Author Topic: Yahoo toolbar (Read 3893 times)

Ed · « **on:** January 16, 2005, 05:48:12 AM »

Ok guys when i go to yahoo.com i click at the top where it say Get yahoo! Toolbar with anti-spy. Ok i click on it then it brings me to the next page where i can download it. I click the purple box that says download with anti-spy. Then when it gets done it says yahoo toolbar is now being installed... Then it bring up another page that says yahoo! Toolbar with anti-spy.

The it says Welcome click next to install yahoo! toolbar with anti-spy. So i click next then it goes back to the other page where is say yahoo! toolbar is being installed and now it says the installation was cancled. And then it brigns me back to the page with the purple box. If someone can please help me. I think i may have a virus or a correpted file or something but i dought it. So if u can help me id appreciate it.

Ty Ed

guestolo · « **Reply #1 on:** January 16, 2005, 10:12:29 AM »

Let's take a closer look Ed
I have some better anti-spyware tools than Yahoo if you want them

Can you Download Hijackthis 1.99
A small utility to help identify if any Hijackers, Malware, Spyware, etc.....Reside on your computer

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE or CLICK HERE
Save it to that new folder

Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important

Ed · « **Reply #2 on:** January 16, 2005, 01:55:32 PM »

Ok. I made a folder called HJT. I downloaded Hijackthis and put it in the HJT folder. I did a scan and save a log file. The log file went to HJT folder but for some strage reason it has like a windows media player symbol inside of it.

Note i am currently running windows 98 se edition. If u can plz help me get rid of this file containing windows media player symbol plz help.

guestolo · « **Reply #3 on:** January 16, 2005, 02:15:49 PM »

Do me a favor, the next time you do a scan
and the log pops up, Copy and paste the contents of the log back here before you close it out
Is that possible?

If not you may have CoolWeb infection

Look in your C:\WINDOWS folder for Notepad.exe
Does it exist?

Ed · « **Reply #4 on:** January 16, 2005, 07:35:34 PM »

No it is note possible because the log file wont swtich over to word pad or note pad because it looks like a windows media folder. If i can get it to where it's back to normal then i can do it. If u no how to do that plz tell me.

guestolo · « **Reply #5 on:** January 16, 2005, 07:48:57 PM »

Go into your C:\Windows Folder, do you see Notepad.exe?

If you do, Navigate to where you saved the Hijackthis log
Left click on it to Highlight it
Hold down the SHIFT key and then Right Click on the file
Choose OPEN WITH from the menu bar
Open it with Notepad, you should check the Always use this program to open this type of file

If it won't open let me know, but try the above

Ed · « **Reply #6 on:** January 16, 2005, 08:46:53 PM »

ok i see Notepad.exe but it says when i try ot open it C:\windows\notepad.exe is not valid win32 application. What do i do now? Is there any possible way i can have the spyware file that u told me about in ur first submit?

ed · « **Reply #7 on:** January 16, 2005, 08:48:16 PM »

But i do see notepad in my documents. But not notepad.exe Can i use this notepad to do it?

Ed · « **Reply #8 on:** January 16, 2005, 08:52:09 PM »

Ok bro. sorry for triple posten but i have done it. Instead of using note pad i used word pad and i got this. Hope this helps.
Logfile of HijackThis v1.99.0
Scan saved at 12:49:29 PM, on 1/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\PROGRAM FILES\NAVEXCEL SEARCH TOOLBAR\NAVEXCELBAR.DLL (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://play.igl.net/clo/install/CLOActiveX...tallerProj1.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntr...ro.cab27513.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clie...ts/y/pote_x.cab

There u go that the log i got from the scan

guestolo · « **Reply #9 on:** January 16, 2005, 08:55:07 PM »

Yup, you have CoolWeb Infection, let me post a fix, give me a few minutes

Download and save to desktop Notepad_98.zip removed link
Don't Unzip it yet
The above link you will have to Right click on it and Copy Shortcut
Paste it into your IE address bar and hit GO

Download and save to desktop the Standalone Version of CWShredder.exe

Disconnect from the Internet and close down all Browser windows

Open up CWShredder and click Only the FIX button
Let it Fix all problems
RESTART your computer to finish the cleaning

Once back in Windows
I see you have SpywareDoctor installed
Can you also
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates

Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Back in Windows

UNZIP the contents of Notepad_98.zip to your
C:\WINDOWS folder
Allow to overwrite if prompted

Post back a fresh hijackthis log after you have done the above

Do what you can and then post back

Ed · « **Reply #10 on:** January 16, 2005, 09:42:16 PM »

k for some reason when i try to run ad-aware it says ad-aware has performed an illegal operation and be shutdown. i got the details and this is what it says.AD-AWARE caused an exception eedfadeH in module <unknown> at 0000:00000000.
Registers:
EAX=00000000 CS=0000 EIP=00000000 EFLGS=00000000
EBX=00000000 SS=0000 ESP=00000000 EBP=00000000
ECX=00000000 DS=0000 ESI=00000000 FS=0000
EDX=00000000 ES=0000 EDI=00000000 GS=0000
Bytes at CS:EIP:

Stack dump:

Do u still want me to do what u said except without ad-aware?

guestolo · « **Reply #11 on:** January 16, 2005, 09:57:03 PM »

Do me a favor Ed

Set Windows To Show Hidden Files and Folders
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Click OK.

Navigate to this folder
C:\WINDOWS\SYSTEM

Inside the System folder let me know if you can find both the files below

Riched20.dll and Riched32.dll

If not I can upload you the correct copy for your Operating system

Ed · « **Reply #12 on:** January 16, 2005, 10:15:54 PM »

ok i have done what u said i have found the files riched.dll and riched20.dll.. I did not find riched32.dll

ed · « **Reply #13 on:** January 16, 2005, 10:18:10 PM »

Oh and also i no i did soemthing wrong i dont no if it is the problem with download the yahoo toolbar but. When i was doing something in regedit i was looking for a file and i click the wrong file on the left side where u search and the file i clicks was toolbar and i accidently deleted it. Maybe thats the problem but i dont know.

guestolo · « **Reply #14 on:** January 16, 2005, 10:30:47 PM »

Can you download this file please
Save it to your C:Windows\System folder

Restart your computer and try Ad-Aware again

Again, you will have to Right click on the link and Copy Shortcut
Paste it to the IE address bar and hit GO

Riched32.dll Removed link

Ed · « **Reply #15 on:** January 16, 2005, 11:00:56 PM »

Ok what do i do to zip notepad.exe?

guestolo · « **Reply #16 on:** January 16, 2005, 11:06:07 PM »

Unzip the contents(Notepad.exe) to the
C:\Windows folder

Allow to Overwrite if prompted

Ed · « **Reply #17 on:** January 16, 2005, 11:10:47 PM »

Ok i did everything u said here is the new log file.
Logfile of HijackThis v1.99.0
Scan saved at 10:07:15 PM, on 1/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\PROGRAM FILES\NAVEXCEL SEARCH TOOLBAR\NAVEXCELBAR.DLL (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://play.igl.net/clo/install/CLOActiveX...tallerProj1.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntr...ro.cab27513.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clie...ts/y/pote_x.cab

Ed · « **Reply #18 on:** January 16, 2005, 11:22:45 PM »

Is this log file a good sign? Oh and also what would u suggest for a anti virus software. Right now i currently have AVG 7.300 version.

guestolo · « **Reply #19 on:** January 16, 2005, 11:40:10 PM »

Download and save to desktop LSP FIX.exe

Please print out the rest of this or save it to a Notepad file for easy access

Disconnect from the Internet

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\PROGRAM FILES\NAVEXCEL SEARCH TOOLBAR\NAVEXCELBAR.DLL (file missing)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Double click to run LSP fix
Check "I know what I'm doing".
Then select all occurances of osmim.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right hand panel.(The Removal Pane)
Click Finish

RESTART your computer

Your way behind on Windows updates, when your back in Windows you should Visit Windows Updates
Scan for Updates>>>Download and Install ALL Critical Updates and Services packs
Don't try and get them all at once, keep Restarting your computer and revisiting until you have them all installed
This is important in keeping your system secure

Don't install the Recommended updates, unless you want or need them
Just install the Criticals

Post back a fresh Hijackthis log afterwards

We should get a free Anti-Virus on your computer if you don't have one to install later

Quote

Right now i currently have AVG 7.300 version.

I don't see it running on your computer?

??

News:

Author Topic: Yahoo toolbar (Read 3893 times)

Ed

Ed

Ed

Ed

ed

Ed

Ed

Ed

ed

Ed

Ed

Ed