#1
Registered User
Join Date: Nov 2004
Posts: 5
OS: Windows 2000
Browser Hijack can't get rid of it!!!
Seen a similar thread to this one, but the solutions there didn't solve my problem. My homepage has been hijacked by the xysearch.biz bug. Ran the newest updated versions of Ad-aware/Spybot/XoftSpy, and more. Got rid of a couple of trojan viruses, but still have the good old xysearch.biz hijacker. Here is a read-out from StartDreck from my PC, using Windows 2000, AMD Athlon 2600, 512 MB DDR RAM.
StartDreck (build 2.1.5 public BETA) - 2004-11-26 @ 20:34:25
Platform: Windows 2000 (Win NT 5.0.2195 )
»Registry
»Run Keys
»Current User
»Run
*Washer=c:\Program Files\Washer\washer.exe /0
*localmon=C:\WINNT\System32\localmon.exe
»RunOnce
»Default User
»Run
»RunOnce
*^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
»Local Machine
»Run
*PV92TRAY=PV92Tray.exe
*LWBKEYBOARD=C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
*Synchronization Manager=mobsync.exe /logon
*Windows AdControl=C:\Program Files\Windows AdControl\WinAdCtl.exe
*XoftSpy=C:\Program Files\XoftSpy\XoftSpy.exe -s
*Sys29=C:\winnt\system32\winutp32.exe
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
*washindex=c:\Program Files\Washer\washidx.exe "ERIC"
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
*.bat
*batfile="%1" %*
*.com
*comfile="%1" %*
*.disabled
*SpybotSD.DisabledFile="F:\Program Files\Spybot - Search & Destroy\blindman.exe" %1
*.exe
*exefile="%1" %*
*.hta
*htafile=C:\WINNT\System32\mshta.exe "%1" %*
*.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.pif
*piffile="%1" %*
*.scr
*scrfile="%1" /S
*.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
*.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.lnk
*lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
»Files
»Autostart Folders
»Current User
»Default User
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\WINNT\System32\config.nt
*C:\boot.ini
*C:\WINNT\wininit.ini
»System/Drivers
»Running Processes
*00000000=<unkown>
*00000008=<unkown>
*00000098=\SystemRoot\System32\smss.exe
*000000B0=\??\C:\WINNT\system32\csrss.exe
*000000C4=\??\C:\WINNT\system32\winlogon.exe
*000000E0=C:\WINNT\system32\services.exe
*000000F4=C:\WINNT\system32\lsass.exe
*0000019C=C:\WINNT\system32\svchost.exe
*000001C4=C:\WINNT\system32\spoolsv.exe
*000001F8=C:\WINNT\System32\svchost.exe
*00000220=C:\WINNT\system32\regsvc.exe
*00000268=C:\WINNT\System32\WBEM\WinMgmt.exe
*000002E4=C:\WINNT\Explorer.exe
*00000328=C:\WINNT\System32\PV92Tray.exe
*00000344=C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
*000003EC=C:\Program Files\Internet Explorer\iexplore.exe
*00000488=C:\Program Files\Windows NT\Accessories\wordpad.exe
*00000120=C:\WINNT\System32\localmon.exe
*00000474=C:\Program Files\StartDreck.exe
»NT Services
*Alerter Alerter - on demand
*Application Management AppMgmt running on demand
*Computer Browser Browser running auto
*Indexing Service cisvc - on demand
*ClipBook ClipSrv - on demand
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver running auto
*DNS Client Dnscache running auto
*Event Log Eventlog - auto
*COM+ Event System EventSystem running on demand
*Fax Service Fax - on demand
*ISEXEng ISEXEng - auto
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper Service LmHosts running auto
*Messenger Messenger running auto
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc running auto
*NVIDIA Driver Helper Service NVSvc - auto
*Plug and Play PlugPlay running auto
*IPSEC Policy Agent PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Registry Service RemoteRegistry running auto
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*Principal AntiVirus RspAVService - on demand
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*Security Agent scagent - auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule - auto
*RunAs Service seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Sharing SharedAccess - on demand
*Print Spooler Spooler running auto
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Telnet TlntSvr - on demand
*Distributed Link Tracking Client TrkWks running auto
*Uninterruptible Power Supply UPS - on demand
*Utility Manager UtilMan - on demand
*Windows Time W32Time - on demand
*Windows Management Instrumentation WinMgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*Windows Management Instrumentation Driver Extensions Wmi running on demand
»Application specific

Any help would be very appreciated. I have downloaded and run HijackThis; here is the log from that as well:

Logfile of HijackThis v1.98.2
Scan saved at 8:35:41 PM, on 11/26/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PV92Tray.exe
C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINNT\System32\localmon.exe
C:\Program Files\HijackThis.exe

F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winutp32.exe
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe "ERIC"
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [localmon] C:\WINNT\System32\localmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...5c336c858f6465
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

Thanks in advance!!!!!
#2
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Click on the link below and download the reglook.zip file.
http://www.bleepingcomputer.com/files/reglook.php
Unzip the file to its own folder somewhere. Double-click on the runme.bat file inside to run it. Post the log it produces in your next reply here.

You will also need this program at some point: Download KillBox
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#3
Registered User
Join Date: Nov 2004
Posts: 5
OS: Windows 2000
Thanks....
Downloaded both progs; here is the result from Reglook:

A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 7 value entries - last modified 07:46(UTC) 12/06/2004)
[AppInit_DLLs] = "" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 2 subkeys and 26 value entries - last modified 03:29(UTC) 27/11/2004)
[Userinit] = "userinit.exe,TGBRFV_" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
(key has 0 subkeys and 5 value entries - last modified 07:46(UTC) 12/06/2004)
[Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" (REG_SZ)
----------------------------------------

LMK, thanks again a ton...
#4
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Ok...
Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files and click YES and then OK.

Now search for any files containing TGBRFV. They will look like these; you may not have them all, but some:
C:\WINDOWS\System32\TGBRFV_.exe
C:\WINDOWS\System32\TGBRFV_5.dll
C:\WINDOWS\System32\TGBRFV_.dll
C:\WINDOWS\System32\TGBRFV_5.exe

Run KillBox and paste each of these lines into the box, select delete on reboot and end explorer shell before deleting. On any DLL file tick unregister DLL before deleting, then press the red X button. When it says reboot now, say NO and continue to paste the lines in, in turn, following the above procedure every time. DO NOT let it reboot yet!!

Then go to Start > Run and type %temp% in the Run box, press OK. The Temp folder will open. Click Edit > Select All, then Edit > Delete to delete the entire contents of that Temp folder. Locate all your TEMP folders and delete the contents!

Now reboot and post a new HijackThis log. We can then start the cleaning process.
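The reg_look output in #3 shows Winlogon's Userinit value carrying an extra item (TGBRFV_), which is what the file search and KillBox steps in #4 target. As an added illustration (not code from this thread, from reg_look or from HijackThis), the Python below parses output in reg_look's format and reports anything beyond the expected contents of Userinit and AppInit_DLLs; the sample text is copied from the poster's output, and the key paths are the two the tool dumped.

```python
import re

# Constructed sample in the reg_look format shown in this thread; the two
# keys and their values are copied from the poster's output.
SAMPLE_REGLOOK = """\
A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows
(key has 0 subkeys and 7 value entries - last modified 07:46(UTC) 12/06/2004)
[AppInit_DLLs] = "" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
(key has 2 subkeys and 26 value entries - last modified 03:29(UTC) 27/11/2004)
[Userinit] = "userinit.exe,TGBRFV_" (REG_SZ)
----------------------------------------
"""

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOWS = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# One dumped value looks like: [Name] = "data" (REG_SZ)
VALUE_RE = re.compile(r'^\[(?P<name>[^\]]+)\] = "(?P<data>[^"]*)" \((?P<type>\w+)\)$')

def parse_reglook(text):
    """Map each dumped key path to its {value name: data} entries."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("HKLM\\", "HKCU\\")):
            current = keys.setdefault(line, {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            current[match.group("name")] = match.group("data")
    return keys

def check_logon_hooks(keys):
    """Return (value name, unexpected items) for Userinit and AppInit_DLLs."""
    # On a clean Windows 2000 system Userinit lists only userinit.exe (the
    # trailing comma is normal) and AppInit_DLLs is empty; anything else in
    # either value is loaded at every logon, so it is worth an analyst's look.
    findings = []
    userinit = keys.get(WINLOGON, {}).get("Userinit", "")
    extras = [item for item in (s.strip() for s in userinit.split(","))
              if item and item.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
    if extras:
        findings.append(("Userinit", extras))
    appinit = keys.get(WINDOWS, {}).get("AppInit_DLLs", "")
    dlls = [d for d in re.split(r"[ ,]+", appinit) if d]
    if dlls:
        findings.append(("AppInit_DLLs", dlls))
    return findings
```

On the sample, `check_logon_hooks(parse_reglook(SAMPLE_REGLOOK))` returns the single finding `("Userinit", ["TGBRFV_"])`; a full path such as `C:\WINNT\system32\userinit.exe,` is accepted as clean.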
#5
Registered User
Join Date: Nov 2004
Posts: 5
OS: Windows 2000
Hey...
For some reason it won't let me select the Unregister .dll before deleting box. Can check all the others but this one; any suggestions?
Also, I can't get these two files to delete from my TEMP folder: tmp6.tmp or ~DF4B0D.tmp. What should I do here?
#6
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
You can try the same process I laid out above from safe mode. Those Temp files (and that DLL) may be in use, so they can't be deleted. So reboot into safe mode and follow the instructions.
#7
Registered User
Join Date: Nov 2004
Posts: 5
OS: Windows 2000
here...
Re-booted in safe mode and followed the instructions from the print-out. Was able to delete all in the TEMP folder this time. Upon re-boot, here is the new HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 5:14:19 PM, on 11/27/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\PV92Tray.exe
C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
C:\Program Files\HijackThis.exe

F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winutp32.exe
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe "ERIC"
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [localmon] C:\WINNT\System32\localmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...5c336c858f6465
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

Also, if it helps, every time I re-boot I have to remove some trojan viruses. Used TDS3 each time to delete them, but they are back each time I boot up. Still have the xysearch as my homepage, etc. Thanks for all the help, it's very appreciated!! LMK what to do from here.
#8
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You don't seem to have an antivirus program installed. Please download a free one at Grisoft (http://www.grisoft.com). Install it and make sure to check for updates. Run a FULL scan!

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this site to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download WinsockFix and unzip it. Then double-click on it to run it.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Windows AdControl

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winutp32.exe
O4 - HKCU\..\Run: [localmon] C:\WINNT\System32\localmon.exe
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...35c336c858f6465
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\Program Files\Windows AdControl\
C:\winnt\system32\winutp32.exe
C:\WINNT\System32\localmon.exe
c:\counter.cab

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.
__________________
GO BIG BLUE!!