1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

More Zipzap help needed

Discussion in 'Malware and Virus Removal Archive' started by Mantis, 2005/03/18.

Thread Status:
Not open for further replies.
  1. 2005/03/18
    Mantis

    Mantis Inactive Thread Starter

    Joined:
    2005/03/18
    Messages:
    6
    Likes Received:
    0
    Hi guys. Ive read through all the posts and it looks like im not the only one having problems with this. Also im not sure if its related but when i scan with Spyware Doctor it nearly always find a thing called instant access. Everytime i delete it, spydoctor picks it up again on its next scan. Also looks like im luckier than some people because im getting zipzap popups but the screen inside them is just white. No advertisments, just blank but im still getting the popup. I am also running all the normal spyware stuff. Spybot, adaware SE, balster, Sweeper, doctor etc. However i put most of them on after i started having this problem.
    Anyway here is my log of Hijack this:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:41:17 PM, on 19/03/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Telstra\Cable Login\bpcable.exe
    C:\WINDOWS\system32\bcmwltry.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Telstra\Cable Login\bpcService.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\mdjdev.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\My Documents\spyware stuff\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qau10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: JavaPlugin Support Dll - {2136FD50-C11F-40CC-A714-F9412F91BD40} - C:\WINDOWS\system32\javacore.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\msmbw.exe
    O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\msmbw.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Descarregas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\dial-kazemule2-de\local.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Hope you guys can help.
     
    Last edited: 2005/03/18
    Mantis,
    #1
  2. 2005/03/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Mantis :)

    Please download the List Installed Programs script from here, run it and post it's log.
     
    noahdfear,
    #2


  3. to hide this advert.

  4. 2005/03/18
    Mantis

    Mantis Inactive Thread Starter

    Joined:
    2005/03/18
    Messages:
    6
    Likes Received:
    0
    Hi, im on my mums account now (XP) as she seems to get more popups than me. Also the popups on her account arent just white, advertising casinos and other stuff. Dunno if maybe the problem is on her account. Anways here is the latest spywaredoctor log:
    Scans (basic information only):

    Scan Results:
    scan start: 3/19/2005 2:01:06 PM
    scan stop: 3/19/2005 2:03:31 PM
    scanned items: 17307
    found items: 3
    found and ignored: 0
    tools used: Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner



    Infection Name Location Risk
    Instant Access HKCU\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\BD8400524261DF1ADBD8860F22C9CE2B97471448 High
    Slagent HKCU\Software\mc Elevated
    Tracking Cookie(s) jennette@go[2].txt Medium

    Here is the installed programs log on my account:

    INSTALLED SOFTWARE (148) - AIRPANEL - 19/03/2005 1:57:49 PM

    23_24_2500Tour Ver: 5.31.1.27 Installed: 7/03/2004
    2400 Ver: 5.31.1.27 Installed: 7/03/2004
    2400_2500Help Ver: 5.31.1.27 Installed: 7/03/2004
    2400_2500trb Ver: 5.31.1.27 Installed: 7/03/2004
    a-squared free 1.5.1 Ver: 1.5.1
    Ad-aware 6 Personal Ver: 6.0.1.181 Personal
    Ad-Aware SE Personal
    Adobe Acrobat 4.0 Ver: 4.0
    Adobe Photoshop 6.0 Ver: 6.0
    Adobe Photoshop 7.0 Ver: 7.0
    Adobe Reader 6.0 Ver: 6.0 Installed: 22/10/2003
    Adobe SVG Viewer Ver: 1.0
    Adventure Pinball (c) Electronic Arts
    AiO_Scan Ver: 5.31.1.27 Installed: 22/10/2003
    AIOMinimal Ver: 5.31.1.27 Installed: 22/10/2003
    AiOSoftware Ver: 5.31.1.27 Installed: 22/10/2003
    ArcSoft ShowBiz 2
    ATI Control Panel Ver: 6.14.10.5120
    ATI Display Driver Ver: 8.051-040825a-017633C-ATI
    Belkin Wireless Setup utility Ver: 2.4.5_US(H3010D56) Installed: 13/03/2004
    Belkin Wireless Setup utility Ver: 2.4.5_US(H3010D56) Installed: 13/03/2004
    BigPond Broadband Cable Login Ver: 1.1 Installed: 1/09/2004
    Call of Duty Game of the Year Edition
    CC_ccStart Ver: 2.0.0.635 Installed: 22/10/2003
    ccCommon Ver: 2.0.0.635 Installed: 22/10/2003
    Command & Conquer Red Alert 2
    Command & Conquer Renegade
    Compaq Connections
    Copy Ver: 5.31.0.150 Installed: 22/10/2003
    CreativeProjects Ver: 5.31.0.150 Installed: 22/10/2003
    Director Ver: 5.31.0.154 Installed: 22/10/2003
    DMW Client 3 R4 Ver: R4
    DMW Client 3.2 (Hybrid)
    DocProc Ver: 3.1.0.0 Installed: 22/10/2003
    Fax Ver: 5.31.2.31 Installed: 7/03/2004
    GameArena COGS
    HijackThis 1.99.1 Ver: 1.99.1
    HP Deskjet Preloaded Printer Drivers Ver: 8.3.3.0 Installed: 22/10/2003
    HP Flat Panel Monitor INF Software 3.00
    HP Photo & Imaging 3.1 Ver: 3.1
    HP Photo and Imaging 2.0 - Photosmart Cameras Ver: 2.0.0000 Installed: 22/10/2003
    HP PSC & OfficeJet 3.0 Ver: 3.0
    hp psc 2400 series
    HP Software Update Ver: 3.0.4.007 Installed: 5/03/2005
    hpmdtab Ver: 2.0.470.1598 Installed: 22/10/2003
    HpSdpAppCoreApp Ver: 2.00.0000 Installed: 22/10/2003
    HPSystemDiagnostics Ver: 1.5.0.0 Installed: 22/10/2003
    ImageMixer for Sony
    InstantShare Ver: 3.1.0.13 Installed: 22/10/2003
    Intel(R) Extreme Graphics Driver
    Internet Explorer Exception pack
    InterVideo WinDVD Player Ver: 4.0-B11.399
    Java 2 Runtime Environment, SE v1.4.2 Ver: 1.4.2 Installed: 22/10/2003
    kyeo_saver_1
    LiveReg (Symantec Corporation) Ver: 2.4.0.2044
    LiveUpdate 2.6 (Symantec Corporation) Ver: 2.6.14.0
    Medal of Honor Allied Assault
    Memories Disc Creator 2.0 Ver: 2.0.588.1728 Installed: 4/11/2004
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 27/02/2005
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft Data Access Components KB870669
    Microsoft Encarta Encyclopedia Standard - WE 2004 Ver: 2004 Installed: 31/10/2003
    Microsoft Money Ver: 12.0.100 Installed: 31/10/2003
    Microsoft Money System Pack Ver: 12.0.120 Installed: 31/10/2003
    Microsoft Office 2000 Standard Ver: 9.00.2720 Installed: 7/03/2004
    Microsoft Picture It! Photo Standard 9 Ver: 9.0.0.0000
    Microsoft Picture It! Photo Standard 9 Ver: 9.0.0.0000 Installed: 31/10/2003
    Microsoft Smart Display Services Ver: 1.0.1008.0 Installed: 6/03/2004
    Microsoft Word 2002 Ver: 10.0.2627.01 Installed: 31/10/2003
    Microsoft Works Ver: 07.03.0719 Installed: 31/10/2003
    Microsoft Works 2004 Setup Launcher
    Microsoft Works Suite Add-in for Microsoft Word Ver: 7.0.0.0000 Installed: 31/10/2003
    MicroStaff WINASPI
    Mohaa Cleaner 1.6.1
    MSN Messenger 6.2 Ver: 6.2.0205 Installed: 11/02/2005
    MSRedist Ver: 1.0.0.0 Installed: 22/10/2003
    MUSICMATCH® Jukebox
    Norton AntiVirus 2004 Ver: 10.00.00 Installed: 22/10/2003
    Norton AntiVirus 2004 (Symantec Corporation) Ver: 10.00.00
    Norton AntiVirus Parent MSI Ver: 10.0.0 Installed: 22/10/2003
    Norton Personal Firewall Ver: 6.0.2.0 Installed: 28/02/2004
    Norton WMI Update Ver: 2005.1.0.111 Installed: 2/09/2004
    NVIDIA Ethernet Driver
    NVIDIA GART Driver
    oqhixypwa
    Overland Ver: 1.76.0 Installed: 7/03/2004
    overland Ver: 2.1.6.2 Installed: 4/02/2005
    PC-Doctor for Windows
    PeerGuardian v1.96b
    PhotoGallery Ver: 5.31.0.158 Installed: 22/10/2003
    Photosmart 140,240,7200,7600,7700,7900 Series Ver: 2.0
    PrintScreen Ver: 5.31.0.147 Installed: 22/10/2003
    PS2
    PSShortcutsP Ver: 1.00.0000 Installed: 22/10/2003
    QFolder Ver: 1.00.0000 Installed: 22/10/2003
    QuickProjects Ver: 5.31.0.147 Installed: 22/10/2003
    QuickTime
    Readme Ver: 5.31.1.27 Installed: 22/10/2003
    RealPlayer
    RecordNow! Ver: 6.5.1 Installed: 22/10/2003
    Roll
    Scan Ver: 3.1.0.0 Installed: 22/10/2003
    Shockwave
    Shockwave Flash
    SkinsHP1 Ver: 5.31.0.147 Installed: 22/10/2003
    SkinsHP2 Ver: 5.31.0.147 Installed: 22/10/2003
    Sonic Update Manager Ver: 2.9 Installed: 22/10/2003
    Sony USB Driver
    Spy Sweeper
    Spybot - Search & Destroy 1.2 Ver: 1.2
    Spyware Doctor 3.1 Ver: 3.1
    SpywareBlaster v3.3 Ver: 3.3.0
    Symantec Network Drivers Update Ver: 5.4.4.17 Installed: 19/02/2005
    SymNet Ver: 4.7.1 Installed: 22/10/2003
    TeamSpeak 2 RC2 Ver: 2.0.32.60
    TrayApp Ver: 5.31.0.147 Installed: 22/10/2003
    Unload Ver: 3.1.0 Installed: 22/10/2003
    Unreal Tournament 2004 Demo
    ViewSonic AirPanel 150 Smart Display 1.01.0056.14 Ver: 1.01.0056.14 Installed: 6/03/2004
    ViewSonic Monitor Drivers
    WebFldrs XP Ver: 9.50.6513 Installed: 22/10/2003
    WebReg Ver: 5.31.0.147 Installed: 22/10/2003
    Westwood Shared Internet Components
    Window Washer
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB834707 Ver: 20040929.110854
    Windows XP Hotfix - KB867282 Ver: 20050127.090417
    Windows XP Hotfix - KB873333 Ver: 20050114.005213
    Windows XP Hotfix - KB873339 Ver: 20041117.092459
    Windows XP Hotfix - KB885250 Ver: 20050118.202711
    Windows XP Hotfix - KB885626 Ver: 20040909.122822
    Windows XP Hotfix - KB885835 Ver: 20041027.181713
    Windows XP Hotfix - KB885836 Ver: 20041028.173203
    Windows XP Hotfix - KB885884 Ver: 20040924.025457
    Windows XP Hotfix - KB886185 Ver: 20041021.090540
    Windows XP Hotfix - KB887472 Ver: 20041014.162858
    Windows XP Hotfix - KB887742 Ver: 20041103.095002
    Windows XP Hotfix - KB888113 Ver: 20041116.131036
    Windows XP Hotfix - KB888302 Ver: 20041207.111426
    Windows XP Hotfix - KB890047 Ver: 20041221.124506
    Windows XP Hotfix - KB890175 Ver: 20041201.233338
    Windows XP Hotfix - KB891781 Ver: 20050110.165439
    Windows XP Service Pack 2 Ver: 20040803.231319
    WinRAR archiver
    WinZip Ver: 9.0 (6028)
    Wolfenstein - Enemy Territory

    Also not knowing that much about PC's this is the Hijack log on my mums account:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:08:36 PM, on 3/19/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Telstra\Cable Login\bpcable.exe
    C:\WINDOWS\system32\bcmwltry.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Telstra\Cable Login\bpcService.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\My Documents\spyware stuff\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kazaa-file-sharing-downloads.com/registrationpage.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: JavaPlugin Support Dll - {2136FD50-C11F-40CC-A714-F9412F91BD40} - C:\WINDOWS\system32\javacore.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\msmbw.exe
    O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\msmbw.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe "
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Descarregas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\dial-kazemule2-de\local.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
    Last edited: 2005/03/18
    Mantis,
    #3
  5. 2005/03/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    start it and paste in oqhixypwa, wait, hit ok. Then when wordpad opens, copy that back here please.
     
    noahdfear,
    #4
  6. 2005/03/18
    Mantis

    Mantis Inactive Thread Starter

    Joined:
    2005/03/18
    Messages:
    6
    Likes Received:
    0
    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "oqhixypwa" 19/03/2005 2:37:08 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "oqhixypwa "= "c:\\windows\\system32\\oqhixypwa.exe -start "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oqhixypwa]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oqhixypwa]
    "UninstallString "= "c:\\windows\\system32\\oqhixypwa.exe -uninstall "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oqhixypwa]
    "DisplayName "= "oqhixypwa "
     
    Mantis,
    #5
  7. 2005/03/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Logon to your user account. Save this to text where you can access it in safe mode.

    Download the W32.Serflog.A virus removal tool from Symantec. Save it to the desktop.

    Download and install Reglite.

    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip
    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\oqhixypwa.exe

    Check the box to delete on reboot and click the red X to the right. Click OK, then NO to reboot now. Copy the next filepath and paste it in the box, and repeat the above steps. When the below filepaths are done, close the Killbox.

    C:\WINDOWS\Downlo~1\EGDACCESS.inf
    C:\WINDOWS\system32\EGDACCESS_1057.dll


    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Run the Symantec removal tool.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.


    Open RegLite and copy/paste the following string in the address window then click go.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    The forum format puts a space in the word current that you will need to edit out before clicking Go.

    Right click the "oqhixypwa "= "c:\\windows\\system32\\oqhixypwa.exe -start" value in the right pane and delete. Then copy/paste the following.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oqhixypwa

    Right click the oqhixypwa key in the left pane and delete.

    Then paste,

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Access

    click go and delete the Instant Access key in the left pane.

    Then paste,

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26D7357 3-F1B3-48C9-A989-E6CE071957A1}

    and delete the {26D7357 3-F1B3-48C9-A989-E6CE071957A1} key in the left pane.

    Exit Reglite.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\msmbw.exe
    O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\msmbw.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O9 - Extra button: Descarregas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\dial-kazemule2-de\local.html (file missing)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe



    Open C:\Program Files\Common Files\Real\Update_OB and rename realsched.exe to realsched.old
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Windows\System32 and delete the file mdjdev.exe if present.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content. Close Internet Options. Then, still in the control panel, open the Java Plug-in, click the cache tab and then clear.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    Log off and log on to Mum's account (still in safe mode).

    Scan again with HJT and fix the following entry if present.

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kazaa-file-sharing-downl...trationpage.htm

    Again, open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.

    Uncheck the /safeboot box in msconfig and ok to reboot.

    Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK.

    Go to the Sun Java Website and update your JRE. Current is 1.4.2_07

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log. Let us know if the popups stop.
     
    noahdfear,
    #6
  8. 2005/03/19
    Mantis

    Mantis Inactive Thread Starter

    Joined:
    2005/03/18
    Messages:
    6
    Likes Received:
    0
    Hi......not at my mums till tomorrow. Will follow your instructions then and let you know how it goes. Thanks
     
    Mantis,
    #7
  9. 2005/03/22
    Mantis

    Mantis Inactive Thread Starter

    Joined:
    2005/03/18
    Messages:
    6
    Likes Received:
    0
    Hi Dave, followed all your instructions. Some thing i couldnt fix/delete/find. Wouldnt find:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\Instant Access

    click go and delete the Instant Access key in the left pane.

    Then paste,

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26D7357 3-F1B3-48C9-A989-E6CE071957A1}

    and delete the {26D7357 3-F1B3-48C9-A989-E6CE071957A1} key in the left pane.

    Those 2, i couldnt delete 5 TEMP files in my temp folder becos they were being used or are write protected.

    Everything else worked fine i think.......
    Here is the RAV report:
    Scan started at 22/03/2005 6:02:27 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...

    Scanned
    ============================
    Objects: 74918
    Directories: 5975
    Archives: 13453
    Size(Kb): -1122099
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 138

    HIJACK this report:
    Logfile of HijackThis v1.99.1
    Scan saved at 6:51:13 PM, on 22/03/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Telstra\Cable Login\bpcable.exe
    C:\WINDOWS\system32\bcmwltry.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
    C:\Program Files\Telstra\Cable Login\bpcService.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\My Documents\spyware stuff\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qau10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: JavaPlugin Support Dll - {2136FD50-C11F-40CC-A714-F9412F91BD40} - C:\WINDOWS\system32\javacore.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\msmbw.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: iMedia DataPump - http://www.sanford.com.au/activetrader/at/DataPump.2.5.0.21.CAB
    O16 - DPF: iMedia DynaLib - http://www.sanford.com.au/activetrader/at/DynaLib.2.5.0.21.CAB
    O16 - DPF: IWL AT - http://www.sanford.com.au/activetrader/at/AT.2.5.0.21.CAB
    O16 - DPF: IWL Component Downloader - http://www.virtualbroker.com.au/ActiveTrader/at/CD.1.0.0.9.CAB
    O16 - DPF: IWL iMediaLib - http://www.sanford.com.au/activetrader/at/iMediaLi.2.5.0.21.CAB
    O16 - DPF: IWL TradingPump - http://www.sanford.com.au/activetrader/at/TradingP.2.5.0.21.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    No pop ups as of yet.
     
    Mantis,
    #8
  10. 2005/03/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. :) Re-enable System Restore and create a manual restore point. You have both Ad-aware version 6 and SE Personal installed. I recommend you uninstall version 6. You also have an outdated version of Spybot. Uninstall and download version 1.3 from my signature. Allow it to load SD Helper upon installation. Open it up and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it (always recheck this setting after downloading updates). Then click the tools button, then IE tweaks and at least lock the HOSTS file.
    Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

    That will give you some added layers of protection against unwanted parasites.

    For those stubborn temp files, download and install Move-on-Boot. It will add an option when right clicking on a file to delete on next boot. Use it to tag those files and reboot.
     
    noahdfear,
    #9
  11. 2005/03/24
    Mantis

    Mantis Inactive Thread Starter

    Joined:
    2005/03/18
    Messages:
    6
    Likes Received:
    0
    Thanks Dave will do later on today. Your help is much appreciated.
     
    Mantis,
    #10
  12. 2005/03/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're welcome. Happy to help. :)
     
    noahdfear,
    #11
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...