-
June 17th, 2004, 04:11 AM
#1
Junior Member
please help me check the hijack log file
Some sort of spyware changed my homepage etc. It also changed the registry. I corrected them, but once IE runs again they come back. I used HijackThis to scan the system in safe mode. I think there must be some program running with IE. I am not sure which one it is, so I attach the log file here and hope you guys could give me any clues. Thanks a lot.
-
June 17th, 2004, 04:33 AM
#2
You have the latest, greatest new hijack out that is proving to be very difficult to fix. Deleting the BHOs will not do it; there is a mutating .dll with 2 matching executables that have to be killed, and when you try to boot into safe mode the .dlls disappear, only to reappear on the next reboot (or the one after that, or the one after that).
PM Grinler, I'm not sure how often he comes around any more, but he has been working with some others to develop a fix for it.
Cheers!!
-
June 17th, 2004, 04:36 AM
#3
march,
edit: groovicus is on top of this new hijack; if that doesn't work, here's some more info about how to read your log etc.
Soda_Popinsky wrote a great tutorial on this very subject. It is easy to follow and I have used it twice. It is located on the link below. The threads at AO are packed with a wealth of info. To access them, just use the search engine on the main page. Also, using www.google.com frequently will assist you as well.
http://www.antionline.com/showthread...hreadid=255989
Some additional info:
Here’s the run down: The ole hijacking, as it is called. There are free downloads that can and will eradicate your computer of these critters.
“CWShredder” is a tool to remove Coolwebsearch Here’s a link to a site to download it:
http://www.spywareinfo.com/~merijn/downloads.html
Additionally, if you don’t already have some software to combat other malware types you need to download some of those programs as well. Adaware and Spybot S & D are two such programs and I would use them both.
http://www.lavasoftusa.com/software/adaware/
http://www.safer-networking.org/index.php?page=download
You might also consider using another browser. Opera, Mozilla, Firefox by Mozilla, Netscape, Slim Browser, etc.
cheers
Connection refused, try again later.
-
June 17th, 2004, 08:11 AM
#4
Junior Member
I forgot another thing: there is a Home Search Assistant entry showing up in Add/Remove Programs. If I click the remove button for it, it shows
"unable to open:http://looking-for.cc/uninstall/Home...Assistant.html".
Is there any way to uninstall this program first?
-
June 17th, 2004, 09:11 AM
#5
Originally posted here by march
I forgot another thing: there is a Home Search Assistant entry showing up in Add/Remove Programs. If I click the remove button for it, it shows
"unable to open:http://looking-for.cc/uninstall/Home...Assistant.html".
Is there any way to uninstall this program first?
Yes......but one of them I know is not really recommended.
1. Boot up in Safe Mode and then try to delete the program with the Add/Remove program.
2. Go into your main storage (c: disk) to program files, find the folder this program is in and run the uninstall right from there. (It should have its own uninstall application)
3. In your program files, delete the folder that this program is stored in. (This is the one that is not really recommended, because it does not remove any .dlls or registry entries that may be associated with the program. It can cause you to lock up and/or spontaneously reboot whenever another program is directed to use the deleted program.)
There are probably other, better methods, but I can't think of any at present, or don't know them.
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
June 17th, 2004, 01:18 PM
#6
I'm very suspicious of this item: O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
I'm thinking Agobot worm........????
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
June 17th, 2004, 02:20 PM
#7
HijackThis log tutorial
http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html
Here you will find a comprehensive 'HijackThis log tutorial' that will help you a lot.
Thanks
Excuse me, is there an airport nearby large enough for a private jet to land?
-
June 17th, 2004, 03:17 PM
#8
Ok, I had a little time to look at your log, so let's see if we can kill this. You have a bit of a variant of this, so I'll do my best.
Control-alt-delete end task on these tasks:
ievl32.exe
ntxt.exe
-------------------------------
Please put HijackThis in its own folder. It likes to make backups,
and it is best to keep them all in one place.
*Click My Computer, then C:\
*In the menu bar, File -> New -> Folder.
That will create a folder named New Folder.
* Right click on the file and select 'rename'
* Rename to something like 'HJT' , and put your Hijackthis in there.
--------------------------------
Put a checkmark next to the following in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gefhn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gefhn.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gefhn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gefhn.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gefhn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gefhn.dll/sp.html#96676
O2 - BHO: (no name) - {A9B24A9A-6451-6CEB-5B79-6F6736741E63} - C:\WINDOWS\system32\iexm32.dll
O4 - HKLM\..\Run: [ntxt.exe] C:\WINDOWS\system32\ntxt.exe
O4 - HKLM\..\RunOnce: [winie32.exe] C:\WINDOWS\winie32.exe
O4 - HKLM\..\RunOnce: [sdkdt.exe] C:\WINDOWS\sdkdt.exe
O4 - HKLM\..\RunOnce: [atlah.exe] C:\WINDOWS\system32\atlah.exe
O4 - HKLM\..\RunOnce: [ievl32.exe] C:\WINDOWS\ievl32.exe
O4 - HKLM\..\RunOnce: [atlfu.exe] C:\WINDOWS\atlfu.exe
O4 - HKLM\..\RunOnce: [apixf.exe] C:\WINDOWS\system32\apixf.exe
O4 - HKLM\..\RunOnce: [iegj.exe] C:\WINDOWS\iegj.exe
O4 - HKLM\..\RunOnce: [d3ny32.exe] C:\WINDOWS\d3ny32.exe
O4 - HKLM\..\RunOnce: [ipxt32.exe] C:\WINDOWS\ipxt32.exe
O4 - HKLM\..\RunOnce: [ntes32.exe] C:\WINDOWS\system32\ntes32.exe
O4 - HKLM\..\RunOnce: [netjf.exe] C:\WINDOWS\system32\netjf.exe
O4 - HKLM\..\RunOnce: [sdkxl.exe] C:\WINDOWS\sdkxl.exe
O4 - HKLM\..\RunOnce: [apier32.exe] C:\WINDOWS\system32\apier32.exe
O4 - HKLM\..\RunOnce: [atlsd.exe] C:\WINDOWS\atlsd.exe
O4 - HKLM\..\RunOnce: [ntha.exe] C:\WINDOWS\system32\ntha.exe
O4 - HKLM\..\RunOnce: [mfcgn32.exe] C:\WINDOWS\mfcgn32.exe
O4 - HKLM\..\RunOnce: [neter.exe] C:\WINDOWS\neter.exe
O4 - HKLM\..\RunOnce: [sdkut.exe] C:\WINDOWS\sdkut.exe
O4 - HKLM\..\RunOnce: [crtb.exe] C:\WINDOWS\system32\crtb.exe
O4 - HKLM\..\RunOnce: [appwd.exe] C:\WINDOWS\appwd.exe
O4 - HKLM\..\RunOnce: [ievo.exe] C:\WINDOWS\system32\ievo.exe
O4 - HKLM\..\RunOnce: [ntcq.exe] C:\WINDOWS\system32\ntcq.exe
O4 - HKLM\..\RunOnce: [winfl.exe] C:\WINDOWS\system32\winfl.exe
O4 - HKLM\..\RunOnce: [atlyh.exe] C:\WINDOWS\system32\atlyh.exe
O4 - HKLM\..\RunOnce: [netnk.exe] C:\WINDOWS\system32\netnk.exe
O4 - HKLM\..\RunOnce: [apiwt32.exe] C:\WINDOWS\apiwt32.exe
O4 - HKLM\..\RunOnce: [ipps32.exe] C:\WINDOWS\ipps32.exe
O4 - HKLM\..\RunOnce: [ntbm.exe] C:\WINDOWS\system32\ntbm.exe
O4 - HKLM\..\RunOnce: [ntea32.exe] C:\WINDOWS\ntea32.exe
O4 - HKLM\..\RunOnce: [sysya.exe] C:\WINDOWS\system32\sysya.exe
O4 - HKLM\..\RunOnce: [iefb32.exe] C:\WINDOWS\system32\iefb32.exe
O4 - HKLM\..\RunOnce: [ntiu.exe] C:\WINDOWS\system32\ntiu.exe
-----------------------------------------------
Boot into SAFE MODE by tapping the f8 key during boot up.
How to see Hidden files
Delete the following files:
C:\WINDOWS\system32\ntxt.exe
C:\WINDOWS\winie32.exe
C:\WINDOWS\sdkdt.exe
C:\WINDOWS\system32\atlah.exe
C:\WINDOWS\ievl32.exe
C:\WINDOWS\atlfu.exe
C:\WINDOWS\system32\apixf.exe
C:\WINDOWS\iegj.exe
C:\WINDOWS\d3ny32.exe
C:\WINDOWS\ipxt32.exe
C:\WINDOWS\system32\ntes32.exe
C:\WINDOWS\system32\netjf.exe
C:\WINDOWS\sdkxl.exe
C:\WINDOWS\system32\apier32.exe
C:\WINDOWS\atlsd.exe
C:\WINDOWS\system32\ntha.exe
C:\WINDOWS\mfcgn32.exe
C:\WINDOWS\neter.exe
C:\WINDOWS\sdkut.exe
C:\WINDOWS\system32\crtb.exe
C:\WINDOWS\appwd.exe
C:\WINDOWS\system32\ievo.exe
C:\WINDOWS\system32\ntcq.exe
C:\WINDOWS\system32\winfl.exe
C:\WINDOWS\system32\atlyh.exe
C:\WINDOWS\system32\netnk.exe
C:\WINDOWS\apiwt32.exe
C:\WINDOWS\ipps32.exe
C:\WINDOWS\system32\ntbm.exe
C:\WINDOWS\ntea32.exe
C:\WINDOWS\system32\sysya.exe
C:\WINDOWS\system32\iefb32.exe
C:\WINDOWS\system32\ntiu.exe
Reboot in normal mode
Please download TheKillbox from here: http://www.downloads.subratam.org/KillBox.zip
Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:
C:\WINDOWS\system32\ntxt.exe
Don't click any of the buttons though; instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot; do so.
Reboot in normal mode and post a fresh log
EDIT: A new step
Go to Start>Run and type regedit.
Press enter.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3 (This may be different but will always start with __NS_Service)
If __NS_Service_3 exists , right click on it and choose delete from the menu.
Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
If LEGACY___NS_Service_3
exists then right click on it and choose delete from the menu.
Reboot and post a last log
I apologize for the bumps. I just wanted to make sure that they knew there was an additional step.
-
June 18th, 2004, 03:57 AM
#9
 Originally Posted by jinxy
I'm very suspicious of this item: O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
I'm thinking Agobot worm........????
Agobot, Gaobot.... the same I believe..... whatever the name... this is it. Good catch!
March, you need to run an online AV after and only after you do what Groovicus suggested. Here are a few you can choose from:
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan/licence.php
http://www.ravantivirus.com/scan/
http://us.mcafee.com/root/mfs/default.asp?affid=294
http://www.pandasoftware.com/activescan/
Also, you are probably going to need to clean your hosts file. Here's a great link with tons of info on this:
http://www.dslreports.com/faq/10131
-
June 20th, 2004, 08:02 AM
#10
Junior Member
Hi there,
Thank you guys so much. The problem is fixed following the instructions of groovicus. But I did not delete the LEGACY _NT_Service entries in the registry, and I don't get why I need KillBox. I found it just deletes the files.
The virus is very tricky. Every time it runs, it adds a BHO entry and several RunOnce entries, and the program name related to the BHO is changed every time. These files do not exist. I don't know how it works.
My experience is deleting that BHO entry and all the RunOnce entries, and also deleting the several suspicious start items in the Run entries.
I attached the fresh HijackThis.log after the system is clean up.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\HJKT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Edit with XML Spy (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
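The two logs in this thread (the entries groovicus listed in post #8 and the "clean" log in post #10 that still carries sysconf.exe under Run and RunServices, as jinxy pointed out) show what a triage script for HijackThis output has to look for: R0/R1 pages pointing at a res:// URL inside a dropped DLL, an unnamed BHO loaded straight from the Windows directory, RunOnce entries with generated-looking names, and autoruns given as a bare filename with no path. The following is an added example, not a tool from the thread or from the HijackThis author; the name-shape regex is an assumption derived only from the filenames posted above, and the sample log is constructed from lines quoted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the two HijackThis logs quoted in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gefhn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gefhn.dll/index.html#96676
O2 - BHO: (no name) - {A9B24A9A-6451-6CEB-5B79-6F6736741E63} - C:\WINDOWS\system32\iexm32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ntxt.exe] C:\WINDOWS\system32\ntxt.exe
O4 - HKLM\..\RunOnce: [winie32.exe] C:\WINDOWS\winie32.exe
O4 - HKLM\..\RunOnce: [atlah.exe] C:\WINDOWS\system32\atlah.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
"""

@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    entry: str

# R0/R1 pages that point into a local DLL (res://) or at about:blank are the hijack itself.
HIJACK_URL = re.compile(r"=\s*(res://|about:blank)", re.IGNORECASE)
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# Assumption: name shape of the files listed in post #8 (prefix + 1-2 random letters + optional "32").
# It is a triage hint tuned to this family, not a verdict: a legitimate name such as netsh.exe also matches.
RANDOM_NAME = re.compile(r"^(ie|nt|sdk|atl|api|win|net|d3|ip|mfc|crt|app|sys)[a-z]{1,2}(32)?\.(exe|dll)$", re.IGNORECASE)
# Files dropped directly into C:\WINDOWS or C:\WINDOWS\system32 rather than under Program Files.
WINDOWS_ROOT = re.compile(r"^C:\\WINDOWS(\\system32)?\\[^\\]+$", re.IGNORECASE)

def executable_of(cmd):
    """Return the program part of an O4 command line, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def basename(path):
    return path.rsplit("\\", 1)[-1]

def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in a HijackThis log."""
    findings = []
    autoruns = {}  # lowercase program name -> list of (line_no, key, line)
    for n, line in enumerate(log_text.splitlines(), start=1):
        line = line.rstrip()
        if line[:2] in ("R0", "R1") and HIJACK_URL.search(line):
            findings.append(Finding(n, "IE page points at a res:// or about:blank URL (CWS-style hijack)", line))
            continue
        m = O2_BHO.match(line)
        if m:
            # An unnamed BHO is common (Acrobat's is unnamed too); the signal is where the DLL lives.
            if m.group("name") == "(no name)" and WINDOWS_ROOT.match(m.group("path")):
                findings.append(Finding(n, "unnamed BHO loaded from the Windows directory", line))
            continue
        m = O4_RUN.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        name = basename(exe)
        key = m.group("key")
        autoruns.setdefault(name.lower(), []).append((n, key, line))
        if "\\" not in exe:
            findings.append(Finding(n, "autorun given as a bare filename (no fixed location, resolved via the search path)", line))
        elif WINDOWS_ROOT.match(exe) and RANDOM_NAME.match(name):
            findings.append(Finding(n, f"{key} entry with a generated-looking name in the Windows directory", line))
    # Cross-line check: the same program registered under both Run and RunServices
    # (RunServices is a Win9x/ME key; worms add it as well so they persist on older systems).
    for entries in autoruns.values():
        keys = {k for _, k, _ in entries}
        if {"Run", "RunServices"} <= keys:
            for n, k, line in entries:
                if k == "RunServices":
                    findings.append(Finding(n, "same program registered under both Run and RunServices", line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}\n    {f.entry}")
```

Run as-is it flags the two res:// pages, the iexm32.dll BHO, the three generated-name autoruns and both sysconf.exe lines, while leaving Acrobat's unnamed BHO, RealPlayer's scheduler and the Passport start page alone. The output is a worklist for the manual steps in post #8 (end the processes, fix the entries, delete the files in safe mode), not a replacement for them: a heuristic on filenames cannot tell a dropped file from a legitimate one, so each hit still needs the file itself checked before deletion.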