Thread ID: 57884 2005-05-15 08:25:00 how to stop popupz and spyware lmv4 (8123) Press F1
Post ID Timestamp Content User
355378 2005-05-17 08:37:00 Have you tried booting into safe mode to scan your computer using Ad-aware and Spybot Search & Destroy? Bear in mind that as an Internet user, you should always have these utilities and software in your computer: Antivirus, Anti-Spyware / Adware and Firewall. Keep this software constantly updated.

Cheers :)
Renmoo (66)
355379 2005-05-17 09:04:00 Logfile of HijackThis v1.99.1
Scan saved at 7:57:47 PM, on 5/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\shnlog.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\seeve.exe
c:\windows\system32\ulemzsu.exe
C:\WINDOWS\System32\cpudbg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\ Yahoo! \Messenger\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.startsearches.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.startsearches.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp7B07.tmp
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AutoPlay] C:\HP\BIN\AUTOPLAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bluestart] C:\\rraut.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\new_zealand.exe -N
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenrv32.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [p36U3Fi] cpudbg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [fxnjwke] c:\windows\system32\ulemzsu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ Yahoo! Pager] C:\Program Files\ Yahoo! \Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Y0p8RPGFX] cmmbase.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\ Yahoo! \MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\ Yahoo! \MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {22C2392B-D087-41E0-A953-2290836996A5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {22C2392B-D087-41E0-A953-2290836996A5} - (no file) (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: Yahoo! Pool 2 - download.games.yahoo.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - groups.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - v5.windowsupdate.microsoft.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - advnt01.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - www.mngt.waikato.ac.nz
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - download.mcafee.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
lmv4 (8123)
355380 2005-05-17 09:06:00 ty every1 4 help;

here is my log.
lmv4 (8123)
355381 2005-05-17 09:21:00 kumaraguy - I have moved the post you made of your hijackthis log from this thread and into a separate new thread (pressf1.pcworld.co.nz). This is to stop confusion of having two different problems and two different people being given advice in lmv4's thread. :) Jen (38)
355382 2005-05-17 09:44:00 OK, well I am no expert on hijackthis logs, but you can run your log through an online analyser which can flag suspect entries.

Run Hijackthis again, and this time select the following entries to be fixed:

C:\Program Files\ISTsvc\istsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.startsearches.net/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.startsearches.net/bar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.startsearches.net/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.startsearches.net/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.startsearches.net/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.startsearches.net/search.php?qq=%1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/

R3 - Default URLSearchHook is missing

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp7B07.tmp

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/...all/xscan53.cab

O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - advnt01.com/dialer/internazionale_ver10.CAB

-------------------------------------------------------

online analyser (www.hijackthis.de/index.php)

There are possibly other entries as well that might need fixing, so see what others also suggest.

Have you updated your Antivirus program and scanned your PC recently?
Jen (38)
355383 2005-05-17 10:01:00 can you please jen put it up onto the online scanner? i just wanna ask u something about the results coming up

most say nasty, and some say fix then delete, what do i do here?
lmv4 (8123)
355384 2005-05-17 10:06:00 I've already run your log through one online scanner and posted the ones that jumped out as being nasty. The ones that mention blackweb are to do with your Hewlett-Packard computer and some of the software that HP install on it to provide a way of updating your computer - some consider this as "spyware", but I have ignored those entries for the time being. You have indications of viruses/trojans as well being present and I have spotted a few more entries that will need fixing.

Run the first lot of items to be fixed that I listed before and then re-run hijackthis again to create a new log and again post that back here. I think this will take several goes to get rid of everything as there are quite a few nasties lurking on your system.

Persistence will win I hope! :)
Jen (38)
355385 2005-05-17 10:08:00 list of suspects. google first then delete.
kinda surprised adaware etc didn't pick these up. make sure you have the latest ver and you run it in safe mode. i suspect that there are other parts to the infection that is hiding and you won't see them unless in safe mode.


C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\seeve.exe
c:\windows\system32\ulemzsu.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.startsearches.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.startsearches.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp7B07.tmp
O4 - HKLM\..\Run: [bluestart] C:\\rraut.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\new_zealand.exe -N
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenrv32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [p36U3Fi] cpudbg.exe
O4 - HKLM\..\Run: [fxnjwke] c:\windows\system32\ulemzsu.exe
O4 - HKCU\..\Run: [Y0p8RPGFX] cmmbase.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - advnt01.com
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - www.mngt.waikato.ac.nz
tweak'e (69)
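A sketch of the by-eye triage the two replies above apply to the log, added here as an example; it is not part of any post in this thread and is not the logic of HijackThis or of the online analyser. The rules, the function names and the `expected_hosts` parameter are assumptions chosen to match the entry types the replies single out; the sample is a trimmed excerpt of the log posted above.

```python
import re

# Excerpt of the HijackThis log posted in this thread (trimmed to a few lines).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.exe
C:\WINDOWS\popuper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.startsearches.net
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp7B07.tmp
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [p36U3Fi] cpudbg.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O15 - Trusted Zone: *.popuppers.com
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Entry lines look like "<letter><number> - <body>"; process paths do not.
ENTRY = re.compile(r"^([FNOR]\d{1,2}) - (.+)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")


def parse_log(text):
    """Return (code, body) for each 'R1 - ...' style entry; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review_reason(code, body, expected_hosts=frozenset()):
    """Return why an entry deserves a manual look, or None (hypothetical rules)."""
    if code in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].strip().lower()
        host = re.sub(r"^[a-z]+://", "", value).split("/")[0]
        if "." in host and host not in expected_hosts:
            return "IE start/search setting points at " + host
    elif code == "F2":
        shell = body.split("Shell=", 1)[-1].split()
        if "Shell=" in body and len(shell) > 1:
            return "extra program appended to the Shell= value"
    elif code == "O2":
        path = body.rsplit(" - ", 1)[-1]
        if not path.lower().endswith(".dll"):
            return "browser helper object file is not a .dll"
    elif code == "O4":
        m = RUN.match(body)
        if m and "\\" not in m.group("cmd"):
            return "autorun command has no directory, resolved via search path"
        if m and "\\temp\\" in m.group("cmd").lower():
            return "autorun starts a program from a Temp directory"
    elif code == "O15":
        return "site added to the IE Trusted Zone"
    return None


def triage(text, expected_hosts=frozenset()):
    """Parse a log and return (code, body, reason) for entries worth reviewing."""
    findings = []
    for code, body in parse_log(text):
        reason = review_reason(code, body, expected_hosts)
        if reason:
            findings.append((code, body, reason))
    return findings


if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

The output is a review queue, not a verdict: each flagged entry still needs the "google first then delete" check described above.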
355386 2005-05-17 10:20:00 here is my 2nd scan, ive run through the other things u told me to fix also, and this what came up after i had done so. :badpc:


Logfile of HijackThis v1.99.1
Scan saved at 9:12:44 PM, on 5/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\shnlog.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\seeve.exe
c:\windows\system32\ulemzsu.exe
C:\WINDOWS\System32\cpudbg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.startsearches.net/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp7B07.tmp
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AutoPlay] C:\HP\BIN\AUTOPLAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bluestart] C:\\rraut.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\new_zealand.exe -N
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenrv32.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [p36U3Fi] cpudbg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [fxnjwke] c:\windows\system32\ulemzsu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ Yahoo! Pager] C:\Program Files\ Yahoo! \Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Y0p8RPGFX] cmmbase.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\ Yahoo! \MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\ Yahoo! \MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {22C2392B-D087-41E0-A953-2290836996A5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {22C2392B-D087-41E0-A953-2290836996A5} - (no file) (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: Yahoo! Pool 2 - download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099954962078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - www.mngt.waikato.ac.nz/myweb/papers/filemgr/filemgr/filearea/XUpload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4489/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
lmv4 (8123)
355387 2005-05-17 10:26:00 install sp2.

it seems you still have that start page, hjt will fix it.

your (www.hijackthis.de) log file checked out, (valid for 3 days)
Prescott (11)