View Full Version : please verify clean hjt log


FastLearner
01-02-2005, 01:44 PM
Well. it happened. I was surfing and doing some research about spyware and bam...some pretty heavy-duty porno page popped on my screen and my Avast AV immediately went crazy and told me to unplug my network card, etc.

I'm thinking Avast stopped the nasty at the front door, but here is a fresh hjt log just to make sure. Thanks in advance.

Logfile of HijackThis v1.99.0
Scan saved at 18:40:41, on 02.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avast4AV\aswUpdSv.exe
C:\Programme\Avast4AV\ashServ.exe
C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Avast4AV\ashMaiSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\Avast4AV\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Siemens\Gigaset WLAN Adapter\WLM.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\DOKUME~1\Gary\LOKALE~1\Temp\Temporäres Verzeichnis 3 für hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Security\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4AV\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Programme\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = C:\Programme\Siemens\Gigaset WLAN Adapter\WLM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104244182266
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GARYSPC
O17 - HKLM\Software\..\Telephony: DomainName = GARYSPC
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GARYSPC
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Programme\Avast4AV\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Programme\Avast4AV\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Avast4AV\ashMaiSv.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe

david eaton
01-02-2005, 04:49 PM
Nice clean log.

My usual prevention speech:-

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed.
Spywareguard (http://www.wilderssecurity.net/spywareguard.html) <= SpywareGuard offers realtime protection from spyware installation attempts.
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/index.php?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

IE/Spyad (https://netfiles.uiuc.edu/ehowes/www/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google toolbar to help stop pop-up windows.

I also suggest that you delete any files from "temp" and "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files", select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the Recycle Bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Another very good method of preventing malware infestations is to dump Internet Explorer, and use Firefox as your default browser. Keep IE, as it is needed to access Windows Update.

FastLearner
01-02-2005, 04:56 PM
Thanks David. Very good tips there. I guess I can't make use of IE Spyad since I only run Firefox, but I make very good use of Spyware Blaster, Sygate PF, Avast AV, Spybot, A squared, and Adaware SE. Guess I just got a little paranoid by the way my Avast responded to the threat. Great to hear that I'm still clean.

Quick question: Is there any way to automate the cleaning out of .tif's to occur during boot down. Also, is there another place I need to empty out from within Firefox?

Thanks again for verifying my hjt log.

david eaton
01-03-2005, 10:59 AM
To clear the firefox cache, go to Tools>Options>Privacy. That gives you the options to delete cache ( temporary Internet files), cookies etc. AFAIK, there is no way of cleaning out the cache at boot, but a batch file could be written to do the job, and set to run at startup.
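The batch file suggested above, written out as an added example (editor's code, not something any poster in this thread wrote). It empties the current user's Temp folder and the Firefox disk cache on Windows XP. The Firefox cache path is assumed to be the default profile location for Firefox 1.x on XP; adjust it if the profile lives elsewhere. Files that a running program still holds open cannot be deleted and are simply skipped, which is what makes it safe to run at logon or logoff.

```batch
@echo off
rem cleantemp.bat -- added example for this thread, not a poster's own code.
rem Empties %TEMP% and the Firefox 1.x disk cache on Windows XP.
rem Locked files (still open by some program) fail to delete and are skipped.
setlocal

rem %TEMP% expands to C:\Documents and Settings\<user>\Local Settings\Temp
rem  /q = no "are you sure" prompt, /f = also delete read-only files,
rem  /s = recurse into subfolders. Output is discarded.
echo Emptying %TEMP% ...
del /q /f /s "%TEMP%\*.*" >nul 2>&1

rem del leaves the now-empty subfolders behind; remove each one.
rem rd fails harmlessly on a folder that still contains a locked file.
for /d %%D in ("%TEMP%\*") do rd /s /q "%%D" >nul 2>&1

rem Firefox 1.x on XP keeps its cache under each profile folder (assumed
rem default location; change FFPROFILES if your profile is elsewhere).
set FFPROFILES=%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles
for /d %%P in ("%FFPROFILES%\*") do (
    if exist "%%P\Cache" (
        echo Emptying Firefox cache in %%P ...
        del /q /f /s "%%P\Cache\*.*" >nul 2>&1
    )
)

endlocal
```

To run it at logon, drop a shortcut to the .bat in Start > Programs > Startup. To run it at logoff on XP Professional, use gpedit.msc under User Configuration > Windows Settings > Scripts (Logon/Logoff). Do not register it as a machine Shutdown script under Computer Configuration: those run as the SYSTEM account, so %TEMP% and %USERPROFILE% would point at SYSTEM's folders rather than the user's, and nothing useful would be cleaned.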

Donn
01-03-2005, 12:04 PM
Newbie:

here's a little article for you to read:

http://www.pcworld.com/howto/article/0,aid,17118,pg,2,00.asp

that article from here: http://www.google.com/search?hl=en&q=emptying+.temp+folders+on+shut+down%22

on clearing .temp files and the index.dat file

David: I was certain there is a way to empty .temp files on shut down. I thought it was in control panel > folder options, but now I cannot find it. Where is that (I'm Win ME).

FastLearner
01-03-2005, 12:29 PM
Thanks lads. I'll check those links out asap. Also writing a batch file shouldn't be too tough for completing that task at boot up or boot down.

tommy
01-04-2005, 04:29 AM
DONN

From Internet Explorer -- tools | internet options | advanced
page down to the SECURITY heading and the fourth item is:
"Empty Temporary Internet Files folder when browser is closed". Be sure there is a check mark in front of this item.

david eaton
01-04-2005, 06:53 AM
Tommy, yes, that works OK for Internet Explorer, but it's not an option for Firefox unfortunately.

Donn
01-04-2005, 10:16 AM
Found it, thanks Tommy :D

FastLearner
01-05-2005, 09:38 AM
I came across the following archive, which also explains how to do this in Win xp (classicsoftware was a key part of this thread):
http://www.pcguide.com/vb/archive/index.php/t-25943.html

In my folder:
C:\Documents and Settings\Username\Local Settings\Temp\

I have 100 MB worth of text documents, xml documents, and .tmp files, in addition to many sub-folders. One of these folders is Temporary Internet files, which I deleted from within Windows Explorer without fear. My question is if it's safe to delete all of the other temporary folders (including hidden system folders) from the folder above--and not just the Internet files, as long as they were last accessed before my last reboot?

Thanks.