bad we cannot get About:Buster to run. Let's try the two below programs. They have proven to be useful in locating problem files related to the hijacker.

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

    See if you can save a log from it so I can see what happened.


    Now let's continue the hunting:

    - run CCleaner before doing the below.

    - Download this trial version of Ewido Security Suite
    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:

    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report.
     
  15. dmb06851

    dmb06851 Specialist

    HJT.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uyire.dll/sp.html#10001

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uyire.dll/sp.html#10001

    Both selected. Exited IE browser. Fixed both. (SpywareGuard didn't respond.)

    TrojanHunter installed and updated, full scan on C. Cropped screen dump saved and attached.
    Note my mis-spelling of aboutBuster. Could that be the reason for its non-function?

    CCleaner run.

    Ewido installed and updated. Disconnected from 'phone line. Rebooted in safe mode. Every file/complete system scan. Report attached.

    Rebooted normal. System very slow, at least at first. Closed, via Task Manager, initial IE attempt to connect (wasn't responding.) Quick launch etc wouldn't respond to mouse for first couple of minutes.

    IE default page still MajorGeeks.
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not post the Ewido log. Please attach it.

    How is your system running?
     
  17. dmb06851

    dmb06851 Specialist

    Sorry, here it is.

    I commented on the system at the end of the post.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those comments sounded temporary. Are they still occurring?

    Reboot your PC and get a new HJT log to post and also check to see what problems you still have.
     
  19. dmb06851

    dmb06851 Specialist

    Hi Chas.

    The problem with mouse access to the quick launch and system tray seems to have gone.
    I did notice after this reboot that there was a lot of disc activity, the yellow l.e.d. on the PC being permanently lit for a while, after all the icons had appeared in the system tray.
    During this time a clock I have on the desktop halted its seconds increments for about 5 to 10 seconds at a time and then jumped forward.
    Task Manager shows the great majority of this activity is due to System Idle Process, CPU Usage up around 75 to 80%.
    This settles down to 3% minimum but shoots up to 90 to 100% every 10 seconds.
    I have no idea if this is useful information or not.

    The HJT log is attached.

    Thank you for all the time and effort which you are putting into this. I really appreciate it.
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    System Idle Process is not a process. It is the time your computer is idle and it should normally be very high unless the CPU is very busy with some other processes.

    Your log is clean. The only other item I wonder about (but I have no info on it) is:

    O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll

    Do you know what it is?

    You should look into working through the steps in the below now:

    How to Protect yourself from malware!
     
  21. dmb06851

    dmb06851 Specialist

    No Chas, I have no idea what that line, O9 - Extra button, is.

    Once again thank you for your time and effort.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. That online.dll could be part of this webzone.dll stuff you have. Did you install this? Seems like it is used to put things into the Trusted or Restricted Zones.
     
  23. dmb06851

    dmb06851 Specialist

    Hi Chas.

    No, I didn't install it. Don't even know what "webzone" is. I'll do a search for it and see what that turns up.

    Oh, by the way, I tried Firefox some time ago but ditched it. I've re-installed it and using it now.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure? Could it be part of PwrupTweakMe which you have installed?
     
  25. dmb06851

    dmb06851 Specialist

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! At least we know it is not malware related now!
     
