A-search or xysearch hijackers


dvk01
November 10th, 2004, 10:21 AM
A new hijacker is starting to plague the net

It has no obvious entries in an HJT log to start with except possibly a reference to a-search.biz
and sometimes an F2 - REG:system.ini: UserInit=Userinit.exe,

The cure is to download reglook.zip. Unzip it to its own folder and double-click on the runme.bat file inside. Let it run, then post the log it produces in your next reply to this thread.
http://forums.techguy.org/attachment.php?attachmentid=43107

or from http://www.bleepingcomputer.com/files/reglook.php

That will produce a log like this one:

A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 6 value entries - last modified 15:43(UTC) 15/09/2004)
[AppInit_DLLs] = not present!
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 4 subkeys and 32 value entries - last modified 01:10(UTC) 10/11/2004)
[Userinit] = "Userinit.exe,TGBRFV_" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
(key has 0 subkeys and 5 value entries - last modified 19:47(UTC) 16/09/2001)
[Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" (REG_SZ)
----------------------------------------

Once we know the name of the baddy, which is almost always TGBRFV_*,

to fix:

Run Killbox and paste each of these lines into the box, select "delete on reboot" and "end explorer shell before deleting". On any .dll file tick "unregister dll before deleting", then press the red X button. When it says reboot now, say no and continue to paste the lines in, one at a time, following the above procedure every time. DO NOT let it reboot yet.


C:\WINDOWS\System32\TGBRFV_.exe
C:\WINDOWS\System32\TGBRFV_5.dll
C:\WINDOWS\System32\TGBRFV_.dll
C:\WINDOWS\System32\TGBRFV_5.exe


Then go to Start > Run and type %temp% in the Run box, press OK. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.

The files will be hidden and only Killbox or a similar delete-on-reboot mechanism works; any attempt to delete them manually results in a total reinfection.

Always Killbox all 4 of the above named files at the same time. Many infections will only have 1 .exe and 1 .dll, which might or might not have the _5 suffix.

Then, once the files are deleted and the temp folders emptied, the full F2 entry in an HJT log and the R0 and R1 entries will appear and can be fixed with HJT as normal.