Chaslang, Spybot, new thread

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Conklin, Jun 23, 2004.

  1. Conklin

    Conklin Private First Class

    Chas, as you said, let's have a new thread, since the others were getting pretty long and contained much which was no longer relevant. So we can let them drift back into the nether world of old pages!

    I, in fact, did NOT know about page 1, 2 etc. in a given thread. Thanks for telling me. That made it OK.

    I think maybe we're getting near the end. Sure hope so!

    Let's take them in order:

    =======================================
    1. LAPTOP
    Seems to be working fine. I still pick up a lot of stuff, though, when I run AA. I just ran it and since it found about 30 things I'll reproduce it here. It's odd because there has been no browsing on that computer since I cleaned it last night. My wife did check and reply to some eMail on it but no attachments, other than a couple of photos I sent her from mine.


    ArchiveData(auto-quarantine- 23-06-2004 14-18-58.bckp)
    ======================================================
    PEOPLEONPAGE
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=Folder : c:\program files\SysAI
    obj[8]=File : c:\windows\system32\mllerror.exe
    obj[9]=File : c:\windows\system32\mmfbrand.exe
    obj[18]=File : c:\program files\sysai\ace.dll
    obj[19]=File : c:\program files\sysai\sysai.exe
    obj[20]=File : c:\program files\sysai\proxystub.dll
    obj[21]=File : c:\program files\sysai\libexpat.dll
    obj[22]=File : c:\program files\sysai\wingenerics.dll
    obj[23]=File : c:\program files\sysai\uninstaller.exe
    obj[24]=File : c:\program files\sysai\atl.dll
    obj[25]=File : c:\program files\sysai\data.bin
    obj[26]=File : c:\program files\sysai\ai_20-06-2004.log
    COOLWEBSEARCH
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[1]=RegValue : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    obj[10]=File : c:\windows\system32\iehost.exe
    obj[12]=File : c:\windows\system32\terrabyte.exe
    obj[27]=File : c:\windows\system32\searchbar.htm
    SECONDTHOUGHT
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[2]=RegKey : Software\2nd
    obj[3]=Folder : c:\\temporary
    obj[11]=File : c:\windows\system32\install2.exe
    obj[28]=File : c:\temporary\install53.exe
    obj[29]=File : c:\temporary\stcterms.html
    obj[30]=File : c:\temporary\vinca.jpg
    TRACKING COOKIE
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[4]=File : c:\documents and settings\default\cookies\default@qksrv[1].txt
    obj[5]=File : c:\documents and settings\default\cookies\default@z1.adserver[1].txt
    obj[6]=File : c:\documents and settings\default\cookies\default@tribalfusion[1].txt
    VX2.BETTERINTERNET
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[7]=File : c:\windows\system32\cmzeggno.exe
    obj[13]=File : c:\windows\inf\twtini.inf
    obj[14]=File : c:\windows\twaintec.dll
    obj[15]=File : c:\windows\twaintec.ini
    PROMULGATE
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[16]=File : c:\windows\system32\pcs\pcsvc.exe
    obj[17]=File : c:\windows\system32\pcs\pcsvc.dll

    In addition, I ran Spybot, and found Avenue A, 1 entry, and two other things I've never seen before: DyFuCa, 1 entry and Delfin Project 9 entries.

    I cleaned all in both AA and SB.
    I remain troubled that all this stuff accumulates.

    =======================================
    2. Desktop:

    I got the stuff you sent and did everything you said to.

    My Win XP was up to date except for some optional updates; the laptop required one update, which I installed. I then rebooted and ran Spybot, which again showed DSO Exploit, 5 items on both computers. So I setup SpyBot to ignore it, per your suggestion.

    Yes, both AA and SB are up to date.

    I removed ESPN Motion. I couldn't ever find Kontiki, KDS, Khost on the Add/remove panel.

    Now the Hijaak This log:

    I removed all of the items you specified, then rescanned with Hijaak. The DigStream and [kdx] lines returned. So I did it again, and again. They returned each time. So did the-exit.com/search. The others remained gone.

    I was tempted to open in safe mode and scan again, but thought i'd wait for your comments.

    I did LSPfix. Oddly the spsublsp.dll was ALREADY on the right side. So I moved it to the left, then back to the right and clicked "finish." per your instructions.

    I then ran AA on my desktop computer and got these cookies:
    atdmt
    ehg-neteller.hitbox[2]
    hitbox[2]
    tribalfusion[1]
    zl.adserver[1].

    I deleted those and then ran SpyBot, finding "Avenue A" and "coolwwwsearch," each with one entry and "hitbox" with two entries.

    In addition, I continue to get a pop-up from Ad-watch notifying me that "an attempt to alter a protected object has been detected."

    I sent you all this about Adwatch earlier (was it today or last night).
    Here's the gist of it:
    Value: search URL
    Data:http://www.the-exit.com/search
    New Data:http://www.google.com
    and the choice of how to proceed. I have chosen "Block" each time. What does this mean and what can I do about it?


    So I'm left with:
    1. Laptop
    a) lots of cookies came quickly
    b) Spybot detected an old one, Avenue A and two new ones I've never seen before.

    2. Desktop
    a) a few cookies... what should I do?
    b) SpyBot finds several items.
    c) There are three items on Hijaak that keep coming back.
    d) there is an odd message that keeps coming from AdWatch

    I really don't understand Adwatch, or how to use it. The help screen is pretty turgid.

    I'll await your next...

    bill
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bill,

    Let's start by downloading and running CWShredder and the CoolWWWSearch.SmartKiller.

    http://www.majorgeeks.com/download4086.html
    http://www.majorgeeks.com/download4113.html

    Run those on both PCs.

    Next we need to get some blocking in place. Use the Immunize feature of SpyBot on both PCs and then also download and install Spyware Blaster to both: http://www.majorgeeks.com/download2859.html

    One more thing, try cleaning both PCs with Ad-aware & SpyBot in safe mode too.

    I've got to run right now. Got a ball game. Be back at about 10:30 to 11:00 PM EST.
     
    Last edited: Jul 6, 2007
  3. Conklin

    Conklin Private First Class

    Chas, How'd the ballgame go? You a player? Or a watcher? ;~))


    I did the things you asked me to. I had a little problem with CWShredder and CoolWWWSearch.Smartkiller. They kept wanting to be saved in "PowerDesk Archive" (PD is my file mgr prgm). And when they'd get there, I couldn't get the programs to run. Finally I went to google and kept looking until I found a download site that would work, and let me run the program.

    I never was able to run anything named "CoolwwwSearch.SmartKiller." It kept coming up "Registry...something or other." Can you believe I've forgotten the name? It's been a long day. In any case that was true of both computers. I finally gave up fighting and ran the damned thing on each, and it ran on both. "Registry Mechanic"... that's what it was. In its insistence I thought it acted a lot like spy-ware. But I figured I'd check with you.

    I ran SpyBlaster on both, and wasn't sure what options to choose so I just took all of them.

    I ran AdAware and SpyBot in safe mode on both; each got 6 of the usual suspects on AA, atdmt, doubleclick etc. Which I again deleted, and I got two entries each on Spy Bot. I also ran Hijaak on the desktop under Safe mode. DigStream and [kdx] were there and I deleted them once again. the-exit.com wasn't there.

    I guess it remains to be seen what happens next. I did have a few questions in my last note, especially about AdWatch and the oddball message it was sending me.

    Maybe if you get a few spare minutes (FAT chance!!) you could briefly explain it to me and suggest the best way to set it up, and how to respond to it.

    I also wonder about what's next. I have become more sensitized to what's going into my computer, and now, of course, I want ZERO trash! But that probably isn't realistic. How should I monitor? What should I look for? What should I do?

    Are we at the end? Nearly at the end? Or just beginning, as the last sentence in "Portnoy's Complaint" suggested?

    bill
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some days I'm playing, some days I'm coaching and some days I'm watching. Tonight I was watching my son. They lost (in two different innings two errors cost them 5 runs). Tomorrow night I play. I'll get in after midnight EST.

    Back to your download problems and CWShredder and CoolWWWSearch.SmartKiller, I think you are clicking on the wrong things on the MajorGeeks download page. When you get to the page for CWShredder for example (http://www.majorgeeks.com/download4086.html), on that page do not click at the top where it says Download Now! That is an advertisement for (most of the time) Registry Mechanic. To download the items you are interested in you have to click on one of these:
    Download Sites:
    BTN
    MajorGeeks
    Planet Mirror

    Try it again and put them in their own directories where you can run them from. They do not require installations. You just need to unzip the executable and run it.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's fine. Did you update it too? Click Update?

    Have you used the Immunize feature on SpyBot yet like I suggested? I'm not sure why DigStream and Kontiki (KDX) keep coming back. Take a look in c:\windows\prefetch and see if those EXE files appear in there.


    I don't remember if we did this or not yet (I look at a load of threads every day) but download and run CrapCleaner from: http://www.majorgeeks.com/download4191.html
    Remember to click in the right place. ;)
    Install it and run it. When it first comes up you should be on its Windows tab. Leave the defaults and click Run Cleaner. See if this helps. But it could be that you have your home page locked somehow and Adwatch is just warning you that something is trying to change it from http://www.the-exit.com/search to http://www.google.com which is what you wanted. I'm not familiar with Adwatch so I cannot say exactly what is going on but that's what it looks like. You should probably say yes.


    Well once you have all of the below covered you should be in good shape:
    1) Always stay current with Microsoft's Critical updates
    2) Have a virus scanner, keep up to date, run full scans periodically
    3) Have multiple spy/ad-ware scanners, keep up to date, run frequently
    4) Have a spy/ad-ware blocker, keep up to date
    5) Have a firewall running hardware or software (or both)

    Once all that is in place things should be better. But remember you're the one that is surfing and clicking with the mouse. You have to be careful what you say yes to. Read the software disclaimers; don't just click yes and go.

    It will never be the end unless we can totally rid the world of the people creating spy/ad-ware, trojans, and viruses. It is an evolutionary process.
     
  6. Conklin

    Conklin Private First Class

    Chas,

    It is the oddest thing. When I try to download either of those (Shredder and Coolwww) and specify a directory, then PowerDesk (my file mgr program) opens without me asking it to, and shows the zipped download in place. When I try to open it and run the unzipped program, eg miniremoval_coolwebsearch_smartkiller I get a message that the program is not found. I DID use the download sites you suggested on the MG site, and finally went to others; was able to run Shredder that way, but kept getting Registry Mechanic instead of "Cool" to the point where I thought maybe Cool had been renamed. I'm not sure I ever ran Cool.

    I have been using PowerDesk for nearly 10 yrs and it is a great program (IMHO!!) that has never given any trouble. What do you think about this?

    I did have the updates in place on SpyBlaster (I've been paying attention!).
    Yes, both computers are "immunized."
    I went to prefetch and didn't find DIGstream. I did find:
    Khost.exe-15F4F04D.pf
    I left that in place. My most recent running of HT didn't show either DIGstream or [kdx].

    Yes I have run CrapCleaner, several times over the past week on each of the two. But not for the last couple of days. I will do so again when I finish this.

    I'm surprised that you don't have info on AdWatch. As you know, there's a slot for it to be installed on AA, and I assumed it was an embellishment that made AA even better so I bought it. But the instructions are pretty obtuse, and it keeps popping up at the oddest times with problems I don't know how to solve.

    A couple other things and I'll stop:

    You mentioned clutter in my start-up menu. What can I do about that?

    You mentioned firewall. I had a Norton Firewall in place, but when I went wireless, I had to disable it because the wireless wouldn't work with it in place. I was told there is a firewall built into the Linksys router. Do you have any opinions on that?

    Finally, my grandchildren like to play on the computer when they come over. I'm not keen on this, but in the interests of further happy congress with Grandma, it is advisable that I shut up about it and cope. These are little kids, and the kinds of places they go for games on the 'net are pretty unsophisticated, such as "Miniclip." I at least am able to keep them from downloading on my desktop computer, though the oldest does play some CD war games on it.
    The downloads are on Grandma's laptop (yes, THAT laptop!) My question is this: how much risk is associated with sites like Miniclip and Barbi.com? And what can I do about it other than the things we now have in place?

    Your references to baseball struck a happy chord, watching your son, and all. The year I graduated from HS, I played on three separate teams, playing at least one game and often more than one the same day/night. That was 49 yrs ago this summer!

    Best...

    bill
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hi Bill,

    You have to decide for yourself about Powerdesk. But to me it appears to be getting in your way. Can it be shut down temporarily while trying to download and unzip? Obviously if it is shut down, you will need a copy of Winzip on your PC to extract from the ZIP. But then again Winzip will take over file associations that you now have set up Powerdesk to handle. I have heard of it but have never used it so I cannot say exactly what your problem is. Answer these questions:
    1. Are you able to actually download the two files okay?
    2. Can you actually see the following files on your computer:
      - cwshredder.zip
      - delcwssk.zip
    3. If yes, when you double click on them, do you see these inside them respectively: CWShredder.exe and miniremoval_coolwebsearch_smartkiller.exe
    4. If yes, you have downloaded the files okay. Is there an extract option for powerdesk? Make sure you are not trying to run it from inside the ZIP.
    I'm not sure what is going wrong but this is something that you need to be able to get past. You need to be able to download files to where you want to put them and to be able to extract from ZIPs and run the executables.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bill,

    Delete Khost.exe-15F4F04D.pf from the Prefetch folder.

    Are you still getting the popup message from Adwatch that says "an attempt to alter a protected object has been detected" ?

    As for startup clutter, give me a new HijackThis log for the PC (choose which one - let's do one at a time) and we'll work on it.

    You should not have to disable Norton Firewall to get your wireless cards to work. Something must have been set up wrong (like Trusted Zone settings). You need to verify that you definitely have a Linksys router with a firewall built in and check that it is enabled. This can be sufficient although many people do also enable a software firewall too. (Just do not have two software firewalls at the same time).

    I don't know about those game sites your grandchildren are going to but ones that teenagers might go to can become problems. Avoid places that have anything to do with WildTangent software.
     
  9. Conklin

    Conklin Private First Class

    I have used PowerDesk for 10 yrs and the main use I make of it is just what we're talking about; I download data in zipped files, open the files to get the data, and then mostly incorporate it in a database. I have never had a bit of trouble with any until these downloads from MG. I don't know what the cause is; obviously not on your end, as many downloads of those are OK. I'll see what I can figure out. I did just download some data before this message and PD worked just fine.

    I went to prefetch and removed Khost.
    No more messages from AdWatch.

    AA and SB scans of laptop this AM showed no items at all.

    Here's the HT log for the **DESKTOP** computer:
    Comments on the start list would be welcome.
    BTW I uninstalled Inbox Cop so you won't find that any more.


    Logfile of HijackThis v1.97.7
    Scan saved at 10:26:44 AM, on 6/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ClipCache\clipc.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
    C:\ICSdownload\ics.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\My Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us10.hpwis.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75 -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ClipCache] C:\Program Files\ClipCache\clipc.exe /wait 3
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Print Using ClickBook (HKLM)
    O9 - Extra button: Research (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  11. Conklin

    Conklin Private First Class

    My broker's partner invented it, and he and I use it as a form of instant communication. The advantage is that one can attach even very large files and transport them. Is there a problem with it?

    Along other lines, look what I just found. After I sent you that last message I did other things, and when I just came back, I rebooted, and AdWatch showed me these three:


    Ad-watch Logfile, exported on 6/24/2004
    Total number of events:3
    ===============================================
    6/24/2004 11:27:02 AM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:DIGStream
    Data:C:\Program Files\DIGStream\digstream.exe
    New Data:

    Attempt to alter the autostart section (Blocked)

    ===============================================
    6/24/2004 11:27:04 AM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:kdx
    Data:C:\WINDOWS\kdx\KHost.exe
    New Data:

    Attempt to alter the autostart section (Blocked)

    ===============================================
    6/24/2004 11:27:06 AM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Internet Explorer\Main
    Value:SearchURL
    Data:http://www.the-exit.com/search
    New Data:

    Possible browser hijack attempt (Blocked)

    ===============================================

    As you can see, I blocked all three.
    But they really aren't gone, are they?

    I'm going to be gone for a few hours. I'll look forward to hearing from you on this.

    PS BTW, is there a way to view the messages with the newest one at the TOP of the page?

    bill
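The three Ad-watch events above, run through a small parser as an added example (the input is this thread's own log; the code is not Ad-watch's or Ad-aware's). The category names, and the reading of an empty "New Data" as an attempt to clear a value, follow the convention visible in Bill's earlier popup (Data = current value, New Data = the value being written) and are my assumptions, not anything the tool documents:

```python
import re
from dataclasses import dataclass
# Input: the three events Bill posted above, copied as-is.
ADWATCH_LOG = r"""Ad-watch Logfile, exported on 6/24/2004
Total number of events:3
===============================================
6/24/2004 11:27:02 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:DIGStream
Data:C:\Program Files\DIGStream\digstream.exe
New Data:

Attempt to alter the autostart section (Blocked)

===============================================
6/24/2004 11:27:04 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:kdx
Data:C:\WINDOWS\kdx\KHost.exe
New Data:

Attempt to alter the autostart section (Blocked)

===============================================
6/24/2004 11:27:06 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Main
Value:SearchURL
Data:http://www.the-exit.com/search
New Data:

Possible browser hijack attempt (Blocked)

===============================================
"""

SEPARATOR = re.compile(r"^=+[ \t]*$", re.M)
HEADER = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) - (.+)$", re.M)
VERDICT = re.compile(r"^(.+?) \((Blocked|Allowed)\)[ \t]*$", re.M)
FIELDS = ("Root", "Key", "Value", "Data", "New Data")

@dataclass
class AdwatchEvent:
    root: str
    key: str
    value: str
    data: str
    new_data: str
    verdict: str
    blocked: bool

    @property
    def category(self) -> str:
        k = self.key.lower()
        if k.endswith((r"\currentversion\run", r"\currentversion\runonce")):
            return "autostart"
        return "browser-settings" if k == r"software\microsoft\internet explorer\main" else "other"

    @property
    def change_kind(self) -> str:
        # Data is the existing value and New Data the one being written (as in Bill's
        # earlier popup), so an empty New Data is an attempt to clear the value.
        if not self.new_data:
            return "remove"
        return "create" if not self.data else "change"

def parse_adwatch_log(text: str) -> list[AdwatchEvent]:
    """Split the export on its ===== separators and read one event per block."""
    events = []
    for block in SEPARATOR.split(text):
        if not HEADER.search(block):
            continue  # file preamble or empty trailing block
        fields = {}
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if sep and name in FIELDS:
                fields[name] = rest.strip()
        verdict = VERDICT.search(block)
        events.append(AdwatchEvent(
            root=fields.get("Root", ""), key=fields.get("Key", ""),
            value=fields.get("Value", ""), data=fields.get("Data", ""),
            new_data=fields.get("New Data", ""),
            verdict=verdict.group(1) if verdict else "",
            blocked=bool(verdict and verdict.group(2) == "Blocked"),
        ))
    return events

def summarize(events: list[AdwatchEvent]) -> dict[str, list[str]]:
    """Group the registry values touched, by category, one line per event."""
    out: dict[str, list[str]] = {}
    for ev in events:
        status = "blocked" if ev.blocked else "allowed"
        out.setdefault(ev.category, []).append(
            f"{ev.change_kind} {ev.root}\\{ev.key}\\{ev.value} = {ev.data or ev.new_data} ({status})")
    return out
```

Reading the export this way separates "something is trying to write an autostart entry" from "something is trying to change an IE setting", and records which value the write was aimed at, which is the thing to compare against the HijackThis O4 and R1 lines when the same names keep reappearing.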
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not have a problem with ICS. I just wanted to be sure you put it there and have a use for it.

    We need to find out how those three programs are coming back. Use windows explorer to look and see if the directories and files are really there. Make sure you have enabled view of hidden files and folders under the Tools, Folder Options, View tab.

    To view new messages at the top: Click on Display Modes on top right and use Switch to Linear Mode
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are some items to start with that I would think about removing. It's up to you to determine whether or not you really feel these are useful and/or necessary to you.

    mm_tray.exe - This program is installed by MusicMatch Jukebox and enables you to access MusicMatch from the System Tray.

    Recommendation :
    If you like the feature, keep it. Otherwise disable the Tray feature in MusicMatch Jukebox.



    mmtask.exe - Background task installed by MusicMatch Jukebox and which detects the insertion or removal of a CD so that MusicMatch Jukebox can update its display accordingly.

    Recommendation :
    This task is provided purely to allow MusicMatch Jukebox to still be able to detect the insertion or removal of a CD on PCs where the CD-ROM drives are not set to Auto-Play ("Auto-insert notification" not turned ON in Win9x/ME, or "Autorun" registry key set to Zero in WinNT4/2000/XP). If you know that your PC automatically plays or opens CDs, then, as part of streamlining your PC's environment, you may try disabling this task.


    hphmon05.exe - User's Choice (application needs to be run at startup, but is not system critical)
    Comments: Monitors the status of the memory card reader slot on HP printers and displays a tray icon if a memory card isn't inserted. Also creates a virtual drive and assigns it the first available drive letter - which can lead to problems with drive management. Disable if you don't use the reader.



    realsched.exe - Go here: http://www.answersthatwork.com/Tasklist_pages/tasklist_e.htm and scroll down to Evntsvc, TkBellExe, Realsched and read the info.
    Then go to here: http://www.answersthatwork.com/Tasklist_pages/tasklist_r.htm and scroll down to Rndal and read. Also on the same page read about Realevent and RealPlay.
    Now again, you decide. Do you use this software? You already have MusicMatch to play CDs.



    HPWuSchd2.exe - Go here: http://www.answersthatwork.com/Tasklist_pages/tasklist_h.htm and scroll down to Hpwuschd and Hpwuschd2.
    I personally don't like auto updates either unless for a virus scanner or spy/ad-ware scanner. If software is working as is I do not want an update automatically installed. Old rule applies, "if it ain't broke, don't fix it".


    backweb-8876480.exe - Process Name: Logitech Desktop Messenger. Go here: http://www.answersthatwork.com/Tasklist_pages/tasklist_b.htm and read about Backwebagent and Backweb.



    hpotdd01.exe - Go here: http://www.answersthatwork.com/Tasklist_pages/tasklist_h.htm and scroll down to Hpotdd01 to see how stupid HP is.


    BackWeb-137903.exe - Go here http://www.windowsstartup.com/wso/browse.php?l=2&start=75&end=100 and scroll down to Backweb-137903.exe. Looks like adware to me.


    HPZipm12.exe - Go here http://www.answersthatwork.com/Tasklist_pages/tasklist_h.htm and scroll down to HPzipm12
     
  14. Conklin

    Conklin Private First Class

    Regarding the three interlopers that AdWatch found, I was able to locate C:\WINDOWS\kdx\Khost.exe. I deleted the entire kdx file with all contents.

    I could not find Digstream.exe, even using a search. I didn't know where or how to find http://www.the-exit.com/search, so can't verify it.

    I thought we were done with all three of them. Where do they hide?

    I went down the list of items for removal. mmtask.exe was in two places, and "Access denied" at both. However later I got an AdWatch message asking if I wanted to allow it, and I clicked that I did. I couldn't delete hphmon05.exe. I'll find it again and rename it. I do use and enjoy the jukebox while I work at the computer. But I don't think that will be hindered by getting rid of the files you suggest.

    I do use RealPlay for some streaming video applications. However, the "blurb" said this thing could be deactivated by renaming it; I did so. It is now Realsched.old.exe.

    I disabled HPWuSched2.exe.

    At this point I had been using PowerDesk to find files. It began to act very strangely, opening when I didn't want it to, and finally, when I went to open Control Panel, PowerDesk kept opening, along with a message that PowerDesk needed to shut down. I have no explanation. I have never had any problem with it before. But if you recall, it was acting strangely with those downloads today, too.
    I uninstalled it. Maybe later I can reinstall it. I don't think it's Adware. It has been an extremely valuable piece of software for me over the years. I use it pretty much every day. So I hope I'll be able to reinstall it and use it again. Your comments?

    Without it, however, I no longer had my file finder. It's been so long since I used Explorer that I've forgotten how to find things with it!

    I was able to find Logitech Desktop Messenger and deleted it in toto.

    The last three,
    hpotdd01.exe
    BackWeb-137903.exe
    HPZipm12.exe

    all need to go, but without my file finder, I didn't know where to find them.
    Suggestions?

    I am puzzled that my Desktop computer, which was having no trouble at all until after my wife's began acting up, is now the one with the most problems. I had mentioned my concern that I had somehow infected the desktop with the Hijaak files I was sending over. Is this an actual possibility?

    bill
     
  15. Conklin

    Conklin Private First Class

    Chas,

    Ran SpyBot on Desktop.
    Only finding is, guess what... WWWcoolsearch.

    I have tried again and again to download and open coolwwwsearch.smartkiller.exe.
    I have put it in 6 different folders.
    It seems to open, and a file called Miniremoval_coolwebsearch_smartkiller.exe is in place. But when I double-click it, I get a message that the program is not found on my system. I don't get it.

    bill
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bill, I still puzzle how Digstream and www.the-exit.com have come back too. Let me know if you see another problem with them (I think Ad-aware found them last time).

    Uninstalling PowerDesk was probably a good idea for now since it was behaving strangely anyway. Yes, try re-installing it again later (whenever) and see how it works afterwards.

    To find files you don't use Explorer, you click Start, Search, All Files and Folders, choose the More advanced options (we need this because some of this crap has been hidden). Then make sure these 3 options are selected:
    1) Search system folders
    2) Search hidden files and folders
    3) Search subfolders

    Then click back, then click All Files and Folders again, now enter your file name in the top box.

    You can use Explorer to find files by opening and closing directories and scrolling thru them. This is sort of a manual search. Also make sure your Win Explorer options are set to view Hidden files too. See this: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Using this you should be able to find anything you need to.

    Remember I gave you a list of possible things to delete and said you could decide for yourself based upon the info given whether or not you need them.

    As far as transferring files and causing problems on the other PC, anything is possible. Don't forget they are on the same network. Some trojans and viruses look for shared drives and spread thru them. That's why it is important to have all PCs on a network protected. One weak link..... yada yada.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now I understand what you mean!!! That message is okay. It ran and did not find the problem. When it said the program is not found, it means the coolwebsearch_smart problem is not found. I thought you were telling me you were getting a system error message saying that the executable file you were clicking on was not found.

    Did SpyBot clean the WWWcoolsearch problem?
     
  18. Conklin

    Conklin Private First Class

    Chas,

    That's funny about coolweb! I was wracking my brains trying to figure out what was wrong!

    SpyBot and AA this AM showed no problems on the desktop computer. (Nor on the laptop).

    Last night I was looking at the options for taskbar, and clicked on "advanced." This offered the option for hiding or not hiding various programs. Among those were these two:

    "Digstream...94%"
    "Digstream...100%"

    The latter had an icon that looks like a little steaming cup of coffee. I (again) wracked my brain where I had seen that, and then I recalled a similar, and perhaps identical icon in a web site I use. Could that be where this Digstream is coming from? And is it a serious threat, or is it just an unknown? I really need to use that website, so I'd rather not stop using it unless I had to, especially since it isn't definitely the origin.

    I am also wondering about AdWatch. One of the options I have checked is "Lock startup sections in registry." Could that be locking *IN* the things we have been chasing? The idea, of course is to block *OUT* things you don't want in.

    I finally allowed Google to replace "exit" and have no discernible problems as yet.

    I wonder if you could look over those three AdWatch messages I sent along, pertaining to "exit", "dig" and "cool" and tell me just what they mean?

    I think maybe this AdWatch is a good aggressive program, but if I'm going to use it, I better understand the options! The way to use it is laid out in the "help" section of AdAware. It's pretty tough reading, but maybe it would make sense to you!

    Good advice on how to get rid of those other things running at startup. I have something I have to do until this evening, but will revisit it again then and report in, Major!

    One other thing: Microsoft kept sending popups about privacy and I kept knocking them off. Last night I clicked "OK" and now have an icon at the bottom of my screen, right next to the globe icon and "Internet." Is this a good thing, or a bad thing? What does it mean to me? When I double click it I get a "privacy report" that shows that atdmt has been blocked.

    Later, Chas...

    bill
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What's the website you are referring to?

    It's good to use Ad-watch to lock your startup options; however, you have to remember you are doing that so it does not cause you a problem at a later date. For example, I had one person telling me that they could not change their home page. It would always revert back. They kept saying they had a hijacker. Not true! They had locked their home page with SpyBot S&D. This is just a heads up for you. It's good to do this but you just have to understand the ramifications. It may also cause items to show in a HijaakThis log indicating restrictions being placed on IE and/or Control Panel. Again this is because you asked for it.

    Were the three AdWatch messages you wanted me to look at in one of the old threads?

    Those Microsoft popups about privacy are most likely due to blocking of restricted zone items. Remember when we used the SpyBot Immunize feature? It placed a load of items into your Restricted Zone for Internet Explorer. Double click on the little eyeball/red minus sign and you can read what it is complaining about. Probably some cookies being blocked.
     
  20. Conklin

    Conklin Private First Class

     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oooh! Betting on sports are we! ;)

    Those three messages were just telling you that those programs were trying to make changes to the registry and they were blocked from doing so.

    We have gotten rid of KDX and the-exit.com now, right?

    Does the pinnaclesports website send you videos or other files? As far as I could find out DigStream is used by ESPN Motion and Disney Motion to check the availability for new videos/clips.

    >> Are there others I could get rid of?

    Maybe! Post another log.

    >> How do I find the list of such items in my computer?

    The HijaakThis log gives you this. You can also find things by running msconfig and looking at the startup tab. This does not mean you don't need those items. It's just a list of items loading at Startup via one procedure or another. You have to be the one to determine exactly what it is you need or don't need.
     
  22. Conklin

    Conklin Private First Class

    Chas,

    I would like to trim my start list. You asked for another log:


    Logfile of HijackThis v1.97.7
    Scan saved at 9:45:25 PM, on 6/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ClipCache\clipc.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\Program Files\Norton AntiVirus\OPScan.exe
    C:\My Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us10.hpwis.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75 -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ClipCache] C:\Program Files\ClipCache\clipc.exe /wait 3
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Print Using ClickBook (HKLM)
    O9 - Extra button: Research (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab



    bill
     
  23. Conklin

    Conklin Private First Class

    Chas,
    I was kind of out of commission yesterday. It was my grandson's 8th b'day (he's my ballplayer!) and I spent the day with him and his family.

    But I just looked over the log I sent, and a lot of the stuff I thought we had gotten out of there is still with us, including [kdx] and digstream. I don't understand it. I did the things you said, and did them the way I thought you said to do them.

    I also ran msconfig=>starters and found these:
    hphmon056
    Realsched
    digstream
    Khost
    "Backup Notify" from HP
    Backweb-8876480
    hpoddt01.exe

    SpyBot showed no activity.

    What shall I do?
    bill
     
  24. Conklin

    Conklin Private First Class

    I used Hijaak and "fixed" hphmon05, [kdx] and digstream, yet again.
    bill
     
  25. Conklin

    Conklin Private First Class

    Chas,
    This is mostly a "Bump" so I don't drift off into the nether regions of SpyWare hell!

    Here's a log from tonight:

    I had rebooted (not in safe mode) but the three didn't come back that I can tell.

    bill

    Logfile of HijackThis v1.97.7
    Scan saved at 7:37:02 PM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ClipCache\clipc.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
    C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
    C:\My Downloads\HijackThis.exe
    C:\WINDOWS\System32\HPBPRO.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us10.hpwis.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75 -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ClipCache] C:\Program Files\ClipCache\clipc.exe /wait 3
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-1379034.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Print Using ClickBook (HKLM)
    O9 - Extra button: Research (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
     
  26. Conklin

    Conklin Private First Class

    Also, Chas...

    The other evening you gave me a list of things to delete or disable. One of them was BackWeb-137903.exe.

    I couldn't delete it "not allowed..." so I put an extra digit on it.

    Now when I boot up I get a message:
    "Runner Error"
    "Invalid BackWeb application id 1379034"
    "OK"

    What to do?

    bill
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bill,

    When deleting any of these items, it is most likely a good idea to turn off System Restore, otherwise they could come back. Also always double check the c:\windows\Prefetch folder too.

    In fact it may be a good idea to turn off System Restore on this PC until we think we are finished fixing it.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run msconfig and uncheck all those Startup Applications. That should stop them from running. Then if still in the HijaakThis log fix them. Also,

    You should not rename BackWeb-137903.exe as you did. First rename it back to BackWeb-137903.exe. And then try having HijaakThis fix this line in your log (which I show with the correct number):
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    That should stop it from loading. If not, the next time you reboot click Start, Run, All Programs, find the Startup folder, and if you see that program in there right click on it and delete it.
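    The check Chas describes (fix the entries, reboot, post a fresh log and see whether they came back) can be done mechanically. The following script is an added example and is not part of this thread or of HijackThis: it parses the O4 autostart lines of a "before" and an "after" HijackThis log, reports which entries disappeared, appeared or changed target, and lists which autostart targets still show up in the "Running processes" section. The two log excerpts are constructed from the logs posted above, with the kdx, DIGStream and HPHmon05 entries present only in the first.

```python
"""Compare the O4 (autostart) entries of two HijackThis logs.

Added example (not from the thread). It answers the question the thread
asks by hand after every reboot: which startup entries are gone, which
came back, and which autostart programs are actually running right now.
"""
import re
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (location, entry name), e.g. ("HKLM\\..\\Run", "kdx")

# "O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe"
RUN_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# "O4 - Global Startup: Updates from HP.lnk = C:\...\BackWeb-137903.exe"
LNK_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.+)$")
# First executable in a command, quoted or not ('"C:\x y\a.exe" /r', 'LTMSG.exe 7')
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)

# Constructed excerpts based on the 6/26 and 6/27 logs posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-1379034.exe
"""


def parse_o4(log: str) -> Dict[Key, str]:
    """Return {(location, name): command} for every O4 line in a log."""
    entries: Dict[Key, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if m:
            entries[(m["where"], m["name"])] = m["cmd"].strip()
    return entries


def running_processes(log: str) -> List[str]:
    """Lower-cased basenames listed under 'Running processes:' (ends at a blank line)."""
    procs: List[str] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_section = True
            continue
        if in_section:
            if not line:
                break
            procs.append(line.rsplit("\\", 1)[-1].lower())
    return procs


def exe_basename(cmd: str) -> str:
    """Lower-cased file name of the executable an O4 command launches ('' if none)."""
    m = EXE_RE.match(cmd.strip())
    return m["exe"].rsplit("\\", 1)[-1].lower() if m else ""


def diff_autostarts(before: str, after: str) -> Tuple[List[Key], List[Key], List[Key]]:
    """(removed, added, changed-target) autostart entries between two logs."""
    b, a = parse_o4(before), parse_o4(after)
    removed = sorted(k for k in b if k not in a)
    added = sorted(k for k in a if k not in b)
    changed = sorted(k for k in b if k in a and b[k] != a[k])
    return removed, added, changed


def still_running(log: str) -> List[str]:
    """Names of autostart entries whose executable appears in the same log's process list."""
    procs = set(running_processes(log))
    return sorted(name for (_, name), cmd in parse_o4(log).items() if exe_basename(cmd) in procs)


if __name__ == "__main__":
    removed, added, changed = diff_autostarts(LOG_BEFORE, LOG_AFTER)
    print("gone since last log:   ", [n for _, n in removed])
    print("new since last log:    ", [n for _, n in added])
    print("target changed:        ", [n for _, n in changed])
    print("autostarts now running:", still_running(LOG_AFTER))
```

    The "target changed" line is what catches the renamed BackWeb-1379034.exe: the launcher shortcut survived the rename and now points at a file name that no longer matches what the program expects, which is the "Invalid BackWeb application id" error reported above.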
     
  29. Conklin

    Conklin Private First Class

    Chas,

    I again turned off "System Restore." Don't recall turning it back on, but must have.

    Went Run>msconfig>startup; three things no longer there:
    hphmon05
    digstream
    Khost

    (After finding those three earlier today, had "fixed them" again on Hijaak, so apparently they have not as yet returned.)

    I unchecked:

    Realsched
    Backup-Notify
    BackWeb-8876480
    hpoddt01.
    I found "mmtask" there, from MusicMatch on our original delete list so I unchecked it.

    I rebooted and then went back again to look at Startup.
    BackWeb-8876480 showed an empty box, but was again present and checked, as well.

    Here's a log.
    I have become suspicious of all with "hP" designations.
    Logfile of HijackThis v1.97.7
    Scan saved at 9:54:30 PM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ClipCache\clipc.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
    C:\My Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us10.hpwis.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75 -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ClipCache] C:\Program Files\ClipCache\clipc.exe /wait 3
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Print Using ClickBook (HKLM)
    O9 - Extra button: Research (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    Our correspondence has grown massive. I truly appreciate your interest.
    Goodnight, Chas...


    bc
     
  30. Conklin

    Conklin Private First Class

    Oh, yes. I went back and renamed BackWeb-137903, as you said to.
    That was a dumb thing I did!
    bill :rolleyes:
     
  31. Conklin

    Conklin Private First Class

    Chas,
    The last for tonight, I promise!
    I rebooted again, and again, BackWeb-8876480 appears and is checked again, even though I had just fixed it with Hijaak.

    I went to Program Files/Logitech.
    There are two folders:
    Mouseware
    Desktop Manager

    Under the latter is a folder called 8876480, and under that a lot of sub-folders, files, etc.

    I really have no interest in Logitech Desktop mgr. I do happen to use a mouse of theirs.

    Can I just delete the entire folder 8876480?

    bill
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe just deleting the folder will cause an error at run time. You need to first stop the program from trying to run. We need to find out where it is loading. Search your registry to see if you can find any lines with BackWeb-8876480 in them.
     
  33. Conklin

    Conklin Private First Class

    Chas,

    Alas, I don't know how to search the registry.
    What to do?

    When we get all the stuff out that we want out, we'll be done.

    BTW, on the laptop (remember it? That's how we started!) AA and SB scans show no probs. I ran Hijaak, and there are only a couple of things I wonder about, and they are from HP and Logitech. The mouse I had bought for the laptop is a logitech mouse, so 8876480 is on there too.

    When we finally finish with the desktop, which should be soon, I'll send you a log on the laptop. I figure if we find out how to get rid of 8876480 on the desktop, the same thing will work on the laptop.

    I wouldn't mind getting rid of MS Msgr which I don't use, and which I find annoying.

    Later...

    bill
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To search or edit the registry, click Start, Run, and in the Open box enter "regedit" without the quotes. The registry editor will come up. If you now click on Edit and then Find a window comes up for you to enter what you want to find. It will search and stop with a highlighted line when it finds a match. At that point, just hitting the F3 key will continue the search for the same thing again.

    Be careful what you do in the registry. You can break things.

    Since you don't use MSN Messenger, look in Add/Remove programs for an uninstall!
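    The Edit > Find / F3 loop described above shows one registry hit at a time. The script below is an added example (not chaslang's or MajorGeeks' own tooling) that does the same search from PowerShell and lists every hit at once: it checks the well-known autostart Run keys first, because a startup entry that keeps reappearing after being fixed in HijackThis (the O4 lines in the log) is usually re-written there, and then walks HKLM\SOFTWARE and HKCU\SOFTWARE. It only reads and reports; it changes nothing. The search string `BackWeb-8876480` is the one from this thread; the script name and the two starting hives are assumptions. Run it from an elevated prompt so the HKLM walk is complete.

```powershell
<#
  Added example: read-only registry search for a text fragment.
  Usage (script name is assumed):
      .\Find-RegistryString.ps1 -Pattern 'BackWeb-8876480'
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Pattern,                                            # substring, case-insensitive
    [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE')     # assumed starting points for the full walk
)

# Autostart locations that correspond to HijackThis "O4 - HKLM\..\Run" and "O4 - HKCU\..\Run" lines.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Plain substring test; avoids -like so characters such as [ ] in the pattern are not treated as wildcards.
function Test-Contains {
    param([string]$Text, [string]$Needle)
    return $Text.IndexOf($Needle, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
}

# Inspect one key: report a match in the key name, in any value name, or in any value's data.
# Multi-string and binary values are rendered as text so they can still be matched.
function Test-KeyForPattern {
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Needle, [string]$Source)
    $hits = @()
    if (Test-Contains -Text $Key.Name -Needle $Needle) {
        $hits += [pscustomobject]@{ Source = $Source; Key = $Key.Name; Value = '(key name)'; Data = '' }
    }
    foreach ($name in $Key.GetValueNames()) {
        $data  = [string]$Key.GetValue($name)
        $label = if ($name -eq '') { '(Default)' } else { $name }
        if ((Test-Contains -Text $name -Needle $Needle) -or (Test-Contains -Text $data -Needle $Needle)) {
            $hits += [pscustomobject]@{ Source = $Source; Key = $Key.Name; Value = $label; Data = $data }
        }
    }
    return $hits
}

$results = @()

# 1. The autostart keys, checked individually so a hit here stands out.
foreach ($path in $runKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if ($key) { $results += Test-KeyForPattern -Key $key -Needle $Pattern -Source 'Run key' }
}

# 2. Full recursive walk of the chosen hives (keys we cannot read are skipped silently).
foreach ($hive in $Hives) {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $results += Test-KeyForPattern -Key $_ -Needle $Pattern -Source 'Walk'
    }
}

if ($results.Count -eq 0) {
    Write-Output "No registry entries containing '$Pattern' were found under $($Hives -join ', ')."
} else {
    $results | Sort-Object Source, Key | Format-Table -AutoSize -Wrap
}
```

    The output is a table of Source, Key, Value and Data, which is the same information regedit shows in its status bar and right-hand pane for each Find hit. Reporting is deliberately separate from removal: as the post above says, the first step is to stop the program from loading (through the vendor's own disable option or Add/Remove Programs), and only then is deleting its folder safe; deleting registry values by hand remains a last resort that should be preceded by a registry export.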
     
  35. Conklin

    Conklin Private First Class

    Chas,
    Went to regedit, did as you said. Was VERY careful! Changed NOTHING!
    There was considerable mention of BackWeb-8876480
    Here is my reproduction of what was on that screen as I printed it out.

    ==========================================

    Key name: HKEY_LOCAL_MACHINE\SOFTWARE\Backweb\Backweb-Client\Applications\88764080\ComponentsToRegister\backweb-8876480.exe
    Class Name: <No Class>
    Last Write Time: 6/24/2004 - 11:38 AM
    Value 0
    Name: Path
    Type: REG_SZ
    Data: C:\Program Files\Logitech\Desktop Messenger\8876480\Program

    Value 1
    Name: RegType
    Type: REG_SZ
    Data: ComEXE

    Value 2
    Name: Type
    Type: REG_SZ
    Data: BW

    =========================================

    In looking at the "Tree" as shown above, on the left side of the page,
    the tree is as above.

    Under ComponentsToRegister I found:

    BackWeb-8876480.exe
    BWCHelper-8876480.dll
    BW Files-8876480.dll
    BWscripttext-8876480.dll
    and several others that don't mention BW.

    What do we do now?

    If it wasn't for all the hP and Logitech crap, we'd be done now!

    bill
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To disable the Logitech Desktop Messenger try this:

    Simply go to "Start," "Programs," "Logitech," and click on "Desktop Messenger." There are two check boxes which are self descriptive. You can choose to disable either or both check boxes.

    Maybe the HP stuff is similar. Also check Add/Remove programs to see what's in there that can be uninstalled.
     
  37. Conklin

    Conklin Private First Class

    Chas,

    I disabled the Logitech Desktop Mgr as you said.
    There was no similar box for hP.
    I took out a few things with Add/Remove.

    What about all that stuff you had me find in Registry?

    bill :)
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  39. Conklin

    Conklin Private First Class

    I removed a couple of games that came with the computer. Not the main games like Solitaire, but some stuff that hP threw in. And I removed one thing that hP has that is some sort of "Update." I forget the exact name.

    I think I have the computers about where both need to be, and we can end this for now, at least until I get into further trouble!

    Chas, your help has been wonderful. You have been patient, kind, and informative. I feel like I've not only gotten my computers fixed, but it's been very educational too.

    Thank you very much!

    Bill Conklin
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bill,

    You're welcome! It's been fun. Talk to you again. :)

    Chas
     
