Abi, aurora, microsoft explorer



#16
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
No worry Mary. Did you run HJT and make the fixes with it? If not, please do so and post back a fresh log please.
  • 0



#17
maryb63

maryb63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Don

Here is my latest HJT log

Thanks,
Mary

Attached Files


  • 0

#18
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Mary,
Gaining on it !

Close all programs leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [*keyac] C:\WINDOWS\Web\printers\keyac.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [*adjava] C:\WINDOWS\Registration\adjava.exe rerun
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: adjava - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe


Click on Fix Checked when finished and exit HijackThis.


Next

*Please open notepad and save these instructions, Name it something you will remember
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
C:\WINDOWS\Web\printers\keyac.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\Registration\adjava.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.


Next
Restart your computer and post back a fresh HJT log please
  • 0

#19
maryb63

maryb63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Don

I did the Killbox, but I didn't see where to click "No" at the Pending Operations prompt. I hope I didn't make a mistake. Here is my new HJT log.

Thanks
Mary

Attached Files


  • 0

#20
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Did the computer restart? If it didn't, please run it again, and if it doesn't restart, manually restart your computer.
Also
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the services called:

WebSeach Toolbar support NT service

or

TBPSSvc

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

TBPSSvc
Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Post a new HiJackThis log after it reboots and let me know if you received any error messages.
  • 0

#21
maryb63

maryb63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Don

I tried to disable WebSearch toolbar, but I got a message saying it was unable to do so, it had timed out. But in the General tab it said "Stopped". I tried to then disable it. After I hit Apply then OK and try to go to HJT to continue, I typed in TBPSSvc, hit OK, and I get a message that says this is enabled/running and I must disable it in Services or HijackThis. When I go back to Services, it still says stopped, but it is back on Automatic. Tried again to disable, but same results.

Mary
  • 0

#22
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • You can click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window into this topic please.

  • 0

#23
maryb63

maryb63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Don

Here is what I came up with.

Viewpoint Media Player
WebSearch Toolbar
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB824920
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) [See q329256 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329112
Windows XP Hotfix (SP2) Q329909
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q811009
Windows XP Hotfix (SP2) Q811632
Windows XP Hotfix (SP2) Q811789
Windows XP Related
WSEM Update
Yahoo! Address AutoComplete
Yahoo! Companion
Yahoo! Install Manager

Mary
  • 0

#24
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Mary, looks like you're missing a section of the log. Could you run through and post all the programs found in Uninstall Manager please.
  • 0

#25
maryb63

maryb63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Don,

Sorry I didn't get it all on the first try.

2Wire Wireless Client
Active Alert
Adobe Reader 6.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20020929.1)
AOL Instant Messenger
ArcSoft PhotoImpression 4
ArcSoft ShowBiz 2
Asteroids
ATI Control Panel
ATI Display Driver
Content Delivery Module
Digimax Viewer 2.1
Display Utility
Dodge View
E2give Plug-in
Easy Internet Sign-up
ewido security suite
HijackThis 1.99.1
hp deskjet 5100
HP Deskjet Preloaded Printer Drivers
HP Instant Support
HP Photo & Imaging 3.0
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Software Update
HPImageZone
Intel® Extreme Graphics 2 Driver
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Kaspersky Anti-Virus Web Scanner
Kazaa Media Desktop 2.6
KBD
KODAK Picture CD Volume 2 Issue 4
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Plus! Digital Media Edition
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Web Publishing Wizard 1.52
Microsoft Works 7.0
Multimedia Card Reader
MUSICMATCH Media Center
MUSICMATCH® Jukebox
My Search Bar
Norton AntiVirus 2003
Otto
PC-Doctor for Windows
Peer Points Manager
Photosmart 140,240,7200,7600,7700,7900 Series
Punch! Master Landscape
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
Reader Rabbit 1st Grade
RealOne Player
RecordNow!
Registry Cleaner
Related Page
SBC Yahoo! Applications
SBC Yahoo! DSL
SBC Yahoo! DSL Extras
SBC Yahoo! DSL Home Networking Installer
SBC Yahoo! Messenger
searchforit - Toolbar
Shockwave
Sonic Update Manager
Spybot - Search & Destroy 1.4
TContext
The ABI Network- A Division of Direct Revenue
The Print Shop 20
toolkit
Updates from HP
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebSearch Toolbar
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB824920
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) [See q329256 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329112
Windows XP Hotfix (SP2) Q329909
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q811009
Windows XP Hotfix (SP2) Q811632
Windows XP Hotfix (SP2) Q811789
Windows XP Related
WSEM Update
Yahoo! Address AutoComplete
Yahoo! Companion
Yahoo! Install Manager

Mary
  • 0



#26
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Mary.

Removing programs through HJT

If you have any that won't remove, then try using HJT to remove it:

  • Open HijackThis.
  • Click the "Open the Misc Tools section" button.
  • Next click "Open Uninstall Manager..." button.
  • Highlight (click on) WebSearch Toolbar.
  • Then click "Delete this entry".

Reboot and post back a fresh HJT log please
  • 0

#27
maryb63

maryb63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Don

Here is a fresh HJT

Logfile of HijackThis v1.99.1
Scan saved at 8:08:04 PM, on 6/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\Registration\adjava.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Registry Cleaner Trial\RegClean.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
c:\PROGRA~1\Toolbar\radio.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [*adjava] C:\WINDOWS\Registration\adjava.exe rerun
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: adjava - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Mary
  • 0

#28
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
This is proving to be tough Mary,

Go to Start/Run, type services.msc and press OK.

When the screen opens, scroll down to WebSeach Toolbar support NT service, right-click and select Properties, then on that page press Stop service, set the startup type to Disabled, and press OK.


Next
Please open HJT> Click on the Config button> Click >Misc. Tools > Click > Open Process manager> Check Show DLLs > Highlight “
TBPS.exe
PIB.exe
TBPSSvc.exe
adjava.e
“ >Click> Kill process>
Next click the scan button and put a check mark next to the following, close all open windows , Click “ Fix Checked”

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [*adjava] C:\WINDOWS\Registration\adjava.exe rerun
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O20 - Winlogon Notify: adjava - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe


Next

Open Killbox. In the Killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:


C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\Registration\adjava.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt

Your computer should reboot (If it doesn't please restart your computer manually )

Post back a fresh log when done please
  • 0

#29
maryb63

maryb63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Don

I tried to remove the TBPS, PIB, TBPSS, & adjava, but a message came up: "The selected process could not be killed, it may be protected by Windows." I tried again, same message but with an added part: "This process might be a service which you can stop from the Services applet in Admin. Tools." Now when I went to disable the WebSearch toolbar, it was already stopped from last time. But when I press Disable, it seems to go to disable, but when I went back to it to check if I did it right, it said Automatic again. I ran a new scan on HJT.

Mary

Logfile of HijackThis v1.99.1
Scan saved at 9:43:28 PM, on 6/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Toolbar\TBPS.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\Registration\adjava.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Registry Cleaner Trial\RegClean.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [*adjava] C:\WINDOWS\Registration\adjava.exe rerun
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: adjava - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0
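
An added example, not part of the original thread: a short Python check that compares the entries ticked for "Fix checked" in post #28 with the scan posted in #29, and lists which files queued for deletion are still shown as running. The log text is excerpted from those two posts; the function names are this example's own.

```python
import re

# A HijackThis item line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [TBPS] ...".
ITEM_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_items(log_text):
    """Return the item lines of a HijackThis log as (section, body) tuples."""
    items = []
    for raw in log_text.splitlines():
        match = ITEM_RE.match(raw.strip())
        if match:
            items.append((match.group("section"), match.group("body")))
    return items


def _key(item):
    # Compare case-insensitively with whitespace collapsed. 8.3 short paths
    # (PROGRA~1) are not expanded, so both texts must use the same path form.
    section, body = item
    return section, " ".join(body.split()).lower()


def persisting(fix_list_text, later_log_text):
    """Items ticked for "Fix checked" that still appear in a later scan."""
    later = {_key(item) for item in parse_items(later_log_text)}
    return [item for item in parse_items(fix_list_text) if _key(item) in later]


def running_processes(log_text):
    """Lower-cased paths from the "Running processes:" block of a log."""
    procs, in_block = set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_block = True
        elif in_block and not line:
            break  # the block ends at the first blank line
        elif in_block:
            procs.add(line.lower())
    return procs


def still_running(delete_list_text, later_log_text):
    """Files queued for deletion whose process is still listed as running."""
    procs = running_processes(later_log_text)
    wanted = [p.strip() for p in delete_list_text.splitlines() if p.strip()]
    return [p for p in wanted if p.lower() in procs]


# Entries to tick, as listed in post #28.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [*adjava] C:\WINDOWS\Registration\adjava.exe rerun
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O20 - Winlogon Notify: adjava - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
"""

# Files queued in Killbox, as listed in post #28.
DELETE_LIST = r"""
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\Registration\adjava.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
"""

# Shortened excerpt of the scan in post #29 (most unrelated lines left out).
LATER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:43:28 PM, on 6/23/2005

Running processes:
C:\WINDOWS\system32\services.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\Registration\adjava.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [*adjava] C:\WINDOWS\Registration\adjava.exe rerun
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O20 - Winlogon Notify: adjava - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avajda.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
"""

if __name__ == "__main__":
    for section, body in persisting(FIX_LIST, LATER_LOG):
        print("still present:", section, "-", body)
    for path in still_running(DELETE_LIST, LATER_LOG):
        print("still running:", path)
```
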

#30
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Mary, sorry for taking a bit to get back to you.

Could you perform the above instruction while in safe mode please.
  • 0





