
Help me please


18 replies to this topic

#1 alliecarter24

Posted 09 August 2005 - 01:24 PM

A few days ago a yupsearch toolbar appeared (along with some annoying beeps) and took the place of my Yahoo toolbar on my Internet Explorer. I have tried Spybot, SpyKiller Pro, and Elite Toolbar Remover, none of which have worked. I was wary of using HJT because I really don't know much at all about the registry of a computer. So I could really use some help. Thanks in advance!
Here's my log of HJT:

Logfile of HijackThis v1.99.1
Scan saved at 2:18:59 PM, on 8/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\sf\sf.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
C:\Documents and Settings\Owner\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1053ab7c9a1f41...ip/RdxIE601.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

Edited by alliecarter24, 09 August 2005 - 01:25 PM.



#2 g2i2r4 (Malware remover)

Posted 11 August 2005 - 08:44 AM

Welcome alliecarter24 to Bleeping Computer.

Download LQfix by Miekemoes.
Unzip it to your desktop.
Don't use it yet.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each:

C:\Program Files\COMMON files\tsa\tsl.exe
C:\Program Files\sf\sf.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe

O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1053ab7c9a1f41...ip/RdxIE601.cab

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Run LQfix and reboot the computer back to normal mode.

***

Do a full system scan:
Panda ActiveScan
Save the report.

***

Post back with a fresh log using HijackThis and Panda report.


Life is what happens while you're making other plans
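As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage script that applies the kind of checks the helper made above to HijackThis log lines: blanked IE search settings, a missing URLSearchHook, Run entries launching from unusual or unbranded folders, orphaned O9 buttons and O16 downloads without a class description. The sample lines are copied from the log posted in this thread; the heuristics, names and thresholds are assumptions of mine, meant to surface candidates for a human to review, not verdicts.

```python
"""HijackThis log triage (added example; not code from this thread or from
HijackThis). Flags the kinds of entries the helper singled out above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1053ab7c9a1f41...ip/RdxIE601.cab
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the heuristic fired
    line: str      # the original log line


HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Run-entry names that mimic Windows components and end in a number
# ("System service62" in the log above) are a classic adware tell.
GENERIC_NAME = re.compile(r"^(?:system|windows|service)[ a-z]*\d+$", re.I)
WINDOWS_SYSTEM_DIRS = ("\\system32\\", "\\system\\")


def _exe_path(cmd: str) -> str:
    """Extract the executable path from a Run value, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ")[0]


def _check_run_entry(body: str) -> Optional[str]:
    m = O4_RUN.match(body)
    if not m:
        return None
    name = m.group("name")
    path_orig = _exe_path(m.group("cmd"))
    path = path_orig.lower()
    leaf = path_orig.rpartition("\\")[0].rpartition("\\")[2]  # parent folder name
    if GENERIC_NAME.match(name):
        return f"generic numbered entry name '{name}'"
    if path.startswith("c:\\windows\\") and not any(d in path for d in WINDOWS_SYSTEM_DIRS):
        return "autostart from a non-standard folder under C:\\WINDOWS"
    # Noisy heuristic (assumption): vendors rarely install into short,
    # all-lowercase folders under Program Files ("sf", "tsa" in this log).
    if ("program files" in path or "progra~1" in path) and len(leaf) <= 3 and leaf.islower():
        return f"autostart from short, unbranded folder '{leaf}'"
    return None


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if it looks benign."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reason = None
    if sec in ("R0", "R1"):
        # Hijackers often blank the search/start settings they replace.
        value = body.partition(" =")[2].strip()
        if value in ("", "about:blank"):
            reason = "IE search/start page setting blanked"
    elif sec == "R3" and "missing" in body:
        reason = "default URLSearchHook removed"
    elif sec == "O4":
        reason = _check_run_entry(body)
    elif sec == "O9" and body.endswith("(no file)"):
        reason = "orphaned browser button (no file behind it)"
    elif sec == "O16" and not re.match(r"DPF: \{[0-9A-Fa-f-]+\} \(", body):
        # Well-formed DPF lines read '{CLSID} (Description) - URL'.
        reason = "ActiveX download entry without a class description"
    return Finding(sec, reason, line.strip()) if reason else None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and keep only the hits, in log order."""
    return [f for f in map(check_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```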

#3 alliecarter24 (Topic Starter)

Posted 11 August 2005 - 02:32 PM

The beeping and toolbar are gone! Thank you so much. When I ran Panda scan it said that 47 spyware files were found. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 3:28:41 PM, on 8/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe



Panda report:

Incident Status Location

Spyware:spyware/betterinet No disinfected C:\WINDOWS\SYSTEM32\in10b6s.dll
Adware:adware/megasearch No disinfected C:\WINDOWS\SYSTEM32\megaV2Wbr.dll
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM32\msbb321.dll
Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/elitebar No disinfected C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\suicidetb.exe
Adware:adware/sqwire No disinfected C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ts_8_new.exe
Adware:adware/searchforit No disinfected C:\PROGRAM FILES\sf
Adware:adware/savenow No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\1049546_3568_996_4024_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\1246156_3568_996_1640_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\132144_3568_996_2652_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\1376882_372_996_748_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\1573128_3568_996_2836_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\197578_3568_996_700_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\197680_3568_996_3188_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\197924_3568_996_2456_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\328524_372_996_3716_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\328652_3568_996_2932_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\525308_3568_996_2220_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\590428_3568_996_3448_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\590620_372_996_2276_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\66878_3568_996_936_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\787402_3568_996_2256_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\852250_3568_996_1860_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\852418_3568_996_1668_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\852988_3568_996_3036_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\983604_1172_996_1904_62.41.tmp
Adware:Adware/eZula No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\GLF23CGLF23C.EXE
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\suicidetb.exe
Adware:Adware/eZula No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\DKCN9LWP\ts_8_new[1].exe
Possible Virus. No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\G16FG1UV\AIMFix[1].exe
Adware:Adware/Searchforit No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\MP78DSR2\SYSsfitb[1].dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\V353B5WK\ezStub[1].exe
Virus:Trj/Favadd.G Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\W1EJ0HIF\sfita[1].exe
Adware:Adware/eZula No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\ts_8_new.exe
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\uninstall.exe
Adware:Adware/NetPals No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20050405215158.zip[ATPartners.dll]
Adware:Adware/Sqwire No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25F.tmp
Adware:Adware/NetPals No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq260.tmp
Adware:Adware/eZula No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26E.tmp
Adware:Adware/Searchforit No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F2.tmp
Adware:Adware/NetPals No disinfected C:\WINDOWS\96wu19rd.exe
Adware:Adware/Searchforit No disinfected C:\WINDOWS\system32\ca2.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\in10b6s.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\msbb321.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\shawn_1.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\SplWbr.dll
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\vm_d.dll
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\vm_d.exe

#4 g2i2r4 (Malware remover)

Posted 11 August 2005 - 03:02 PM

The HijackThis log looks good.

Some items were found in the quarantine box:
C:\Program Files\Yahoo!\YPSR\Quarantine\

You can clean them from within the Yahoo Anti-spy application by cleaning out the quarantine box there.

***

Lots were found in temp folders. Let's clean them out.

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingcomputer.com/tutorials/how-to-use-cleanup/

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

Meanwhile I will prepare advice to remove the others.



#5 g2i2r4 (Malware remover)

Posted 11 August 2005 - 03:04 PM

Can you post me an uninstall list to see if there are programs that belong to the files found?
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from Notepad into your post




#6 alliecarter24 (Topic Starter)

Posted 11 August 2005 - 03:50 PM

I'm not sure if this has anything to do with all the spyware that is on my computer, but I have not been able to sign in to my hotmail email account, my msn messenger, and the DMV website (in order to schedule my driver's test). This is the link for the DMV website. https://www.dot4.state.pa.us/contact_us/index.shtml I was wondering if you would be able to tell me why I am unable to access this and hotmail. Thanks so much! Here is the list of programs you asked for:

Adobe Photoshop Album Starter Edition
Adobe Reader 6.0
Air USB Utility
AOL Instant Messenger
CC_ccStart
ccCommon
CCHelp
CCScore
CleanUp!
Compaq Connections
Compaq Instant Support
Compaq Organize
CR2
CXP Plug-In
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSvpaht
ESSvpot
HijackThis 1.99.1
HLPCCTR
HLPIndex
HLPSFO
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Photo and Imaging 2.0 - Photosmart Cameras
HP PSC & OfficeJet 3.0
HP PSC & OfficeJet 3.5
HP Software Update
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
Internet Explorer Q828750
Java 2 Runtime Environment, SE v1.4.2
KBD
Kodak EasyShare software
KSU
LimeWire
LimeWire 4.8.1
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft Office 2000 Premium
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft Works 7.0
MSRedist
MUSICMATCH® Jukebox
Network Play System (Patching)
NIOC Service
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton Personal Firewall
Norton WMI Update
Notifier
NVIDIA GART Driver
OfotoXMI
OTtBP
OTtBPSDK
Outlook Express Update Q330994
Panda ActiveScan
PCDLNCH
Photosmart 140,240,7200,7600,7700,7900 Series
PhotoSuite 7 Platinum
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
QuickTime
RealPlayer
RecordNow!
Rio Internet Update
Rio Music Manager
Rio Taxi
SFR
SFR2
Snood for Windows version 3.52-W
Sonic Update Manager
SpamSubtract
SpyWare Killer Pro
SymNet
TI Connect™ 1.1
Ultralingua 5.0
VCAMCEN
Viewpoint Media Player
VPRINTOL
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824146
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See q329256 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329112
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329909
Windows XP Hotfix (SP2) Q331953
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811789
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q815485
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
WZCBDL Service
Yahoo! Address AutoComplete
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger

#7 g2i2r4 (Malware remover)

Posted 11 August 2005 - 04:18 PM

Try this - with all browser windows closed, go to Start->Run and copy and paste each of the following, hitting OK after each:
regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll
Reboot, then try to access the sites that were giving you problems again.

***

To remove the leftovers:

Use Windows Explorer to remove this folder:

C:\PROGRAM FILES\sf
Close Windows Explorer when you are done.

***

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

***

Go to start - run
in the command box type:
regsvr32.exe /u /s
in words: regsvr32.exe space /u space /s space

at the end put these files one by one:
C:\WINDOWS\SYSTEM32\in10b6s.dll
C:\WINDOWS\SYSTEM32\megaV2Wbr.dll
C:\WINDOWS\SYSTEM32\msbb321.dll
C:\WINDOWS\system32\ca2.dll
C:\WINDOWS\system32\in10b6s.dll
C:\WINDOWS\system32\msbb321.dll
C:\WINDOWS\system32\shawn_1.dll
C:\WINDOWS\system32\SplWbr.dll
C:\WINDOWS\system32\vm_d.dll

So the first one would be:
regsvr32.exe /u /s C:\WINDOWS\SYSTEM32\in10b6s.dll
press OK after each one. Wait for the 'merge successful' message and move on to the next.

After you did all that:

***

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each:

C:\WINDOWS\SYSTEM32\in10b6s.dll
C:\WINDOWS\SYSTEM32\megaV2Wbr.dll
C:\WINDOWS\SYSTEM32\msbb321.dll
C:\WINDOWS\system32\ca2.dll
C:\WINDOWS\system32\in10b6s.dll
C:\WINDOWS\system32\msbb321.dll
C:\WINDOWS\system32\shawn_1.dll
C:\WINDOWS\system32\SplWbr.dll
C:\WINDOWS\system32\vm_d.dll
C:\WINDOWS\system32\vm_d.exe
C:\WINDOWS\96wu19rd.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Let me know how things are now.

Edited by g2i2r4, 11 August 2005 - 04:19 PM.




#8 alliecarter24 (Topic Starter)

Posted 11 August 2005 - 05:01 PM

Unfortunately, I'm still unable to access those sites. Also after I restored the original hosts, I tried to run those commands. However, I'm not getting any "merge successful" message after them. Should I enter them anyway without getting those messages or should I skip ahead and run KillBox? Thanks again!

#9 g2i2r4 (Malware remover)

Posted 12 August 2005 - 03:50 AM

Run them anyway, then do the killbox part.

Did you recently start using a different modem/router?



#10 alliecarter24 (Topic Starter)

Posted 12 August 2005 - 10:11 AM

I have been using the same router for the past year. It is a D-Link DI-514 802.11b wireless router and I have the D-Link DWL-122 Wireless USB Adapter for it. I do tend to lose the signal a lot of the time, but other than that I haven't had any problems accessing those sites until the toolbar appeared. Thanks for all the help you've been providing me with!

#11 g2i2r4 (Malware remover)

Posted 12 August 2005 - 01:38 PM

Open IE, go to TOOLS > Internet Options > Advanced and scroll to bottom of list. Options there are for SSL, TLS, etc. Make sure they are all on.

or

UNCHECK the box for Enable Third Party Browser Extensions in the Advanced Section (all other settings in the Advanced Section set to Default). Click "Apply" then reboot the computer.

or

a. Click Start > Settings > Control Panel
b. Select Internet Options
c. Select the Programs tab
d. Click Reset Web Settings
e. Click OK
f. Exit Control Panel

Does one of these options help?



#12 alliecarter24 (Topic Starter)

Posted 12 August 2005 - 01:54 PM

Unfortunately, none of those options worked.

#13 g2i2r4 (Malware remover)

Posted 12 August 2005 - 02:36 PM

Download IEfix.
Unzip and run it.
Click apply.
You'll be prompted for the Operating System CD or the Service Pack Files location:

* insert the Operating System CD. For OEM systems, point to the Operating System source path when prompted. If you've applied a Service Pack separately, you need to insert the Slipstreamed Operating System CD (if you have one) or point the installer to the ServicePack source path when prompted (see Fig below). Mention the path as "C:\Windows\ServicePackFiles\i386" or "C:\Windows\ServicePackFiles"

* If you don't have the Windows installation CD, and if the installation source files are not present in the hard disk, you may click Cancel when you see a dialog similar to Fig below. IEFix will continue with DLL registration part.


[Figure: the IEFix dialog asking for the Operating System CD or Service Pack files location]

Restart Windows.

thanks to Ramesh Srinivasan



#14 alliecarter24 (Topic Starter)

Posted 12 August 2005 - 07:17 PM

Still no luck. I can't get those sites to work.

#15 g2i2r4 (Malware remover)

Posted 14 August 2005 - 06:47 AM

Let's see if it's the computer keeping you away from these sites or just Internet Explorer.

Go here and download Firefox. It's a browser like Internet Explorer.

Let me know if you can access the sites using Firefox.

