

Thecoolpics


This topic is locked
4 replies to this topic

#1 larral

larral

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 28 October 2006 - 04:50 PM

Hi. I read all the instructions, did all the clean-up recommendations and finally have a log file. Please can you help me to get rid of this coolpics thing that has infected my Yahoo and hijacked my homepage? Here is my logfile, thank you very much.

Logfile of HijackThis v1.99.1
Scan saved at 22:47:45, on 28/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Jeremy\LOCALS~1\Temp\object1.exe
C:\DOCUME~1\Jeremy\LOCALS~1\Temp\object2.exe
C:\Documents and Settings\Jeremy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thecoolpics.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/Default.asp?Ath=f
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost32.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system\svhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.myinternetpass.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098124211008
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
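As an added example (not part of this thread and not a HijackThis or BleepingComputer tool), here is a small Python triage script that parses the R0, O4 and O7 lines of a HijackThis v1.99.1 log and points a helper at the entries worth checking by hand: autorun targets with no directory, targets under a Temp folder or under \WINDOWS\system rather than System32, names that imitate a core Windows binary, a start page on a host outside a trusted list, and the DisableRegedit policy. The sample input is a subset of the log above copied verbatim; the scoring rules and the trusted-host list (assumed to be only www.msn.co.uk here) are the example author's own heuristics, not anything HijackThis itself does.

```python
"""Triage helper for HijackThis v1.99.1 logs.

Added example for this thread; it is not part of HijackThis or of any
BleepingComputer tool, and every rule below is the example author's own
heuristic. It produces hints for a human to verify, not verdicts.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a subset of the log posted in this thread, copied verbatim.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thecoolpics.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/Default.asp?Ath=f
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost32.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system\svhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Core Windows binaries that live only in System32 and are not started from a
# Run key on a clean XP box; unwanted software often borrows or misspells them.
KNOWN_SYSTEM_BINARIES = ("svchost", "lsass", "winlogon", "csrss", "services", "smss")

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    code: str
    line: str
    reasons: list[str]


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike names such as svhost vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd: str) -> str:
    """First program path in a Run-key command, quoted or not. HijackThis prints
    unquoted paths containing spaces, so the cut is at the first .exe-style suffix."""
    m = re.match(r'"?(.*?\.(?:exe|com|scr|bat|dll))(?:"|\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip('"')


def classify_path(path: str) -> list[str]:
    """Reasons a human should look twice at an autorun target; empty if none."""
    reasons = []
    dirname, _, base = path.lower().rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    if not dirname:
        reasons.append("no directory given, so which copy runs depends on the search path")
    elif "\\temp\\" in dirname + "\\":
        reasons.append("runs from a temporary directory")
    elif dirname.endswith("\\windows\\system"):
        reasons.append("runs from \\WINDOWS\\system, the rarely used sibling of System32")
    for known in KNOWN_SYSTEM_BINARIES:
        if stem == known and not dirname.endswith("\\system32"):
            reasons.append(f"{known}.exe outside System32")
        elif stem != known and _levenshtein(stem.rstrip("0123456789"), known) <= 1:
            reasons.append(f"name imitates {known}.exe")
    return reasons


def analyse_log(text: str, trusted_hosts=("www.msn.co.uk",)) -> list[Finding]:
    """Walk a HijackThis log and collect the entries worth verifying by hand."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, running-process list or blank line
        code, body = m.group("code"), m.group("body")
        reasons: list[str] = []
        if code == "O4":
            o4 = O4_RE.match(body)
            if o4:
                reasons = classify_path(executable_of(o4.group("cmd")))
        elif code in ("R0", "R1"):
            url = body.split("=", 1)[1].strip() if "=" in body else ""
            host = urlsplit(url).hostname or ""
            if host and host not in trusted_hosts:
                reasons = [f"start page points at a host not on the trusted list: {host}"]
        elif code == "O7" and "disableregedit=1" in body.lower():
            reasons = ["registry editor disabled by policy, a common lock-out after infection"]
        if reasons:
            findings.append(Finding(code, line, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample it reports five entries: the thecoolpics.com start page, the path-less bcmwltry.exe (not necessarily bad, but unverifiable from the log alone), the two \WINDOWS\system entries whose names imitate svchost.exe, and the DisableRegedit policy. Everything else in the sample, including the real ctfmon.exe in System32, passes silently.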



#2 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  • Local time:01:53 AM

Posted 04 November 2006 - 10:41 AM

Welcome larral! :thumbsup:

I will be helping you under the guidance of one of our expert coaches.

Please give me a little time to get back to you with instructions.

Thanks
Jamie
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.


#3 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  • Local time:01:53 AM

Posted 04 November 2006 - 12:24 PM

Hey larral

WordWrap:

The formatting of your post is messed up. This is caused by not having Word Wrap checked.

1. Click Start > All Programs > Accessories > Notepad
2. On the menu bar in Notepad select Format and click on WordWrap so it appears checked.

Update Java:

Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of Java ( Java Runtime Environment (JRE) 5.0 Update 9 ). Please install it and then reboot your computer.

Remove the older versions of Java:
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except J2SE Runtime Environment 5.0 Update 9

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. DO NOT UPGRADE TO SP2 AT THIS TIME
  • Click HERE for the update.
  • Apply the update.
  • REBOOT YOUR SYSTEM
  • Post a fresh Hijack This log


#4 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  • Local time:01:53 AM

Posted 25 November 2006 - 01:33 PM

Are you still monitoring this thread?

#5 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  • Local time:01:53 AM

Posted 29 November 2006 - 04:54 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




