I smell a rat!!

  1. #1
    wingshadow is offline Junior Member

    I smell a rat!!

My computer has become sluggish; Ad-Aware seldom picks up items; the printer doesn't function; and just plain general slowness. Can someone please help me? Here's a HijackThis log I took a few moments ago. Thank you.
    Greg

    Logfile of HijackThis v1.99.1
    Scan saved at 4:16:04 PM, on 2/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\system32\hphmon03.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG04.EXE
    C:\Program Files\Webroot\Washer\wwDisp.exe
    c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Common Files\Microsoft Shared\Artgalry\ARTGALRY.EXE
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

  2. #2
    Neal is offline Dedicated Member
    Welcome to DAL,

    Please create a folder like C:\HJT or C:\Program Files\HJT and drag and drop hijackthis.exe into this newly created folder so we can have available backups in case you or I make a mistake.


    Let's do some scans and see what turns up.


    Internet Explorer required
    http://www.pandasoftware.com/products/activescan.htm

Panda will make a log of what it finds; please post it back here.


Please download, install, and update the NEW free version of Ewido trojan scanner:
* When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
* From the main ewido screen, click on update in the left menu, then click the Start update button.
* After the update finishes (the status bar at the bottom will display "Update successful")
* Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
* If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
* When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

    Post the log Ewido makes back here please.

  3. #3
    wingshadow is offline Junior Member
    I used the Panda active scan as you suggested, and here's the log, (I really appreciate your help!).


    Incident Status Location

    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
    Adware:Adware Program Not disinfected C:\Documents and Settings\Owner\My Documents\Download\backups\backup-20041019-175150-404.inf
    Adware:Adware/Midaddle Not disinfected C:\Documents and Settings\Owner\My Documents\Download\backups\backup-20041019-175150-701.dll
    Adware:Adware/CheckURL Not disinfected C:\Documents and Settings\Owner\My Documents\Download\backups\backup-20041019-175150-741.dll
    Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
    Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
    Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe

  4. #4
    wingshadow is offline Junior Member
    Here's the log for Ewido:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 11:13:51 PM, 2/12/2006
    + Report-Checksum: 2CBD28DE

    + Scan result:

    C:\Documents and Settings\Owner\My Documents\Download\backups\backup-20041019-175150-701.dll -> Adware.Midaddle : Ignored
    C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup


    ::Report End

  5. #5
    Neal is offline Dedicated Member
    Hi,


    Download CCleaner from here:
    http://www.majorgeeks.com/download4191.html
    or here:
    http://www.filehippo.com/download_ccleaner.html

Run the tool using the Windows tab only please, upfront by default.



    Go here to download and install CounterSpy(FREE). Run the tool and post the log it makes please.


    CounterSpy
    Last edited by Neal; 13-02-2006 at 08:16 PM.

  6. #6
    wingshadow is offline Junior Member
    I downloaded both programs you suggested and ran both of them. Here's a log from Counterspy:

    Spyware Scan Details
    Start Date: 2/13/2006 3:01:21 PM
    End Date: 2/13/2006 3:36:21 PM
    Total Time: 35 mins

    Detected spyware

    Keyboard Spectator Lite 1.3 Key Logger more information...
    Details: Keyboard Spectator Lite 1.3 is a keylogger which records each and every key typed in the PC.
    Status: Ignored

    Infected files detected
    c:\documents and settings\all users\application data\ksp\alert.txt
    c:\documents and settings\all users\application data\ksp\key.txt
    c:\documents and settings\all users\application data\ksp\ksp.ini
    c:\documents and settings\all users\application data\ksp\options.ini
    c:\documents and settings\all users\application data\ksp\path.txt
    c:\documents and settings\all users\application data\ksp\window.txt
    c:\documents and settings\all users\application data\ksp\icon\free kgb key logger\free kgb key logger.lnk
    c:\documents and settings\all users\application data\ksp\icon\free kgb key logger\get full version!.lnk
    c:\documents and settings\all users\application data\ksp\icon\free kgb key logger\help.lnk
    c:\documents and settings\all users\application data\ksp\icon\free kgb key logger\license agreement.lnk
    c:\documents and settings\all users\application data\ksp\icon\free kgb key logger\uninstall.lnk
    c:\documents and settings\all users\application data\ksp\icon\free kgb key logger\visit homepage.lnk
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 8_27_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 8_28_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 8_29_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 8_30_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 8_31_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 9_10_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 9_13_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 9_1_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 9_3_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 9_4_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 9_5_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 9_6_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- clipboard - 9_8_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 8_27_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 8_28_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 8_29_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 8_30_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 8_31_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 9_10_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 9_13_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 9_1_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 9_3_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 9_4_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 9_5_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 9_6_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- keys - 9_8_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 8_27_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 8_28_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 8_29_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 8_30_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 8_31_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 9_10_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 9_13_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 9_1_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 9_3_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 9_4_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 9_5_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 9_6_2005.txt
    c:\documents and settings\all users\application data\ksp\logfile\owner- website - 9_8_2005.txt

    Infected registry entries detected
    HKEY_LOCAL_MACHINE\SOFTWARE\ReFog Software
    HKEY_LOCAL_MACHINE\SOFTWARE\ReFog Software\Keyboard Spectator Pro DirLogFile C:\Documents and Settings\All Users\Application Data\KSP\
    HKEY_LOCAL_MACHINE\SOFTWARE\ReFog Software\Keyboard Spectator Pro DirArchiveLogFile C:\Documents and Settings\All Users\Application Data\KSP\Archive\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Free KGB Key Logger
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Free KGB Key Logger Order
    HKEY_CURRENT_USER\Software\ReFog Software
    HKEY_CURRENT_USER\Software\ReFog Software\Keyboard Spectator Pro Key


    Keyboard Spectator Pro Commercial Key Logger more information...
    Details: A keystroke recorder that logs all typed keys.
    Status: Ignored

    Infected registry entries detected
    HKEY_CURRENT_USER\Software\ReFog Software\Keyboard Spectator Pro
    HKEY_CURRENT_USER\Software\ReFog Software\Keyboard Spectator Pro Key
    HKEY_LOCAL_MACHINE\SOFTWARE\ReFog Software\Keyboard Spectator Pro
    HKEY_LOCAL_MACHINE\SOFTWARE\ReFog Software\Keyboard Spectator Pro DirLogFile C:\Documents and Settings\All Users\Application Data\KSP\
    HKEY_LOCAL_MACHINE\SOFTWARE\ReFog Software\Keyboard Spectator Pro DirArchiveLogFile C:\Documents and Settings\All Users\Application Data\KSP\Archive\

  7. #7
    Neal is offline Dedicated Member
    Hi,

    Did you download that keylogger program on purpose that CounterSpy found?

    Sometimes parents or spouses do this to monitor surfing habits of others.

    Is that the reason all infected files(?) were ignored?


If not, this program can and will steal all credit card transactions, online banking transactions, etc.

If you did not install this, you need to notify all credit card companies if you have done business like that or any other sensitive activities.

And don't do any online transactions until this is resolved.




If not, you need to run CounterSpy again, and this time from safe mode, and remove all it finds.

Safe Mode:

Reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter. Run the tool and post the log it makes.

    Let me know please.
    Last edited by Neal; 14-02-2006 at 12:55 AM.

  8. #8
    wingshadow is offline Junior Member
Thanks for your advice, Neal. No, I didn't install a keylogger and I was astonished to find it. I posted the log as you asked. Then I rebooted in safe mode and ran all the adware/spyware/malware programs (I turned off System Restore first).
CounterSpy discovered the keylogger and I used it to remove it. I then returned to Ewido and removed the infected file it presented to me.

Having done all that, shall I get a new log from HijackThis and post it here again?
    Thanks again, Greg

  9. #9
    Neal is offline Dedicated Member
Hi, yes, please post a HijackThis log and a new CounterSpy log as well, just to make sure we got it all. Thanks.

  10. #10
    wingshadow is offline Junior Member
Here's the log for HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:00:19 PM, on 2/14/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\system32\hphmon03.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Documents and Settings\Owner\My Documents\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

    And here's what Counterspy had to say:

    Spyware Scan Details
    Start Date: 2/14/2006 7:01:21 PM
    End Date: 2/14/2006 7:37:24 PM
    Total Time: 36 mins 3 secs

    Detected spyware
    No spyware were found during this scan.


    Thanks for your help so far Neal.
    Greg
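Neal's closing check (a fresh HijackThis log and a fresh CounterSpy log after the cleanup) comes down to diffing the before and after scans: which processes, autostart entries and services appeared or vanished, and whether anything orphaned is still registered. The script below does that mechanically for the HijackThis v1.99.1 line format seen in this thread. It is an added example, not code from the thread or from the HijackThis tool; the two embedded log excerpts are a constructed subset trimmed from the logs Greg posted above, not the complete logs, and the `suspicious()` triage rule (flag `(no file)` registrations) is an assumption about what a log reader checks first, not a verdict on any entry.

```python
"""Diff two HijackThis-style logs and flag orphaned registrations.

Added example, not from the thread or from HijackThis. Assumes the
v1.99.1 layout: a "Running processes:" block of paths, a blank line,
then entries of the form "<tag> - <body>" where tag is R0/R1/O2/O4/O23...
"""
import json
import re
from collections import defaultdict

# "O4 - HKLM\..\Run: [name] cmd"  ->  tag="O4", body="HKLM\..\Run: [name] cmd"
ENTRY_RE = re.compile(r"^(?P<tag>[RO]\d+)\s+-\s+(?P<body>.+)$")

# Constructed excerpts of the two logs posted above (a few lines each).
BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Webroot\Washer\wwDisp.exe

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


def parse_hjt(text):
    """Return (set of running-process paths, dict tag -> set of entry bodies)."""
    procs = set()
    entries = defaultdict(set)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line ends the process block
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            procs.add(line.lower())   # paths are case-insensitive on Windows
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("tag")].add(m.group("body"))
    return procs, dict(entries)


def diff_logs(before, after):
    """What changed between two scans: processes and entries added/removed."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    report = {
        "processes_added": sorted(pa - pb),
        "processes_removed": sorted(pb - pa),
        "entries_added": {},
        "entries_removed": {},
    }
    for tag in sorted(set(eb) | set(ea)):
        added = ea.get(tag, set()) - eb.get(tag, set())
        removed = eb.get(tag, set()) - ea.get(tag, set())
        if added:
            report["entries_added"][tag] = sorted(added)
        if removed:
            report["entries_removed"][tag] = sorted(removed)
    return report


def suspicious(entries):
    """Triage rule (assumption): registrations whose file is gone are orphans.

    HijackThis prints "(no file)" when a BHO/toolbar CLSID points at a DLL
    that no longer exists; these survive cleanups and are worth a look.
    """
    return sorted(f"{tag} - {body}"
                  for tag, bodies in entries.items()
                  for body in bodies if "(no file)" in body)


if __name__ == "__main__":
    print(json.dumps(diff_logs(BEFORE, AFTER), indent=2))
    print("still orphaned:", suspicious(parse_hjt(AFTER)[1]))
```

Run as-is it reports the ewido and CounterSpy processes and their O4/O23 entries as added, the Window Washer process and its RunOnce entry as removed, and the `(no file)` BHO as still present in the second log. To use it on real logs, replace `BEFORE`/`AFTER` with the two saved files' contents; every `(no file)` line in the output is a question for the helper, not an automatic fix.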
