Yusearch Problem.

[Mushin]

Hi there.
I am trying to sort out a friend's pc (XP Home Ed.) that appears to have the Yusearch bug in it - can't access any anti-adware or virus sites, Internet Explorer shuts down by itself or goes to the Yupsearch page and runs really slow, etc.
I tried to run Hijack This to get a log but could only do it in Safe Mode.
The log is below.
Any help on what to do next would be much appreciated.


Logfile of HijackThis v1.97.7
Scan saved at 1:12:22 a.m., on 27/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijack This\HijackThis.exe

O1 - Hosts: 65.75.165.10 ibank.barclays.co.uk
O1 - Hosts: 65.75.165.10 online-business.lloydstsb.co.uk
O1 - Hosts: 65.75.165.10 online.lloydstsb.co.uk
O1 - Hosts: 65.75.165.10 www.halifax-online.co.uk
O1 - Hosts: 65.75.165.10 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 65.75.165.10 www.nwolb.com
O1 - Hosts: 65.75.165.10 banesnet.banesto.es
O1 - Hosts: 65.75.165.10 extranet.banesto.es
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\EliteSideBar version 8.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IncredimailDownloader] C:\WINDOWS\DOWNLO~1\imloader.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [System Startup] voltio.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\qisdav.exe
O4 - HKLM\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [hcfolyj] C:\WINDOWS\hcfolyj.exe
O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [Microsofts media] wingtp.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [System Startup] voltio.exe
O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunServices: [Microsofts media] wingtp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [System Startup] voltio.exe
O4 - HKCU\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunOnce: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\RunOnce: [Win32 USB2.0 Driver] w32usb2.exe
O4 - Startup: OpenOffice.org 1.0.3.lnk = C:\Program Files\OpenOffice.org1.0.3\program\quickstart.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

 

[mjack547]

You have a very old version of hijackthis and since you are unable to get to the internet you can get the new version by using a floppy disk provided both computers have that type of drive (3.5 floppy drive, or A:\)

Download Hijackthis.exe to a floppy disk---the link is down at the end of my reply.

Put the disk into the bad computer's floppy drive, after the pc is started up.

You do not need Internet access on that pc to do this.

Open Windows Explorer and hit C: drive so the folders etc show over on the right side.

At the top, select File>New Folder, but rename the new folder to HJT, then, hit Drive A: to see the hijackthis.exe file, then EDIT> Copy, then click on the new HJT folder on drive C: that you made, EDIT> Paste and the hijackthis.exe file should be copied to C:\HJT folder so you can run it on the bad pc.

When you have hijackthis.exe in the HJT folder:

Start hijackthis.exe by double clicking it from the HJT folder and use the Scan button, it will scan and when done the Save Log button will show. Save the log as hijackthis.txt and copy and paste it back to the floppy disk.

Take the floppy disk to a good computer you access TSG with, come back to this thread, and copy and paste the log to a Reply to this thread.

http://tools.radiosplace.com/HijackThis.exe

NOTE: We are used to helping with pc's that do not have good Internet access, you can work this way but there will of course be a lot of going back and forth to post new logs, do the fixes... but after a few, there should be an improvement and perhaps you can at least use the bad p

 

[mjack547]

We really need to run a virus check on this machine.

spybot.br worm
forbot-b1 worm
wootbot.co worm
rbot.nj worm

just to name a few that is on this machine

So you are unable to get to any of the sites below to do the scan?

Run an online antivirus check from at least one and preferably 2 of the following sites

http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www.anti-trojan.net/en/onlinecheck.aspx



Be sure and put a check in the box by "Auto Clean" before you do the
scan. If it finds anything that it cannot clean have it delete it or
make a note of the exact file name and file location so you can delete it yourself.

 

[Mushin]

Thanks mjack547.
Unfortunately I wasn't able to run any of the anti-virus programs that you recommended.
However, I was able to run the later version of Hijack This. The file is posted below. Thanks.

Logfile of HijackThis v1.99.0
Scan saved at 7:30:57 p.m., on 27/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

O1 - Hosts: 65.75.165.10 ibank.barclays.co.uk
O1 - Hosts: 65.75.165.10 online-business.lloydstsb.co.uk
O1 - Hosts: 65.75.165.10 online.lloydstsb.co.uk
O1 - Hosts: 65.75.165.10 www.halifax-online.co.uk
O1 - Hosts: 65.75.165.10 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 65.75.165.10 www.nwolb.com
O1 - Hosts: 65.75.165.10 banesnet.banesto.es
O1 - Hosts: 65.75.165.10 extranet.banesto.es
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\EliteSideBar version 8.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IncredimailDownloader] C:\WINDOWS\DOWNLO~1\imloader.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [System Startup] voltio.exe
O4 - HKLM\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [hcfolyj] C:\WINDOWS\hcfolyj.exe
O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [Microsofts media] wingtp.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [System Startup] voltio.exe
O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunServices: [Microsofts media] wingtp.exe
O4 - HKLM\..\RunOnce: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Startup] voltio.exe
O4 - HKCU\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\RunOnce: [Win32 USB2.0 Driver] w32usb2.exe
O4 - Startup: OpenOffice.org 1.0.3.lnk = C:\Program Files\OpenOffice.org1.0.3\program\quickstart.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Nmhhdl32.dll (file missing)
O23 - Service: AutoComplete Service - Unknown - C:\PROGRA~1\INTERN~2\autocomp.exe (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe