posting lag as Peaches advised!

Discussion in 'adware, spyware & hijack cleaning' started by cyberfilly, Jan 31, 2004.

Thread Status:
Not open for further replies.
  1. cyberfilly

    cyberfilly Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    16
    hopefully someone can figure out what gremlins are in my sysem!

    Logfile of HijackThis v1.97.7
    Scan saved at 11:37:16 AM, on 1/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jaydillar.com/forums/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [M2WNotifierService] C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit26.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - http://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -

    as well heres whats also happening
    now Im getting another error?
    in a popup box is
    iexplore.exe application error the instruction at " 0x73dd1c9d" referenced memory at "0x00000038" the memory could not be read, click ok to terminate the program and Im getting a strange notepad popup (2 copies actually) when I reboot my com heres what it says

    " [.ShellClassInfo]
    LocalizedResourceName=@shell32.dll,-21785 "

    my cable connection keeps dropping off and I keep getting errors like action canceled and no page to display when I know there is.
    Many Thanks
    Cheers Lisa
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi cyberfilly,

    Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)

    Then reboot and do a Find Files for desktop.ini
    Open the file in notepad and post the content please.

    Regards,

    Pieter
     
  3. cyberfilly

    cyberfilly Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    16
    well sadly your suggestions did not help(this time lol) but...........
    after spending hours on the phone with HP support it was discovered that I had an unknown (wild? ) virus, it seems mydoom may have reinvented its self with new extensions?( hope I said that right) or heaven forbid we have a completly new 1 to watch for
    anyway the end result was a complete wipe of my com and a full reinstall of windows and all other programs :eek:
    sorry but I did not think to write down the information of the virus as by then it was 2:30 am my time and I was too tired to think straight
    HP support did say they would investigate and get in touch with the proper persons to report it,
    cheers Lisa
     
Thread Status:
Not open for further replies.