eay9

join:2001-08-03
Dixon, IL

hijack this log...Winfixer, cws.qttask, Vx2.Look2m

My browser was hijacked with Winfixer popups. In the process of trying to remove that, I found and, hopefully, removed others.

I ran every program I know of: CWShredder, AdAware, Spybot, Spy Sweeper, CounterSpy, Trojan Hunter, Trend Micro, Ewido and any other program I could locate.

CWShredder found: VX2.Look2me
CounterSpy found: cws.qttask
Spybot: Winfixer
AdAware or maybe Trend found and removed Vundo

Trojan Hunter found a possible Trojan. Here's the log:
###########################################################
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found possible trojan file: C:\WINDOWS\SYSTEM32\strings.exe (Suspicious: UPX-packed file in Windows System folder)
1 possible trojan files found
#############################################################

My system is running better but I'm still getting an occasional pop up. I would appreciate any help you can provide. Thanks!
############################################################
Here's my hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 3:45:47 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\default\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »desktop.presario.net/scripts/red···&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\default\My Documents\filelib\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···te_x.cab
O16 - DPF: Yahoo! Pyramids - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/ms···1267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - »housecall60.trendmicro.com/house···an60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - »messenger.zone.msn.com/binary/Up···1267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - »download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - »h20270.www2.hp.com/ediags/gmn/in···_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···1267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »appldnld.m7z.net/qtinstall.info.···ller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···10355375
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - »appdirectory.messenger.msn.com/A···ctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - »appdirectory.messenger.msn.com/A···kMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - »www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - »messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - »messenger.zone.msn.com/binary/Ba···1267.cab
O16 - DPF: {C852B12E-3F08-4099-AF8E-32FD327B88EA} (msnloader Class) - »rockstar.messenger.msn.com/rockstar.cab
O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\82VVYU4H\CWShredder[1].exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
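The log above is the kind of thing helpers in this thread read by eye. As an added example (not code from the thread or from the HijackThis project), here is a small Python triage script that parses lines in the HijackThis v1.99 format and flags the three patterns the replies below act on: a BHO whose DLL is "(no file)", a service whose binary is "(file missing)", and one DLL registered both as an O2 BHO and as an O20 Winlogon Notify package. The sample log is constructed inline from entries like the ones posted; the rule names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the format HijackThis v1.99 writes, modelled on the
# posted log: benign entries mixed with the entries the fix later targets.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\82VVYU4H\CWShredder[1].exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "R0 - ..." / "O23 - ..." entry lines; header lines and process lists are skipped.
ENTRY = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in .dll/.exe (spaces allowed, as in Program Files).
WINPATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per entry line: section kind, body, normalised path, raw line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        path_m = WINPATH.search(m["body"])
        entries.append({
            "kind": m["kind"],
            "body": m["body"],
            "path": path_m.group(0).lower() if path_m else None,
            "raw": line.strip(),
        })
    return entries


def triage(entries):
    """Return (rule, evidence) pairs for the patterns worth a closer look."""
    findings = []
    kinds_by_path = defaultdict(set)
    for e in entries:
        if e["kind"] == "O2" and e["body"].endswith("(no file)"):
            findings.append(("orphaned BHO: registry points at a DLL that is gone", e["raw"]))
        if e["kind"] == "O23" and e["body"].endswith("(file missing)"):
            findings.append(("service whose binary is missing", e["raw"]))
        if e["path"]:
            kinds_by_path[e["path"]].add(e["kind"])
    # One DLL wired in both as a browser helper and as a Winlogon Notify package
    # is the combination the fix in this thread removes together.
    for path, kinds in kinds_by_path.items():
        if {"O2", "O20"} <= kinds:
            findings.append(("same DLL loaded as BHO (O2) and Winlogon Notify (O20)", path))
    return findings


def triage_text(text):
    """Convenience wrapper: parse and triage a whole log in one call."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for rule, evidence in triage_text(SAMPLE_LOG):
        print(f"[{rule}]\n    {evidence}")
```

Run it against a saved log with `triage_text(open("hijackthis.log").read())`; the output is a list of lines to research, not a verdict, and every flagged entry still needs the kind of second opinion the replies below ask for.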

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL



Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

It's Vundo

Please follow these instructions:

1. Make a copy of these instructions so you have them handy, as most steps need to be done in safe mode with IE closed.

2. Please download the VundoFix tool
www.atribune.org/downloads/VundoFix.exe

3. Double-click VundoFix.exe to extract the files

4. This will create a folder named VundoFix on your desktop.

5. After the files are extracted, please reboot your computer into Safe Mode.
How to start the computer in Safe mode
»service1.symantec.com/SUPPORT/ts···_doc_nam

6. Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat

You will first be presented with a message and a list of forums to seek help at (but you're already getting help now at this forum)

At this point press enter one time.

7. Next you will see:
quote:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix
At this point please copy and paste the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\yabab.dll

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.

8. Next you will see:
quote:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please copy and paste the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\babay

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.

9. The fix will run then HijackThis will open.

Using HijackThis, please place a check next to the following items and click the *FIX CHECKED* button:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll


10. After you have fixed these items, close HijackThis and Press any key to force a reboot of your computer.

Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!

Once your machine reboots please continue with the instructions below.

11. Then, please run this online virus scan to clean up any leftovers:
»www.pandasoftware.com/products/a···scan.htm

Save the results of the Panda ActiveScan so you can post them for review back here.

12. Also please post a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2005


Proud Member of ASAP (Alliance of Security Analysis Professionals)

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

On this item noted by Trojan Hunter:
C:\WINDOWS\SYSTEM32\strings.exe (Suspicious: UPX-packed file in Windows System folder)

You can get a second (well actually 14) opinion here:
Jotti Malware Scan
»virusscan.jotti.org/

Let Jotti scan the file (just browse to it and submit) and wait while it finishes scanning. Copy the report when it's done and post the results back here

If Jotti's Malware scan is busy, you can also use this one

Virus Total
»www.virustotal.com/
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)
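Trojan Hunter's only complaint about strings.exe was that it is UPX-packed and sitting in the System folder, which is why the advice is a multi-engine scan rather than deletion. As an added example (not code from the thread, from Trojan Hunter, or from UPX), here is a Python check that reads the PE section table the way such a scanner would and reports whether the default UPX section names (UPX0/UPX1/UPX2) are present, alongside the SHA-256 you would submit or search for at Jotti or VirusTotal. The PE image it inspects is constructed inline and is not a real executable; the helper and function names are my own.

```python
import hashlib
import struct


def build_fake_pe(section_names):
    """Constructed test data: a minimal, non-executable PE image consisting of a
    DOS header with e_lfanew, the PE signature, a COFF header and a section table."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the stub
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\0") + bytes(32)  # 40-byte section header
        for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + sections


def pe_section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    the 8-byte section names. Raises ValueError on anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # signature (4) + COFF (20) + optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True when any section carries UPX's default naming. A False result proves
    nothing (the names are trivially renamed); a True result means 'packed',
    not 'malicious', which is exactly why a second opinion is the next step."""
    return any(name.upper().startswith("UPX") for name in pe_section_names(data))


def triage_report(data):
    """What you would carry to a multi-engine scan: hash, sections, packer hint."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": pe_section_names(data),
        "upx_sections": looks_upx_packed(data),
    }


if __name__ == "__main__":
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"])  # constructed, not strings.exe
    print(triage_report(sample))
```

On a real file, replace the constructed sample with `open(path, "rb").read()`; the hash in the report is stable across renames, so it identifies the file even if the name in the System folder is later changed.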
eay9

join:2001-08-03
Dixon, IL

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

Thank you Calamity Jane.

I did as you suggested but the VundoFix will not work.

After I *cut and paste* the file path and do the "*enter,F6,enter*" it does not proceed to the next step.
I do not see the "Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix."

I am in safe mode. I'm XP SP2.

Any suggestions?

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL


Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

Does Vundo fix say file not found? If so, something else may have already taken care of it and we can do some fixing of entries in HijackThis.
eay9

join:2001-08-03
Dixon, IL

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

It doesn't say anything........just the file path and then nothing. My version of XP is an upgrade from WinME. Would that make a difference?

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

Hmmm, you're using this filename and path, right?:

C:\WINDOWS\system32\yabab.dll

Maybe try rebooting back into normal mode. Then try running the tool. I saw one instance where it wasn't working right in safe mode.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)
eay9

join:2001-08-03
Dixon, IL
OK, I'll try that and post the results.

Thanks for your help on this. I truly appreciate it.

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

The program is set to exit if the file is not found. So if it still does that as well in normal mode, scan with HijackThis and post a fresh HJT log please.
eay9

join:2001-08-03
Dixon, IL
all righty then.......that didn't work either ;-(
I "cut and paste" the file paths. That didn't work. Then I typed the file paths and that didn't work.

Sorry. I'm clueless on why this isn't working.
eay9

join:2001-08-03
Dixon, IL

Logfile of HijackThis v1.99.1
Scan saved at 6:15:16 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\default\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »desktop.presario.net/scripts/red···&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\default\My Documents\filelib\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···te_x.cab
O16 - DPF: Yahoo! Pyramids - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/ms···1267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - »housecall60.trendmicro.com/house···an60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - »messenger.zone.msn.com/binary/Up···1267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - »download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - »h20270.www2.hp.com/ediags/gmn/in···_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···1267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »appldnld.m7z.net/qtinstall.info.···ller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···10355375
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - »appdirectory.messenger.msn.com/A···ctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - »appdirectory.messenger.msn.com/A···kMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - »www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - »messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - »messenger.zone.msn.com/binary/Ba···1267.cab
O16 - DPF: {C852B12E-3F08-4099-AF8E-32FD327B88EA} (msnloader Class) - »rockstar.messenger.msn.com/rockstar.cab
O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\82VVYU4H\CWShredder[1].exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

Ok, I may need to call some Vundo experts in here. I should see (file missing) on HJT if it had been deleted. How much time are you giving it to search for the file? Or does the program just close?

2. download this tool called Filefind:
»www.atribune.org/downloads/FileFind.zip

Unzip it and double-click on Filefind.exe to run it

Copy and paste into the *Directory* searchbox the following line:
C:\WINDOWS\system32

Then copy and paste into the *file* find search box:
yabab.dll

Then press the *find* button. Wait for it to scan. Copy and paste the results found back here please.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)
eay9

join:2001-08-03
Dixon, IL

Here's the scoop from file finder............

Number of files found:1 Files found in 182 Directories
Size of files found under C:\WINDOWS\system32\ = 528,404 Bytes

Export.txt:

C:\WINDOWS\system32\yabab.dll - 528404 Bytes
eay9

join:2001-08-03
Dixon, IL
To answer your question on the VundoFix.......Each time I ran it I waited several minutes. Nothing ever showed after the file path entry.

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

Ok, well, the file is definitely there. I've called in some others to take a look and add suggestions. This is the first time I've been stumped with it acting this way - in the many I've done.
eay9

join:2001-08-03
Dixon, IL
Thanks for all of your help.

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL


Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

While waiting for the cavalry to arrive, could you reboot into safe mode and give the tool a while longer to work? (More than several minutes).
eay9

join:2001-08-03
Dixon, IL
I started doing that about 20 minutes ago. Still just sits there after I entered the file path and*enter,F6,Enter*.......Crazy.

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Let's see, one member of the cavalry ( LoPhatPhuud See Profile - thank you Lo!) has spotted an error in the second file name....lemme revise instructions. But I think the first file is where it is hanging??

Please follow these instructions:

1. Make a copy of these instructions so you have them handy, as most steps need to be done in safe mode with IE closed.

2. Please download the VundoFix tool
www.atribune.org/downloads/VundoFix.exe

3. Double-click VundoFix.exe to extract the files

4. This will create a folder named VundoFix on your desktop.

5. After the files are extracted, please reboot your computer into Safe Mode.
How to start the computer in Safe mode
»service1.symantec.com/SUPPORT/ts···_doc_nam

6. Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat

You will first be presented with a message and a list of forums to seek help at (but you're already getting help now at this forum)

At this point press enter one time.

7. Next you will see:
quote:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix
At this point please copy and paste the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\yabab.dll

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.

8. Next you will see:
quote:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please copy and paste the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\babay.*

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.

9. The fix will run then HijackThis will open.

Using HijackThis, please place a check next to the following items and click the *FIX CHECKED* button:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll


10. After you have fixed these items, close HijackThis and Press any key to force a reboot of your computer.

Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!

Once your machine reboots please continue with the instructions below.

11. Then, please run this online virus scan to clean up any leftovers:
»www.pandasoftware.com/products/a···scan.htm

Save the results of the Panda ActiveScan so you can post them for review back here.

12. Also please post a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Ok, another suggestion from LoPhat...he reports seeing where someone had success using Microsoft Antispyware with the latest defs (#5757)

The download is here:
»www.microsoft.com/athome/securit···ult.mspx

Be sure you update it first before scanning.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)
eay9

join:2001-08-03
Dixon, IL
Nope.....it still hangs on the first file path

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

Try typing it in (be very careful)
eay9

join:2001-08-03
Dixon, IL
I did that earlier today. I updated the definitions and ran the scan. The scan came out clean.

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

Ok - we'll scratch MSAS didn't work?

Did you try typing in the file name?
eay9

join:2001-08-03
Dixon, IL
"Try typing it in (be very careful)"

I did that too

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

LOL...you're very quick! Lemme call more cavalry

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Ah, big cavalry. The author of the program, suggests this:

Can you ask your user to open the vundofix folder and post a list of files that are in it.

If you dont see process.exe have him redownload the vundofix.exe.

»www.atribune.org/downloads/VundoFix.exe

Note to Mods: While the forum rules state not to use a link to an .exe file in a post, to protect users from accidentally clicking on a malware file, this fix uses a self-extracting archive in an .exe that is a fix tool only and is NOT malware. No other mirrored download links are allowed by the author of the tool; therefore, the link to Vundofix.exe in my post here is an exception to this forum rule. Using that link for the tool ensures that the OP has the most current version of the tool maintained on the author's authorized website.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)
eay9

join:2001-08-03
Dixon, IL
It has ..........

process
command line utility
www.beyondlogic.org

I have reinstalled this fix twice thinking that perhaps it was missing something.
eay9

join:2001-08-03
Dixon, IL
Oops. I forgot The other files are ......

Readme.txt
Vundo Registration Entries
srthjt
eay9

join:2001-08-03
Dixon, IL

Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m

What would happen if I just renamed the file?

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

Hold on. Atribune is looking at this thread. He should post soon
Atribune
Premium
join:2004-11-21
Can you try Calamity Jane's instructions again, but this time instead of Enter, F6, Enter use Enter, Ctrl+Z, Enter and let me know how that goes.
eay9

join:2001-08-03
Dixon, IL
Not a problem. I was just thinking out loud:D
eay9

join:2001-08-03
Dixon, IL
Will do. Thanks for your help.
Atribune
Premium
join:2004-11-21

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

You're welcome, but I wouldn't call it help yet.
eay9

join:2001-08-03
Dixon, IL
Enter, Ctrl+Z, Enter......didn't work :(
Atribune
Premium
join:2004-11-21

Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo

Can you post a new hijackthis log