HiJackThis Scan

Discussion in 'Computer Information' started by SilverR1_04, Aug 29, 2004.

  1. SilverR1_04

    SilverR1_04 Guest

    I got some weird searchbar, pop up style junk on my PC and tried removing
    it. I ran HiJack This, here is my log, is there anything here that should be
    removed?

    Logfile of HijackThis v1.98.2
    Scan saved at 9:55:26 AM, on 8/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\QUICKENW\QAGENT.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\WINDOWS\System32\hphmon05.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\NCLAUNCH.EXe
    C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Registry Mechanic\RegMech.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller?state=CA
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://us3.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
    C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program
    Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital
    Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program
    Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program
    Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P
    Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
    Software Update\HPWuSchd2.exe"
    O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
    O4 - HKCU\..\Run: [Active Desktop Calendar]
    C:\PROGRA~1\XEMICO~1\ACTIVE~1\ADC.exe
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
    Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: E-mail.lnk = ?
    O9 - Extra button: Yahoo! Messenger -
    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -
    C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -
    C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chat -
    http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Dominoes -
    http://download.games.yahoo.com/games/clients/y/dot7_x.cab
    O16 - DPF: Yahoo! Graffiti -
    http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! Pool 2 -
    http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} -
    http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) -
    http://mirror.worldwinner.com/games/v45/pool/pool.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
    http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl
    Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
    http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -
    C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
    SilverR1_04, Aug 29, 2004
    #1

  2. Scotoma

    Scotoma Guest

    free http://www.spybot.info/en/home/index.html
    http://www.javacoolsoftware.com/index.html
    http://www.lavasoftusa.com/
    not free http://pestpatrol.com/

    Or use google to look up and manually remove with HiJack This.

    Look below.
    Now you know what these are......



    Look up these..............
     
    Scotoma, Aug 29, 2004
    #2

  3. DeMoN LaG

    DeMoN LaG Guest

    Have HijackThis fix all of the lines below:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/
    *http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/
    *http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller?state=CA
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/
    *http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://us3.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/
    *http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program
    Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P
    Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
    Software Update\HPWuSchd2.exe"
    O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
    O4 - HKCU\..\Run: [Active Desktop Calendar]
    C:\PROGRA~1\XEMICO~1\ACTIVE~1\ADC.exe
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
    Files\Yahoo!\Messenger\ypager.exe -quiet
    O9 - Extra button: Yahoo! Messenger -
    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -
    C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -
    C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\MSMSGS.EXE
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} -
    http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) -
    http://mirror.worldwinner.com/games/v45/pool/pool.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl
    Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -
    C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
    DeMoN LaG, Aug 30, 2004
    #3
  4. Thor

    Thor Guest

    Demon, with all due respect you are having him eliminate some legit stuff
    there that is not responsible for the pop-up problem he is having. You
    should at least tell the OP what the non-spyware stuff is so he can choose
    whether or not he wants to get rid of it, because it might affect how he
    normally uses his machine. I know lots of users who most definitely want
    most of that stuff running at startup, as well as plenty who don't.


    This isn't spyware it's part of quicken financial software. If he uses
    Quicken, he may want this running for the financial updates.


    All of the above can be annoying, but they aren't known to be spyware, and
    they do have purposes, albeit noncritical.


    HP software updater


    yahoo pager/messenger


    MSN messenger

    Clearly something installed with the factory software.
     
    Thor, Aug 30, 2004
    #4
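The disagreement between posts #3 and #4 is really about triage: a HijackThis log mixes genuine indicators (an O2 BHO whose DLL is gone, an O16 ActiveX control pulled from a bare IP address) with startup items that are merely unnecessary. The script below is an added example, not part of this thread and not part of HijackThis; it parses v1.98-style log lines, rejoins entries that the mail client wrapped onto a second line (as the posted log shows), and sorts each entry into "suspicious", "optional" or "review" so the two classes are never handed to the user as one fix-everything list. The allow-list of Run-key labels is hand-written from Thor's post and is an assumption scoped to this log, and the sample log is a constructed excerpt of the one posted above.

```python
import re
from dataclasses import dataclass

# Allow-list of O4 Run-key labels that Thor's post identifies as legitimate but
# optional. Assumption: scoped to this thread's log; malware can reuse a friendly
# label, so look each binary up before trusting a name.
KNOWN_OPTIONAL_RUN = {
    "QAGENT": "Quicken agent (Quicken's automatic updates)",
    "TkBellExe": "RealPlayer update scheduler",
    "QuickTime Task": "QuickTime tray helper",
    "HP Software Update": "HP software updater",
    "Yahoo! Pager": "Yahoo! Messenger autostart",
}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
RUN_LABEL_RE = re.compile(r"\\Run: \[(?P<label>[^\]]+)\]")
URL_HOST_RE = re.compile(r"https?://(?P<host>[^/:\s]+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    section: str
    verdict: str  # "suspicious" | "optional" | "review"
    reason: str
    line: str


def parse_entries(log_text):
    """Return the R*/O* entries, rejoining lines that a mail client wrapped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
        elif entries:
            # Past the header and not a new entry: tail of the previous one.
            entries[-1] += " " + line
    return entries


def classify(entry):
    """Classify one HijackThis entry; returns None for header/process lines."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O2" and body.endswith("(no file)"):
        return Finding(sec, "suspicious", "BHO registered but its DLL is gone; a leftover that is safe to fix", entry)
    if sec == "R1" and "ProxyOverride" in body:
        return Finding(sec, "review", "proxy bypass list; only matters if an R1 ProxyServer line also exists", entry)
    if sec in ("R0", "R1"):
        return Finding(sec, "review", "start/search page; fixing resets it, confirm the user did not set it", entry)
    if sec == "O4":
        lab = RUN_LABEL_RE.search(body)
        label = lab.group("label") if lab else ""
        if label in KNOWN_OPTIONAL_RUN:
            return Finding(sec, "optional", KNOWN_OPTIONAL_RUN[label] + "; not spyware, ask before removing", entry)
        return Finding(sec, "review", "startup item not on the allow-list; look the binary up first", entry)
    if sec == "O16":
        um = URL_HOST_RE.search(body)
        if um and IPV4_RE.match(um.group("host")):
            return Finding(sec, "suspicious", "ActiveX control fetched from a bare IP instead of a named host", entry)
        return Finding(sec, "review", "downloaded ActiveX control; keep only if the site is still used", entry)
    return Finding(sec, "review", "no specific rule; verify the file or URL it points at", entry)


def triage(log_text):
    return [classify(e) for e in parse_entries(log_text)]


def report(findings):
    """Group by verdict so 'suspicious' and 'optional' are never conflated."""
    groups = {"suspicious": [], "optional": [], "review": []}
    for f in findings:
        groups[f.verdict].append(f)
    return groups


# Constructed excerpt of the log posted above, with its original line wrapping
# kept so parse_entries() has to rejoin continuation lines.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P
Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
Software Update\HPWuSchd2.exe"
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl
Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
"""

if __name__ == "__main__":
    for verdict, items in report(triage(SAMPLE_LOG)).items():
        print(f"== {verdict} ({len(items)})")
        for f in items:
            print(f"  {f.section}: {f.reason}\n      {f.line}")
```

Run against the excerpt, only the orphaned BHO and the ActiveX control served from 216.249.24.142 land in "suspicious"; the Quicken and HP updater entries come out "optional" with a one-line description, which is exactly the extra information Thor asks for, and anything unrecognised (here the P2P Networking autostart) is left for the operator to look up rather than silently fixed.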
  5. SilverR1_04

    SilverR1_04 Guest

    Thanks Thor, I didn't remove most of them for that reason.


     
    SilverR1_04, Aug 30, 2004
    #5
  6. Jim Berwick

    Jim Berwick Guest

    Not responsible for popups, true. Not necessary to run and won't cause any
    ill effects to remove from startup.
     
    Jim Berwick, Aug 30, 2004
    #6
  7. Thor

    Thor Guest

    true but it may also cause frustration for the user when suddenly his
    quicken isn't receiving automatic updates any longer, or his yahoo pager
    isn't automatically launching with his connection any longer, etc. Depending
    on the user's level of expertise, it may be difficult for some to restore
    those items. Especially if they end up deleting the HijackThis! backup
    folder before they realize what happened. All I'm suggesting is to give more
    information along with the recommendation so they can know what non-spyware
    stuff they are being told to get rid of, and what it does. Not everyone
    wants their machine completely devoid of startup TSRs. Many do want the
    features they bring. I've had to learn to rein in my own preferences when
    working on customers' machines. Sometimes it drives me nuts when I see what
    they have running, but I always ask before getting rid of stuff like that,
    because as soon as I don't, that will be the customer who complains about
    something not running the way they are accustomed to using it.
     
    Thor, Aug 30, 2004
    #7
  8. Jim Berwick

    Jim Berwick Guest

    The only Yahoo pager entry I recommended removing (that I remember, at
    least) is that annoying button on the IE toolbar.
    True. I don't randomly remove stuff off of people's machines that I deal
    with at work for the same reason. But outside of work I stick firm to
    lose the fat. Stuff like TKbell (realplayer) is completely worthless. I
    can't understand why anyone would want that running unless they
    completely don't understand what it is.
     
    Jim Berwick, Aug 30, 2004
    #8