eay9
join:2001-08-03 Dixon, IL
hijack this log...Winfixer, cws.qttask, Vx2.Look2m
My browser was hijacked with Winfixer popups. In the process of trying to remove that I found and hopefully, removed others.
I ran every program I know of: CWShredder, AdAware, Spybot, Spy Sweeper, CounterSpy, Trojan Hunter, Trend Micro, Ewido and any other program I could locate.
CWShredder found: VX2.Look2me
CounterSpy found: cws.qttask
Spybot: Winfixer
AdAware (or maybe Trend) found and removed Vundo
Trojan Hunter found a possible Trojan. Here's the log:
###########################################################
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found possible trojan file: C:\WINDOWS\SYSTEM32\strings.exe (Suspicious: UPX-packed file in Windows System folder)
1 possible trojan files found
#############################################################
My system is running better but I'm still getting an occasional pop up. I would appreciate any help you can provide. Thanks!
############################################################
Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:45:47 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\default\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »desktop.presario.net/scripts/red···&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\default\My Documents\filelib\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···te_x.cab
O16 - DPF: Yahoo! Pyramids - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/ms···1267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - »housecall60.trendmicro.com/house···an60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - »messenger.zone.msn.com/binary/Up···1267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - »download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - »h20270.www2.hp.com/ediags/gmn/in···_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···1267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »appldnld.m7z.net/qtinstall.info.···ller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···10355375
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - »appdirectory.messenger.msn.com/A···ctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - »appdirectory.messenger.msn.com/A···kMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - »www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - »messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - »messenger.zone.msn.com/binary/Ba···1267.cab
O16 - DPF: {C852B12E-3F08-4099-AF8E-32FD327B88EA} (msnloader Class) - »rockstar.messenger.msn.com/rockstar.cab
O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\82VVYU4H\CWShredder[1].exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo
It's Vundo
Please follow these instructions:
1. Make a copy of these instructions so you have them handy, as most steps need to be done in safe mode with IE closed.
2. Please download the VundoFix tool www.atribune.org/downloads/VundoFix.exe
3. Double-click VundoFix.exe to extract the files
4. This will create a folder named VundoFix on your desktop.
5. After the files are extracted, please reboot your computer into Safe Mode. How to start the computer in Safe mode »service1.symantec.com/SUPPORT/ts···_doc_nam
6. Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a message and a list of forums to seek help at (but you're already getting help now at this forum)
At this point press enter one time.
7. Next you will see: quote: Type in the filepath as instructed by the forum staff Then Press Enter, Then F6, Then Enter Again to continue with the fix
At this point please copy and paste the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\yabab.dll
Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.
8. Next you will see: quote: Please type in the second filepath as instructed by the forum staff Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please copy and paste the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\babay
Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.
9. The fix will run then HijackThis will open.
Using HijackThis, please place a check next to the following items and click the *FIX CHECKED* button:
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll
10. After you have fixed these items, close HijackThis and Press any key to force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
Once your machine reboots please continue with the instructions below.
11. Then, please run this online virus scan to clean up any leftovers: »www.pandasoftware.com/products/a···scan.htm
Save the results of the Panda ActiveScan so you can post them for review back here.
12. Also please post a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)
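An added example (mine, not part of the thread and not a HijackThis feature) that puts the reasoning behind "It's Vundo" into code: it splits a HijackThis v1.99.1 log into entries, even when the forum software has flattened the log onto one line as above, and flags any DLL under system32 that is registered both as an O2 Browser Helper Object and as an O20 Winlogon Notify handler, plus O2 entries whose file is already gone. The sample entries are copied from the log posted in this thread; the detection rule is the helper's by-eye heuristic, written down.

```python
"""Spot the Vundo pattern in a HijackThis v1.99.1 log.

Added example, not part of the thread or of HijackThis. The heuristic is the
one a helper applies by eye: a DLL that is both a Browser Helper Object (O2)
and a Winlogon Notify handler (O20) under system32 is almost certainly the
infection, and an O2 entry with "(no file)" is a leftover to clean up.
"""
import re
from typing import Dict, List

# Every HJT entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"\b(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

# Constructed sample: a subset of the entries from the log posted above,
# flattened onto one line the way the forum software did it.
SAMPLE_LOG = (
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com "
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - "
    r"C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll "
    r"O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll "
    r"O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) "
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP "
    r"O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll "
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe"
)


def split_entries(text: str) -> List[str]:
    """Cut a log into entries, whether it has line breaks or was flattened."""
    starts = [m.start() for m in ENTRY_RE.finditer(text)]
    return [text[s:e].strip() for s, e in zip(starts, starts[1:] + [len(text)])]


def parse_entry(entry: str) -> Dict[str, object]:
    """'O2 - BHO: X - {GUID} - path' -> code, fields, and the file path (last field)."""
    code, _, rest = entry.partition(" - ")
    fields = [f.strip() for f in rest.split(" - ")]
    return {"code": code, "fields": fields, "path": fields[-1].lower(), "raw": entry}


def find_vundo_pattern(entries: List[str]) -> Dict[str, object]:
    """Return DLLs hooked as both BHO and Winlogon Notify, and orphaned BHOs."""
    bho: Dict[str, List[str]] = {}
    notify: Dict[str, List[str]] = {}
    orphaned: List[str] = []
    for e in map(parse_entry, entries):
        if e["code"] == "O2":
            if e["path"] == "(no file)":
                orphaned.append(e["raw"])  # CLSID still registered, DLL already gone
            else:
                bho.setdefault(e["path"], []).append(e["raw"])
        elif e["code"] == "O20":
            notify.setdefault(e["path"], []).append(e["raw"])
    linked = {
        dll: bho[dll] + notify[dll]
        for dll in sorted(bho.keys() & notify.keys())
        if "\\system32\\" in dll  # Vundo drops its DLL into system32
    }
    return {"linked": linked, "orphaned_bho": orphaned}


if __name__ == "__main__":
    result = find_vundo_pattern(split_entries(SAMPLE_LOG))
    for dll, lines in result["linked"].items():
        print(f"BHO + Winlogon Notify on the same DLL: {dll}")
        for line in lines:
            print("   ", line)
    for line in result["orphaned_bho"]:
        print("Orphaned BHO (no file):", line)
```

The three entries it reports on the sample are exactly the three CalamityJane asks to have fixed in HijackThis.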

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
reply to eay9
On this item noted by Trojan Hunter: C:\WINDOWS\SYSTEM32\strings.exe (Suspicious: UPX-packed file in Windows System folder)
You can get a second (well actually 14) opinion here: Jotti Malware Scan »virusscan.jotti.org/
Let Jotti scan the file (just browse to it and submit) and wait while it finishes scanning. Copy the report when it's done and post the results back here 
If Jotti's Malware scan is busy, you can also use this one
Virus Total »www.virustotal.com/
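As an added example (mine, not the thread's and not code from TrojanHunter, Jotti or VirusTotal), here is the check behind "UPX-packed file in Windows System folder" together with the hashes you would carry to a multi-engine scanner: it reads the PE section table and reports whether the section names are the UPX0/UPX1 pair UPX leaves behind. The build_pe helper and the two sample images are constructed test input, not real files; a packed file is not proof of malware, only a reason for the second opinion above.

```python
"""Triage a Windows executable the way TrojanHunter's heuristic does.

Added example, not code from the thread or from any of the tools named in it.
It reads the PE section table, flags the UPX0/UPX1 section names UPX leaves
behind, and computes the hashes you would submit to a multi-engine scanner.
"""
import hashlib
import struct
from typing import Dict, List

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def section_names(data: bytes) -> List[str]:
    """Return the section names from a PE image (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]  # 40-byte entries, 8-byte name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a UPX name. Packers can rename sections,
    so False rules nothing out; True only says 'get a second opinion'."""
    return any(n in UPX_SECTION_NAMES for n in section_names(data))


def triage(data: bytes) -> Dict[str, object]:
    """Everything you would paste into a forum post before uploading the file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": section_names(data),
        "upx_packed": looks_upx_packed(data),
    }


def build_pe(sections: List[str]) -> bytes:
    """Constructed test input: a minimal PE32 header with the given section names."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # PE32 optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (32-bit, executable)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table = b"".join(s.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for s in sections)
    return dos + b"PE\0\0" + coff + opt + table


PACKED_SAMPLE = build_pe(["UPX0", "UPX1", ".rsrc"])  # what UPX output looks like
PLAIN_SAMPLE = build_pe([".text", ".rdata", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, triage(image))
```

To run it on a real file, pass `open(path, "rb").read()` to `triage` and post the hashes alongside the scanner report.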

eay9
join:2001-08-03 Dixon, IL
Thank you Calamity Jane.
I did as you suggested but the VundoFix will not work.
After I *cut and paste* the file path and do the "*enter, F6, enter*" it does not proceed to the next step. I do not see the "Please type in the second filepath as instructed by the forum staff Then Press Enter, Then F6, Then Enter Again to continue with the fix."
I am in safe mode. I'm XP SP2.
Any suggestions?

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
Does Vundo fix say file not found? If so, something else may have already taken care of it and we can do some fixing of entries in HijackThis.

eay9
join:2001-08-03 Dixon, IL
It doesn't say anything... just the file path and then nothing. My version of XP is an upgrade from WinME. Would that make a difference?

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
Hmmm, you're using this filename and path, right?:
C:\WINDOWS\system32\yabab.dll
Maybe try rebooting back into normal mode. Then try running the tool. I saw one instance where it wasn't working right in safe mode.

eay9
join:2001-08-03 Dixon, IL
reply to eay9 Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m
OK, I'll try that and post the results.
Thanks for your help on this. I truly appreciate it.

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo
The program is set to exit if the file is not found. So if it still does that as well in normal mode, scan with HijackThis and post a fresh HJT log please.

eay9
join:2001-08-03 Dixon, IL
reply to eay9 Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m
All righty then... that didn't work either ;-( I "cut and paste" the file paths. That didn't work. Then I typed the file paths and that didn't work.
Sorry. I'm clueless on why this isn't working.

eay9
join:2001-08-03 Dixon, IL
reply to eay9
Logfile of HijackThis v1.99.1
Scan saved at 6:15:16 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\default\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »desktop.presario.net/scripts/red···&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\default\My Documents\filelib\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···te_x.cab
O16 - DPF: Yahoo! Pyramids - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/ms···1267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - »housecall60.trendmicro.com/house···an60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - »messenger.zone.msn.com/binary/Up···1267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - »download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - »h20270.www2.hp.com/ediags/gmn/in···_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···1267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »appldnld.m7z.net/qtinstall.info.···ller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···10355375
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - »appdirectory.messenger.msn.com/A···ctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - »appdirectory.messenger.msn.com/A···kMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - »www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - »messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - »messenger.zone.msn.com/binary/Ba···1267.cab
O16 - DPF: {C852B12E-3F08-4099-AF8E-32FD327B88EA} (msnloader Class) - »rockstar.messenger.msn.com/rockstar.cab
O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\82VVYU4H\CWShredder[1].exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo
Ok, I may need to call some Vundo experts in here. I should see (file missing) on HJT if it had been deleted. How much time are you giving it to search for the file? Or does the program just close?
2. download this tool called Filefind: »www.atribune.org/downloads/FileFind.zip
Unzip it and doubleclick on Filefind.exe to run it
Copy and paste into the *Directory* searchbox the following line: C:\WINDOWS\system32
Then copy and paste into the *file* find search box: yabab.dll
Then press the *find* button. Wait for it to scan. Copy and paste the results found back here please.

eay9
join:2001-08-03 Dixon, IL
reply to eay9 Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m
Here's the scoop from file finder...
Number of files found: 1
Files found in 182 Directories
Size of files found under C:\WINDOWS\system32\ = 528,404 Bytes
Export.txt:
C:\WINDOWS\system32\yabab.dll - 528404 Bytes

eay9
join:2001-08-03 Dixon, IL
reply to eay9
To answer your question on the VundoFix... Each time I ran it I waited several minutes. Nothing ever showed after the file path entry.

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo
Ok, well, the file is definitely there. I've called in some others to take a look and add suggestions. This is the first time I've been stumped with it acting this way - in the many I've done.

eay9
join:2001-08-03 Dixon, IL
reply to eay9 Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m
Thanks for all of your help.

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo
While waiting for the cavalry to arrive, could you reboot into safe mode and give the tool a while longer to work? (More than several minutes).

eay9
join:2001-08-03 Dixon, IL
reply to eay9 Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m
I started doing that about 20 minutes ago. Still just sits there after I entered the file path and *enter, F6, Enter*... Crazy.

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
reply to eay9 Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo
Let's see, one member of the cavalry (LoPhatPhuud - thank you Lo!) has spotted an error in the second file name... lemme revise instructions. But I think the first file is where it is hanging??
Please follow these instructions:
1. Make a copy of these instructions so you have them handy, as most steps need to be done in safe mode with IE closed.
2. Please download the VundoFix tool www.atribune.org/downloads/VundoFix.exe
3. Double-click VundoFix.exe to extract the files
4. This will create a folder named VundoFix on your desktop.
5. After the files are extracted, please reboot your computer into Safe Mode. How to start the computer in Safe mode »service1.symantec.com/SUPPORT/ts···_doc_nam
6. Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a message and a list of forums to seek help at (but you're already getting help now at this forum)
At this point press enter one time.
7. Next you will see: quote: Type in the filepath as instructed by the forum staff Then Press Enter, Then F6, Then Enter Again to continue with the fix
At this point please copy and paste the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\yabab.dll
Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.
8. Next you will see: quote: Please type in the second filepath as instructed by the forum staff Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please copy and paste the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\babay.*
Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.
9. The fix will run then HijackThis will open.
Using HijackThis, please place a check next to the following items and click the *FIX CHECKED* button:
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll
10. After you have fixed these items, close HijackThis and Press any key to force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
Once your machine reboots please continue with the instructions below.
11. Then, please run this online virus scan to clean up any leftovers: »www.pandasoftware.com/products/a···scan.htm
Save the results of the Panda ActiveScan so you can post them for review back here.
12. Also please post a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
reply to eay9
Ok, another suggestion from LoPhat... he reports seeing where someone had success using Microsoft Antispyware with the latest defs (#5757)
The download is here: »www.microsoft.com/athome/securit···ult.mspx
Be sure you update it first before scanning.