Thread: Help with Browser Hijacker
View Single Post
Old 07-13-2005, 06:59 AM   #2 (permalink)
bry623
Manager, The Conversation Pit/Analyst, Security Team
 
bry623's Avatar
 
Join Date: Apr 2002
Location: NW Territory circa 1787
Posts: 11,692
OS: winxp pro sp2


Send a message via MSN to bry623
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.sfx.exe and uncompress the files to a folder on your the Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoftware.com/products/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\atljl.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WeatherBug - it's adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes/deletions listed below.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FE3D33D0-958B-2C94-A4A8-DB4A4566ED06} - C:\WINDOWS\system32\ieto32.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [netsw32.exe] C:\WINDOWS\netsw32.exe
O4 - HKLM\..\Run: [atljl.exe] C:\WINDOWS\atljl.exe
O4 - HKLM\..\RunOnce: [d3rx32.exe] C:\WINDOWS\system32\d3rx32.exe
O4 - HKLM\..\RunOnce: [sysny.exe] C:\WINDOWS\sysny.exe
O4 - HKLM\..\RunOnce: [systp.exe] C:\WINDOWS\systp.exe
O4 - HKLM\..\RunOnce: [netqn32.exe] C:\WINDOWS\netqn32.exe
O4 - HKLM\..\RunOnce: [apiwk32.exe] C:\WINDOWS\system32\apiwk32.exe
O4 - HKLM\..\RunOnce: [apiwm.exe] C:\WINDOWS\system32\apiwm.exe
O4 - HKLM\..\RunOnce: [crfy.exe] C:\WINDOWS\system32\crfy.exe
O4 - HKLM\..\RunOnce: [ntuu.exe] C:\WINDOWS\ntuu.exe
O4 - HKLM\..\RunOnce: [d3dc32.exe] C:\WINDOWS\system32\d3dc32.exe
O4 - HKLM\..\RunOnce: [appvl32.exe] C:\WINDOWS\system32\appvl32.exe
O4 - HKLM\..\RunOnce: [ntnt.exe] C:\WINDOWS\system32\ntnt.exe
O4 - HKLM\..\RunOnce: [cruq.exe] C:\WINDOWS\system32\cruq.exe
O4 - HKLM\..\RunOnce: [mssa32.exe] C:\WINDOWS\mssa32.exe
O4 - HKLM\..\RunOnce: [atlmf32.exe] C:\WINDOWS\system32\atlmf32.exe
O4 - HKLM\..\RunOnce: [msge.exe] C:\WINDOWS\system32\msge.exe
O4 - HKLM\..\RunOnce: [ieur32.exe] C:\WINDOWS\system32\ieur32.exe
O4 - HKLM\..\RunOnce: [crbc.exe] C:\WINDOWS\system32\crbc.exe
O4 - HKLM\..\RunOnce: [mfcjs32.exe] C:\WINDOWS\system32\mfcjs32.exe
O4 - HKLM\..\RunOnce: [msri32.exe] C:\WINDOWS\msri32.exe
O4 - HKLM\..\RunOnce: [apilu32.exe] C:\WINDOWS\system32\apilu32.exe
O4 - HKLM\..\RunOnce: [javajx.exe] C:\WINDOWS\javajx.exe
O4 - HKLM\..\RunOnce: [crya32.exe] C:\WINDOWS\system32\crya32.exe
O4 - HKLM\..\RunOnce: [ieip.exe] C:\WINDOWS\system32\ieip.exe
O4 - HKLM\..\RunOnce: [addqq.exe] C:\WINDOWS\system32\addqq.exe
O4 - HKLM\..\RunOnce: [javahz32.exe] C:\WINDOWS\javahz32.exe
O4 - HKLM\..\RunOnce: [mfcoz32.exe] C:\WINDOWS\system32\mfcoz32.exe
O4 - HKLM\..\RunOnce: [crww32.exe] C:\WINDOWS\system32\crww32.exe
O4 - HKLM\..\RunOnce: [wingw32.exe] C:\WINDOWS\system32\wingw32.exe
O4 - HKLM\..\RunOnce: [crhl32.exe] C:\WINDOWS\crhl32.exe
O4 - HKLM\..\RunOnce: [atlok32.exe] C:\WINDOWS\atlok32.exe
O4 - HKLM\..\RunOnce: [atlbf32.exe] C:\WINDOWS\system32\atlbf32.exe
O4 - HKLM\..\RunOnce: [ielk.exe] C:\WINDOWS\ielk.exe
O4 - HKLM\..\RunOnce: [ieez32.exe] C:\WINDOWS\system32\ieez32.exe
O4 - HKLM\..\RunOnce: [addun32.exe] C:\WINDOWS\addun32.exe
O4 - HKLM\..\RunOnce: [sysde.exe] C:\WINDOWS\system32\sysde.exe
O4 - HKLM\..\RunOnce: [d3qw.exe] C:\WINDOWS\system32\d3qw.exe
O4 - HKLM\..\RunOnce: [mssx.exe] C:\WINDOWS\system32\mssx.exe
O4 - HKLM\..\RunOnce: [addtd32.exe] C:\WINDOWS\system32\addtd32.exe
O4 - HKLM\..\RunOnce: [javaeu.exe] C:\WINDOWS\system32\javaeu.exe
O4 - HKLM\..\RunOnce: [mshq32.exe] C:\WINDOWS\mshq32.exe
O4 - HKLM\..\RunOnce: [netxw.exe] C:\WINDOWS\system32\netxw.exe
O4 - HKLM\..\RunOnce: [appms.exe] C:\WINDOWS\appms.exe
O4 - HKLM\..\RunOnce: [javapa32.exe] C:\WINDOWS\system32\javapa32.exe
O4 - HKLM\..\RunOnce: [addpo32.exe] C:\WINDOWS\system32\addpo32.exe
O4 - HKLM\..\RunOnce: [ipqt32.exe] C:\WINDOWS\ipqt32.exe
O4 - HKLM\..\RunOnce: [sysbl32.exe] C:\WINDOWS\sysbl32.exe
O4 - HKLM\..\RunOnce: [mshh32.exe] C:\WINDOWS\mshh32.exe
O4 - HKLM\..\RunOnce: [winub32.exe] C:\WINDOWS\winub32.exe
O4 - HKLM\..\RunOnce: [apptw32.exe] C:\WINDOWS\apptw32.exe
O4 - HKLM\..\RunOnce: [crvw32.exe] C:\WINDOWS\crvw32.exe
O4 - HKLM\..\RunOnce: [ntsw.exe] C:\WINDOWS\system32\ntsw.exe
O4 - HKLM\..\RunOnce: [javaix32.exe] C:\WINDOWS\javaix32.exe
O4 - HKLM\..\RunOnce: [ipgc.exe] C:\WINDOWS\ipgc.exe
O4 - HKLM\..\RunOnce: [mfcpa32.exe] C:\WINDOWS\mfcpa32.exe
O4 - HKLM\..\RunOnce: [ntdi32.exe] C:\WINDOWS\ntdi32.exe
O4 - HKLM\..\RunOnce: [ntqg32.exe] C:\WINDOWS\ntqg32.exe
O4 - HKLM\..\RunOnce: [syszt.exe] C:\WINDOWS\system32\syszt.exe
O4 - HKLM\..\RunOnce: [atlqo.exe] C:\WINDOWS\system32\atlqo.exe
O4 - HKLM\..\RunOnce: [ipjs32.exe] C:\WINDOWS\ipjs32.exe
O4 - HKLM\..\RunOnce: [crdo32.exe] C:\WINDOWS\system32\crdo32.exe
O4 - HKLM\..\RunOnce: [netqd.exe] C:\WINDOWS\system32\netqd.exe
O4 - HKLM\..\RunOnce: [ntdc32.exe] C:\WINDOWS\system32\ntdc32.exe
O4 - HKLM\..\RunOnce: [d3vk.exe] C:\WINDOWS\system32\d3vk.exe
O4 - HKLM\..\RunOnce: [appbj32.exe] C:\WINDOWS\appbj32.exe
O4 - HKLM\..\RunOnce: [addhe.exe] C:\WINDOWS\addhe.exe
O4 - HKLM\..\RunOnce: [netxu32.exe] C:\WINDOWS\netxu32.exe
O4 - HKLM\..\RunOnce: [appko.exe] C:\WINDOWS\appko.exe
O4 - HKLM\..\RunOnce: [iewi32.exe] C:\WINDOWS\system32\iewi32.exe
O4 - HKLM\..\RunOnce: [javasr.exe] C:\WINDOWS\javasr.exe
O4 - HKLM\..\RunOnce: [appgo32.exe] C:\WINDOWS\appgo32.exe
O4 - HKLM\..\RunOnce: [crxk.exe] C:\WINDOWS\system32\crxk.exe
O4 - HKLM\..\RunOnce: [ntod32.exe] C:\WINDOWS\ntod32.exe
O4 - HKLM\..\RunOnce: [apppu.exe] C:\WINDOWS\apppu.exe
O4 - HKLM\..\RunOnce: [sdkeb.exe] C:\WINDOWS\sdkeb.exe
O4 - HKLM\..\RunOnce: [apirw32.exe] C:\WINDOWS\apirw32.exe
O4 - HKLM\..\RunOnce: [mszm32.exe] C:\WINDOWS\mszm32.exe
O4 - HKLM\..\RunOnce: [ntpy.exe] C:\WINDOWS\ntpy.exe
O4 - HKLM\..\RunOnce: [winbo.exe] C:\WINDOWS\winbo.exe
O4 - HKLM\..\RunOnce: [ipyb.exe] C:\WINDOWS\system32\ipyb.exe
O4 - HKLM\..\RunOnce: [ntad32.exe] C:\WINDOWS\ntad32.exe
O4 - HKLM\..\RunOnce: [apihw32.exe] C:\WINDOWS\apihw32.exe
O4 - HKLM\..\RunOnce: [appns32.exe] C:\WINDOWS\appns32.exe
O4 - HKLM\..\RunOnce: [mfcvu32.exe] C:\WINDOWS\system32\mfcvu32.exe
O4 - HKLM\..\RunOnce: [netca.exe] C:\WINDOWS\netca.exe
O4 - HKLM\..\RunOnce: [apppl32.exe] C:\WINDOWS\system32\apppl32.exe
O4 - HKLM\..\RunOnce: [javapq.exe] C:\WINDOWS\system32\javapq.exe
O4 - HKLM\..\RunOnce: [crls32.exe] C:\WINDOWS\system32\crls32.exe
O4 - HKLM\..\RunOnce: [crxg.exe] C:\WINDOWS\system32\crxg.exe
O4 - HKLM\..\RunOnce: [netee.exe] C:\WINDOWS\system32\netee.exe
O4 - HKLM\..\RunOnce: [javazp32.exe] C:\WINDOWS\system32\javazp32.exe
O4 - HKLM\..\RunOnce: [atlwp.exe] C:\WINDOWS\system32\atlwp.exe
O4 - HKLM\..\RunOnce: [mfcsc32.exe] C:\WINDOWS\system32\mfcsc32.exe
O4 - HKLM\..\RunOnce: [d3bb32.exe] C:\WINDOWS\system32\d3bb32.exe
O4 - HKLM\..\RunOnce: [ipxb.exe] C:\WINDOWS\system32\ipxb.exe
O4 - HKLM\..\RunOnce: [iell32.exe] C:\WINDOWS\system32\iell32.exe
O4 - HKLM\..\RunOnce: [netou.exe] C:\WINDOWS\netou.exe
O4 - HKLM\..\RunOnce: [sdkvb32.exe] C:\WINDOWS\sdkvb32.exe
O4 - HKLM\..\RunOnce: [winha32.exe] C:\WINDOWS\system32\winha32.exe
O4 - HKLM\..\RunOnce: [apifg32.exe] C:\WINDOWS\system32\apifg32.exe
O4 - HKLM\..\RunOnce: [appmj.exe] C:\WINDOWS\appmj.exe
O4 - HKLM\..\RunOnce: [atlae32.exe] C:\WINDOWS\system32\atlae32.exe
O4 - HKLM\..\RunOnce: [sdkdl32.exe] C:\WINDOWS\sdkdl32.exe
O4 - HKLM\..\RunOnce: [appoa.exe] C:\WINDOWS\system32\appoa.exe
O4 - HKLM\..\RunOnce: [ntpi.exe] C:\WINDOWS\ntpi.exe
O4 - HKLM\..\RunOnce: [msjt32.exe] C:\WINDOWS\msjt32.exe
O4 - HKLM\..\RunOnce: [appmf.exe] C:\WINDOWS\appmf.exe
O4 - HKLM\..\RunOnce: [mfcyo32.exe] C:\WINDOWS\system32\mfcyo32.exe
O4 - HKLM\..\RunOnce: [sdkhg32.exe] C:\WINDOWS\sdkhg32.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\AWS
C:\WINDOWS\system32\hripo.dll
C:\WINDOWS\system32\ieto32.dll
C:\WINDOWS\UpdReg.EXE
C:\WINDOWS\netsw32.exe
C:\WINDOWS\atljl.exe
C:\WINDOWS\system32\d3rx32.exe
C:\WINDOWS\sysny.exe
C:\WINDOWS\systp.exe
C:\WINDOWS\netqn32.exe
C:\WINDOWS\system32\apiwk32.exe
C:\WINDOWS\system32\apiwm.exe
C:\WINDOWS\system32\crfy.exe
C:\WINDOWS\ntuu.exe
C:\WINDOWS\system32\d3dc32.exe
C:\WINDOWS\system32\appvl32.exe
C:\WINDOWS\system32\ntnt.exe
C:\WINDOWS\system32\cruq.exe
C:\WINDOWS\mssa32.exe
C:\WINDOWS\system32\atlmf32.exe
C:\WINDOWS\system32\msge.exe
C:\WINDOWS\system32\ieur32.exe
C:\WINDOWS\system32\crbc.exe
C:\WINDOWS\system32\mfcjs32.exe
C:\WINDOWS\msri32.exe
C:\WINDOWS\system32\apilu32.exe
C:\WINDOWS\javajx.exe
C:\WINDOWS\system32\crya32.exe
C:\WINDOWS\system32\ieip.exe
C:\WINDOWS\system32\addqq.exe
C:\WINDOWS\javahz32.exe
C:\WINDOWS\system32\mfcoz32.exe
C:\WINDOWS\system32\crww32.exe
C:\WINDOWS\system32\wingw32.exe
C:\WINDOWS\crhl32.exe
C:\WINDOWS\atlok32.exe
C:\WINDOWS\system32\atlbf32.exe
C:\WINDOWS\ielk.exe
C:\WINDOWS\system32\ieez32.exe
C:\WINDOWS\addun32.exe
C:\WINDOWS\system32\sysde.exe
C:\WINDOWS\system32\d3qw.exe
C:\WINDOWS\system32\mssx.exe
C:\WINDOWS\system32\addtd32.exe
C:\WINDOWS\system32\javaeu.exe
C:\WINDOWS\mshq32.exe
C:\WINDOWS\system32\netxw.exe
C:\WINDOWS\appms.exe
C:\WINDOWS\system32\javapa32.exe
C:\WINDOWS\system32\addpo32.exe
C:\WINDOWS\ipqt32.exe
C:\WINDOWS\sysbl32.exe
C:\WINDOWS\mshh32.exe
C:\WINDOWS\winub32.exe
C:\WINDOWS\apptw32.exe
C:\WINDOWS\crvw32.exe
C:\WINDOWS\system32\ntsw.exe
C:\WINDOWS\javaix32.exe
C:\WINDOWS\ipgc.exe
C:\WINDOWS\mfcpa32.exe
C:\WINDOWS\ntdi32.exe
C:\WINDOWS\ntqg32.exe
C:\WINDOWS\system32\syszt.exe
C:\WINDOWS\system32\atlqo.exe
C:\WINDOWS\ipjs32.exe
C:\WINDOWS\system32\crdo32.exe
C:\WINDOWS\system32\netqd.exe
C:\WINDOWS\system32\d3vk.exe
C:\WINDOWS\appbj32.exe
C:\WINDOWS\addhe.exe
C:\WINDOWS\netxu32.exe
C:\WINDOWS\appko.exe
C:\WINDOWS\system32\iewi32.exe
C:\WINDOWS\javasr.exe
C:\WINDOWS\appgo32.exe
C:\WINDOWS\system32\crxk.exe
C:\WINDOWS\ntod32.exe
C:\WINDOWS\apppu.exe
C:\WINDOWS\sdkeb.exe
C:\WINDOWS\apirw32.exe
C:\WINDOWS\mszm32.exe
C:\WINDOWS\ntpy.exe
C:\WINDOWS\winbo.exe
C:\WINDOWS\system32\ipyb.exe
C:\WINDOWS\ntad32.exe
C:\WINDOWS\apihw32.exe
C:\WINDOWS\appns32.exe
C:\WINDOWS\system32\mfcvu32.exe
C:\WINDOWS\netca.exe
C:\WINDOWS\system32\apppl32.exe
C:\WINDOWS\system32\javapq.exe
C:\WINDOWS\system32\crls32.exe
C:\WINDOWS\system32\crxg.exe
C:\WINDOWS\system32\netee.exe
C:\WINDOWS\system32\javazp32.exe
C:\WINDOWS\system32\atlwp.exe
C:\WINDOWS\system32\mfcsc32.exe
C:\WINDOWS\system32\d3bb32.exe
C:\WINDOWS\system32\ipxb.exe
C:\WINDOWS\system32\iell32.exe
C:\WINDOWS\netou.exe
C:\WINDOWS\sdkvb32.exe
C:\WINDOWS\system32\winha32.exe
C:\WINDOWS\system32\apifg32.exe
C:\WINDOWS\appmj.exe
C:\WINDOWS\system32\atlae32.exe
C:\WINDOWS\sdkdl32.exe
C:\WINDOWS\system32\appoa.exe
C:\WINDOWS\ntpi.exe
C:\WINDOWS\msjt32.exe
C:\WINDOWS\appmf.exe
C:\WINDOWS\system32\mfcyo32.exe
C:\WINDOWS\sdkhg32.exe
C:\WINDOWS\atljl.exe

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Restart and run a new HijackThis scan.
Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it back here.
__________________
"If you aren't a liberal when you're 20, you have no heart. If you aren't a conservative when you are 50, you have no brain"

bry623 is offline