Yet Another "Only the Best" hijacker issue

Discussion in 'Malware Help (A Specialist Will Reply)' started by Andrew Hazen, Feb 12, 2005.

  1. Andrew Hazen

    Andrew Hazen Private E-2

    Hi folks,
    I lost my entire work day yesterday fighting this (*&&^*^%*& on my laptop!

    I have run the following, both in regular and safe mode:
    Microsoft AntiSpyware Beta
    AdAware SE Plus
    Spybot Search & Destroy
    AboutBuster
    CWShredder
    Kill2Me
    HSRemove

    I have used HijackThis and "fixed" everything that did not look vaguely "authentic" (i.e. from Microsoft, Adobe, or a similar company).

    Items in the HijackLog of which I am still suspicious include the following:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\lsass.exe
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)

    Any and all assistance greatly appreciated!

    Thanks in Advance,

    Andrew Hazen
    Toronto
     
  2. Andrew Hazen

    Andrew Hazen Private E-2

    As a follow-up, my spyware scans are now coming up clean in Safe Mode, and the only suspicious stuff showing in the HJT log is that *.XXXXXXX keeps getting into the Internet Safe Zone in IE. I tell HJT to fix it, and it keeps coming back!

    Any suggestions?

    Thanks,

    Andrew.
     
  3. Andrew Hazen

    Andrew Hazen Private E-2

    Now when I reboot, I am getting system popups saying that certain files, which look to be malicious, cannot be found in the winnt/system32 directory. While it is no doubt a good thing that they can't be found, I'm wondering what the hell is in there looking for them at boot time??

    Arrrgghh!!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not have an Only the Best hijack, so why did you use that title?

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your Desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to merge, say yes.

    Then run HJT and fix any O15 lines you see.

    None of the other items you mentioned are problems. They are valid applications.
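    As an added illustration of what the O15 lines quoted above correspond to (this is not chaslang's move.reg, whose contents are not reproduced in this thread): a small Python script that parses HijackThis O15 lines and writes a regedit merge file deleting the matching IE ZoneMap keys. It assumes the standard ZoneMap\Domains and ZoneMap\Ranges layout under the Internet Settings key and, because HJT does not show the numbered RangeN key names, drops the whole Ranges container, which also removes any legitimate trusted IP ranges.

```python
import re

# Constructed sample input: the four O15 lines quoted in the first post.
SAMPLE_O15 = """O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)"""

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
O15_RE = re.compile(r"^O15 - Trusted (Zone|IP range): (\S+)( \(HKLM\))?$")


def parse_o15(log_text):
    """Return (hive, kind, target) for every O15 line; kind is 'zone' or 'range'."""
    entries = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if m:
            kind, target, hklm = m.groups()
            hive = "HKEY_LOCAL_MACHINE" if hklm else "HKEY_CURRENT_USER"
            entries.append((hive, "zone" if kind == "Zone" else "range", target))
    return entries


def registered_domain(pattern):
    """'*.frame.crazywinnings.com' -> 'crazywinnings.com', the ZoneMap\\Domains key
    whose subkeys hold the per-host '*' zone values. Assumption: two-label
    registered domains; public-suffix handling is out of scope here."""
    labels = [l for l in pattern.lower().split(".") if l and l != "*"]
    return ".".join(labels[-2:])


def build_reg(entries):
    """Build a .reg file in regedit merge format that deletes the keys behind the
    O15 entries. A leading '-' inside the brackets deletes the whole key."""
    keys = []
    for hive, kind, target in entries:
        if kind == "zone":
            keys.append(f"[-{hive}\\{ZONEMAP}\\Domains\\{registered_domain(target)}]")
        else:
            # Trusted IP ranges live in numbered RangeN subkeys; HJT does not show
            # the key name, so (assumption) the whole Ranges container is removed.
            keys.append(f"[-{hive}\\{ZONEMAP}\\Ranges]")
    uniq = list(dict.fromkeys(keys))  # keep order, drop duplicate deletions
    return "Windows Registry Editor Version 5.00\r\n\r\n" + "\r\n\r\n".join(uniq) + "\r\n"


if __name__ == "__main__":
    print(build_reg(parse_o15(SAMPLE_O15)))
```

    Merging the output with regedit only removes the zone assignment; whatever keeps re-adding the entries at boot still has to be found separately.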
     
  5. Andrew Hazen

    Andrew Hazen Private E-2

    Thanks, I'll try this. It definitely started out as an "Only the Best" hijack, as I was getting those annoying "Only the Best" popups as soon as I rebooted and opened a browser.

    I started looking through my registry yesterday to try to get rid of the Trusted Zone implants, so I will definitely use your code to complete that.

    However, an IT friend of mine suggested that the source of all this might be hiding in a ".tmp" file somewhere that is getting restored at every reboot and recreating the crap in winnt/system32 with new random file names.

    Any idea how I would track that down and purge it?

    Thanks for all your help!

    --Andrew Hazen
     
  6. Andrew Hazen

    Andrew Hazen Private E-2

    Chas,
    I used your move.reg and reran HJT. I'm not getting the Trusted Zone items, but I am still getting an unknown browser helper that gets a new name every time. Below is the current HJT log. Any ideas how to root this (*&*()^& out?

    Logfile of HijackThis v1.99.0
    Scan saved at 11:06:08 AM, on 02/13/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Unrequested inline log deleted
     
    Last edited by a moderator: Feb 13, 2005
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have never gone through our sticky threads, I can now see, or you would not be posting an HJT log, and also posting it incorrectly.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, and do not run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT.
     
