Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Spy Trooper/Spy Axe + More Adware and Malware [RESOLVED]


  • This topic is locked This topic is locked

#1
Soulfire

Soulfire

    Member

  • Member
  • PipPip
  • 11 posts
Okay, so this is frustrating. I go to one site to download one file, and all of a sudden my PC goes crazy with spyware.

Some symptoms I've been having:
- Hijacked browser to http://www.syserror.com
- Popups for "Spyware Removal"
- The taskbar has little bubbles that pop up saying "System Alert: Popups" and "Your computer is infected" Those redirect me to spyware removal tool websites
- Shortcuts have been added to my desktop without my approval

I've ran McAfee Virus Scan, Ad-Aware, and Microsof Antispyware Beta 1. All of them say "No files detected"
Obiously, they're wrong. I also ran HSremover and Kill2Me, to no avail.

Logfile of HijackThis v1.99.1
Scan saved at 9:24:49 PM, on 11/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\System32\hp6C46.tmp
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

Any help is appreciated, I am almost to the point where I am going to rebuild my PC and it's only been a couple of hours.
  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Soulfire and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. DO NOT UPGRADE TO SP2 AT THIS TIME
  • Click HERE for the update.
  • Apply the update.
  • REBOOT YOUR SYSTEM

2. I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program. If it asks to reboot, do not reboot.

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren

  • 0

#3
Soulfire

Soulfire

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here's the new log you asked for:

Logfile of HijackThis v1.99.1
Scan saved at 5:03:22 PM, on 11/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\nvctrl.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\1024\ldC2AB.tmp
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\System32\hpA5DB.tmp
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe


Security toolbar is spyware, just in case it gets confused with something legit.
  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
  • Download the following self-extracting file smitRem.exe and save the file to your DESKTOP.
    • Double click the Smitrem.exe icon on your Desktop.
    • Then click Run>Start and a Smitrem folder will apear on your desktop also.
  • Place a shortcut to Panda ActiveScan on your desktop.

  • Download the trial version of Ewido Security Suite

  • Please read Ewido Setup Instructions
    • Install the program
    • Update the definitions to the newest files.
    • DO NOT RUN IT YET
  • Install Ad-Aware SE 1.06, follow these download and setup instructions.
  • REBOOT your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
  • Now open HJT, click SCAN and place a checkmark next to each of the following items:

    O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\System32\hpA5DB.tmp
    O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - <a href="http://software-dl.r...p/RdxIE601.cab" target="_blank">http://software-dl.r...dxIE601.cab</a>


  • Click the Fix Checked box and EXIT HJT

  • Using Windows Explorer, please locate and DELETE the following files/folders (with all their content), if they are still present:

    C:\WINDOWS\System32\nvctrl.exe
    C:\WINDOWS\System32\1024<==Folder and content
    C:\WINDOWS\System32\hpA5DB.tmp
    C:\Program Files\Security Toolbar<==Folder and content

  • Open the smitRem folder
    • Double click the RunThis.bat file to start the tool.
    • Follow the prompts on screen.
    • Wait for the tool to complete and disk cleanup to finish.
    NOTE:The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

  • Open Ad-aware and do a full scan. Let ir remove all it finds.

  • Run Ewido:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido
  • Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

  • REBOOT back into Normal Mode

  • Click the Panda ActiveScan shortcut
    • Do a full system scan.
    • Make sure the autoclean box is checked!
  • Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let me know if any problems persist.

Regards,

Trevuren

Edited by Trevuren, 09 November 2005 - 07:15 PM.

  • 0

#5
Soulfire

Soulfire

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Yeah, well, I think it's also important to say that I cannot open the internet without clicking in the icon, pressing CTRL+ALT+DEL and exiting out of iexplorer.exe and then it opens... But I will try this and see what happens.
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I recoomend that you download, install and use Firefox bypassing the use of IE whenever possible.


Regards,

Trevuren

  • 0

#7
Soulfire

Soulfire

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I do have firefox, but I haven't used it quite a lot yet - for the things I need to do on the internet, it seems to be restrictive. I'll have to play around with it a bit.

Anyways, here are the results. Also, I feel it important to say that the Panda Activescan did not remove files, nor did I see a button for autoclean. I'm not sure what that means though.

Secondly, I rean McAfee virus scan and it detected a couple of files as well. It also detected one "A0007958.exe" also called "HideWindow" in C"\System Volume Information\(longer file name). But it cannot clean it, it says please verify that it is not write-protected (whatever that means).

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:51:56 PM, 11/9/2005
+ Report-Checksum: 4A637D53

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eqd3vxcv.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eqd3vxcv.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eqd3vxcv.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eqd3vxcv.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eqd3vxcv.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eqd3vxcv.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eqd3vxcv.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eqd3vxcv.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP21\A0004213.dll -> TrojanDownloader.Agent.yb : Cleaned with backup
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP23\A0007910.exe -> TrojanDownloader.Zlob.bb : Cleaned with backup
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP23\A0007934.dll -> TrojanDownloader.Agent.yb : Cleaned with backup
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP9\A0002041.exe -> Spyware.Pacer : Cleaned with backup


::Report End

Panda Activescan
Incident Status Location

Adware:adware/topspyware No disinfected C:\WINDOWS\System32\svchosts.dll
Adware:adware/topspyware No disinfected C:\WINDOWS\SYSTEM32\svchosts.dll
Adware:adware/securityerror No disinfected C:\Documents and Settings\Owner\Favorites\Free XXX Sites List.url
Adware:adware/antivirus-gold No disinfected Windows Registry
Adware:Adware/SecurityError No disinfected C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP23\A0007940.exe
Report End


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 11/09/2005
The current time is: 20:55:58.42

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Center.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
mscornet.exe


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 6:34:52 AM, on 11/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

Thanks!

I am still getting the "Your Computer is Infected" bubble on the taskbar. When I click on it or try to close it or anything, I am redirected to spyaxe.com or something like that. It gives me more spyware.
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
You can disregard anything McAfee finds in the "System Volume" as all this will be removed during final cleanup and currently is inoffensive.

1. Please download the Killbox by Option^Explicit.

Note:In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot".
    • "End Explorer Shell While Killing File"
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\WINDOWS\SYSTEM32\svchosts.dll


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


2. I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe. This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.

Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items", please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

3. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#9
Soulfire

Soulfire

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tmp". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{06506B3A-857D-431f-BE0B-038B1EC386B3}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0BFF94F7-9748-43d1-BAC4-D963351B63E7}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0C580891-CA9D-4619-BDC9-85378EB65931}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{53525A6C-3774-4b47-B317-BC7DFE4FC7ED}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5DEB9A24-19E0-49e6-A6B2-110BC3E1062A}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5E1ACE2A-8638-4775-8AA9-5C187AD40A82}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{629C4FE9-B627-4905-AF5B-AD652BB1B5C5}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{659F78EA-6FF2-40f8-8EA3-06F7418A209E}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}" refers to invalid object "C:\Program Files\Security Toolbar\Security Toolbar.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7616A7F7-DF99-432f-870D-4AFEA0D079F4}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7EB22F36-2CCD-4003-89EE-6CF40EBC4282}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A0D06AA3-499B-4156-9FFD-0BE236F0D4E5}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B6610F1D-DA77-42c4-8300-721D9DA9D70B}" refers to invalid object ""C:\Program Files\SpyAxe\spyaxe.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E802FFFF-8E58-4d2c-A435-8BEEFB10AB77}" refers to invalid object "C:\WINDOWS\System32\svchosts.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{0B3A6E45-78BF-4335-BBFF-A2F14F897D55}" refers to invalid object "C:\Program Files\Pinnacle\Studio\programs\KnobControl.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{2147059C-0BCB-11D4-919A-00AA00A0188E}" refers to invalid object "C:\Program Files\Pinnacle\Studio\Components\MPrProv.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{2BB3BCBF-411A-4C67-8E69-F4BB301DC333}" refers to invalid object "C:\Program Files\SpyAxe\spyaxe.exe". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{361C2BC3-C035-11D2-99DC-00AA00AE68A1}" refers to invalid object "C:\Program Files\Pinnacle\Studio\Components\AVIWAVIm.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{399CB6B4-7312-11D2-B4D9-00105A0422DF}" refers to invalid object "C:\Program Files\Pinnacle\Studio\programs\HHActiveX.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{4B7F8BF4-99C2-11D2-B3C3-00A0CC3A50B9}" refers to invalid object "C:\WINDOWS\emsmtp.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{52F2F122-2BC5-11D2-8FB7-000000000000}" refers to invalid object "C:\Program Files\Adobe\Adobe Photoshop CS2\ImageReady.exe". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{7AF322C5-AB43-11D4-A00B-0050DA18DE71}" refers to invalid object "C:\DOCUME~1\Owner\LOCALS~1\Temp\InfoWindow.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{89C31EC1-E2B3-11D3-8CC4-0050040BE7E0}" refers to invalid object "C:\Program Files\Pinnacle\Studio\Components\MPGTSPr.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{8C808E30-31AF-44F2-9471-04E0054414C0}" refers to invalid object "C:\Program Files\hp center\137903\Program\HPClientExt.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{A07A2751-CCDD-11D3-8CBD-0050040BE7E0}" refers to invalid object "C:\Program Files\Pinnacle\Studio\Components\MPAProv.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{A49DF62A-9BCE-11D4-885E-0010B542B8BB}" refers to invalid object "C:\Program Files\Hewlett-Packard\EZ Internet Signup\HPSdpApp.exe". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{E3029581-7294-11D3-AEE3-00600857EED8}" refers to invalid object "C:\Program Files\Pinnacle\Studio\Components\Filter\mpegdecoder.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{E891EE9A-D0AE-4cb4-8871-F92C0109F18E}" refers to invalid object "C:\Program Files\Adobe\Adobe Photoshop CS2\Plug-Ins\Adobe Photoshop Only\Automate\ScriptingSupport.8li". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{FA5A37A3-4017-11D3-A763-00E018904220}" refers to invalid object "C:\Program Files\Pinnacle\Studio\Components\MP2Prov.dll". Action Taken: No Action Taken.
Entry "HKCR\.as" refers to invalid object "asfile". Action Taken: No Action Taken.
Entry "HKCR\.ase" refers to invalid object "Photoshop.ExchangeableSwatchFile.9". Action Taken: No Action Taken.
Entry "HKCR\.ashx" refers to invalid object "ashxfile". Action Taken: No Action Taken.
Entry "HKCR\.asmx" refers to invalid object "asmxfile". Action Taken: No Action Taken.
Entry "HKCR\.axd" refers to invalid object "axdfile". Action Taken: No Action Taken.
Entry "HKCR\.cin" refers to invalid object "Photoshop.CINFile.9". Action Taken: No Action Taken.
Entry "HKCR\.config" refers to invalid object "configfile". Action Taken: No Action Taken.
Entry "HKCR\.cr2" refers to invalid object "Photoshop.CameraRawFileCanon2.9". Action Taken: No Action Taken.
Entry "HKCR\.crw" refers to invalid object "Photoshop.CameraRawFileCanon.9". Action Taken: No Action Taken.
Entry "HKCR\.cs" refers to invalid object "csfile". Action Taken: No Action Taken.
Entry "HKCR\.dcr" refers to invalid object "Photoshop.CameraRawFileKodak.9". Action Taken: No Action Taken.
Entry "HKCR\.disco" refers to invalid object "discofile". Action Taken: No Action Taken.
Entry "HKCR\.dng" refers to invalid object "Photoshop.CameraRawFileDigital.9". Action Taken: No Action Taken.
Entry "HKCR\.dpx" refers to invalid object "Photoshop.CINFile.9". Action Taken: No Action Taken.
Entry "HKCR\.eps" refers to invalid object "Photoshop.EPSFile.9". Action Taken: No Action Taken.
Entry "HKCR\.erf" refers to invalid object "Photoshop.CameraRawFileEpson.9". Action Taken: No Action Taken.
Entry "HKCR\.exr" refers to invalid object "Photoshop.OpenEXRFile.9". Action Taken: No Action Taken.
Entry "HKCR\.fido" refers to invalid object "Photoshop.CINFile.9". Action Taken: No Action Taken.
Entry "HKCR\.hdr" refers to invalid object "Photoshop.PortableBitMapFile.9". Action Taken: No Action Taken.
Entry "HKCR\.icb" refers to invalid object "Photoshop.TGAFile.9". Action Taken: No Action Taken.
Entry "HKCR\.mnu" refers to invalid object "Photoshop.MenuCustomizationFile.9". Action Taken: No Action Taken.
Entry "HKCR\.mos" refers to invalid object "Photoshop.CameraRawFileLeaf.9". Action Taken: No Action Taken.
Entry "HKCR\.mrw" refers to invalid object "Photoshop.CameraRawFileMinolta.9". Action Taken: No Action Taken.
Entry "HKCR\.nef" refers to invalid object "Photoshop.CameraRawFileNikon.9". Action Taken: No Action Taken.
Entry "HKCR\.orf" refers to invalid object "Photoshop.CameraRawFileOlympus.9". Action Taken: No Action Taken.
Entry "HKCR\.pbm" refers to invalid object "Photoshop.RadianceFile.9". Action Taken: No Action Taken.
Entry "HKCR\.pct" refers to invalid object "Photoshop.PICTFile.9". Action Taken: No Action Taken.
Entry "HKCR\.pdp" refers to invalid object "Photoshop.PDPFile.9". Action Taken: No Action Taken.
Entry "HKCR\.pef" refers to invalid object "Photoshop.CameraRawFilePentax.9". Action Taken: No Action Taken.
Entry "HKCR\.pic" refers to invalid object "Photoshop.PICTFile.9". Action Taken: No Action Taken.
Entry "HKCR\.pict" refers to invalid object "Photoshop.PICTFile.9". Action Taken: No Action Taken.
Entry "HKCR\.png" refers to invalid object "Photoshop.PNGFile.9". Action Taken: No Action Taken.
Entry "HKCR\.psb" refers to invalid object "Photoshop.PSBFile.9". Action Taken: No Action Taken.
Entry "HKCR\.psd" refers to invalid object "Photoshop.Image.9". Action Taken: No Action Taken.
Entry "HKCR\.pxr" refers to invalid object "Photoshop.PXRFile.9". Action Taken: No Action Taken.
Entry "HKCR\.raf" refers to invalid object "Photoshop.CameraRawFileFujifilm.9". Action Taken: No Action Taken.
Entry "HKCR\.raw" refers to invalid object "Photoshop.RAWFile.9". Action Taken: No Action Taken.
Entry "HKCR\.rem" refers to invalid object "remfile". Action Taken: No Action Taken.
Entry "HKCR\.rle" refers to invalid object "Photoshop.BMPFile.9". Action Taken: No Action Taken.
Entry "HKCR\.sct" refers to invalid object "Photoshop.SCTFile.9". Action Taken: No Action Taken.
Entry "HKCR\.sdpx" refers to invalid object "Photoshop.CINFile.9". Action Taken: No Action Taken.
Entry "HKCR\.shh" refers to invalid object "Photoshop.SHHFile.9". Action Taken: No Action Taken.
Entry "HKCR\.shtm" refers to invalid object "shtmfile". Action Taken: No Action Taken.
Entry "HKCR\.shtml" refers to invalid object "shtmlfile". Action Taken: No Action Taken.
Entry "HKCR\.srf" refers to invalid object "Photoshop.CameraRawFileSony.9". Action Taken: No Action Taken.
Entry "HKCR\.sta" refers to invalid object "Photoshop.STAFile.9". Action Taken: No Action Taken.
Entry "HKCR\.stm" refers to invalid object "stmfile". Action Taken: No Action Taken.
Entry "HKCR\.tga" refers to invalid object "Photoshop.TGAFile.9". Action Taken: No Action Taken.
Entry "HKCR\.tif" refers to invalid object "Photoshop.TIFFFile.9". Action Taken: No Action Taken.
Entry "HKCR\.tiff" refers to invalid object "Photoshop.TIFFFile.9". Action Taken: No Action Taken.
Entry "HKCR\.vb" refers to invalid object "vbfile". Action Taken: No Action Taken.
Entry "HKCR\.vda" refers to invalid object "Photoshop.TGAFile.9". Action Taken: No Action Taken.
Entry "HKCR\.vst" refers to invalid object "Photoshop.TGAFile.9". Action Taken: No Action Taken.
Entry "HKCR\.wbm" refers to invalid object "Photoshop.WBMFile.9". Action Taken: No Action Taken.
Entry "HKCR\.wbmp" refers to invalid object "Photoshop.WBMFile.9". Action Taken: No Action Taken.
Entry "HKCR\.web" refers to invalid object "webfile". Action Taken: No Action Taken.
Entry "HKCR\.x3f" refers to invalid object "Photoshop.CameraRawFileFoveon.9". Action Taken: No Action Taken.

Logfile of HijackThis v1.99.1
Scan saved at 3:39:00 PM, on 11/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

I would've replied sooner, by Mwav took 16 hours to scan.
  • 0

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
  • Download Ad-Aware SE Personal 1.06:
  • Install Ad-Aware SE Personal 1.06:
    • Double-click on aawsepersonal.exe to install the program.
    • Follow the default settings for installation.
    • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  • Update Ad-Aware SE Personal 1.06:
    • Double-click the Ad-Aware SE Personal icon on your desktop.
    • Click "Check for updates now" then click "Connect".
    • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
  • Configure Ad-Aware SE Personal 1.06:
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Scan within archives"
      • "Select drives & folders to scan" - select your hard drive(s).
      • "Scan active processes"
      • "Scan registry"
      • "Deep-scan registry"
      • "Scan my IE favorites for banned URLs"
      • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Move deleted files to Recycle Bin"
      • "Include additional object information"
      • "Include negligible objects information"
      • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them.:
      • "Default homepage"
      • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.06:
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.
2. Please update your Ewido definitions. Reboot your system into Safe mode, Run Ewido and save the log.

3. Please boot back into Normal Mode.

4. Please run HJT, Scan and post the log along with the Ewido log into your reply.

5. Please also comment on any visible signs of malware still remaining in your system.

Regards,

Trevuren

  • 0

#11
Soulfire

Soulfire

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Well, the Ewido log got lost or unsaved or something for some reason or another. It detected three things and the quarantine was deleted. I believe some other family members might've been on my computer between the time the scan started and finished, as some things weren't set like normal.

At any rate, if you really need an Ewido log, I'll re-scan overnight and post tomorrow afternoon (I'm busy the entire morning).

I have Hijack This though.

Logfile of HijackThis v1.99.1
Scan saved at 8:56:49 PM, on 11/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

I have no obvious signs of spyware. No browser hijacks, no messages, nothing bad on the taskbar, no extra toolbars or anything.
  • 0

#12
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

Reconfigure Windows XP to hide hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Click Yes to confirm. Click OK.
2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

  • 0

#13
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP