Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Arora is driving me batty (resolved)

Started by baseballbroad , May 08 2005 05:09 PM

  • This topic is locked This topic is locked

#1
baseballbroad
Posted 08 May 2005 - 05:09 PM

baseballbroad

    New Member

  • Member
  • Pip
  • 4 posts
Hi, I'm new. I am also ready to hurl my PC out the nearest window. :tazz:
I have adaware, spywareBlaster and SpyBot, and nothing hs gotten rid of this annoyance (various arora pop ups). Please help!
I hope I am doing this correctly. ;)

Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 7:02:36 PM, on 5/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\memuryg.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Documents and Settings\Owner.BASEBALL[bleep]\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CleanMyPCPopupBlocker Class - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vaUR] C:\documents and settings\owner.baseball[bleep]\local settings\temp\vaUR.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [or09LvX] C:\documents and settings\owner.baseball[bleep]\local settings\temp\or09LvX.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [memuryg] C:\WINDOWS\System32\memuryg.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://www.dioceseaj.org/iNotes6.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://64.84.107.59/activex/AMC.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by baseballbroad, 08 May 2005 - 05:10 PM.

  • 0

Advertisements

#2
Guest_usetobe_*
Posted 09 May 2005 - 05:31 AM

Guest_usetobe_*
  • Guest
Hi Baseballbroad.

You have a nasty nail infection, and i don't mean on your fingers and toes :tazz:

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and checkthe following if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [vaUR] C:\documents and settings\owner.baseball[bleep]\local settings\temp\vaUR.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [or09LvX] C:\documents and settings\owner.baseball[bleep]\local settings\temp\or09LvX.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [memuryg] C:\WINDOWS\System32\memuryg.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all open windows except for HijackThis and click Fix Checked.

Download the following program.

Cleanup

Reboot into SAFE MODE by tapping the F8 key whilst PC starts up.

Set PC to show hidden files (Click link below if you do not know how

Show hidden files

Using Windows Explorer locate and delete the following files/folders if present.

C:\WINDOWS\Nail.exe
O4C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
C:\documents and settings\owner.baseball[bleep]\local settings\temp\vaUR.exe
C:\WINDOWS\System32\IEHost.exe
c:\installer\id53.exe
C:\documents and settings\owner.baseball[bleep]\local settings\temp\or09LvX.exe
C:\WINDOWS\System32\memuryg.exe
C:\WINDOWS\System32\ms.exe
C:\WINDOWS\svcproc.exe

Now use the Cleanup program to clear out temp files, junk etc.

Restart your computer in normal mode

Carry out a free online virus scan from the following link

Panda Active Scan

Rescan with HijackThis and post the lofg back, as well as the log from the Ewido scan.
  • 0

#3
baseballbroad
Posted 09 May 2005 - 03:04 PM

baseballbroad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Firstly, THANKS SO MUCH for your help.
Being the novice that I am, and having three disctractions ages 5,3 and ten months....this took me all day! :tazz:

But I did it....I think.

First, the ewido log:

C:\Documents and Settings\Owner.BASEBALL[bleep]\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.BASEBALL[bleep]\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\Preloader.dll -> TrojanDownloader.OTXloader -> Cleaned with backup
C:\WINDOWS\mtubarolsc.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\system32\memurygndw30102lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\swawff.exe -> TrojanDropper.Agent.jl -> Cleaned with backup
D:\WINDOWS\TEMP\Adware\DelFinMediaViewer29j.exe -> Spyware.DelFin -> Cleaned with backup
D:\WINDOWS\TEMP\Adware\kazaa_336.exe -> Spyware.NewDotNet -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@us[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S109821[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@products[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S138568[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@80693899[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@tryaolfree[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S137319[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@59985654[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S120283[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S143139[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S0014-01-2-11-223910-53051[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S116989[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S005-01-6-28-254547-85584[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@DCS000017_1O8L[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S005-01-6-28-254547-85611[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S139392[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@media[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@31953349[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@843040[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S005-01-4-6-238077-65696[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S005-01-8-15-233860-97119[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S0014-01-2-16-217494-54117[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@74330191[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@31953349[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S148889[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@43323746[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S123391[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@80693899[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@ctx[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S130376[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@media[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S113245[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S130343[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S130603[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S147918[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@totalvelocity[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@S005-01-6-28-254547-85621[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S116123[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@S0014-01-2-16-217494-54117[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@media[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@71469122[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@link[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S005-01-8-20-85963-98106[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@track-star[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@31953349[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@35109650[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@74330191[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S0012-01-1-7-217494-47679[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S0014-01-2-16-217494-54117[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@843040[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S009-00-11-16-116105-36694[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@ctx[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@media[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@specificpop[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@S116123[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@S141048[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@S009-00-12-21-195626-44841[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\egans@S009-00-10-10-195626-30870[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@S009-00-10-10-195626-30870[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\anyuser@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\Program Files\DelFin\PromulGate\PgMonitr.exe -> Spyware.DelFin -> Cleaned with backup
D:\WIN\Cookies\egan family@S113245[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@3com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@4871802[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@31953349[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@hotbar[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@tryaolfree[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\anyuser@S148584[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\anyuser@bannerads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@S130343[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\anyuser@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\anyuser@S125100[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@S148889[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@45151286[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@S109821[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@S130376[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\egan family@S110357[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Cookies\anyuser@dcs91jbzf21e5hql7xx01y499_9y1u[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WIN\Temporary Internet Files\Content.IE5\YTWZU921\all_launch_reg[1].htm -> Trojan.NoClose.e -> Cleaned with backup
D:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP255\A0023808.dll -> Trojan.KeyHost.e -> Cleaned with backup
D:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP255\A0023809.exe -> Spyware.BiSpy.r -> Cleaned with backup
D:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP255\A0023810.DLL -> Trojan.KeyHost.e -> Cleaned with backup
D:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP255\A0023811.EXE -> Spyware.BiSpy.r -> Cleaned with backup
D:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP255\A0023812.exe -> Spyware.ClipGenie -> Cleaned with backup
D:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP255\A0023813.exe -> Spyware.DownloadWare -> Cleaned with backup


Now: the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:44:41 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner.BASEBALL[bleep]\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CleanMyPCPopupBlocker Class - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://www.dioceseaj.org/iNotes6.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe



Thanks so much for your help.

So far so good, no annoying pop-ups! ;)


baseballbroad
  • 0

#4
Guest_usetobe_*
Posted 09 May 2005 - 03:10 PM

Guest_usetobe_*
  • Guest
Hi Baseballbroad,

Almost there.

Rescan with HJT

Check the following

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R3 - Default URLSearchHook is missing

Ensure no windows open excdept HJT and click FIX CHECKED.

Rescan with HJT and post log back in this thread
  • 0

#5
baseballbroad
Posted 09 May 2005 - 04:22 PM

baseballbroad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I am so relieved I did this correctly!!!! Thank you soooo much! :tazz:

the final HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:17:06 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner.BASEBALL[bleep]\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CleanMyPCPopupBlocker Class - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://www.dioceseaj.org/iNotes6.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Thanks so very much!

;)


baseballbroad
  • 0

#6
Guest_usetobe_*
Posted 09 May 2005 - 11:58 PM

Guest_usetobe_*
  • Guest
Hi baseballbroad,

From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations your log now appears to be clean. ;)

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

#7
baseballbroad
Posted 10 May 2005 - 05:47 AM

baseballbroad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
ok, let me tell you what I already have installed.

I have adaware, spybot and spyware blaster. I run these at least three times a week.
I also have AVG, and run it daily.
I've been using Firefox for about two weeks now, was resistant, but am finding it very easy and.....I like it!!! lol
I also have a couple pop-up clockers installed. There names escape me at the moment.
Thanks so much for your help!

baseballbroad
  • 0

#8
Guest_usetobe_*
Posted 10 May 2005 - 05:56 AM

Guest_usetobe_*
  • Guest
You are very welcome. Glad we could help you out.

If you follow the advice in my signature you will be a safe and happy surfer.

Slimbrowser is another good browser that you may like to try. Like everything else, there maybe a reluctance to change, as in your change to Firefox, but once you play around with it for a while, i'm sure you will like it.

Regards

Usetobe.


As this matter has been resolved, this topic will be closed. Original poster (Baseballbroad) cam PM a moderator or myself if this topic needs to be reopened.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP