
Yusearch Problem.

Discussion in 'Virus & Other Malware Removal' started by Mushin, Jan 26, 2005.

Thread Status:
Not open for further replies.
  1. Mushin

    Mushin Thread Starter

    Joined:
    Jan 26, 2005
    Messages:
    3
    Hi there.
    I am trying to sort out a friend's pc (XP Home Ed.) that appears to have the Yusearch bug in it - can't access any anti-adware or virus sites, Internet Explorer shuts down by itself or goes to the Yupsearch page and runs really slow, etc.
    I tried to run Hijack This to get a log but could only do it in Safe Mode.
    The log is below.
    Any help on what to do next would be much appreciated.


    Logfile of HijackThis v1.97.7
    Scan saved at 1:12:22 a.m., on 27/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijack This\HijackThis.exe

    O1 - Hosts: 65.75.165.10 ibank.barclays.co.uk
    O1 - Hosts: 65.75.165.10 online-business.lloydstsb.co.uk
    O1 - Hosts: 65.75.165.10 online.lloydstsb.co.uk
    O1 - Hosts: 65.75.165.10 www.halifax-online.co.uk
    O1 - Hosts: 65.75.165.10 www.ukpersonal.hsbc.co.uk
    O1 - Hosts: 65.75.165.10 www.nwolb.com
    O1 - Hosts: 65.75.165.10 banesnet.banesto.es
    O1 - Hosts: 65.75.165.10 extranet.banesto.es
    O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\EliteSideBar version 8.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IncredimailDownloader] C:\WINDOWS\DOWNLO~1\imloader.exe
    O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
    O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
    O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKLM\..\Run: [System Startup] voltio.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\qisdav.exe
    O4 - HKLM\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [hcfolyj] C:\WINDOWS\hcfolyj.exe
    O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
    O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
    O4 - HKLM\..\Run: [Microsofts media] wingtp.exe
    O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
    O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
    O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
    O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
    O4 - HKLM\..\RunServices: [System Startup] voltio.exe
    O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
    O4 - HKLM\..\RunServices: [Microsofts media] wingtp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKCU\..\Run: [System Startup] voltio.exe
    O4 - HKCU\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
    O4 - HKLM\..\RunOnce: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
    O4 - HKCU\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
    O4 - HKCU\..\RunOnce: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - Startup: OpenOffice.org 1.0.3.lnk = C:\Program Files\OpenOffice.org1.0.3\program\quickstart.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
     
  2. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    You have a very old version of HijackThis, and since you are unable to get to the internet, you can get the new version by using a floppy disk, provided both computers have that type of drive (3.5" floppy drive, or A:\).

    Download HijackThis.exe to a floppy disk; the link is down at the end of my reply.

    Put the disk into the bad computer's floppy drive, after the pc is started up.

    You do not need Internet access on that pc to do this.

    Open Windows Explorer and hit the C: drive so the folders etc. show over on the right side.

    At the top, select File > New Folder and rename the new folder to HJT. Then hit Drive A: to see the hijackthis.exe file, select Edit > Copy, click on the new HJT folder on drive C: that you made, and select Edit > Paste. The hijackthis.exe file should now be copied to the C:\HJT folder so you can run it on the bad pc.

    When you have hijackthis.exe in the HJT folder:

    Start hijackthis.exe by double-clicking it in the HJT folder and use the Scan button; it will scan, and when done the Save Log button will show. Save the log as hijackthis.txt and copy and paste it back to the floppy disk.

    Take the floppy disk to a good computer you access TSG with, come back to this thread, and copy and paste the log to a Reply to this thread.

    http://tools.radiosplace.com/HijackThis.exe

    NOTE: We are used to helping with pc's that do not have good Internet access, you can work this way but there will of course be a lot of going back and forth to post new logs, do the fixes... but after a few, there should be an improvement and perhaps you can at least use the bad p
     
  3. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    We really need to run a virus check on this machine.

    spybot.br worm
    forbot-b1 worm
    wootbot.co worm
    rbot.nj worm

    just to name a few that are on this machine.

    So you are unable to get to any of the sites below to do the scan?

    Run an online antivirus check from at least one and preferably 2 of the following sites

    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www.anti-trojan.net/en/onlinecheck.aspx



    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it, or make a note of the exact file name and file location so you can delete it yourself.
     
  4. Mushin

    Mushin Thread Starter

    Joined:
    Jan 26, 2005
    Messages:
    3
    Thanks mjack547.
    Unfortunately I wasn't able to run any of the anti-virus programs that you recommended.
    However, I was able to run the later version of Hijack This. The file is posted below. Thanks.

    Logfile of HijackThis v1.99.0
    Scan saved at 7:30:57 p.m., on 27/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HJT\HijackThis.exe

    O1 - Hosts: 65.75.165.10 ibank.barclays.co.uk
    O1 - Hosts: 65.75.165.10 online-business.lloydstsb.co.uk
    O1 - Hosts: 65.75.165.10 online.lloydstsb.co.uk
    O1 - Hosts: 65.75.165.10 www.halifax-online.co.uk
    O1 - Hosts: 65.75.165.10 www.ukpersonal.hsbc.co.uk
    O1 - Hosts: 65.75.165.10 www.nwolb.com
    O1 - Hosts: 65.75.165.10 banesnet.banesto.es
    O1 - Hosts: 65.75.165.10 extranet.banesto.es
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\EliteSideBar version 8.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IncredimailDownloader] C:\WINDOWS\DOWNLO~1\imloader.exe
    O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
    O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
    O4 - HKLM\..\Run: [System Startup] voltio.exe
    O4 - HKLM\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [hcfolyj] C:\WINDOWS\hcfolyj.exe
    O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
    O4 - HKLM\..\Run: [Microsofts media] wingtp.exe
    O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
    O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
    O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
    O4 - HKLM\..\RunServices: [System Startup] voltio.exe
    O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
    O4 - HKLM\..\RunServices: [Microsofts media] wingtp.exe
    O4 - HKLM\..\RunOnce: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [System Startup] voltio.exe
    O4 - HKCU\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
    O4 - HKCU\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
    O4 - HKCU\..\RunOnce: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - Startup: OpenOffice.org 1.0.3.lnk = C:\Program Files\OpenOffice.org1.0.3\program\quickstart.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Nmhhdl32.dll (file missing)
    O23 - Service: AutoComplete Service - Unknown - C:\PROGRA~1\INTERN~2\autocomp.exe (file missing)
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
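    The two logs above show three patterns a responder would want to spot quickly: a hosts file that points many unrelated banking domains at one address, Run/RunServices/RunOnce entries that name only a bare executable (so it is found by path search rather than a known location) or run from a temp directory, and an O23 service with no vendor whose binary is also registered as an autorun. The following triage script is an added example, not a tool from this thread or from HijackThis itself; it parses a constructed sample made of lines copied from the logs above and returns those findings.

```python
import re
import ntpath
from collections import defaultdict

# Constructed sample input: a few lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 65.75.165.10 ibank.barclays.co.uk
O1 - Hosts: 65.75.165.10 online.lloydstsb.co.uk
O1 - Hosts: 65.75.165.10 www.nwolb.com
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe
"""
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
SVC_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def exe_of(command):
    """First token of an autorun command, quotes stripped: '"C:\\a b.exe" /x' -> 'C:\\a b.exe'."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S*))', command)
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage(log_text):
    by_ip, autorun_keys, findings = defaultdict(set), defaultdict(set), []
    for line in log_text.splitlines():
        if m := HOSTS_RE.match(line):
            by_ip[m.group(1)].add(m.group(2))
        elif m := RUN_RE.match(line):
            hive, key, name, command = m.groups()
            exe = exe_of(command)
            autorun_keys[ntpath.basename(exe).lower()].add(f"{hive}\\{key}")
            if "\\" not in exe:  # bare filename: located by path search, real location unknown
                findings.append(f"O4 [{name}] bare filename {exe}")
            elif any(d in exe.lower() for d in ("\\temp\\", "\\windows\\system\\")):
                findings.append(f"O4 [{name}] runs from suspect directory {exe}")
        elif m := SVC_RE.match(line):
            svc, vendor, path = m.groups()
            if vendor == "Unknown":
                findings.append(f"O23 service '{svc}' has no vendor: {path}")
            if ntpath.basename(path).lower() in autorun_keys:  # same binary under Run keys too
                findings.append(f"O23 service binary {ntpath.basename(path)} also registered as autorun")
    for ip, hosts in by_ip.items():
        if len(hosts) > 1:  # unrelated sites all sent to one address: hosts-file pharming
            findings.append(f"O1 hosts file sends {len(hosts)} domains to {ip}")
    for exe, keys in autorun_keys.items():
        if len(keys) > 1:  # same binary persisted in several autorun keys
            findings.append(f"O4 {exe} registered in {len(keys)} autorun keys: {sorted(keys)}")
    return findings
```

    Run against the full logs above, the bare-filename rule also fires on legitimate path-less entries such as rundll32.exe and nwiz.exe, so treat its output as a worklist to verify against the files on disk, not a verdict.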
     
Short URL to this thread: https://techguy.org/323560