Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

a-search.biz HiJack

Started by Stevo839300 , Jan 15 2005 02:44 AM

  • Please log in to reply

#1
Stevo839300
Posted 15 January 2005 - 02:44 AM

Stevo839300

    New Member

  • Member
  • Pip
  • 9 posts
I have been hijacked for sometime now, the page that comes up is http://a-search.biz

HJT Log:
Logfile of HijackThis v1.98.2
Scan saved at 2:38:10 AM, on 1/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Steve\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105774080274

Any help removing the problem would be appreciated.
  • 0

Advertisements

#2
LineOFire
Posted 17 January 2005 - 11:10 AM

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Hello and welcome to GeeksToGo Forums. I hope you enjoy your stay here! :tazz:
  • Obtain list of irregular services:
  • Please download ServiceFilter.
  • Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
  • Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
  • If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
  • It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
  • Press Ctrl + A simultaneously to select all of the text.
  • Copy and paste the whole thing into your next post.
  • A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.
Download RegLook from here:

http://www.bleepingc...are/reglook.zip

Extract the contents of reglook.zip to a convenient location. Run the program and post the log it gives you into your next reply.
  • 0

#3
Stevo839300
Posted 17 January 2005 - 02:50 PM

Stevo839300

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Jan 17, 2005 2:47:24 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: pnpsvc
Display Name: Plug and Play svc service
Start Mode: Auto
Start Name: LocalSystem
Description: Provides plug and play svc devices ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 900
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{99fb527f-4dc3-4e1c-9baf-a1a8ac25b8a3}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 83 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 16.23047 seconds.

A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 7 value entries - last modified 23:32(UTC) 13/01/2005)
[AppInit_DLLs] = "wbsys.dll" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 4 subkeys and 31 value entries - last modified 08:20(UTC) 17/01/2005)
[Userinit] = "C:\WINDOWS\System32\userinit.exe," (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
(key has 0 subkeys and 5 value entries - last modified 15:02(UTC) 09/08/2003)
[Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" (REG_SZ)
----------------------------------------
  • 0

#4
LineOFire
Posted 17 January 2005 - 03:04 PM

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Alright, bad service identified! :tazz:

Start | Run | type services.msc | OK

Scroll down to Plug and Play svc service and double-click on it. Click "Stop" to stop the service and change it's Startup Type to Disabled. Then click Apply and OK to apply the settings.

Start | Run | type sc delete "pnpsvc" | OK

It should give you a message about the sucessful deletion.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Find and delete:

C:\WINDOWS\System32\wbsys.dll

Tell me if you don't see it.

Finally, restart and post a new HijackThis log. ;)
  • 0

#5
Stevo839300
Posted 17 January 2005 - 03:47 PM

Stevo839300

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.98.2
Scan saved at 3:46:13 PM, on 1/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Steve\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105774080274
  • 0

#6
LineOFire
Posted 17 January 2005 - 03:56 PM

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Log looks clean now. Great job! :tazz:

Are you having anymore problems?
  • 0

#7
Stevo839300
Posted 17 January 2005 - 04:00 PM

Stevo839300

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
the problem still hasn't changed at all, my explorer still is hijacked by http://a-search.biz
  • 0

#8
LineOFire
Posted 17 January 2005 - 04:35 PM

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Interesting...

Please post new ServiceFilter and Reglook logs.
  • 0

#9
Stevo839300
Posted 17 January 2005 - 11:58 PM

Stevo839300

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 7 value entries - last modified 23:32(UTC) 13/01/2005)
[AppInit_DLLs] = "wbsys.dll" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 4 subkeys and 31 value entries - last modified 21:44(UTC) 17/01/2005)
[Userinit] = "C:\WINDOWS\System32\userinit.exe," (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
(key has 0 subkeys and 5 value entries - last modified 15:02(UTC) 09/08/2003)
[Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" (REG_SZ)
----------------------------------------


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Jan 17, 2005 11:57:37 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: pnpsvc
Display Name: Plug and Play svc service
Start Mode: Auto
Start Name: LocalSystem
Description: Provides plug and play svc devices ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 864
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{99fb527f-4dc3-4e1c-9baf-a1a8ac25b8a3}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 83 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 1.679688 seconds.
  • 0

#10
LineOFire
Posted 18 January 2005 - 05:11 PM

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Service is still there and running. Try my above instructions again but this time do EVERYTHING in Safe Mode. Good luck!
  • 0

Advertisements

#11
Stevo839300
Posted 18 January 2005 - 05:52 PM

Stevo839300

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
When i try to stop the plug and play svc service it won't allow me to.

the error message says

Could not stop Plug and Play svc service on Local Computer.
The service did not return an error. This could be an internal Windows error or an internal service error.
  • 0

#12
LineOFire
Posted 18 January 2005 - 06:34 PM

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Have you tried the sc delete "pnpsvc" in Safe Mode yet? If not then do that.
  • 0

#13
Stevo839300
Posted 21 January 2005 - 12:54 AM

Stevo839300

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I tried deleting it in safe mode. When I typed into run what you said to, the screen simply flashed, and there was no alert confirming the deletion.
  • 0

#14
LineOFire
Posted 22 January 2005 - 07:39 PM

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
This thing is being stubborn. :tazz:

Start | Run | type regedit | OK

Navigate to this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters

In the right hand pane you should see a value named ServiceDll. Double-click on it and tell me what is listed there.
  • 0

#15
Stevo839300
Posted 24 January 2005 - 12:31 AM

Stevo839300

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
c:\windows\system32\tqodbmmk.dll
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP