Help getting rid of malware/spyware



opghost
2007-06-27, 16:33
Hi,

I've run spybot several times. It got rid of some, but not all of the problems. I would like to post a log here for you to look at and give me some advice, but I can't find where in spybot to get a log. Can you help me with that first?

The problems I am still having are a red triangle with an exclamation point in it in my task bar. That makes virus and spyware alerts pop up. My browser has also been hijacked. It won't let me set my own homepage. It adds bookmarks to my favorites and it adds icons that lead to antivirus websites on my desktop.

Could you please let me know how to post a log so that you can look at it? I have to go to work soon, so depending on when you answer, I might not be able to get back to you until later tonight or early tomorrow morning. Thank you in advance for your help!!

Gina

pskelley
2007-06-27, 18:06
Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

Hi Gina, what you need to do is look up at the top of the forum, that is where most forums post the instructions you need to start. I also posted those at the top of this page. Follow the instructions and when it is time to get the HJT log, please follow these instructions:

Download Trend Micro Hijack This™
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download
Download it to your Program Files folder.
Double-click the HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThis log.
Copy and paste the contents of the log in your next reply

Thanks

opghost
2007-06-28, 04:16
Thank you. I hope I am doing this correctly. The instructions on how to post are a bit confusing. I apologize if I am not doing it correctly. Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:12:32 PM, on 6/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\cscript.exe
C:\Documents and Settings\user\My Documents\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: MSVPS System - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - C:\WINDOWS\vpsnetwork.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playgames.comcast.net/online2/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: vpssup - {94B3BCE9-560B-47F0-8931-2D3E5B568AFC} - C:\WINDOWS\vpssup.dll
O21 - SSODL: expro - {016E653E-2BE5-48C6-9D10-538E7214EC18} - C:\WINDOWS\expro.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Thank you!
Gina

pskelley
2007-06-28, 12:36
Hi Gina, you are doing fine, not to worry, we will get through this. I apologize, you have a lot of issues I have to resolve to help you clean up. Please be patient with me also. To be sure we do not have a hidden Vundo infection, please return here:
My Documents\Hijack This\HijackThis.exe <<< rename HJT.exe, call it opghost.exe or whatever you wish.

I see this junk, click and read the information in the link:
O2 - BHO: MSVPS System - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - C:\WINDOWS\vpsnetwork.dll
http://sunbeltblog.blogspot.com/2006/04/is-mygeekcom-helping-security-scammer.html

Please read this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe <<< this is the Java scheduler and Java is out of date, download the newest version and uninstall all old versions in Add Remove programs.
When time permits, have a look at how that scheduler is set, if it is set correctly then I suggest you turn it off to save resources and update manually, that is what I do. The scheduler has a history of being buggy. You can complain to Java if you wish.

C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by AOL, probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

Do you know what this is: C:\WINDOWS\system32\cscript.exe see the Google:
http://www.google.com/search?hl=en&q=cscript.exe&btnG=Google+Search
It can be a trojan worm or a valid Microsoft script and we have to know. If you know, make me aware, if not use one or more of these free online scanners to find out:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

C:\Program Files\IncrediMail\ <<< did you install this on purpose and do you use it?

Is this the homepage you use: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/

Let's clean out some of the junk now to see what happens, read and follow the directions carefully:

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: MSVPS System - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - C:\WINDOWS\vpsnetwork.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playgames.comcast.net/online2...ploader_v6.cab
O21 - SSODL: vpssup - {94B3BCE9-560B-47F0-8931-2D3E5B568AFC} - C:\WINDOWS\vpssup.dll
O21 - SSODL: expro - {016E653E-2BE5-48C6-9D10-538E7214EC18} - C:\WINDOWS\expro.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

(these files may be gone, just do not miss them if they are there)

C:\WINDOWS\vpsnetwork.dll <<< delete that file

C:\WINDOWS\vpssup.dll <<< delete that file

C:\WINDOWS\expro.dll <<< delete that file

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post the information I requested above and a new HJT log. Please add any comments you think will help.

Thanks...Phil

opghost
2007-06-28, 16:54
Here is how far I have gotten. What you wrote is in red and italics.

Please read this:
http://forums.spybot.info/showpost.p...80&postcount=2
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe <<< this is the Java scheduler and Java is out of date, download the newest version and uninstall all old versions in Add Remove programs.

I did remove the old, but don't have room in my computer to install the new. Is it ok to reinstall after I have done all of this and removed some of these new programs that I don't need anymore?

I did remove Viewpoint.

Do you know what this is: C:\WINDOWS\system32\cscript.exe see the Google:
http://www.google.com/search?hl=en&q...=Google+Search

I used all three scanners that you recommended and they all said that it was ok.

C:\Program Files\IncrediMail\ <<< did you install this on purpose and do you use it?

Yes, Incredimail is my mail program. I use it for all of my email.

Is this the homepage you use: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/

No. That is the hijacked page. I have cleaned it a few times with Spybot, but it keeps coming back.


Did step 3 (Using HJT to delete lines that you told me to.)

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

(these files may be gone, just do not miss them if they are there)

C:\WINDOWS\vpsnetwork.dll <<< delete that file

C:\WINDOWS\vpssup.dll <<< delete that file

C:\WINDOWS\expro.dll <<< delete that file

This is as far as I have gotten. The vpsnetwork file was not there. The other two are there, but when I try to delete them, it tells me that they are write-protected, in use or disc is full and it can't delete them. I did a control alt delete to see if I could see them running in processes, but they were not there. What should I do now?

Thank you!
Gina

pskelley
2007-06-28, 17:22
Thanks for the information, please do this.

1) "but don't have room in my computer to install the new"
Explain what you mean by that, "don't have room"

2) Open My Computer then right click on your Local Disk C and click on Properties, when the Properties Window opens post for me the amount of Used space and Free space. Post it in GB's

3) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

4) Did you run the ATF-Cleaner you downloaded?

5) Post a new HJT log along with whatever else I requested.

Thanks.

opghost
2007-06-28, 17:37
1) Explain what you mean by that, "don't have room"

2) Open My Computer then right click on your Local Disk C and click on Properties, when the Properties Window opens post for me the amount of Used space and Free space. Post it in GB's.

I have a very small hard drive. Here is the info:
Free Space: 183 MB
Total Size: 3.92 GB

Windows XP takes up most of my hard drive.



3) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list).

AOL Instant Messenger
eBay Toolbar
HijackThis 1.99.1
hp deskjet 3500
hp deskjet 3500 series
HP Software Update
Image Web Server IE Plugins 2,0,0,104
IncrediMail Xe
Kaspersky Online Scanner
Macromedia Flash Player 8
MailWasher Free
Microsoft Office 2000 Small Business
MSDNS Service
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
WINSP Service



4) Did you run the ATF-Cleaner you downloaded?

No. I wasn't sure if it was ok to continue without deleting those files. But, now I have done it and here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:35:34 AM, on 6/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\notepad.exe
C:\Documents and Settings\user\My Documents\Hijack This\opghost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: expro - {016E653E-2BE5-48C6-9D10-538E7214EC18} - C:\WINDOWS\expro.dll
O21 - SSODL: vpssup - {644CB6FA-DF62-450D-ACC4-0D83B1D68F70} - C:\WINDOWS\vpssup.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

pskelley
2007-06-28, 18:18
Thanks for the information, please do not post your log in red, hard for my old eyes to read it.

You have a MAJOR problem with hard drive space, not even enough room to download critical updates that you will seriously need, and I would say doing away with Windows IS NOT an option.

A look at your uninstall list shows nothing you can uninstall to save the space you need. You can look at this information:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx to see what Microsoft has to say but I do not believe that will free up much space. To give you an idea, I have a 30 GB hard drive and you have 4 GB. I seriously think you are in the market for a new computer. You know Dell is selling new Desktops for $399.00.

I believe you would benefit from a diagnostic scan here: http://www.pcpitstop.com/
Help with results: http://pcpitstop.invisionzone.com/index.php?showforum=6
Tutorial: http://www.pcpitstop.com/techexpress/howto1.asp
Register free and then post a link to the results so I can see them, I doubt it will be much help, but we can see what they suggest.

Now to the HJT log, those two items I asked you to remove are bad trojans, and they must be removed. Remember HJT is also a process manager so when you remove items it ends the process so you can go to them and delete them, but you must do this without a reboot.
Read about those items:
C:\WINDOWS\expro.dll
http://www.google.com/search?hl=en&q=expro.dll&btnG=Search
C:\WINDOWS\vpssup.dll
http://www.google.com/search?hl=en&q=vpssup.dll&btnG=Search
as you can see they are very bad and must be removed from your computer.


This is what I would like you to do.

Make sure all files and folders are still unhidden or you won't see the junk.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
O21 - SSODL: expro - {016E653E-2BE5-48C6-9D10-538E7214EC18} - C:\WINDOWS\expro.dll
O21 - SSODL: vpssup - {644CB6FA-DF62-450D-ACC4-0D83B1D68F70} - C:\WINDOWS\vpssup.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\expro.dll <<< delete that file

C:\WINDOWS\vpssup.dll <<< delete that file

If you can not delete those files in that way, then do this:

How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\expro.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

You may be able to add the other file: C:\WINDOWS\vpssup.dll but if you can not, just go through the process again to delete the second file.

Post a new HJT log and any comments you think will help.

Thanks...Phil

opghost
2007-06-28, 18:59
Sorry about the red font. I thought you asked me to post the results in red.

You're right. I desperately need a new computer. I hope to be getting one in the next couple of months. I am just hoping that we can fix this one in the meantime. Ok, I ran the pitstop test. Here is the link:
http://www.pcpitstop.com/pcpitstop/Summary.asp?conid=18222489

I think (hope!) that the reboot thing that you had me do worked. I am not seeing the same things pop up in HJT again. I'll let you be the judge. Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:30 PM, on 6/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\WgaTray.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\My Documents\Hijack This\opghost.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [PCPitstop Registration Reminder] C:\Program Files\PCPitstop\Exterminate\Reminder.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: expro - {8AD07EA7-1F7E-4293-86D7-C6BE254F32AB} - C:\WINDOWS\expro.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

pskelley
2007-06-28, 20:48
No problem, I understand what it is to have a sick computer. We will get this one running as good as we can. I see one trojan is gone and the other has been deleted and we just need to move the dead line out of your HJT log, let's look at the log first, then I will look at your diagnostic report.

Logfile of HijackThis v1.99.1 Scan saved at 12:55:30 PM, on 6/28/2007

I'll make these suggestions:

Use HJT to remove this item, since the file is gone, it should remove with no problem now.
O21 - SSODL: expro - {8AD07EA7-1F7E-4293-86D7-C6BE254F32AB} - C:\WINDOWS\expro.dll (file missing)

You may use HJT to remove these also if you are done with them. If you ever need them again, the ActiveX will install again.
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab

I believe you just installed this one, I see no use for it, follow the instruction in the link:
O4 - HKLM\..\Run: [PCPitstop Registration Reminder] C:\Program Files\PCPitstop\Exterminate\Reminder.exe
http://forums.pcpitstop.com/index.php?showtopic=124223 The instructions vary a little, you should have no problem adjusting to them.

Look at this information for ideas to improve performance:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b

PCPitStop diagnostic:

I'm sorry, that is not a link to your test results. This is what the link I need to see will look like, this is not yours but another member's.
http://www.pcpitstop.com/pcpitstop/Summary.asp?TechExpress=AHLXHWNP9TVSQ6PW

Thanks
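The log-to-log comparison done by eye in this thread can be automated. As an added example (not part of the original thread and not a HijackThis feature), this Python code diffs two HijackThis logs and flags entries that were removed, that came back under a new CLSID, or that now point at a missing file. The log excerpts are copied from the scans posted above; the function names are illustrative.

```python
import re

# Section lines look like: "O21 - SSODL: vpssup - {CLSID} - C:\path (file missing)"
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

# Excerpts from the three scans posted in this thread (6/27 and 6/28/2007).
SCAN_1 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
O2 - BHO: MSVPS System - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - C:\WINDOWS\vpsnetwork.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: vpssup - {94B3BCE9-560B-47F0-8931-2D3E5B568AFC} - C:\WINDOWS\vpssup.dll
O21 - SSODL: expro - {016E653E-2BE5-48C6-9D10-538E7214EC18} - C:\WINDOWS\expro.dll
"""
SCAN_2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: expro - {016E653E-2BE5-48C6-9D10-538E7214EC18} - C:\WINDOWS\expro.dll
O21 - SSODL: vpssup - {644CB6FA-DF62-450D-ACC4-0D83B1D68F70} - C:\WINDOWS\vpssup.dll
"""
SCAN_3 = r"""
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: expro - {8AD07EA7-1F7E-4293-86D7-C6BE254F32AB} - C:\WINDOWS\expro.dll (file missing)
"""


def parse_entries(log_text):
    """Map each section line to an identity that ignores the CLSID and the
    '(file missing)' marker, so a re-registered entry keeps its identity."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines and the running-process list are skipped
        code, body = m.groups()
        clsid = CLSID_RE.search(body)
        stable = CLSID_RE.sub("", body).replace(MISSING, "")
        identity = (code, " ".join(stable.lower().split()))
        entries[identity] = {
            "raw": line,
            "clsid": clsid.group(0).upper() if clsid else None,
            "file_missing": MISSING in body,
        }
    return entries


def diff_logs(old_text, new_text):
    """Compare two logs and classify what changed between them."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    report = {"removed": [], "added": [], "reregistered": [], "orphaned": []}
    for ident, entry in old.items():
        if ident not in new:
            report["removed"].append(entry["raw"])
    for ident, entry in new.items():
        if ident not in old:
            report["added"].append(entry["raw"])
            continue
        before = old[ident]
        # Same name and file, different CLSID: the entry was written again
        # after the fix, which means something is still registering it.
        if entry["clsid"] != before["clsid"]:
            report["reregistered"].append(entry["raw"])
        # The registry value survives but its file is gone: a dead line
        # that can now be removed without resistance.
        if entry["file_missing"] and not before["file_missing"]:
            report["orphaned"].append(entry["raw"])
    return report


if __name__ == "__main__":
    for label, a, b in (("scan 1 -> 2", SCAN_1, SCAN_2), ("scan 2 -> 3", SCAN_2, SCAN_3)):
        print(label)
        for status, lines in diff_logs(a, b).items():
            for raw in lines:
                print(f"  {status:13} {raw}")
```

A "reregistered" hit after a fix means the file behind the entry was still loaded or something recreated the key, so the file has to go before the entry will stay removed.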

opghost
2007-06-28, 22:20
Sorry. Is this the right link?
http://www.pcpitstop.com/pcpitstop/Summary.asp?TechExpress=LEAXHWW3WTVS6QKW

Ok. I've cleaned out the last things that you told me. Here is my new log.

Logfile of HijackThis v1.99.1
Scan saved at 4:17:47 PM, on 6/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\My Documents\Hijack This\opghost.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [PCPitstop Registration Reminder] C:\Program Files\PCPitstop\Exterminate\Reminder.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


Phew! Do I have it now? Am I safe to do my online banking, applying for car loans, etc? Nothing is popping up anymore.

Thank you!
Gina

pskelley
2007-06-29, 00:14
Before I start, let me say that with those backdoor trojans you had, you can never be 100% sure you are safe. Change all of your passwords and watch things very, very carefully. Here is a link with information:
http://www.dslreports.com/faq/10451

I can give you all kinds of information about how to stay safe online and you can't get Windows Critical updates without which you will never stay clean. You must install Service Pack 2 and you do not have the room to do so.

http://www.pcpitstop.com/pcpitstop/Summary.asp?TechExpress=LEAXHWW3WTVS6QKW
You need to review all of this information to help you better understand the problems.

Each of those items under this: Customized Tune-up Tips are links you need to open and view.
the first two are critical as are two of the flags, Disk and Windows.

Disk: You have 3.93 GB and the recommended minimum is 20 GB

It is fairly obvious what your problems are, if you have any trouble understanding anything, let me know. They break it down so the layman can understand.
I fear it is a catch 22 in that you must have SP2 and you do not have space on the disk to install it?

If I can give you any good news, your HJT log is clean of malware, great job.

Strong passwords: How to create and use them
http://www.microsoft.com/athome/security/privacy/password.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

I may have posted this information earlier:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

If you have questions, or I can do more, please let me know.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

opghost
2007-06-29, 03:02
Thank you so much for all of your help! I will read all of the links you gave me and do what I can to make my computer safer for the next month or two until I get my new one. My new one will have 120 GB's. So, I won't have a problem installing what I need to keep me safe on that one.

Thank you again for all of the time that you put into helping me. I couldn't have gotten through this without you. I was ready to shut down the computer and give up on it until I get my new one. Which, I must tell you, horrified my teenage daughter. 2 months without a computer to a teenager today is like 2 months without a phone when I was a teenager. LOL!

Best of everything to you!!!

Gina

pskelley
2007-06-29, 10:51
Hi Gina, I will make a few suggestions for you to consider.
You badly need an antivirus program and a firewall for protection now. Because of the fact you don't have Service Pack 2 and can not install it because of the space requirement:
http://www.microsoft.com/windowsxp/sp2/sysreqs.mspx <<< alone it required 1.8 GB of hard drive space, I am going to suggest you use this computer for nothing but email. Web surfing is too dangerous, you are going to get infected.

I would look at every program you can dispose of (yes, including Incredimail) to remove so you can create space for the AV and firewall. Here are free ones:

Antivirus programs:
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

Firewalls:
http://www.jetico.com/index.htm#/jpfirewall.htm
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

These are all fair programs for the price, I would pick the one requiring the least space.

Look at the programs you have running and uninstall anything you can do without, the av and firewall are so much more important.

Run this Windows Cleaner and delete everything it finds:
http://spyware-free.us/tutorials/cleanmgr/

Delete anything we downloaded to clean with, free up all the space you can.
http://www.helpwithwindows.com/WindowsXP/howto-16.html

Your diagnostic shows this: Junk files 77 MB (2%) Hopefully clean manager will clean those, but you may want to check all of your temporary files and your Prefetch Folder and make sure they are empty.

If you have not defragged the computer yet, this tutorial will help.
http://artsweb.bham.ac.uk/artsit/Info/Guides/GoodPractice/defrag-win2kxp.htm

• Security At Home site
http://www.microsoft.com/athome/security/default.mspx
• Security Tips & Talk blog
http://blogs.msdn.com/securitytipstalk/default.aspx
• RSS feed: Get security information delivered to you
http://www.microsoft.com/athome/security/rss/default.mspx
• Security video tutorials
http://www.microsoft.com/athome/security/videos/default.mspx
• Security community for home users
http://www.microsoft.com/athome/security/newsgroup/default.mspx
• Support for your computer security issues
http://www.microsoft.com/athome/security/support/default.mspx

Thanks...Phil