
I've Been Violated By Spyware And Adware!


14 replies to this topic

#1 IH8Spywre

Posted 02 November 2005 - 02:41 AM

This sucks majorly. I have some spyware and adware on my computer and I can't handle it anymore! I have anti-spyware and adware programs and this crap still crept into my computer. This is a miscarriage of justice, people! I need help baaaaaaad.... I did a HijackThis log; can any kind peeps give me a hand with this?


Logfile of HijackThis v1.99.1
Scan saved at 12:31:23 AM, on 11/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Cox\Applications\app\ARSAsync.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\FRU\Remind32.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\nda.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\itual.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Compaq_Owner\My Documents\Hijack This!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddabb.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\system32\sfi2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\FRU\Remind32.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: HPAiODevice(hp officejet 5100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddabb - C:\WINDOWS\system32\ddabb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Program Files\InterMute\SpySubtract\CWShredder.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


#2 -David-

Posted 02 November 2005 - 02:45 AM

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\ddabb.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\bbadd.*
    This will be the Vundo filename spelled backwards. For example, if the Vundo DLL was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddabb.dll
    O20 - Winlogon Notify: ddabb - C:\WINDOWS\system32\ddabb.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

David
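The steps above boil down to three things a helper reads off the HijackThis log: a DLL that appears both as an O2 BHO and as an O20 Winlogon Notify entry, the reversed-name companion path VundoFix asks for as the second file path, and the two HijackThis lines to tick afterwards (plus any "(file missing)" leftovers once the file is gone). The script below is an added example written for this thread; it is not part of HijackThis, VundoFix, or David's instructions. The sample log lines are constructed from the log posted above, and all function names (`parse_hjt`, `find_bho_winlogon_pairs`, `reversed_companion`, `entries_to_fix`, `orphaned_entries`, `report`) are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 format, modelled on the log posted in
# this thread. The two ddabb.dll lines are the entries the fix targets; the
# O18 line shows the "(file missing)" marker HijackThis appends when a
# registration points at a file that no longer exists.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddabb.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddabb - C:\WINDOWS\system32\ddabb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Section code (R0, F2, O2, O20, ...) followed by " - " and the rest of the line.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str   # HijackThis section code, e.g. "O2" or "O20"
    name: str      # first field after the code, e.g. "BHO: MSEvents Object"
    path: str      # last " - " separated field, surrounding quotes stripped
    missing: bool  # True when HijackThis flagged the file as missing
    raw: str       # the original line, exactly as you would tick it in HijackThis


def parse_hjt(text: str) -> list:
    """Parse HijackThis log lines into Entry records; lines that don't match are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group("body")
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        parts = [p.strip() for p in body.split(" - ")]
        entries.append(Entry(m.group("section"), parts[0], parts[-1].strip('"'), missing, raw))
    return entries


def find_bho_winlogon_pairs(entries: list) -> list:
    """DLLs registered both as an O2 BHO and as an O20 Winlogon Notify package.

    That pairing is the Vundo pattern this thread is cleaning up: the same DLL
    is loaded into Internet Explorer and into winlogon.exe, so it is in use
    from boot and cannot be deleted normally (hence Safe Mode and VundoFix)."""
    bho = {e.path.lower(): e.path for e in entries if e.section == "O2"}
    notify = {e.path.lower() for e in entries if e.section == "O20"}
    return [bho[k] for k in sorted(bho) if k in notify]


def reversed_companion(dll_path: str) -> str:
    """Second path VundoFix asks for: the DLL's base name spelled backwards with a
    wildcard extension (vundo.dll -> odnuv.*), in the same directory."""
    directory, _, filename = dll_path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return f"{directory}\\{stem[::-1]}.*"


def entries_to_fix(entries: list, dll_path: str) -> list:
    """The HijackThis lines to tick and 'Fix checked' for a given DLL."""
    return [e.raw for e in entries if e.path.lower() == dll_path.lower()]


def orphaned_entries(entries: list) -> list:
    """Lines HijackThis marked '(file missing)': the registration is still in the
    registry but the file is gone. After VundoFix deletes the DLL, its O2/O20
    lines show up like this until they are fixed in HijackThis."""
    return [e.raw for e in entries if e.missing]


def report(text: str):
    """Map each BHO+Winlogon DLL to its VundoFix second path and HijackThis lines,
    and list orphaned entries separately."""
    entries = parse_hjt(text)
    pairs = {}
    for dll in find_bho_winlogon_pairs(entries):
        pairs[dll] = {"second_path": reversed_companion(dll),
                      "fix": entries_to_fix(entries, dll)}
    return pairs, orphaned_entries(entries)


if __name__ == "__main__":
    pairs, orphans = report(SAMPLE_LOG)
    for dll, info in pairs.items():
        print(f"VundoFix first path : {dll}")
        print(f"VundoFix second path: {info['second_path']}")
        print("Tick in HijackThis:")
        for line in info["fix"]:
            print("   ", line)
    print("Orphaned (file missing) entries:")
    for line in orphans:
        print("   ", line)
```

To run it against a real log, replace `SAMPLE_LOG` with the contents of the saved hijackthis.log file. The pair check only covers the O2/O20 combination the thread deals with; a DLL that shows up only once is not flagged, which is deliberate, since plenty of legitimate BHOs and Winlogon Notify packages (the Adobe and Intel lines in the sample) appear on their own.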

#3 -David-

Posted 02 November 2005 - 02:49 AM

Also, to track this topic and receive email updates when I reply:
  • Please subscribe to the thread by looking at the top and clicking "Track this topic".
  • Visit "My Control Panel" and enable email notification.
  • Don't start a new topic; keep replies within here.


#4 IH8Spywre
  • Topic Starter


Posted 03 November 2005 - 11:43 PM

Hey, thanks for your help, David... I did what you advised! Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:38:56 PM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Cox\Applications\app\ARSAsync.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\FRU\Remind32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\nda.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\Compaq_Owner\My Documents\Hijack This!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\system32\sfi2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\FRU\Remind32.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: HPAiODevice(hp officejet 5100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddabb - C:\WINDOWS\system32\ddabb.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Program Files\InterMute\SpySubtract\CWShredder.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Here's the Vundofix.txt file.....
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\ddabb.dll

The second filepath entered was C:\WINDOWS\SYSTEM32\bbadd

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 364 'smss.exe'

Killing PID 1416 'explorer.exe'


Killing PID 444 'winlogon.exe'
Killing PID 444 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\ddabb.dll Deleted sucessfully.
C:\WINDOWS\SYSTEM32\bbadd Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

And here's the ActiveScan file.....
Incident Status Location

Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1B.tmp\seng.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1D.tmp\apev.exe
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1D.tmp\CHPON.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1D.tmp\eapbh.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1D.tmp\sepng.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq22.tmp\apev.exe
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq22.tmp\CHPON.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq22.tmp\eapbh.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq22.tmp\sepng.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq97.tmp\seng.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqA8.tmp\seng.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp\apev.exe
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp\CHPON.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp\eapbh.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp\sepng.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp\wo.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005130.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005131.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005132.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005133.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005137.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005140.dll
Adware:Adware/NetPals No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005146.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005177.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005178.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006227.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006228.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006229.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006230.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006234.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006237.dll
Adware:Adware/Favadd No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009554.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009559.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009562.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009563.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009564.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009565.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009571.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009631.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009756.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009759.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009760.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009761.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009762.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009767.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009769.exe
Adware:Adware/Favadd No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009839.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP44\A0013946.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015025.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015027.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015029.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015032.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015033.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015034.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015035.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015038.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015040.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015042.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015117.exe
Adware:Adware/Favadd No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015119.exe
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015177.dll
Adware:Adware/Searchforit No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0016190.dll
Adware:Adware/Searchforit No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0016255.dll
Adware:Adware/Searchforit No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0016287.dll
Adware:Adware/Searchforit No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0016308.dll
Adware:Adware/Favadd No disinfected C:\WINDOWS\eso.exe
Adware:Adware/Favadd No disinfected C:\WINDOWS\eyn.exe
Adware:Adware/Favadd No disinfected C:\WINDOWS\fmw.exe
Adware:Adware/Favadd No disinfected C:\WINDOWS\itual.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezStub.exe
Adware:Adware/Searchforit No disinfected C:\WINDOWS\system32\sfi2.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\vtstq.dll

#5 -David-

Posted 04 November 2005 - 01:19 PM

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.

There is a bit to do on the log - I can almost guarantee ewido will remove something - it's also a good free tool to keep in your arsenal! :thumbsup:

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck.
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post a new HJT log and the ewido log at the end! :flowers:
David
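The HijackThis log that opens this thread, and the fresh one asked for at the end of these steps, is triaged by hand. As an added example (not code from the thread, from HijackThis or from ewido), here is a small Python script that applies the first checks a helper makes: orphaned "(file missing)" entries, a UserInit that is not the stock userinit.exe, O6 policy restrictions, O4 autoruns pointing at files the ewido report already named, and R0/R1 search URLs on the searchforit domain. The sample lines are copied from the log in this thread; the flagging rules are this example's own heuristics.

```python
"""Triage of a HijackThis v1.99 log: an added example, not code from this
thread, from HijackThis or from ewido.  It parses the 'Xn - body' lines and
applies the first checks a removal helper makes by hand.  SAMPLE_LOG is a
constructed sample of lines copied from the log in this thread; DETECTED_PATHS
and KNOWN_BAD_DOMAINS come from the ewido / Panda detections posted there."""
import re
from urllib.parse import urlparse

# Constructed sample: lines taken from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: ddabb - C:\WINDOWS\system32\ddabb.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CWShredder Service - Unknown owner - C:\Program Files\InterMute\SpySubtract\CWShredder.exe (file missing)
"""

# Files the ewido report in this thread already named as malware.
DETECTED_PATHS = {r"C:\Program Files\sf\sf.exe", r"C:\WINDOWS\system32\sfi2.dll"}
# Search-hijack domain matching the Adware.Searchforit detections.
KNOWN_BAD_DOMAINS = {"searchforit.com"}

# Windows XP's stock UserInit value names userinit.exe; anything else means the
# logon chain has been replaced, one of the first things a helper checks.
DEFAULT_USERINIT = "userinit.exe"

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# First executable-looking path in an autorun fragment; surrounding quotes and
# switches after the extension are dropped.  A heuristic that suits O4 lines.
PATH_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|bat|pif))', re.IGNORECASE)


def parse_hjt(text):
    """Yield (kind, body) for every 'Xn - body' line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def autorun_path(body):
    r"""Pull the launched file out of an O4 body such as 'HKCU\..\Run: [sf] C:\dir\sf.exe'."""
    fragment = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
    m = PATH_RE.match(fragment.strip())
    return m.group(1) if m else None


def url_host(body):
    """Host of the URL on the right-hand side of an R0/R1 line, or None."""
    value = body.split(" = ", 1)[-1].strip()
    return urlparse(value).hostname if "://" in value else None


def triage(text, detected_paths=frozenset(), bad_domains=frozenset()):
    """Return [(kind, reason, body)] for every entry that needs a closer look."""
    detected = {p.lower() for p in detected_paths}
    findings = []
    for kind, body in parse_hjt(text):
        if "(file missing)" in body:
            # Dangling reference: harmless if the product was simply uninstalled
            # (CWShredder here), a remnant if the file was quarantined; fix either way.
            findings.append((kind, "referenced file is missing", body))
        elif kind == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1].split(",")[0]
            if value.rsplit("\\", 1)[-1].lower() != DEFAULT_USERINIT:
                findings.append((kind, "UserInit is not the stock userinit.exe", body))
        elif kind == "O4":
            path = autorun_path(body)
            if path and path.lower() in detected:
                findings.append((kind, "autorun points at a scanner-detected file", body))
        elif kind == "O6":
            # IE options locked down via policy; flag unless it was set deliberately.
            findings.append((kind, "IE policy restriction present", body))
        elif kind in ("R0", "R1"):
            host = url_host(body)
            if host and any(host == d or host.endswith("." + d) for d in bad_domains):
                findings.append((kind, "search/start URL points at hijacker domain", body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG, DETECTED_PATHS, KNOWN_BAD_DOMAINS):
        print(f"{kind:<4} {reason}: {body}")
```

The loopback ProxyOverride and the vendor entries (hkcmd, igfxcui) are deliberately left unflagged, which is what keeps a rule set like this from producing the noise a helper then has to read past.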

#6 IH8Spywre

Posted 04 November 2005 - 03:06 PM

Alrighty...did that stuff (thanks again) and here are the logs.....I think some of that stuff really worked!
EWIDO:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:54:48 PM, 11/4/2005
+ Report-Checksum: 801DB8FF

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{832BEBED-C3DA-4534-A2C2-B2FFF220C820} -> Spyware.Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C109664B-CEB1-420b-B353-D55A561536DD} -> Spyware.AdShooter : Cleaned with backup
HKLM\SOFTWARE\Classes\drs.n -> Adware.Searchforit : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2DB1A6DF-8120-47BD-9DCE-CFCD47B17B24} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl -> Adware.Searchforit : Cleaned with backup
HKLM\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl\CLSID -> Adware.Searchforit : Cleaned with backup
HKLM\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl\CLSID\\ -> Spyware.Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl\CurVer -> Adware.Searchforit : Cleaned with backup
HKLM\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl.1 -> Adware.Searchforit : Cleaned with backup
HKLM\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl.1\CLSID\\ -> Spyware.Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\SYI.SYIObj -> Adware.Searchforit : Cleaned with backup
HKLM\SOFTWARE\Classes\SYI.SYIObj\CLSID -> Adware.Searchforit : Cleaned with backup
HKLM\SOFTWARE\Classes\SYI.SYIObj\CLSID\\ -> Spyware.AdShooter : Cleaned with backup
HKLM\SOFTWARE\Classes\SYI.SYIObj\CurVer -> Adware.Searchforit : Cleaned with backup
HKLM\SOFTWARE\Classes\SYI.SYIObj.1 -> Adware.Searchforit : Cleaned with backup
HKLM\SOFTWARE\Classes\SYI.SYIObj.1\CLSID\\ -> Spyware.AdShooter : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{C109664B-CEB1-420b-B353-D55A561536DD} -> Spyware.AdShooter : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\DR_S -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\DR_S\dp -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\DR_S\dp\adsh -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\DR_S\dp\ca -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\DR_S\dp\ezu -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\DR_S\dp\sfisb -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\DR_S\dp\sfitb -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\DR_S\dp\sfitb\154 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\DR_S\dp\sfitb\76 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\DR_S\dp\sfitb\78 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\DR_S\dp\ts -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C109664B-CEB1-420B-B353-D55A561536DD} -> Spyware.AdShooter : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C109664B-CEB1-420B-B353-D55A561536DD} -> Spyware.AdShooter : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\searchforit -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\searchforit\searchforit -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\searchforit\searchforit\Historyfiles -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2182039365-2520973280-4235848548-1008\Software\searchforit\searchforit\Historys1 -> Adware.Searchforit : Cleaned with backup
[3088] C:\WINDOWS\system32\sfi2.dll -> Spyware.SearchIt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1B.tmp\seng.dll -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1D.tmp\apev.exe -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1D.tmp\CHPON.dll -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1D.tmp\eapbh.dll -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq22.tmp\apev.exe -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq22.tmp\CHPON.dll -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq22.tmp\eapbh.dll -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq97.tmp\seng.dll -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqA8.tmp\seng.dll -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp\apev.exe -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp\CHPON.dll -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp\eapbh.dll -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@coxhsi.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@excite[1].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@msxml.excite[2].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@sel.as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Program Files\Common Files\tsa\tsl.exe -> TrojanDownloader.TSUpdate.f : Cleaned with backup
C:\Program Files\sf\sf.exe -> TrojanDownloader.Small.hs : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005130.exe -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005131.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005132.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005140.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005146.dll -> TrojanDownloader.Rameh.c : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005177.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005178.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006227.exe -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006228.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006229.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006237.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009554.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009559.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009562.exe -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009563.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009564.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009756.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009759.exe -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009760.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009761.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009839.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP36\A0011304.exe -> TrojanDownloader.TSUpdate.f : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015002.exe -> TrojanDownloader.TSUpdate.f : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015025.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015029.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015032.exe -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015033.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015034.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015117.exe -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015119.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015177.dll -> Trojan.Crypt.o : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0016190.dll -> Spyware.SearchIt : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0016255.dll -> Spyware.SearchIt : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0016287.dll -> Spyware.SearchIt : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0016308.dll -> Spyware.SearchIt : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0016350.dll -> Spyware.SearchIt : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0016390.dll -> Spyware.SearchIt : Cleaned with backup
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016417.dll -> Spyware.SearchIt : Cleaned with backup
C:\WINDOWS\eso.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\eyn.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\fmw.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\itual.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\ezStub.exe -> Adware.eZula : Cleaned with backup
C:\WINDOWS\system32\sfi2.dll -> Spyware.SearchIt : Cleaned with backup
C:\WINDOWS\system32\vtstq.dll -> Trojan.Crypt.o : Cleaned with backup


::Report End
HIJACK THIS:

Logfile of HijackThis v1.99.1
Scan saved at 1:02:12 PM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Cox\Applications\app\ARSAsync.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\FRU\Remind32.exe
C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\nda.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Compaq_Owner\My Documents\Hijack This!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\FRU\Remind32.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: HPAiODevice(hp officejet 5100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddabb - C:\WINDOWS\system32\ddabb.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Program Files\InterMute\SpySubtract\CWShredder.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


#7 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 04 November 2005 - 03:10 PM

Please do both of the following before we start, if possible:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in Word/Notepad to the desktop where they can be easily found, for the same reasons as above.
At the moment you may feel like you are battling with your computer to keep it running smoothly, but doing the following things should most certainly help get it back to how it was.

_____________________

Go to add/remove and uninstall WeatherBug

______________________

Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.
_____________________


With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O20 - Winlogon Notify: ddabb - C:\WINDOWS\system32\ddabb.dll (file missing)

_____________________


Boot into Safe Mode

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Program Files\sf\sf.exe
_____________________


Manually delete this folder:

C:\Program Files\sf
_____________________


Please Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. (if you cannot delete some items it's fine!)
_____________________

Then go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
_____________________

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.
_____________________


Empty the Recycle Bin.
_____________________


Reboot to normal mode and post a new HJT log
David

#8 IH8Spywre
  • Topic Starter

Posted 04 November 2005 - 10:50 PM

Done... completed your instructions. Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:47:41 PM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Cox\Applications\app\ARSAsync.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\FRU\Remind32.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\nda.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Documents and Settings\Compaq_Owner\My Documents\Hijack This!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\FRU\Remind32.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: HPAiODevice(hp officejet 5100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Program Files\InterMute\SpySubtract\CWShredder.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
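
The two logs in this thread were read by eye, entry by entry. The script below, added here as an illustration and not code from the thread, from HijackThis or from the helper, automates that first pass over the entry lines. Fed the lines the helper acted on (the orphaned ddabb Winlogon Notify entry, the missing msgrapp.dll protocol handler and CWShredder service, the O6 restriction policies, the non-default UserInit) it flags each with the reason a human would give. The XP default UserInit path, the severity labels and the wording of the reasons are assumptions; a UserInit that differs from the default is only marked for verification, not declared bad, since the same line appears in both the dirty and the clean log above.

```python
"""Triage helper for HijackThis v1.99.x log entries.

Added example for this thread; it is not code from HijackThis, from the
poster or from the helper. It parses the R/F/O entry lines of a log and
applies a few of the checks a helper applies by eye when reading one:
orphaned "(file missing)" references, a UserInit value that is not the
XP default, IE policy restrictions (O6) and Winlogon Notify DLLs (O20).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Entry lines look like "O20 - Winlogon Notify: ddabb - C:\...\ddabb.dll (file missing)".
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|F[0-3]|O\d{1,2}) - (?P<body>.*)$")

# Assumption: 32-bit Windows XP with the system root at C:\WINDOWS.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass
class Finding:
    kind: str        # HJT section, e.g. "O20"
    severity: str    # "high", "medium", "low" or "info" (labels are this example's own)
    reason: str
    line: str        # the log line the finding refers to


def parse_entries(log_text):
    """Return (kind, body, line) for every HJT entry line; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body"), raw.strip()))
    return entries


def triage(log_text):
    """Apply the checks described above and return a list of Finding objects."""
    findings = []
    for kind, body, line in parse_entries(log_text):
        if "(file missing)" in body:
            # The registry still points at a file that is gone: leftover of an
            # uninstall or of an earlier cleanup. Fixing the entry is safe.
            findings.append(Finding(kind, "medium", "orphaned reference, target file missing", line))
        if kind == "F2" and "UserInit=" in body:
            # UserInit runs at every logon; the stock value ends in a comma.
            value = body.split("UserInit=", 1)[1].strip().rstrip(",").lower()
            if value != DEFAULT_USERINIT:
                findings.append(Finding(kind, "high", "non-default UserInit, verify the publisher before fixing", line))
        if kind == "O6":
            findings.append(Finding(kind, "low", "IE policy restrictions set, expected only with parental controls", line))
        if kind == "O20" and body.startswith("Winlogon Notify:") and "(file missing)" not in body:
            # These DLLs load inside winlogon.exe, so each one deserves a look.
            findings.append(Finding(kind, "info", "Winlogon Notify DLL, confirm it is expected", line))
    return findings


def severity_counts(findings):
    """Histogram of findings by severity, handy for a quick first read."""
    return dict(Counter(f.severity for f in findings))


# Entry lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddabb - C:\WINDOWS\system32\ddabb.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CWShredder Service - Unknown owner - C:\Program Files\InterMute\SpySubtract\CWShredder.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:4} {f.reason}\n         {f.line}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

Run on the sample it reports three orphaned entries, one UserInit to verify, one policy restriction and one Winlogon Notify DLL to confirm. The O4 [sf] line that the helper also fixed is deliberately not caught: a bare Run key pointing at an unknown folder is only suspicious to someone who knows the vendors on the box, which is exactly the judgement a script like this leaves to the human.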

#9 -David-

Posted 05 November 2005 - 03:25 AM

Clean Log!!
How's everything running? :up: or :down: ?

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

How's everything running? :up: or :down: ?

#10 IH8Spywre
  • Topic Starter

Posted 06 November 2005 - 11:44 PM

The computer is running a lot better, but I just did a scan with my anti-spy program and it says I'm infected with "Webhancer" and it's unable to delete or quarantine it.

#11 -David-

Posted 07 November 2005 - 01:25 PM

I just did a scan with my anti-spy program


Which program is this?

Does it give you a pathname?

David

#12 IH8Spywre
  • Topic Starter

Posted 07 November 2005 - 11:18 PM

My ISP Cox has an anti-spy program which detected its presence... here's what a blurb on the web said about it:


The majority of users running WebHancer are not aware they are running it, unless they have noticed system side-effects or unusual data transfers from their machine. WebHancer, like "Comet Cursor", falls into the category of "everything-installs-it-can't-get-rid-of-it" foistware, with completely unrelated software secretly installing the WebHancer product on the user's system. (Given this, I think the program should be more aptly called "WebCancer".) In one of the most user-hostile moves I've seen in a while, the clandestine WebHancer install will alter critical Registry keys relating to Windows Sockets, causing the system's Internet connection capabilities to break if the user dares to try uninstalling the spy. WebHancer's makers claim not to modify system files (which is, technically, true) although they have confirmed that attempting to remove it will break your system.
Removal procedures:
As noted earlier, simply deleting WebHancer files from your system will result in losing your ability to connect to the Internet. WebHancer modifies your Windows Sockets configuration, binding itself to Winsock so that all packets are passed through WebHancer.




#13 -David-

Posted 08 November 2005 - 11:35 AM

Can you run the Panda scan again and post the log?
David

#14 IH8Spywre
  • Topic Starter
Posted 10 November 2005 - 02:21 AM

Sure, here it is....


Incident Status Location

Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1D.tmp\sepng.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq22.tmp\sepng.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp\sepng.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp\wo.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005133.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005137.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006230.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP26\A0006234.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009565.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009571.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009631.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009762.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009767.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009769.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP44\A0013946.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015035.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015040.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP45\A0015042.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016426.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016427.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016428.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016429.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016430.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016431.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016432.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016433.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016434.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016435.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016436.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016437.dll
Adware:Adware/Favadd No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016440.exe
Adware:Adware/Favadd No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016441.exe
Adware:Adware/Favadd No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016442.exe
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016445.dll

#15 -David-

Posted 10 November 2005 - 05:45 PM

Try this to remove the infection warning:

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

How's everything running? :up: or :down: ?

David
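
Every hit in the Panda report posted above sits either in a System Restore snapshot (a path under System Volume Information\_restore{...}\RPnn) or in the Authentium quarantine folder, neither of which is a running file; that is why toggling System Restore off and on, which discards the snapshots, is the whole fix. The script below, an added example rather than code from the thread or from Panda, buckets report lines that way so that any live hit stands out. The status words other than "No disinfected" and the one C:\WINDOWS\system32\constructed_example.dll line are constructed for the demo and not taken from the report.

```python
"""Bucket Panda ActiveScan hits by where the flagged file lives.

Added example for this thread; not code from Panda, from the poster or from
the helper. Report lines have the shape "Incident  Status  Location". A hit
under "System Volume Information/_restore{...}/RPnn" is a System Restore
snapshot, a hit under a Quarantine folder is already contained by an AV
product, and only anything else is a file that could still run. Snapshots
are purged by turning System Restore off and on again.
"""
import re
from collections import Counter

# Status alternatives beyond "No disinfected" are assumed, not taken from the report.
LINE_RE = re.compile(
    r"^(?P<incident>\S+)\s+(?P<status>No disinfected|Disinfected|Deleted|Quarantined)\s+(?P<location>.+)$"
)
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\", re.IGNORECASE
)
QUARANTINE_RE = re.compile(r"\\Quarantine\\", re.IGNORECASE)


def parse_report(text):
    """Return one dict per hit line with keys incident, status, location."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def bucket(location):
    """Classify a path as restore_point, quarantine or live."""
    if RESTORE_RE.search(location):
        return "restore_point"
    if QUARANTINE_RE.search(location):
        return "quarantine"
    return "live"


def classify(text):
    """Summarise a report: counts per bucket, restore points involved, live paths."""
    counts = Counter()
    restore_points = set()
    live = []
    for hit in parse_report(text):
        b = bucket(hit["location"])
        counts[b] += 1
        if b == "restore_point":
            restore_points.add(int(RESTORE_RE.search(hit["location"]).group("rp")))
        elif b == "live":
            live.append(hit["location"])
    return {"counts": dict(counts), "restore_points": sorted(restore_points), "live": live}


# Lines from the report posted in this thread, plus one constructed "live" line
# (the C:\WINDOWS\system32\constructed_example.dll path is made up for the demo).
SAMPLE_REPORT = r"""
Incident Status Location

Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1D.tmp\sepng.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp\wo.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP25\A0005133.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP30\A0009565.dll
Adware:Adware/Favadd No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016440.exe
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP46\A0016445.dll
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\constructed_example.dll
"""

if __name__ == "__main__":
    summary = classify(SAMPLE_REPORT)
    print(summary["counts"])
    print("restore points to purge:", summary["restore_points"])
    for path in summary["live"]:
        print("still live, needs removal:", path)
```

On the real report every line lands in the first two buckets, so the "live" list is empty and the System Restore toggle plus emptying the Curtains quarantine is all that is left to do; the constructed last line shows what a hit that still needs hands-on removal would look like.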



