A-search or xysearch hijackers

Discussion in 'news, general information and FAQs' started by dvk01, Nov 10, 2004.

Thread Status:
Not open for further replies.
    A new hijacker is starting to plague the net

    It has no obvious entries in an HJT log to start with, except possibly a reference to a-search.biz
    and sometimes an F2 - REG:system.ini: UserInit=Userinit.exe,

    The cure is to download reglook.zip. Unzip it to its own folder and double-click on the runme.bat file inside. Let it run, then post the log it produces in your next reply to this thread.
    http://forums.techguy.org/attachment.php?attachmentid=43107

    or from http://www.bleepingcomputer.com/files/reglook.php

    That will produce a log like this one:

    A reg_look by IMM
    ----------------------------------------
    Handle OK.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    (key has 0 subkeys and 6 value entries - last modified 15:43(UTC) 15/09/2004)
    [AppInit_DLLs] = not present!
    ----------------------------------------
    Handle OK.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    (key has 4 subkeys and 32 value entries - last modified 01:10(UTC) 10/11/2004)
    [Userinit] = "Userinit.exe,TGBRFV_" (REG_SZ)
    ----------------------------------------
    Handle OK.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
    (key has 0 subkeys and 5 value entries - last modified 19:47(UTC) 16/09/2001)
    [Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" (REG_SZ)
    ----------------------------------------

    Once we know the name of the baddy, which is almost always TGBRFV_*:

    To fix:

    Run Killbox and paste each of these lines into the box, select "delete on reboot" and "end explorer shell before deleting". On any dll file tick "unregister dll before deleting", then press the red X button. When it says reboot now, say no, and continue to paste the lines in in turn, following the above procedure every time. DO NOT let it reboot yet.


    C:\WINDOWS\System32\TGBRFV_.exe
    C:\WINDOWS\System32\TGBRFV_5.dll
    C:\WINDOWS\System32\TGBRFV_.dll
    C:\WINDOWS\System32\TGBRFV_5.exe


    Then go to Start > Run and type %temp% in the Run box, and press OK. The Temp folder will open. Click Edit > Select All, then Edit > Delete to delete the entire contents of that Temp folder.

    The files will be hidden and only Killbox or a similar delete-on-reboot mechanism works; any attempt to delete manually results in a total reinfection.

    Always Killbox all 4 of the above named files at the same time. Many infections will only have 1 .exe and 1 .dll, which might or might not have the _5 suffix.

    Then, once the files are deleted and the temp folders emptied, the full F2 entry in an HJT log and the R0 & R1 entries will appear and can be fixed with HJT as normal.
    Last edited: Nov 14, 2004
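Added example, not part of dvk01's post or of the reglook tool: a small Python parser for the reg_look log layout quoted above that flags the detection point the post relies on, anything listed in the Winlogon Userinit value besides userinit.exe itself (plus any AppInit_DLLs entry). The function names and the sample log are constructed for this example.

```python
import re

# Constructed sample in the reg_look layout quoted in the post (not a real capture).
SAMPLE_LOG = r"""A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 6 value entries - last modified 15:43(UTC) 15/09/2004)
[AppInit_DLLs] = not present!
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 4 subkeys and 32 value entries - last modified 01:10(UTC) 10/11/2004)
[Userinit] = "Userinit.exe,TGBRFV_" (REG_SZ)
----------------------------------------
"""

# Matches '[Name] = "data" (TYPE)' or '[Name] = not present!'
VALUE_RE = re.compile(r'^\[(?P<name>[^\]]+)\] = (?:"(?P<data>[^"]*)"|(?P<raw>.+))')

def parse_reglook(text):
    """Map each HKLM key path in the log to {value_name: data}; 'not present!' -> None."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKLM\\"):
            current = line.strip()
            keys[current] = {}
        elif current is not None and line.startswith("["):
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("data")
    return keys

def userinit_extras(data):
    """Entries in a Userinit value other than userinit.exe (bare name or full path).
    Winlogon runs every program listed here at logon, so anything extra is a persistence point."""
    if data is None:
        return []
    parts = [p.strip() for p in data.split(",") if p.strip()]
    return [p for p in parts if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]

def check_log(text):
    """Return findings for a reg_look log: extra Userinit programs and any AppInit_DLLs."""
    findings = []
    for key, values in parse_reglook(text).items():
        if key.endswith("\\Winlogon"):
            for extra in userinit_extras(values.get("Userinit")):
                findings.append(f"Userinit launches extra program: {extra}")
        if key.endswith("\\Windows") and values.get("AppInit_DLLs"):
            findings.append(f"AppInit_DLLs set: {values['AppInit_DLLs']}")
    return findings
```

Running `check_log(SAMPLE_LOG)` on the constructed log reports the TGBRFV_ entry; a clean machine, whose Userinit is just `userinit.exe,` (with or without its full path), produces no findings.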