Recently got Bestfriends.scr virus....NEED HELP PLZ!

Hi

I recently clicked on one of my friend's away messages with a hyperlink linked to the bestfriends.scr virus. The first notable effect was my IE (with SP2) information bar asking me whether I wanted to download script software (ActiveX) every time I wanted to browse a page. ALSO, I am unable to log in to my Hotmail account (which is not so bad because I have another primary email account). Maybe this Hotmail problem can hint at my problem. Once I enter my username and password, the screen freezes on a blank white screen. And ANOTHER effect is that every time I reboot my computer, my AIM doesn't allow me to connect to the server. If I want to use AIM, I basically have to reinstall it every time.

More importantly, I've run every type of adware/spyware software I could find. I also had Symantec and Norton antivirus running before the virus was contracted.

I could not find any of the infected .exe files in my HJT log that other people are getting. I did notice that icqlite.exe was affecting my computer, but I removed and quarantined it. Yet I still have the problems noted above (Hotmail account not loading, AIM not connecting, IE information bar constantly asking for download of script software).

I WOULD GREATLY APPRECIATE ANY HELP, ESPECIALLY IF SOMEONE COULD LOOK AT MY HJT LOG AND START FROM THERE.

THANKS :)



Logfile of HijackThis v1.98.2
Scan saved at 6:14:09 PM, on 9/20/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\avant.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\iTunes\iTunes.exe
D:\IMage2\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50188
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: profmfp - {92D75485-5A36-13D2-A98B-1DEE2EF389E5} - C:\WINDOWS\System32\profmfp.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Gregsrana] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P41 "Auto EPSON Stylus C82 Series on Gregsrana" /O25 "\\GREGSRANA\EPSON Printer" /M "Stylus C82"
O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Gregchin] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P40 "Auto EPSON Stylus C82 Series on Gregchin" /O24 "\\GREGCHIN\EPSON Printer" /M "Stylus C82"
O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Clownsmoke] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P42 "Auto EPSON Stylus C82 Series on CLOWNSMOKE" /O36 "\\CLOWNSMOKE\EPSON Stylus C82 Series" /M "Stylus C82"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] D:\Image\aim.exe -cnetwait.odl
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Add to AD Black List - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Image\aim.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

Comments

  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    Get rid of the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50188
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: profmfp - {92D75485-5A36-13D2-A98B-1DEE2EF389E5} - C:\WINDOWS\System32\profmfp.dll (file missing)
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

    O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab

    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

    Reboot, and post a new log when you've done this.
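The triage primesuspect does by eye above (match each HijackThis entry against a few indicators, tell the poster which lines to fix, then compare the next log to see what survived) can be done mechanically. The script below is an added example, not code from this thread or from HijackThis. The indicator strings it uses (websearch.com, a path under \Toolbar\, WinTools, and the "(file missing)" marker) are the ones the helpers keyed on in this thread and are illustrative only, not a general signature set; the two log excerpts are constructed from the entry types seen above rather than copies of the poster's full logs.

```python
"""Triage HijackThis (v1.98-style) log entries and diff a before/after pair."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpts in HijackThis log format, modelled on the entry types in
# this thread (not a copy of the poster's complete logs).
SAMPLE_BEFORE = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50188
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: profmfp - {92D75485-5A36-13D2-A98B-1DEE2EF389E5} - C:\WINDOWS\System32\profmfp.dll (file missing)
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
"""

# Constructed "after" excerpt: the WinTools BHO survives as a dangling COM
# registration once its DLL is gone, which is what the poster's later log showed.
SAMPLE_AFTER = r"""
Logfile of HijackThis v1.98.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<detail>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_MISSING = "(file missing)"

# Indicators taken from what was flagged in this thread; illustrative only.
INDICATORS = {
    "websearch.com hijack": re.compile(r"websearch\.com", re.I),
    r"path under \Toolbar\ ": re.compile(r"\\Toolbar\\", re.I),
    "WinTools component": re.compile(r"WinTools", re.I),
    "registered object whose file is missing": re.compile(re.escape(FILE_MISSING)),
}


@dataclass
class Entry:
    section: str          # R1, O2, O4, O16, ...
    detail: str           # text after "Oxx - ", with "(file missing)" stripped
    clsid: Optional[str]  # upper-cased {GUID} if the entry carries one
    file_missing: bool
    raw: str

    def key(self):
        """Identity that survives cosmetic changes between logs (8.3 vs long paths)."""
        if self.clsid:
            return (self.section, self.clsid)
        m = re.search(r"\[([^\]]+)\]", self.detail)  # O4 Run entries: key on the value name
        return (self.section, m.group(1) if m else self.detail)


def parse_log(text):
    """Return the Rx/Ox entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        detail = m["detail"]
        missing = FILE_MISSING in detail
        detail = detail.replace(FILE_MISSING, "").strip()
        c = CLSID_RE.search(detail)
        entries.append(Entry(m["section"], detail, c.group(0).upper() if c else None, missing, line))
    return entries


def flag_entries(entries, indicators=INDICATORS):
    """Pair each entry that matches at least one indicator with the reasons it matched."""
    flagged = []
    for e in entries:
        reasons = [name for name, rx in indicators.items() if rx.search(e.raw)]
        if reasons:
            flagged.append((e, reasons))
    return flagged


def diff_logs(before_text, after_text):
    """(entries that disappeared, flagged entries still present in the new log)."""
    before = {e.key(): e for e in parse_log(before_text)}
    after = {e.key(): e for e in parse_log(after_text)}
    removed = [e for k, e in before.items() if k not in after]
    remaining = [e for e, _ in flag_entries(after.values())]
    return removed, remaining


if __name__ == "__main__":
    for e, reasons in flag_entries(parse_log(SAMPLE_BEFORE)):
        print(e.raw, "->", "; ".join(reasons))
    removed, remaining = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"{len(removed)} entries gone, {len(remaining)} flagged entries still present")
```

Keying COM entries on their CLSID rather than on the path is what lets the diff recognise the WinTools BHO as the same object in both logs even though its DLL has disappeared; an entry that persists with "(file missing)" is exactly the kind of leftover registration the thread later has to clean up by hand.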
  • edited September 2004
    Thank you very much for responding.
    I am still unable to connect to my Hotmail account, and my AIM is still not working whenever I reboot my computer after a complete shutdown.
    This is my new log....


    Logfile of HijackThis v1.98.2
    Scan saved at 11:16:28 PM, on 9/20/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\avant.exe
    D:\IMage2\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50188
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Gregsrana] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P41 "Auto EPSON Stylus C82 Series on Gregsrana" /O25 "\\GREGSRANA\EPSON Printer" /M "Stylus C82"
    O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Gregchin] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P40 "Auto EPSON Stylus C82 Series on Gregchin" /O24 "\\GREGCHIN\EPSON Printer" /M "Stylus C82"
    O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Clownsmoke] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P42 "Auto EPSON Stylus C82 Series on CLOWNSMOKE" /O36 "\\CLOWNSMOKE\EPSON Stylus C82 Series" /M "Stylus C82"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKCU\..\Run: [AIM] D:\Image\aim.exe -cnetwait.odl
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: Add to AD Black List - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Highlight - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Search - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\Search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Image\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    Alright, remove the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50188
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe

    Now, hit CTRL-ALT-DEL and click Task Manager, then go to the Processes tab.

    END the following processes:

    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    C:\Program Files\Common Files\WinTools\WSup.exe

    After those processes are ended, go to C:\PROGRAM FILES\ and DELETE the folder called TOOLBAR. Then go to C:\PROGRAM FILES\COMMON FILES\ and DELETE the folder called WinTools.

    When those two folders are gone, reboot, and post a new log.
  • wildthing423 Virginia beach, Virginia
    edited September 2004
    Primesuspect gave good instructions and advice. One thing: look in Add and Remove for anything resembling HuntBar, WinTools, ***.anybar. Remove anything even resembling the same.

    Next, this .scr seems to be traveling through people who have or currently use AIM. Please try this:

    How to remove the "bestfriends.scr" AIM virus:


    If you have Windows 95, 98 or Millennium: (if you have Windows 95, skip steps 6-9)
    1. Restart the computer. As soon as it starts, tap the Ctrl key (or the F8 key if you have Windows 95) until the Windows startup menu appears.
    2. Use the arrow keys to highlight Safe Mode, then press Enter.
    3. Once Windows has loaded, go to Start > Run, type "dosprmpt" and click "OK".
    4. In the DOS window that appears, type the following:


    C:
    CD \WINDOWS\SYSTEM
    ATTRIB -H -S -R YAHOOMSG.EXE
    DEL YAHOOMSG.EXE


    5. Close the DOS window and restart your computer.
    6. When Windows has loaded, go to Start > Run, type "msconfig" and click "OK".
    7. In the window that appears, click the "Startup" tab and uncheck any items labeled "Yahoo Messenger".
    8. Click "OK".
    9. If prompted, restart your computer.

    If you have Windows 2000 or XP:
    1. Restart the computer. As soon as it starts, tap the F8 key until the "Windows Advanced Options" menu appears.
    2. Use the arrow keys to highlight Safe Mode, then press Enter.
    3. Once Windows has loaded, go to Start > Run, type "cmd" and click "OK".
    4. In the DOS window that appears, type the following:


    C:
    CD \WINDOWS\SYSTEM32
    ATTRIB -H -S -R YAHOOMSG.EXE
    DEL YAHOOMSG.EXE


    5. Close the DOS window and restart your computer.
    6. When Windows has loaded, go to Start > Run, type "msconfig" and click "OK".
    7. In the window that appears, click the "Startup" tab and uncheck any items labeled "Yahoo Messenger".
    8. Click "OK".
    9. If prompted, restart your computer.

    Delete any instance in all temp files, downloaded temp files, etc., and clear all caches.
    Do this before you reboot back into normal Windows.


    Wildthing. :Canflag:
  • edited September 2004
    Hi again,

    I did everything you said, and it fixed my AIM problem :). However, my Hotmail account still cannot be accessed :(, and the information bar for IE is still screwed up.
    I REALLY APPRECIATE all the help so far. It's amazing how you guys take the time to help people out like this.
    If these problems persist, maybe I should just reformat (even though I'd rather not).

    Here is my new log:


    Logfile of HijackThis v1.98.2
    Scan saved at 5:53:08 PM, on 9/21/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\avant.exe
    D:\IMage2\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Gregsrana] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P41 "Auto EPSON Stylus C82 Series on Gregsrana" /O25 "\\GREGSRANA\EPSON Printer" /M "Stylus C82"
    O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Gregchin] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P40 "Auto EPSON Stylus C82 Series on Gregchin" /O24 "\\GREGCHIN\EPSON Printer" /M "Stylus C82"
    O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Clownsmoke] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P42 "Auto EPSON Stylus C82 Series on CLOWNSMOKE" /O36 "\\CLOWNSMOKE\EPSON Stylus C82 Series" /M "Stylus C82"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [AIM] D:\Image\aim.exe -cnetwait.odl
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: Add to AD Black List - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Highlight - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Search - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\Search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Image\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    Don't reformat. We can fix this.

    Get rid of:

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

    Now, END the following processes:

    C:\WINDOWS\system32\cba\pds.exe
    C:\WINDOWS\system32\cba\xfr.exe

    After you end those, go to C:\PROGRAM FILES\COMMON FILES\ and DELETE the Wintools folder. It is VERY important that you get rid of this folder.

    Then, go to C:\WINDOWS\SYSTEM32\ and RENAME the CBA folder to CBA.OLD

    I'm not too clear on what the CBA folder is yet, but it doesn't sit right with me. Rename it, reboot, and post a new log.
  • edited September 2004
    Hmm... that's weird that WinTools was in my HJT log, because the folder was deleted. And for some odd reason, my Hotmail account STILL can't be accessed. Also, my IE and Avant browsers don't allow pages to be redirected.
    So yeah, I got WinTools out of the way and I renamed the CBA folder. It seemed to remove stuff from my processes and HJT log.
    Thanks for the help. Here's my new log:


    Logfile of HijackThis v1.98.2
    Scan saved at 11:01:17 PM, on 9/21/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\avant.exe
    D:\IMage2\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Gregsrana] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P41 "Auto EPSON Stylus C82 Series on Gregsrana" /O25 "\\GREGSRANA\EPSON Printer" /M "Stylus C82"
    O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Gregchin] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P40 "Auto EPSON Stylus C82 Series on Gregchin" /O24 "\\GREGCHIN\EPSON Printer" /M "Stylus C82"
    O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on Clownsmoke] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P42 "Auto EPSON Stylus C82 Series on CLOWNSMOKE" /O36 "\\CLOWNSMOKE\EPSON Stylus C82 Series" /M "Stylus C82"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKCU\..\Run: [AIM] D:\Image\aim.exe -cnetwait.odl
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: Add to AD Black List - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Highlight - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Search - C:\Documents and Settings\JonJon Sujarit\My Documents\Avant Browser\Search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Image\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    We've seen this before: Hotmail ceases to work, like it is broken by spyware or something. I would suggest trying to reinstall IE. If you Google "Reinstall Internet Explorer" you'll find it somewhere.

    Your log looks clean.
  • edited September 2004
    I appreciate all the help PrimeSuspect. You have definitely made my situation a million times better, and I can't thank you enough. It's nice to know there are people like you out there who are willing to help strangers. :)

    I'm going to try reinstalling IE and hopefully Hotmail and other crap will work. If not, I can use Mozilla for my Hotmail account, which rarely gets used anyway.

    Thank you


    PS... if I have any more questions in the near future, mind if I bother you again?
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    Not at all, that's what we're here for :)