Jump to content

Change Mode


Trusted Malware Techs
  • Content Count

  • Joined

  • Last visited

Posts posted by Indrid_Cold

  1. Thank you for the kind thoughts DougH. You are most welcome. It was my pleasure.


    To reduce the potential for spyware infection in the future, I recommend installing the following free products



    It will prevent spyware from being installed and consumes no system resources.




    It offers realtime protection from spyware installation attempts.




    It places over 4000 websites and domains in your IE's restricted zone.



    I would also recommend that you read this thread written by Expert Tony Klein.

    So how did I get infected in the first place


    Stay safe out there DougH

  2. I think these 8 items did not appear in the prior HJT and then appeared after I deleted some items in C:\hp\bin.

    These entries have shown up in your previous logs.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/

    These entries are just a matter of preference. You can change your start page to any URL you desire any time you desire.


    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} –

    This is a Spybot BHO. The file 'SDHelper.dll' should be listed. If this was just a CutnPaste error no problem. If the file is now missing in your log, uninstall Spybot and reinstall it to fix.


    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL (file missing

    Go ahead and fix this entry.


    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    If you want this entry gone, I would suggest looking in Add/Remove Programs first before fixing with HJT.


    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll


    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

    I would again suggest you look to remove these entries through Add/Remove Programs before fixing with HJT. Word of Advice! Do Not delete the shdocvw.dll file. It is a legit M$ file.


    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    This is a Real Com button. It may be missing or due to a bug in HJT it will only appear to be missing. It's an optional and can be fixed if you so desire.


    Hope that clears things up.

  3. Hi Doug.


    Looks like I might have taken a small step backward when fooling around trying to delete items from C:\hp\bin\

    Unsure why you are listing some of these entries from the log.


    The last log you posted is clean as a hound's tooth.


    At this point I can only assume you may have some process/es running that are taking up cycles. If they are bad, none of the security apps we/you have run are identifying them. My advice would be to carefully look over what processes are running on the PC. Google them and if you find no information on the file or the only hits that show up are in the malware forums, they are most likely bad. Here is a tool that may offer some assistance.


    Find out detailed information about the processes running under Windows. This utility gives you the full list of DLLs for each running application, including full path and version information. You can also write scripts and debuggers to more closely examine processes. The program shows all parent/child relationships to system processes. This latest version displays all DLLs currently in use, as well as which processes use a DLL you select.


    Download PrcView HERE

  4. I will do my best to address your concerns.


    I have internet connectivity from the "target HP computer" and have run a few Pit Tests and done other browsing. I can get to Microsoft.com all the way to XP Home, but when I "click" for Windows Updates, it takes me to that page and displays "Checking for the latest version of Windows Update software..." The page just stalls at that point. No error messages.... just no action. I am currently running XP Home SP1 on that HP machine without much in the way of current updates beyond that. Had hoped to update to SP2. But alas, no joy.

    I would recommend that you hold off with any updates until you are clean. Let's see how things progress after removing those Trojans in the mwav log.


    CD-RW/DVD-ROM is Philips CDD5301 in this HP Pavilion 515x.

    Though I can understand your inital suspicion, my guess would be this is nothing more sinister then a coincidental hardware failure.


    Kinda/sorta problem or new info... I decided to try a-squared (a2) It identifies C:\hp\bin\terminator.exe. I removed that item, but it didn't improve anything.

    You may find these links enlighting. Castlecops McAfee


    Tried to clean up my Temporary Internet Files.

    Those .js files are JScript While that does not mean that they are malware, they can be. You may want to Google those and if you find they are bad, remove them. If you are denied access, they may be running and will need to be deleted in Safe Mode.


    Let's nuke those trojans.


    Delete these files and/or folders listed in bold

    C:\WINDOWS\wt<-----this folder

    C:\WINDOWS\adjvdg.exe<-----this file

    C:\WINDOWS\iodoa.dll<-----this file

    C:\WINDOWS\mm19.ocx<-----this file

    C:\WINDOWS\mm20.ocx<-----this file

    C:\WINDOWS\newj.exe<-----this file

    C:\WINDOWS\roing18.ocx<-----this file

    C:\WINDOWS\uqtcx.exe<-----this file

    C:\WINDOWS\adjvdg.exe<-----this file

    C:\WINDOWS\iodoa.dll<-----this file

    C:\WINDOWS\mm19.ocx<-----this file

    C:\WINDOWS\mm20.ocx<-----this file

    C:\WINDOWS\newj.exe<-----this file

    C:\WINDOWS\roing18.ocx<-----this file

    C:\WINDOWS\uqtcx.exe<-----this file




    Let me know how you get on.

  5. You are most welcome DougH


    Let's turn over a few more rocks to see what else we may find.


    - Download eScan's mwav application HERE

    *Launch mwav

    *Select all local drives

    *Scan all files

    *Click 'scan'

    When it has completed, what was found will be displayed in the lower pane.

    Highlight it, press CTRL C and then paste it here.

  6. Except for a few minor entries that log looks good.


    You mentioned having uninstalled NetZero so I have included a few leftovers entries to clean up.


    Place a check mark for these entries.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/

    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228

    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227


    With ALL Windows and Browsers, including this one, Closed and click 'Fix checked'


    Delete this folder listed in bold

    C:\Program Files\NetZero<-----this folder


    - REBOOT and you are good to go.

  7. O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx (Don't recognize anything about this one)

    Harmless. That is the Internet Explorer Radio Bar.


    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

    Also harmless.


    Software Publisher's Description


    MarketBrowser allows investors to monitor and analyze their most important investments at a glance from a convenient PC desktop toolbar. Track every individual stock, mutual fund or an index; pivot to stock research sources on the Web; quickly run studies like moving averages, spreads and oscillators; chart and manipulate economic data.


    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) Again harmless. Real.com button.


    Known bug in HJT where it will report some O9's as having no name and no file.


    Your log, while lean compared to most, looks good. I trust you are not using a utility to disable anything in startup. If you are, I cannot fix what I cannot see. Please enable all startup items and post another log.

  • Create New...