anothe spysherrif disaster [CLOSED]

All done. I had to leave for a while, but I've followed the instructions and cleaned, anti-virused and did all that I could/should do. Please advise, as I'd like to get this *pooey* off of my computer!!! Thanks! :tazz:

Here's my log.

Logfile of HijackThis v1.99.0
Scan saved at 6:16:44 PM, on 12/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ipsd.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Palm\hotsync.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\ntue.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {09F29D3B-C0DF-4EB3-98DF-2A7F14306D2E} - C:\WINDOWS\system32\mshi.dll (file missing)
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Class - {CC2A66A5-539A-852C-FA22-A3BD80E37FC4} - C:\WINDOWS\system32\crtv32.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\ualjlu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [E6.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\E6.tmp.exe
O4 - HKLM\..\Run: [E7.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\E7.tmp.exe
O4 - HKLM\..\Run: [ipsd.exe] C:\WINDOWS\system32\ipsd.exe
O4 - HKLM\..\Run: [E6.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\E6.tmp.exe
O4 - HKLM\..\Run: [E7.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\E7.tmp.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Ron's World\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Ron's World\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Ron's World\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{51990ABC-37A3-4262-95E0-184CF1DEB5F5}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\ntue.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by KFA, 15 December 2005 - 06:49 PM.

You have quite a few nasties going on here at the same time. We must start by ridding your system of an infection called CWS About:Buster.

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Prepare CWShredder for use:
- Download CWShredder.
- Save CWShredder.exe to a convenient location.
- Please do not do anything with it yet.
Prepare AboutBuster for use:
- Download AboutBuster.
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
- Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
- Click "OK" at the prompt with instructions.
- Click "Update" and then "Check For Update" to begin the update process.
- If any updates exist please download them by clicking "Download Update".
- You should not run the program yet so click "Exit".

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Run CWShredder:
- Double-click on CWShredder.exe.
- Click "Fix ->" and click "OK" at the prompt.
- CWShredder will scan and clean your system of CWS files.
- Click "Next->" and then "Exit".
Run AboutBuster and save the logs:
- Browse to where you saved AboutBuster and run AboutBuster.exe.
- Click "OK" at the directions Read: Important! prompt.
- Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
- Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
- Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
- Click "Exit" and "Exit" again to exit AboutBuster.
Clean out temporary files:
- Start | Run | type cleanmgr | OK
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Click "OK" to remove them.
- Click "Yes" to confirm the deletion.
Restart your computer normally to return to normal mode.
Free TrendMicro Housecall scan:
- Vist the TrendMicro Housecall website.
- Select your country from the drop-down list and click "Go".
- Choose "Yes" at the ActiveX Security Warning prompt.
- Please wait while the Housecall engine is updated.
- Select the drives to be scanned by placing a check in their respective boxes.
- Check the "Auto Clean" box.
- Click "SCAN" in order to begin scanning your system.
- Please be patient while Housecall scans your system for malicious files.
- If not auto-cleaned, remove anything it finds.
- Click "Close" to exit the Housecall scanner.
- Choose "Yes" at the HouseCall message prompt.
Prepare your reply:
- Please post a fresh HijackThis log
- Please post the AboutBuster log.
- Please note any complications you had.

Regards,

Trevuren

#1
KFA

Posted 15 December 2005 - 02:01 PM

Advertisements

#2
Trevuren

Posted 15 December 2005 - 02:27 PM

#3
KFA

Posted 15 December 2005 - 06:15 PM

#4
Trevuren

Posted 15 December 2005 - 07:12 PM

#5
KFA

Posted 15 December 2005 - 07:33 PM

#6
KFA

Posted 15 December 2005 - 07:39 PM

#7
Trevuren

Posted 15 December 2005 - 08:32 PM

#8
KFA

Posted 15 December 2005 - 10:55 PM

#9
KFA

Posted 15 December 2005 - 10:57 PM

#10
Trevuren

Posted 15 December 2005 - 11:48 PM

#11
Trevuren

Posted 27 December 2005 - 12:08 PM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us

anothe spysherrif disaster [CLOSED]

#1 KFA Posted 15 December 2005 - 02:01 PM

Advertisements

#2 Trevuren Posted 15 December 2005 - 02:27 PM

#3 KFA Posted 15 December 2005 - 06:15 PM

#4 Trevuren Posted 15 December 2005 - 07:12 PM

#5 KFA Posted 15 December 2005 - 07:33 PM

#6 KFA Posted 15 December 2005 - 07:39 PM

#7 Trevuren Posted 15 December 2005 - 08:32 PM

#8 KFA Posted 15 December 2005 - 10:55 PM

#9 KFA Posted 15 December 2005 - 10:57 PM

#10 Trevuren Posted 15 December 2005 - 11:48 PM

#11 Trevuren Posted 27 December 2005 - 12:08 PM