Trojan.Agent.ALCE

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages

1 2 >

Trojan.Agent.ALCE, A few other trojans as well that I cant seem to rid myself of

Options

WarBlade View Member Profile	Nov 19 2008, 01:33 AM Post #1
Member Group: Members Posts: 18 Joined: 13-October 05 Member No.: 37,137	Hi there Ive been a fan of this site for some while now. Lots of great info but now I definitly need some help. I doesnt seem to matter what I do (have manged to remove a bunch of the critters) now I just can seem to rid myself of the last few. I have seen as many as 15 svchost.exe processes running at once on this computer at any one time. This computer is going out on the net and firing off several emails. Enough that I have been contacted by my ISP. I went through the check list for before posting and here are some of the trojans that have shown up. Trojan.Agent.ALCE Trojan.Dropper.SHN Trojan.FakeAlert.AB2 Troajn.Dropper.Kobcka.EN Trojan.Qhosts.ARE BehavesLike:Win32.Explore_Hijack I have removed this computer from net access after I did the required scans. When this comp first came to me I was unable to log in to a user without being logged off right away in either normal mode or safe mode. I have gotten past that and cleaned most of it but the rest just doesnt want to clear out. Here is a HJT log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:50:51 AM, on 11/19/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\WINDOWS\Mixer.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wpabaln.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: targetedbanner browser enhancer - {E54F56DD-104D-5BBB-111D-7912D14EE471} - C:\WINDOWS\system32\xzxffwzmof.dll (file missing) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [kczrgvgeyxuagqwip] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\xzxffwzmof.dll" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - HKCU\..\Run: [Logitech Desktop Messenger] C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Courtney\NewVersion\setup-8876480.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.sxload.net (HKLM) O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab O16 - DPF: {17DF9D0D-036E-424B-98D7-A41E4CE783EF} - ms-its:mhtml:file://c:\\nores.mht!http://adxcnet.net/code/chm/xpre.chm::/xpreload.ocx O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O18 - Protocol: bw+0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw+0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: bwg0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwg0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0s - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: offline-8876480 - {4E510A45-31AA-45CC-9944-0C9407B7C05A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: priarsz - priarsz.dll (file missing) O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing) O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing) -- End of file - 19110 bytes

Billy O'Neal View Member Profile	Nov 26 2008, 10:15 PM Post #2
Run from the Sandvitch! Group: HJT Team Coach Posts: 7,971 Joined: 17-January 08 From: Northfield, Ohio Member No.: 184,215	Hello, WarBlade to BleepingComputer.com My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.) Please give me some time to look over your computer's log(s). Please take note of the following: In the meantime, please refrain from making any changes to your computer. Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken. Finally, please reply using the button in the lower left hand corner of your screen. We need to run a Scan with DDS Please download DDS, and save it to your desktop, from one of the following mirrors: This is a mirror This is another mirror Disable any type of "Script Blockers" or "Script Protection" installed on your system. Double click on your desktop. If prompted by any script blocking tools, please allow any actions taken by DDS. When prompted to preform an Optional Scan, please select Two reports will open. Please reply with the generated reports: DDS.txt <-- Copy and paste into your next post Attach.txt <-- Attach to your next post We need to scan for rootkits with GMER Please download gmer.zip and save to your desktop. alternate download site 1 alternate download site 2 Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.) When you have done this, disconnect from the Internet and close all running programs. Note: There is a small chance this application may crash your computer so save any work you have open. Double-click on Gmer.exe to start the program. Allow the gmer.sys driver to load if asked. If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO. Click on "Settings", then check the first five settings: System Protection and Tracing Processes Save created processes to the log Drivers Save loaded drivers to the log You will be prompted to restart your computer. Please do so. Run Gmer again and click on the Rootkit tab. Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive. Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All". Important! Please do not select the "Show all" checkbox during the scan. Click on the "Scan" and wait for the scan to finish. Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply. Note: If you have any problems, try running GMER in Safe Mode In your next reply, please include the following: DDS.txt Attach.txt GMER's Log Billy3 -------------------- The forum is always a busy place. In the event I fail to reply within twenty-four hours, feel free to send me a PM. Have I helped you? If so, please consider a donation (by clicking this link). All donations go towards a license of Camtasia Studio, with which I will write video tutorials for BleepingComputer.

WarBlade View Member Profile	Nov 27 2008, 08:59 PM Post #3
Member Group: Members Posts: 18 Joined: 13-October 05 Member No.: 37,137	Hi Billy, Thx for helping me out. Ok heres the first problem we have right off the bat. The DDS thing you wanted me to run didnt seem to want to work, on this system at least. It would open a dos window that had a description about it and mentioning it was meant for 1 time use etc. Then it seemed to be working but after a bit it would say sort.exe not recognized and it would close. I tried about 5 times but could never catch the whole error message. I then went ahead with the gmer scan and here is the report for that. Hope that is ok. GMER 1.0.14.14536 - http://www.gmer.net Rootkit scan 2008-11-27 20:46:02 Windows 5.1.2600 Service Pack 3 ---- Devices - GMER 1.0.14 ---- Device \Driver\Tcpip \Device\Ip 8243783A Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\Tcpip \Device\Tcp 8243783A Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\Tcpip \Device\Udp 8243783A Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\Tcpip \Device\RawIp 8243783A Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\Tcpip \Device\IPMULTICAST 8243783A Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Threads - GMER 1.0.14 ---- Thread 4:504 82430602 Thread 4:508 82430602 Thread 4:512 82430602 Thread 4:516 82430602 Thread 4:520 82430602 Thread 4:524 82430602 Thread 4:528 82430602 Thread 4:532 82430602 Thread 4:536 82430602 Thread 4:540 82430602 Thread 4:544 82430602 Thread 4:548 82430602 Thread 4:552 82430602 Thread 4:556 82430602 Thread 4:560 82430602 Thread 4:564 82430602 Thread 4:568 82430602 Thread 4:572 82430602 Thread 4:576 82430602 Thread 4:580 82430602 Thread 4:584 82430602 Thread 4:588 82430602 Thread 4:592 82430602 Thread 4:596 82430602 Thread 4:600 82430602 Thread 4:604 82430602 Thread 4:608 82430602 Thread 4:612 82430602 Thread 4:616 82430602 Thread 4:620 82430602 Thread 4:624 82430602 Thread 4:628 82430602 Thread 4:632 82430602 Thread 4:636 82430602 Thread 4:640 82430602 Thread 4:644 82430602 Thread 4:648 82430602 Thread 4:652 82430602 ---- Registry - GMER 1.0.14 ---- Reg HKLM\SOFTWARE\Classes\CLSID\{FD853CE1-7F86-11d0-8252-00C04FD85AB4}\InprocServer32@ %SystemRoot%\system32\inetcomm.dll ---- Disk sectors - GMER 1.0.14 ---- Disk \Device\Harddisk0\DR0 sector 12: copy of MBR ---- EOF - GMER 1.0.14 ---- Thanks again

Billy O'Neal View Member Profile	Nov 27 2008, 11:50 PM Post #4
Run from the Sandvitch! Group: HJT Team Coach Posts: 7,971 Joined: 17-January 08 From: Northfield, Ohio Member No.: 184,215	Hello, WarBlade We need to execute an OTMoveIt3 script Please download OTMoveIt3 by OldTimer and save it to your desktop. Double click the icon on your desktop. Paste the following code under the area. Do not include the word "Code". CODE :processes explorer.exe :services FCI ICF :files @C:\WINDOWS\system32\svchost.exe:ext.exe c:\nores.mht C:\WINDOWS\system32\xzxffwzmof.dll :reg [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\.sxload.net] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}] [-HKEY_CLASSES_ROOT\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E54F56DD-104D-5BBB-111D-7912D14EE471}] [-HKEY_CLASSES_ROOT\CLSID\{E54F56DD-104D-5BBB-111D-7912D14EE471}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\priarsz] :commands [Reboot] Push the large button. OTMI3 may ask to reboot the machine. Please do so if asked.* Copy/Paste the contents under the line here in your next reply. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter .log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. We need to create an OTViewIt Report Please download OTViewIt by OldTimer. Save it to your desktop. Double click on the icon on your desktop. Click the "Scan All Users" checkbox. Push the button. Two reports will open, copy and paste them in a reply here: OTViewIt.txt <-- Will be opened Extra.txt <-- Will be minimized In your next reply, please include the following: OTMoveIt3's Log OTViewIt.txt Extra.txt Billy3 This post has been edited by Billy O'Neal: Nov 27 2008, 11:51 PM -------------------- The forum is always a busy place. In the event I fail to reply within twenty-four hours, feel free to send me a PM. Have I helped you? If so, please consider a donation (by clicking this link). All donations go towards a license of Camtasia Studio, with which I will write video tutorials for BleepingComputer.

Billy O'Neal View Member Profile	Nov 29 2008, 07:44 PM Post #6
Run from the Sandvitch! Group: HJT Team Coach Posts: 7,971 Joined: 17-January 08 From: Northfield, Ohio Member No.: 184,215	Hello, WarBlade After you run the batch file below, a log.txt will exist on your desktop. Please post that file's contents here. We need to execute a Batch File Go to Start -> Run, and type "notepad" into the box. Press ok. Copy and paste the following code into notepad: CODE IF EXIST %systemroot%\System32\sort.exe echo EXISTS > "%userprofile%\Desktop\Log.txt" IF NOT EXIST %systemroot%\System32\sort.exe echo "Does Not Exist" > "%userprofile%\Desktop\Log.txt" del fix.bat Go to File -> Save To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files" Enter fix.bat into the "File name:" box just above the "Save as Type" box. Double click fix.bat on your desktop. We Need to Run ComboFix Note to readers of this post other than the starter of this thread: ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert. How to run ComboFix: Please download ComboFix from one of the following mirrors, and save it to your desktop. This is a mirror. This is another mirror. This is yet another mirror. Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix. Double click on your desktop. Read and accept (Press Yes) to the disclaimer. For Windows XP Systems: Install the Recovery Console: If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted. When prompted to accept the EULA, press OK. Accept Microsoft's EULA (Press Yes). When you are told that the RC is installed correctly, please press YES to continue scanning for malware. ComboFix will run. Simply wait for it to finish. When it finishes, ComboFix will produce a log. Please post that log in your next reply here In your next reply, please include the following: Batch file Log.txt ComboFix.txt Billy3 -------------------- The forum is always a busy place. In the event I fail to reply within twenty-four hours, feel free to send me a PM. Have I helped you? If so, please consider a donation (by clicking this link). All donations go towards a license of Camtasia Studio, with which I will write video tutorials for BleepingComputer.

WarBlade View Member Profile	Nov 29 2008, 10:10 PM Post #7
Member Group: Members Posts: 18 Joined: 13-October 05 Member No.: 37,137	Hi Billy, Ok ran into a snag again. I ran the fix.bat file. A momentary dos window appeared then disappeared. I will assume that is normal. However when I went to run the Combo fix. It started to work (never got to the disclaimer screen) a black dos window opened then the black part switched to blue(dunno if the color is improtant or not but I thought I better mention it). After a bit and some hard drive activity a message in the dos box appeared stating..... sort.exe is not recognized as an internal or external command, operable program or batch file. then nothing else happens. I tried to rerun the fix.bat file after making it again but ened with the same results. Hope what I decribed helps you out. Thanks again, WarBlade

Billy O'Neal View Member Profile	Nov 30 2008, 02:39 PM Post #8
Run from the Sandvitch! Group: HJT Team Coach Posts: 7,971 Joined: 17-January 08 From: Northfield, Ohio Member No.: 184,215	Hello, WarBlade Hmm... that's strange. Please try this: We need to create an OTViewIt Report Double click on the icon on your desktop. Click the "Scan All Users" checkbox. In the "Custom Scans" area, enter the following text: CODE C:\Windows\System32\Sort.exe /md5 C:\Windows\Sort.exe /md5 Push the button. Two reports will open, copy and paste them in a reply here: OTViewIt.txt <-- Will be opened Extra.txt <-- Will be minimized In your next reply, please include the following: OTViewIt.txt Extra.txt Billy3 -------------------- The forum is always a busy place. In the event I fail to reply within twenty-four hours, feel free to send me a PM. Have I helped you? If so, please consider a donation (by clicking this link). All donations go towards a license of Camtasia Studio, with which I will write video tutorials for BleepingComputer.

Billy O'Neal View Member Profile	Dec 1 2008, 05:17 PM Post #10
Run from the Sandvitch! Group: HJT Team Coach Posts: 7,971 Joined: 17-January 08 From: Northfield, Ohio Member No.: 184,215	Alright... that indicates that the operating system is damaged. Do you have your windows installation media? Billy3 -------------------- The forum is always a busy place. In the event I fail to reply within twenty-four hours, feel free to send me a PM. Have I helped you? If so, please consider a donation (by clicking this link). All donations go towards a license of Camtasia Studio, with which I will write video tutorials for BleepingComputer.

WarBlade View Member Profile	Dec 1 2008, 07:15 PM Post #11
Member Group: Members Posts: 18 Joined: 13-October 05 Member No.: 37,137	I will have to ask him if he still has his disk. I have access to a copy of Windows Xp Home but it is not the disk that was installed on this system.

Billy O'Neal View Member Profile	Dec 1 2008, 11:45 PM Post #12
Run from the Sandvitch! Group: HJT Team Coach Posts: 7,971 Joined: 17-January 08 From: Northfield, Ohio Member No.: 184,215	Alright.. see if you can find that disk. Parts of windows itself are missing which is causing problems for our tools. Billy3 -------------------- The forum is always a busy place. In the event I fail to reply within twenty-four hours, feel free to send me a PM. Have I helped you? If so, please consider a donation (by clicking this link). All donations go towards a license of Camtasia Studio, with which I will write video tutorials for BleepingComputer.

WarBlade View Member Profile	Dec 2 2008, 01:50 PM Post #13
Member Group: Members Posts: 18 Joined: 13-October 05 Member No.: 37,137	Ok Billy, i go a hold of the disk. Are you thinking of a in place repair? This disk is only a sp1 disk so there will be alot of updating to do. As well as setting it back up to update. Or do you have something else in mind? Dunno why I just asked that. Because you were going to instruct me on what to do anyway. lol

Billy O'Neal View Member Profile	Dec 2 2008, 07:48 PM Post #14
Run from the Sandvitch! Group: HJT Team Coach Posts: 7,971 Joined: 17-January 08 From: Northfield, Ohio Member No.: 184,215	Yep.. I've got something else in mind. Please go to start -> Run and enter CMD. Then press enter. Then type in the following: CODE sfc /purgecache sfc /scannow This will take some time to verify that windows' files are in the correct locations. After that please redownload and retry running ComboFix. Billy3 -------------------- The forum is always a busy place. In the event I fail to reply within twenty-four hours, feel free to send me a PM. Have I helped you? If so, please consider a donation (by clicking this link). All donations go towards a license of Camtasia Studio, with which I will write video tutorials for BleepingComputer.

WarBlade View Member Profile	Dec 3 2008, 11:37 AM Post #15
Member Group: Members Posts: 18 Joined: 13-October 05 Member No.: 37,137	So just to be sure. I do not need to have the disk in the drive when doing the next step?

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 4th July 2009 - 09:11 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List \| Virus Removal Guides
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides Archive