Author Topic: Topantispyware Problems (Read 1153 times)

Teeren · « **on:** December 15, 2005, 06:08:04 PM »

My laptop seems to be infected with the topantispyware thing. I have been able to fix parts of it but can't seem to get rid of all of it. I have cleaned the system several times with Spybot S&D as well as Ad-Aware but it seems to still be there. Any help you an give would be greatly appreciated. My Hijack this log is below. The PC date is wrong obviously but this is the last log I ran. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 6:00:51 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netzz.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\ipuh32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\alqqa.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\alqqa.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\alqqa.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\alqqa.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\alqqa.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\alqqa.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\alqqa.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {66B04E69-11B5-479C-817F-182355D1BA73} - C:\WINDOWS\system32\bpjj.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E4EDC898-7094-9C0B-426A-F49CDE0BAD64} - C:\WINDOWS\msbx32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run597.exe dummy
O4 - HKLM\..\Run: [sdkre.exe] C:\WINDOWS\system32\sdkre.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ipuh32.exe] C:\WINDOWS\ipuh32.exe
O4 - HKCU\..\Run: [Camfrog] "C:\Program Files\Camfrog\Camfrog Video Chat 3.4\CamfrogNet.exe" 0 C:\Program Files\Camfrog\Camfrog Video Chat 3.4\Camfrog Video Chat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D036E2B1-6AD8-4C74-B4A1-C52F8A0307A4}: NameServer = 71.243.0.12 151.203.0.85
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netzz.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

guestolo · « **Reply #1 on:** December 15, 2005, 08:52:25 PM »

Can you reset the clock on your computer??

Can you post a fresh hijackthis log please and then don't reboot till I see the new log
What makes you think you have TopAnti-Spyware problems
Are you having desktop problems?

Teeren · « **Reply #2 on:** December 15, 2005, 09:08:10 PM »

I reset the clock on the computer. This whole thing began with the topantispyware issue. I lost my desktop and had the warnings and all of that. I was able to get rid of that symptom but I am still having all kinds of problems. My browser will not stay at my homepage, which was Yahoo. Instead all I get now is about blank. I have run both ad-aware, spybot and microsoft spyware beta but no matter how many times I clean it the problems keep coming back. I am getting all kinds of pop-ups as well. Below is the new hijack this scan result. I won't reboot until I hear back from you, Thanks for the help. Much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 9:01:33 PM, on 12/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\ipuh32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\netzz.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\alqqa.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {66B04E69-11B5-479C-817F-182355D1BA73} - C:\WINDOWS\system32\bpjj.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E4EDC898-7094-9C0B-426A-F49CDE0BAD64} - C:\WINDOWS\msbx32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [sdkre.exe] C:\WINDOWS\system32\sdkre.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ipuh32.exe] C:\WINDOWS\ipuh32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netzz.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

guestolo · « **Reply #3 on:** December 15, 2005, 09:30:57 PM »

Let's try to clear the about:blank
Then we'll see if you still have issues with topanti-spyware

Open Ad-Aware and Check for updates online
Download any updates if available
Close out later

==Download CWShredder.exe and save to your desktop
Don't run it yet

Download Hoster.zip and save it to your Desktop.
UNZIP the contents to your desktop or folder

==Download and Install
Windows Cleanup! 4.0
Don't run it yet

==Download and save Cwsserviceremove.zip
UNZIP to your desktop so you now have Cwsserviceremove.reg extracted
We'll need it later

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

==Create a New folder on your desktop, call it Aboutbuster
(Right click an empty spot on the desktop and select NEW>>FOLDER)
Download to desktop About:Buster 5.1
by RubbeR Ducky
Unzip it to that new folder

Open the Aboutbuster folder and Run About:buster.exe
Click the Update button
Allow to update
After it's updated, please close it as we'll need it later

==Please print the next set of instructions or save them too a notepad file on your desktop for reference

Please Disable Microsoft AntiSpyware's realtime protections so it won't interfere in any fixes we try.
Keep this disabled until we know you are clean
Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Close all unnecessary programs running including this window
Double click on CWShredder.exe
Run the FIX part of it, let it fix what it finds

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu

Once in safe mode
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Remote Procedure Call (RPC) Helper <<--There are others that looks similiar, look for the one with "Helper" at the end of it
You may have to drag NAME in the Services (Local) window to see the whole name of the bad service

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

==Open the Aboutbuster folder and Run About:buster.exe
Click the Begin Removal button
Can you please run this scan twice
When it's done it will produce a log in the Aboutbuster folder called
Ab logfile.txt
I'll need to see the log later

==Double click on cwserviceremove.reg and allow to add or merge to the registry

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.

Find and delete the following files if found
C:\WINDOWS\ipuh32.exe <-this file
C:\WINDOWS\pswjm.dll <-file
C:\WINDOWS\msbx32.dll <-file
C:\WINDOWS\system32\netzz.exe <-file
C:\WINDOWS\system32\sdkre.exe <-file

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Give it time to load
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Open Ad-Aware and run a scan, Fix all Criticals found

Do a "system scan only" with Hijackthis and put a check next to these entries if found:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\alqqa.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pswjm.dll/sp.html#77035
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {66B04E69-11B5-479C-817F-182355D1BA73} - C:\WINDOWS\system32\bpjj.dll (file missing)
O2 - BHO: Class - {E4EDC898-7094-9C0B-426A-F49CDE0BAD64} - C:\WINDOWS\msbx32.dll

O4 - HKLM\..\Run: [sdkre.exe] C:\WINDOWS\system32\sdkre.exe
O4 - HKLM\..\Run: [ipuh32.exe] C:\WINDOWS\ipuh32.exe

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode

Locate the Hoster folder , open it and double click on Hoster.exe
Click on Restore Original Hosts
In the confirmation window, click on OK.

==Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Script ActiveX controls marked safe for scripting (Prompt)

Look for a file called shell.dll in your C:\Windows\system32 folder
If it is not there, let me know, we'll have too replace it

Post back the following please
1. A fresh hijackthis log
2. The whole report from Ewidos
3. The contents of the "Ab logfile.txt" in the Aboutbuster folder

Teeren · « **Reply #4 on:** December 15, 2005, 11:58:31 PM »

OK, finished all of it and we seem to be making some progress. I was able to locate shell.dll in the system32 folder so that is OK. I did everything else as per your instructions and here are the loffiles you requested.

Logfile of HijackThis v1.99.1
Scan saved at 11:52:59 PM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         11:18:43 PM, 12/14/2005
+ Report-Checksum:      840EB18

+ Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{07FF232E-41D0-38A2-6073-6847AD3E6453} -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{5345A51F-E5D0-5A0D-1418-A1C95C417E3C} -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
   C:\WINDOWS\addwg32.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\appqn32.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\imsins.BAK:pspbi -> Downloader.Agent.td : Cleaned with backup
   C:\WINDOWS\javari.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\syspy.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\sysqv32.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\system32\apihd.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\system32\dial32.exe -> Trojan.Dialer.ay : Cleaned with backup
   C:\WINDOWS\system32\iesr.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\system32\ieze.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\system32\ldr105.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr114.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr136.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr177.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr192.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr242.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr404.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr405.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr412.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr5.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr500.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr516.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr652.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\ldr905.dll -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\mfcba.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\system32\mfcjy.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\system32\ntfe.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
   C:\WINDOWS\system32\run597.exe -> Downloader.Small.cat : Cleaned with backup
   C:\WINDOWS\system32\sdfdil.exe -> Trojan.Dialer.ay : Cleaned with backup
   C:\WINDOWS\system32\srpcsrv32.dll -> Downloader.Adload.g : Cleaned with backup
   C:\WINDOWS\system32\txfdb32.dll -> Downloader.Adload.g : Cleaned with backup
   C:\WINDOWS\system32\upd370.exe -> Downloader.Small.bpz : Cleaned with backup
   C:\WINDOWS\system32\upd440.exe -> Downloader.Small.bpz : Cleaned with backup
   C:\WINDOWS\system32\upd773.exe -> Dropper.Agent.ii : Cleaned with backup
   C:\WINDOWS\system32\upd865.exe -> Downloader.Small.bpz : Cleaned with backup
   C:\WINDOWS\system32\upd984.exe -> Dropper.Agent.ii : Cleaned with backup
   C:\WINDOWS\system32\winctrl64.exe -> Downloader.Small.awa : Cleaned with backup
   C:\WINDOWS\sysxw.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\warnhp.html:gcxti -> Downloader.Agent.td : Cleaned with backup
   C:\WINDOWS\winjf32.exe -> Trojan.Agent.bi : Cleaned with backup
   C:\WINDOWS\WMSysPrx.prx:tlkjy -> Downloader.Agent.td : Cleaned with backup
   C:\WINDOWS\{EAD46DB3-72B0-4394-9F4B-3272587729F5}.dat:sznmk -> Downloader.WinShow.bg : Cleaned with backup

::Report End

AboutBuster 5.1, reference file 33
Scan started on [12/14/2005] at [10:18:20 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:20:04 PM

AboutBuster 5.1, reference file 33
Scan started on [12/14/2005] at [10:20:53 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:22:26 PM

Things seem to be running a lot better than they were, at least so far.

Teeren · « **Reply #5 on:** December 16, 2005, 08:09:39 PM »

guestolo · « **Reply #6 on:** December 17, 2005, 04:07:14 AM »

Sorry for the delay
Your log looks good

Final cleanup
If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature
Make sure you reenable system restore feature

Afterwards, For added protections
You should install this free tool
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection...."

Additionally, use the Immunize feature of Spybot
Open Spybot, click on Immunize>>OK>>Immunize at the top green cross
Do this after every update

If you disabled Microsoft AntiSpyware protections earlier, go ahead and reenable them

Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Teeren · « **Reply #7 on:** December 17, 2005, 12:27:23 PM »

Ok. Thanks so much for your help. You saved me a lot of headaches!!! Have a great holiday!!!!

guestolo · « **Reply #8 on:** December 17, 2005, 10:27:23 PM »

I'll lock this topic as your problems are resolved

Take care and merry Xmas

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: Topantispyware Problems (Read 1153 times)

Teeren

Topantispyware Problems

guestolo

Topantispyware Problems

Teeren

Topantispyware Problems

guestolo

Topantispyware Problems

Teeren

Topantispyware Problems

Teeren

Topantispyware Problems

guestolo

Topantispyware Problems

Teeren

Topantispyware Problems

guestolo

Topantispyware Problems