Home / Forums Index / WebmasterWorld / Webmaster General

Webmaster General Forum

    
Help with Spyware please!
I've run Spybot S&D and Spyscanner and still no luck!
Didgery

5+ Year Member



 
Msg#: 8550 posted 5:48 am on Apr 29, 2005 (gmt 0)

I'm not much good with computers - Spybot S&D has gotten rid of most of our spyware and adware trouble but there are still popups, including a lot of "Aurora" messages and some "registry cleaner" messages as well as ads for online colleges, health products, etc, etc, etc. I ran HijackThis and came up with the following Logfile - being a beginner, I'm not sure what to do next. Help? Thanks so much!

Logfile of HijackThis v1.99.1
Scan saved at 10:33:04 PM, on 4/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\3197dbf6\3197dbf6.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\3197dbf6\46793539.exe
C:\Program Files\3197dbf6\3197dbf6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jones\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [srch-us4.hpwis.com...]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [us4.hpwis.com...]
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemhg32.exe
O4 - HKLM\..\Run: [3197dbf6] C:\Program Files\3197dbf6\3197dbf6.exe
O4 - HKLM\..\Run: [ws8j35U] nvqpress.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [licecn] C:\WINDOWS\System32\licecn.exe
O4 - HKCU\..\Run: [hBrtRRYmR] msxepad.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} - [content.hiwirenetworks.net...]
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - [us.chat1.yimg.com...]
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - [207.188.7.150...]
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - [toolbar.google.com...]
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - [instantsupport.hp.com...]
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} - https://www4.lsac.org/OIFActiveX/ofmctlnew.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - [download.sidestep.com...]
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - [a840.g.akamai.net...]
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

Essex_boy

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member



 
Msg#: 8550 posted 6:17 am on Apr 29, 2005 (gmt 0)

Try Panda Software; they have a free, daily updated antivirus program.

frenzy77

10+ Year Member



 
Msg#: 8550 posted 9:23 am on Apr 29, 2005 (gmt 0)

Hi didgery:)

<snip>

Hope this helps:)

frenzy77

[edited by: Brett_Tabke at 1:48 pm (utc) on April 30, 2005]
[edit reason] no solicitations please [/edit]

rocknbil

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 5+ Year Member



 
Msg#: 8550 posted 3:40 pm on Apr 29, 2005 (gmt 0)

Also Didgery I sent you a URL of a tech support friend's site, since you already have that log, you can send it to him and he'll review it. Be sure to drop him a donation. :-)

bcolflesh

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 8550 posted 3:51 pm on Apr 29, 2005 (gmt 0)

Hi-Wire adware infection - removal info here:

[www3.ca.com...]

<edit>

And here's the Aurora remover:

[mypctuneup.com...]

</edit>

papachumba

10+ Year Member



 
Msg#: 8550 posted 4:36 pm on Apr 29, 2005 (gmt 0)

When you run out of all the options, the BEST solution to your problem is:

1. Backup
2. The Windows XP disk - stick that in the drive, boot up, format, install
3. Reinstall all the applications

and you'll find your PC runs about 30% faster too.

I do it every 6 months or so...

renee

10+ Year Member



 
Msg#: 8550 posted 10:07 pm on Apr 29, 2005 (gmt 0)

Before you back up, which is too drastic a process, you might want to just restore your system to an earlier version. This assumes that your XP has been periodically storing a copy of your system. There are usually several copies, so you may have to iterate to choose the oldest copy that is clean from the spyware.

From your control panel choose your computer. Then click help. If you don't see restoring your computer, you may have to do a search.

Good luck.

Didgery

5+ Year Member



 
Msg#: 8550 posted 6:34 pm on Apr 30, 2005 (gmt 0)

Well, I've tried most of the suggestions given - thanks, everyone! I haven't yet tried the drastic step of reinstalling Windows XP, because somehow when we moved across the country recently the disk vanished! I DID try the system restore feature, and that was unsuccessful.
At least there's less adware on my system now, even if it's not entirely gone!

I've appreciated your advice. Thanks!

4crests

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 8550 posted 7:26 pm on Apr 30, 2005 (gmt 0)

I had a nasty one recently. It installed a couple different viruses, a dialer and a bunch of different Adware/Spyware. It was like a big combo of a bunch of junk that installed onto my computer all at once, like a VIRUS BOMB or some darn thing. Was horrible. Took a day and a half, but finally got rid of everything.

Go to START and RUN and type MSCONFIG, then into the STARTUP tab in MSCONFIG. Go through each item and do a google search on each item. You can find out if each item is supposed to be there or not, and if not, how to get rid of it. Also, do a CTRL-ALT-DELETE and click on the Processes tab, and do the same google search on each item. Also, go to CONTROL PANEL, ADD/REMOVE PROGRAMS and remove anything that shouldn't be there.

Along the way, I found LAVASOFT'S AD-AWARE program very useful. But some stuff was still not going away. Finally, I purchased NORTON INTERNET SECURITY suite, and it finished fixing the rest. I also at some point used HIJACKTHIS and CWSHREDDER.

Good Luck

Didgery

5+ Year Member



 
Msg#: 8550 posted 7:45 pm on Apr 30, 2005 (gmt 0)

I downloaded a free trial of Spyware Doctor, and it claims to have found 671 infections that were not identified by Spybot S&D or Webroot Spyscanner. But it wants me to purchase the full version for thirty bucks before it will actually quarantine or remove these 671 offenders. Could it be the solution? Or are they pulling my leg?

Automan Empire

5+ Year Member



 
Msg#: 8550 posted 8:16 pm on Apr 30, 2005 (gmt 0)

During a previous problem, I tried a free scan from Spyware Begone, which also claimed to find things that Spyware S&D didn't... but I didn't buy it and I can't make it begone! Drat! Spyware S&D is a good program as far as it goes, but it won't catch everything.
I ended up buying Spyware Xterminator from stompsoft... it not only found and cleaned things S&D and Begone didn't, but it seems to be doing an excellent job of keeping these things from installing on my computer again.
Disclaimer: I have no stake in any companies mentioned; I'm just a fellow consumer here.

kwngian

10+ Year Member



 
Msg#: 8550 posted 5:26 pm on May 1, 2005 (gmt 0)


Some of the startup processes listed can be removed using regedit. (Start, Run, type regedit)

Suggest you delete the following registry keys:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [srch-us4.hpwis.com...]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [us4.hpwis.com...]
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemhg32.exe
O4 - HKLM\..\Run: [3197dbf6] C:\Program Files\3197dbf6\3197dbf6.exe
O4 - HKLM\..\Run: [ws8j35U] nvqpress.exe
O4 - HKCU\..\Run: [licecn] C:\WINDOWS\System32\licecn.exe
O4 - HKCU\..\Run: [hBrtRRYmR] msxepad.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

Edit and remove the following from your system.ini file, located in the Windows directory. Sounds like IP nailing software. If you're not running any server, remove it.

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Should delete the following too if I were you, but I am not sure. (Start, Run, type CMD, then type c:\windows\system32\regsvr32 /u npdocbox.dll)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\..\Run as reported by HijackThis refers to the registry entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Update Windows thoroughly, disable install on demand for IE & Others & also disable third-party browser extensions under Internet Options, Advanced.

Uninstall all P2P software if you really want to be free of spyware.

Some entries will miraculously reappear by themselves just after you restart, so it is best to remove them in Safe Mode. (press F8 on startup)
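
As an added example (not part of any poster's message and not HijackThis's own logic), the Python below parses HijackThis autostart lines, expands the `HKLM\..\Run` shorthand to the full registry path described above, and flags entries worth looking up. The function names and the three heuristics are assumptions chosen for illustration; the sample lines are a subset copied from the log in the first post.

```python
import re

# Sample input: a subset of lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [3197dbf6] C:\Program Files\3197dbf6\3197dbf6.exe
O4 - HKLM\..\Run: [ws8j35U] nvqpress.exe
O4 - HKCU\..\Run: [hBrtRRYmR] msxepad.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.I)
HEX_DIR_RE = re.compile(r"\\[0-9a-f]{8}\\", re.I)  # assumed heuristic: 8-hex-digit folder


def expand_key(hive, leaf):
    """Expand HijackThis's 'HKLM\\..\\Run' shorthand to the full registry path."""
    return HIVES[hive] + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + leaf


def triage(log):
    """Return (reason, location, value) tuples; a hit is a prompt to look up, not a verdict."""
    findings = []
    for line in map(str.strip, log.splitlines()):
        m = SHELL_RE.match(line)
        if m:
            extra = m.group(1).split(None, 1)[1:]  # anything after Explorer.exe
            if extra:  # Shell= normally holds only Explorer.exe
                findings.append(("extra program in Shell=", "REG:system.ini", extra[0]))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, leaf, name, cmd = m.groups()
        key = expand_key(hive, leaf) + "\\" + name
        if "\\" not in cmd:  # bare file name, located through the search path
            findings.append(("no path, found via search order", key, cmd))
        elif HEX_DIR_RE.search(cmd):
            findings.append(("hex-named program folder", key, cmd))
    return findings


if __name__ == "__main__":
    for reason, where, value in triage(SAMPLE_LOG):
        print(f"{reason}: {where} -> {value}")
```

Entries that pass these checks are not thereby shown to be clean; each autostart still needs to be identified by name and publisher before it is kept or removed.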

Didgery

5+ Year Member



 
Msg#: 8550 posted 8:17 pm on May 2, 2005 (gmt 0)

Thanks for all the suggestions - it's been 5 days, and FINALLY things seem to be back to normal (except my Paint program seems to have disappeared, which really miffs my five year old). In any case, I'm grateful for the tips.

MrSchmidt

10+ Year Member



 
Msg#: 8550 posted 10:32 pm on May 2, 2005 (gmt 0)

Go to start, run and type in mspaint then hit ok and see if the paint program opens.
ED

rharri

10+ Year Member



 
Msg#: 8550 posted 12:20 am on May 3, 2005 (gmt 0)

Just saw this thread: Some spyware uses the system restore to re-infect after being deleted. It may also help to boot into safe mode before running Spybot etc.

Bob
