
Spyware affecting computer

Discussion in 'Virus & Other Malware Removal' started by Ziggy1, Apr 22, 2005.

Thread Status:
Not open for further replies.
  1. Ziggy1

    Ziggy1 Thread Starter

    Joined:
    Jun 17, 2002
    Messages:
    2,551
    Hello,

    I'm trying to help my dad; here is his HijackThis log. I looked up some of the programs but I don't see any problems. Does anyone recognize anything wrong here? He has run AdAware and deleted some bugs, but something is still affecting his browser.

    thanks

    Logfile of HijackThis v1.98.0
    Scan saved at 10:06:30 PM, on 4/22/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Personal Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\EPSON\ESM2\eEBSVC.exe
    C:\Program Files\WS_FTP Pro\ftpsched.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\WS_FTP Pro\ftpqueue.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
    C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    C:\Program Files\Symantec\ACT\SideACT.exe
    C:\WINDOWS\ntgr32.exe
    C:\PROGRA~1\NORTON~3\navw32.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Norton Personal Firewall\AlertAst.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\ielq32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Ziggy\Local Settings\Temp\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wxfkw.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wxfkw.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wxfkw.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wxfkw.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wxfkw.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wxfkw.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wxfkw.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {8E94E12D-82FB-A5DD-B787-5B86D538F6BF} - C:\WINDOWS\netrd32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~3\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
    O4 - HKLM\..\Run: [ntgr32.exe] C:\WINDOWS\ntgr32.exe
    O4 - HKLM\..\RunOnce: [atlwu.exe] C:\WINDOWS\system32\atlwu.exe
    O4 - HKLM\..\RunOnce: [ielq32.exe] C:\WINDOWS\ielq32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
    O4 - Global Startup: CARD Monitor.lnk = C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    O4 - Global Startup: SideACT!.lnk = C:\Program Files\Symantec\ACT\SideACT.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {0D3983A9-4E29-4F33-8313-DA22B29D3F87} (QuickBooks Online Edition Utilities Class v6) - https://accounting.quickbooks.com/v9.113/qboax6.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c24.cab
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/45f4e2ba/enter.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,835
    First of all, that's an outdated version of Hijack This and secondly, the way the log is presented makes it extremely difficult to read. It also looks like it was run in safe mode, please post a log run in normal mode.

    Please get the new version of Hijack This and copy and paste the entire log without editing or making any changes.

    You can get it here:

    http://www.thespykiller.co.uk/files/hijackthis_sfx.exe
     
  3. Ziggy1

    Ziggy1 Thread Starter

    Joined:
    Jun 17, 2002
    Messages:
    2,551
    Thanks Cookie,

    I just sent it to my dad, so I will have to wait for him to send the scan result
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,835
    No problem, that's fine.
     
  5. Ziggy1

    Ziggy1 Thread Starter

    Joined:
    Jun 17, 2002
    Messages:
    2,551
    OK, here is the new scan.


    Logfile of HijackThis v1.99.1
    Scan saved at 9:01:20 PM, on 4/23/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Personal Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\EPSON\ESM2\eEBSVC.exe
    C:\Program Files\WS_FTP Pro\ftpsched.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\WS_FTP Pro\ftpqueue.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\ntgr32.exe
    C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\NORTON~3\AdvTools\NPROTECT.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\MSWorks.exe
    C:\WINDOWS\system32\winsk32.exe
    c:\program files\InterMute\SpySubtract\CWShredder.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Ziggy\Local Settings\Temp\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {8A21261B-1D1C-3E80-0116-95C04A8233EA} - C:\WINDOWS\apiwj32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~3\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [ntgr32.exe] C:\WINDOWS\ntgr32.exe
    O4 - HKLM\..\RunOnce: [winsk32.exe] C:\WINDOWS\system32\winsk32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
    O4 - Global Startup: CARD Monitor.lnk = C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {0D3983A9-4E29-4F33-8313-DA22B29D3F87} (QuickBooks Online Edition Utilities Class v6) - https://accounting.quickbooks.com/v9.113/qboax6.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c24.cab
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/45f4e2ba/enter.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
    O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,835
    Click http://www.intermute.com/spysubtract/cwshredder_download.html to download CWShredder. Do Not run it yet. Download it to the desktop and have it ready to run later.

    ____________________________________________________________________

    Click: http://www.downloads.subratam.org/AboutBuster.zip to download AboutBuster created by Rubber Ducky.

    Unzip AboutBuster to the Desktop, then click the "Update" button, then click "Check for Update" and download the updates, and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.
    _____________________________________________________________________

    Now go ahead and set your computer to show hidden files like so:

    Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK"


    ______________________________________________________________________

    Sign off the Internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.
    ______________________________________________________________________



    Restart to safe mode.

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Perform the following steps in safe mode:

    Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

    Put a check by these entries in Hijack This and click the "Fix Checked" button:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {8A21261B-1D1C-3E80-0116-95C04A8233EA} - C:\WINDOWS\apiwj32.dll

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    O4 - HKLM\..\Run: [ntgr32.exe] C:\WINDOWS\ntgr32.exe

    O4 - HKLM\..\RunOnce: [winsk32.exe] C:\WINDOWS\system32\winsk32.exe

    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D.../bridge-c24.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe


    Find and delete these files:

    C:\WINDOWS\system32\yhcfs.dll
    C:\WINDOWS\apiwj32.dll
    C:\WINDOWS\ntgr32.exe
    C:\WINDOWS\system32\winsk32.exe

    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    ________________________________________________________________________

    Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
    _______________________________________________________________________

    Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
    _______________________________________________________________________

    Boot back into Windows now.

    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.

    Go to: http://housecall.trendmicro.com/ and do an online virus scan.

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.


    This hijacker is known to alter or delete certain files so check this out please:

    Download the Hoster from: http://www.funkytoad.com/download/hoster.zip. UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

    If you have Spybot S&D installed you will also need to replace one file. Go to: http://www.spywareinfo.com/~merijn/winfiles.html and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.

    Find shell.dll and right click on it. Choose Copy from the menu.
    Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu. Otherwise, you can download following the instructions here: http://www.bleepingcomputer.com/files/shellxp.php


    control.exe may have been deleted.
    See if control.exe is present in C:\windows\system32

    If control.exe isn't there, go to: http://www.richardthelionhearted.com/~merijn/winfiles.html#control, and download control.exe per the instructions at the site.

    IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! Reset your ActiveX security settings like so... Go to Internet Options > Security > Internet, press 'default level', then OK.
    Now press "Custom Level."
    In the ActiveX section, set the first two options (Download signed and unsigned ActiveX
    controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.

    Reboot and post another Hijack This log please.
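
Editor's note on the entries picked out above. The items Cookiegal lists for "Fix Checked" follow a recognisable pattern in the post 5 log: every IE search setting (R0/R1) points at a res:// page inside a DLL in system32, the default URLSearchHook is missing, a BHO has no name and lives in C:\WINDOWS, and the Run/RunOnce entries and the BHO all reference short, random-looking file names. The script below is an added example, not code from this thread and not HijackThis's own logic: it applies those checks to the log lines and returns the same four files she lists under "Find and delete these files". The trusted ActiveX host list, the random-name heuristic and the small allowlist of Windows files are assumptions for the example; the sample log is constructed from the second log in this thread plus benign entries that must not be flagged.

```python
"""Triage a HijackThis log for CoolWebSearch-style hijack indicators.

Added example for this thread; not a tool from the posts above and not
HijackThis's own logic. The trusted-host list, the random-file-name
heuristic and the small allowlist of Windows files are assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: lines copied from the second log in this thread, mixed
# with benign Symantec/ATI/Yahoo entries that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yhcfs.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8A21261B-1D1C-3E80-0116-95C04A8233EA} - C:\WINDOWS\apiwj32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ntgr32.exe] C:\WINDOWS\ntgr32.exe
O4 - HKLM\..\RunOnce: [winsk32.exe] C:\WINDOWS\system32\winsk32.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c24.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/45f4e2ba/enter.cab
"""

# Assumed allowlist of ActiveX (DPF) download hosts, matched by domain suffix.
TRUSTED_DPF_HOSTS = ("symantec.com", "yahoo.com", "yimg.com", "msn.com",
                     "quickbooks.com", "plaxo.com", "live365.com", "akamai.net")
# Assumed: legitimate Windows files that the short-name heuristic would otherwise hit.
KNOWN_WINDOWS_FILES = {"ctfmon.exe"}

R_LINE = re.compile(r"^R[0-3] - (?P<key>.*?) = (?P<value>.*)$")
RES_DLL = re.compile(r"^res://(?P<dll>[A-Za-z]:\\[^/]+\.dll)/", re.I)
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>Run(?:Once)?): \[[^\]]*\] (?P<cmd>.*)$")
O16_LINE = re.compile(r"^O16 - DPF: .*? - (?P<url>https?://\S+)$")
# Heuristic for dropped files: 4-6 letters, optional "32", .exe/.dll, directly in
# C:\WINDOWS or C:\WINDOWS\system32 (hits ntgr32.exe, winsk32.exe, yhcfs.dll, apiwj32.dll).
IN_WINDIR = re.compile(r"^C:\\WINDOWS\\(?:system32\\)?(?P<file>[^\\]+)$", re.I)
RANDOM_NAME = re.compile(r"^[a-z]{4,6}(?:32)?\.(?:exe|dll)$", re.I)
# Executable part of a Run command line: optionally quoted, up to the extension.
FIRST_EXE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?:\s|$)', re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str
    path: str = ""  # local file the entry points at, if any


def _looks_planted(path: str) -> bool:
    m = IN_WINDIR.match(path)
    if not m or m.group("file").lower() in KNOWN_WINDOWS_FILES:
        return False
    return bool(RANDOM_NAME.match(m.group("file")))


def _trusted_host(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(log: str) -> list[Finding]:
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("R3 - ") and "is missing" in line:
            findings.append(Finding("medium", "default URLSearchHook removed", line))
        elif m := R_LINE.match(line):
            if r := RES_DLL.match(m.group("value")):
                findings.append(Finding("high", "IE search setting points at a res:// page in a local DLL", line, r.group("dll")))
        elif m := O2_LINE.match(line):
            if m.group("name") == "(no name)" or _looks_planted(m.group("path")):
                findings.append(Finding("high", "unnamed or randomly named BHO", line, m.group("path")))
        elif m := O4_LINE.match(line):
            e = FIRST_EXE.match(m.group("cmd"))
            path = e.group("path") if e else m.group("cmd")
            if _looks_planted(path):
                sev = "high" if m.group("key") == "RunOnce" else "medium"
                findings.append(Finding(sev, "autorun of a short randomly named file in C:\\WINDOWS", line, path))
        elif m := O16_LINE.match(line):
            if not _trusted_host(m.group("url")):
                findings.append(Finding("medium", "ActiveX download from an untrusted host", line))
    return findings


def files_to_delete(findings: list[Finding]) -> set[str]:
    """Local files named by the findings: what to delete in safe mode after fixing the entries."""
    return {f.path for f in findings if f.path}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print("Files to delete:", *sorted(files_to_delete(found)), sep="\n  ")
```

Run it as a script to see the eight flagged lines and the four files. The res:// and "(no name)" BHO checks are high confidence on their own; the short-name heuristic for O4 entries is only a prompt to look closer (a legitimate ctfmon.exe would hit it without the allowlist), which is why a reviewer still confirms each file before deleting it, exactly as the thread's instructions do.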
     
  7. Ziggy1

    Ziggy1 Thread Starter

    Joined:
    Jun 17, 2002
    Messages:
    2,551
    Hi Cookie,

    Thanks for the help; a couple of things I need to clarify. You said to scan with HijackThis in safe mode and find those entries, but earlier (post) you said to scan it in normal mode. I assume this is because the spyware may not be running in safe mode. Some of the files are not present in safe mode. I will try in normal mode for these.

    With AboutBuster we do not have Internet access to download the updates because of the spyware. If we run it on another computer and update, is it just a question of copying the .dll file from the AboutBuster folder and saving it on the other computer?

    Thanks

    Ziggy
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,835
    You did say that it was affecting his browser but I didn't interpret that to mean that he couldn't connect at all.

    Try this to get the connection back. I believe it can be downloaded onto a floppy from another machine.

    1.) Download http://www.tacktech.com/pub/winsockfix/WinsockFix.zip. (by: Option^Explicit) or http://www.spychecker.com/program/winsockxpfix.html
    2.) UnZip WinsockFix.zip (Pay close attention to where the file is extracted to.)
    3.) Run WinsockFix.exe.
    4.) Click the Fix button.

    This program will clean up your TCP/IP connection and rebuild the database. After the program is complete, reboot. Then try to download and update AboutBuster and post another Hijack This log please.
     
  9. Ziggy1

    Ziggy1 Thread Starter

    Joined:
    Jun 17, 2002
    Messages:
    2,551
    Thanks Cookie,

    I'll try and get a log; he kind of goes his own way when I give him solutions.
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,835
    OK, whenever you can.
     
Short URL to this thread: https://techguy.org/355455