
HJT LOG - baytownick

2 replies to this topic

#1 baytownick

Posted 05 January 2005 - 11:03 AM

Please review and advise, Thanks

Logfile of HijackThis v1.98.2
Scan saved at 9:59:04 AM, on 1/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\HijackThis.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.houston.rr.com/intros/N3
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {72B45B6F-A3E0-439C-8C91-50A266B7AE09} - https://www.opinionsquare.com/globalconfig/ngc_activex.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323


#2 phawgg

Posted 05 January 2005 - 06:38 PM

Checking. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#3 phawgg

Posted 06 January 2005 - 05:25 PM

baytownick,
I find a couple of entries that are not good
and several others that are possibly not needed by you at startup.
Instead of telling you what to delete, information is provided.
Disregard any entries you want to keep.
Just don't delete them. Follow the steps, please.
The bad ones should be apparent.
The rest are OK to delete, but they are not malware.
Deleting them simply frees up system resources, etc.

Print out or copy/paste these instructions to Notepad/WordPad, or choose File-->Save Page As: HJT instructions.

Read these links before you decide on deletions:
OSE.exe info
add'l OSE.exe info
realplay.exe info
qttask.exe info
ct.exe info
ps2.exe info
hpsysdrv.exe info
igfxtray.exe info
hkcmd.exe info

nwiz.exe info (I delete this & have no ill effects).
(NvCplDaemon)rundll.exe info (I delete this & have no ill effects).
System Tray icon used to change display settings, change the clock rate and memory speed for nVidia based graphics cards.
This is unnecessary since you can easily configure these settings the way you want them in the Display Properties
and not have to mess with them again.
Also disable the "NVIDIA Driver Helper Service" if enabled as it can cause this entry to be re-enabled on re-boot
(note that this service can also cause extreme shutdown delays if enabled - see next link)

add'l info

shadowbar/backweb info
From: Answers That Work
BackWeb started life as push technology software which enabled you to subscribe to various information channels
of your choice so that your selected information channels would pop up on your screen with the latest world news,
entertainment news, etc…, whatever you might have chosen.
You can configure the original BackWeb to download the news for later viewing,
to display the news as desktop background, ticker, or popup window.
This did not take off as well as expected and, crucially, it was also not paying for itself.
As a result BackWeb quickly went into other markets, two of them significant ones.
(1) Advertising adware where websites, ISPs, or software manufacturers include BackWeb on their site,
in their ISP software, or in their software and, whenever you connect to the Internet,
BackWeb also connects to retrieve advertisements which are then displayed on your screen or in your browser.
(2) BackWeb is also routinely installed on new PCs by specific computer manufacturers with the aim being that BackWeb will
automatically check for vital updates to the PC’s setup whenever the end-user connects to the web.
Such manufacturers include Compaq, Hewlett-Packard, LogiTech, Kodak, although some or all of these may have stopped
this practice at the time of writing of this entry (April 2002).
Recommendation:
Unless you are using BackWeb for news content, we strongly recommend de-installing it.
It is often a serious resource hog, in most cases it is also advertising adware, it slows down your Internet connection,
unacceptably if you connect by modem, and it has the potential for sending out information from your PC.
De-install via the "Add/Remove Program" icon in the Control Panel.


Download & install System Security Suite. Install this program, look it over, read about it, but don't run it quite yet.

You are using an outdated version of HijackThis.
While not critical, we recommend using the latest version.

Download Hijack This 1.99 installer.
This will install to C:\Program Files\HijackThis automatically when you unzip it.
Simply delete the 1.98.2 folder & file.

Set your PC to: Show Hidden Files. (click tutorial for instructions)

Open your C:\Program Files\HijackThis folder and double-click the icon.
Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects:

O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe


Continue placing checkmarks next to any of these you choose to,
based on your decisions after reading the information.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

Click the Fix Checked button when you are certain of the deletions.

Reboot your computer into Safe Mode by tapping F8 until
the DOS screen appears. Yes. Use the up arrow to choose safe mode. Hit enter. OK.

From the safe mode desktop:
Search for, locate and delete the following file(s) or folder(s)
(Don't be concerned if they don't exist, the previous steps may have eliminated them.)
Do not delete the main folders C:\WINDOWS or C:\Program Files.
To find them use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->
check search "system folders", "hidden files & folders" & "sub-folders". Enter the filename. Hit "search".

Or simply navigate to the appropriate folder, right-click-->delete individual file(s) or folder(s).

Delete manually:
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe<--this file only
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe<--this file only

Depending on which deletions you chose to use HJT for,
continue with the appropriate manual deletions:

C:\Program Files\Microsoft Office\Office10\OSA.EXE<--this file only
C:\Program Files\QuickTime\qttask.exe<--this file only
C:\Program Files\Real\RealOne Player\RealPlay.exe<--this file only
C:\nwiz.exe<--this file only
c:\program files\HPSelect\Frontend\ct.exe<--this file only
C:\WINDOWS\system32\ps2.exe<--this file only
C:\WINDOWS\System32\NvCpl.dll<--this file only
C:\WINDOWS\System32\igfxtray.exe<--this file only
c:\windows\system\hpsysdrv.exe<--this file only

If you get an error when deleting a file,
right-click on the file and check to see if the read-only attribute is checked.
If it is, uncheck it and try again.


Run System Security Suite (all windows and browsers closed). To clean out Temp and Temporary Internet Files, in the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Open Internet Explorer, and click on the Tools menu and then Internet Options.
At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

Reboot your computer to go back to normal mode.

Scan online for viruses at Bitdefender if you'd like an extra measure of assurance.

Run HijackThis again and post the new log as a reply to this post.
Please include comments.
Is it running better?
Did the information provided help in any way?
patiently patrolling, plenty of persistent pests n' problems ...
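As an added example (not code from the thread or from HijackThis), a small Python parser for log lines of the kind posted above, with a triage pass that flags the two components phawgg identifies (ShadowBar/BackWeb) and any Global Startup shortcut whose target HijackThis could not resolve. The sample lines, the KNOWN_ADWARE list and the flagging rules are constructed here from the reply; they are assumptions for illustration, not HijackThis features.

```python
import re

# Constructed sample lines, in the HijackThis v1.98 format of the log posted above.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.rr.com/flash/index.cfm
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar3.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - Global Startup: hp center.lnk = C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O16 - DPF: {72B45B6F-A3E0-439C-8C91-50A266B7AE09} - https://www.opinionsquare.com/globalconfig/ngc_activex.cab
"""

# Name fragments of the two components the reply above calls adware; this list is
# constructed from that reply, not a HijackThis feature.
KNOWN_ADWARE = ("backweb", "shadowbar")
SECTION_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<cmd>.+)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<name>[^)]*)\))? - (?P<cmd>.+)$")
EXE_RE = re.compile(r'(?P<exe>[^"]*?\.(?:exe|dll|ocx|cab))\b', re.IGNORECASE)  # first binary in a command

def parse_hjt(text):
    """Parse HijackThis lines into dicts with section, name, clsid, cmd and exe (lowercased)."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:            # header, "Running processes:" block, blank lines
            continue
        e = {"section": m.group("section"), "name": None, "clsid": None, "cmd": m.group("body")}
        for rx in (RUN_RE, STARTUP_RE, BHO_RE, DPF_RE):
            d = rx.match(e["cmd"])
            if d:            # replace cmd with the command/path part only
                e.update({k: v for k, v in d.groupdict().items() if v is not None})
                break
        ex = EXE_RE.search(e["cmd"].lstrip('"'))
        e["exe"] = ex.group("exe").lower() if ex else None
        entries.append(e)
    return entries

def triage(entries):
    """Return (entry, reason) pairs a reviewer should look at first."""
    flagged = []
    for e in entries:
        if e["exe"] and any(tag in e["exe"] for tag in KNOWN_ADWARE):
            flagged.append((e, "adware component named in the reply"))
        elif e["section"] == "O4" and e["cmd"].strip() == "?":
            flagged.append((e, "startup shortcut with unresolved target; inspect manually"))
    return flagged
```

Entries that are merely unneeded at startup (QuickTime, RealPlayer, nwiz and the rest of phawgg's optional list) are deliberately not flagged; the reply leaves those to the user's judgement.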



