
Multiple Infections (7fasst, Accoona, Aconti, Adbreak, Cusmin, Deskwizz, Inetspeak, Smitfraud-c, Swagent, Trojan.downloader-fakerx)


14 replies to this topic

#1 bart_central


Posted 02 October 2007 - 09:03 PM

Multiple infections (7FaSSt, Accoona, Aconti, AdBreak, CusMin, DeskWizz, INetSpeak, SmitFraud-C, SWAgent, Trojan.Downloader-FakeRx) - which I think I have mostly fixed. This is an updated version (including a couple of corrections) of my original post. That post was moved over to the “Am I Infected...” forum for assistance in getting my infected system to the point where I could produce an HJT log. The HJT log is at the end of this post.

Before that, here is the (updated) information on my situation...

The infection happened on 9/15/2007 at around 7:30am. An active-x object was inadvertently allowed to install onto my system. It then began to install various other nasties (including changing the screen background to a "your system's been infected" display and then attempting to get you to download some bogus anti-spyware). S&D Tea Timer was getting flooded with registry change attempts. In any case, I killed all of the running browser sessions and disconnected my network cable.

Before continuing, here are some details on my system...

System: Gateway P4 2.4Ghz (a little over 5 years old)
Memory: 2Gb
Hard drives: 2 (non SCSI)
OS: Windows XP Professional SP2 (with autoupdate enabled)
Browser: IE7
(also had the firewall (that comes with SP2) and S&D tea timer active as well)

I also have a second (uninfected) system that is effectively the infected system's twin (there are some differences in the software that is loaded on each).

I started off by running a Spybot S&D (version 1.4) scan - which came back reporting most of the above infections (plus a registry entry that disabled the Task Manager). It was able to take care of a number of them, but said there were some files that it could not delete. I allowed it to try again on reboot (to delete the files). Upon rebooting, most of what it had removed was back - and it again failed to delete the files that it had failed to delete before (see below for a list of files - I have marked the ones that could not be deleted by Spybot or, apparently, through any other means (Spybot didn't catch them all) with an asterisk). I reran Spybot. Instead of rebooting, I then ran an Adaware SE (version 1.06r1) scan. It found and I removed a few more things. I then ran AVG 7.5 anti-virus (free) - which didn't report anything new.

I reconnected the network cable and downloaded the latest profiles for these three apps. I also installed AVG Anti-Spyware, SpywareBlaster and a-squared (free). I also wiped out my browser temp files, cookies and history. I then did the following...

1) changed my file-view settings so that system/hidden files would be displayed and all file extensions would appear as well
2) turned off system restore
3) ran the disk clean in System Tools
4) ran an Ad-Aware scan (which found a bunch of cookies)
5) ran Spybot S&D (which found the same stuff as before that it could not delete - this time, I removed any reportedly suspicious active-x items, blank or suspicious BHOs, startup items, etc.)
6) ran a-squared (trial version) for a full scan (which found one more thing that I then deleted)
7) ran AVG anti-virus (nothing new)
8) ran SpywareBlaster (resident protection, not a malware scanner) – nothing new.
9) ran AVG Anti-Spyware. Mid way through the scan, the computer rebooted itself.

When the crash happened, I started hitting F8 until I was able to boot into safe mode. After once again disconnecting the network cable and then logging in, I...

1) ran msconfig and set the system to automatically boot into safe mode the next time it was reset. I had as little enabled as possible (using msconfig). Selective startup with a check by "Process SYSTEM.INI File" and a dimmed check by "Load Startup Items". ctfmon is the only process checked in the startup list. Everything is checked in the SYSTEM.INI list. In services, DCOM Server Process, RPC Locator and RPC are the only things checked (and the locator is stopped). This is curious since the services group is unchecked. Finally, "Use Modified BOOT.INI" was selected and the SAFEBOOT option was selected in the BOOT.INI tab.
2) changed windows explorer's file view to details and re-enabled being able to see system/hidden files and all file extensions (this always seems to get reset when I reboot in safe mode).
3) re-ran steps 3-8 (see above). AVG Anti-Spyware would not run in safe mode.

Noting that the files that the above apps had deleted (or attempted to delete) all had the same (or very similar) timestamp, I ran a search for everything that had been modified in the past week (it was 9/18 by this time). I sorted them by date (most recent first) and began working my way down. The top-most files were mostly system log files (a whole lot more than were on the infected system's twin). I googled a number of them and they seemed to be legitimate - though I don't know if the services/whatever that produce them should be running. I'm a bit concerned that some of the malware turned on a bunch of logging in order to try and get as much info about the infected system as possible. Over the following week, I worked my way down to the time period when the initial infection happened. I noted the files that were still present and continued on until it looked like I was well prior to when the infection happened. The entire time I was doing this, I was googling a lot of the files to see whether or not they were legitimate as well as comparing files between the infected system and its twin. This approach was far from perfect (I suspect this was doing things "the hard way"), but it did help identify a lot of the "bad" files. It turns out that almost all of them were in either WINNT or WINNT\System32.

Unfortunately, I don't have a list of all the log files that I came across at the time, but I have included a list (using the same type of search) of a number of the files that are more recent than the infection period (excluding stuff like the S&D updates). It's not a complete list as there are quite a number of them.

C:\Documents and Settings\test\ntuser.dat.LOG
C:\WINNT\system32\wbem\Logs\wbemprox.log
C:\WINNT\ntbt.log
C:\Documents and Settings\test\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
C:\WINNT\system32\config\SAM.LOG
C:\WINNT\system32\config\SECURITY.LOG
C:\WINNT\Debug\PASSWD.LOG
C:\WINNT\bootstat.dat
C:\WINNT\Debug\UserMode\userenv.log
C:\WINNT\system32\config\default.LOG
C:\WINNT\system32\wpa.dbl
C:\WINNT\system32\CatRoot2\edb.chk
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm

Here is the list of the "bad" files (that have a timestamp matching the time of infection) that survived the above scans or were able to somehow resurrect themselves. Note that comments in parentheses to the right of the filename are my comments and not part of the filename. The same applies to asterisks to the right of filenames...

C:\WINNT\system32\stfv.bin
C:\WINNT\system32\oembios32.dll **
C:\WINNT\liqui-Uninstaller.exe *
C:\WINNT\hotporn.exe *
C:\WINNT\fhfmm-Uninstaller.exe *
C:\WINNT\daxtime.dll
C:\WINNT\wbeInst$.exe *
C:\WINNT\adbar.dll
C:\WINNT\xxxvideo.exe *
C:\WINNT\ie_32.exe *
C:\WINNT\spreadirect.dll
C:\WINNT\kkcomp$.exe *
C:\WINNT\jd2002.dll
C:\WINNT\system32\ESHOPEE.exe *
C:\WINNT\dp0.dll
C:\WINNT\aconti.exe *
C:\WINNT\liqad$.exe *
C:\WINNT\xadbrk_.exe *
C:\WINNT\eventlowg.dll
C:\WINNT\ngd.dll
C:\WINNT\system32\drivers\ (a bunch of jpg, gif, htm and css files)
C:\WINNT\acontidialer.txt
C:\WINNT\aconti.log
C:\WINNT\system32\wml.exe *
C:\WINNT\wml.exe *
C:\WINNT\system32\Vxddsk.exe *
C:\WINNT\Vxddsk.exe *
C:\WINNT\absolute key logger (empty folder)
C:\WINNT\flt.dll
C:\WINNT\764.exe *
C:\WINNT\7search.dll
C:\WINNT\pbar.dll
C:\WINNT\system32\acespy\__acelog.ndx
C:\WINNT\system32\acespy\systune.exe *
assist\asbar.dll (this and two other files in this folder - which seem to have no root)
C:\WINNT\gtv_sd.bin
C:\WINNT\sznf.ascii
C:\WINNT\din.ip
C:\WINNT\default.htm
C:\naVWanVd.ini

* These files could not be deleted. Spybot S&D could not do it and when I tried to delete them using windows explorer, the error message indicated that some other application was currently using them (I had no other application running). This happens to be a superset of the files that Spybot had detected and failed to delete.
** I tried to unregister each DLL before deleting it ("regsvr32 /u <disk:\path\filename.dll>" in a command window). The file oembios32.dll was the only dll file that actually turned out to be registered.

On a hunch, I started up a CMD window, pulled up the task manager and killed the explorer.exe task. I was then able to use the command window to delete each of the above files marked with a "*". Afterwards, I restarted explorer.exe with no apparent problem. Even after rebooting (I'm still in safe mode), the files did not return.

I then ran regedit with the intent of searching for the deleted filenames. On the first search, regedit sat and trundled for a bit (while searching) before the system displayed a blue screen for all of about a half of a second and then rebooted. I tried this again with several other strings (including some random characters) and found that the same thing would happen each time. If I searched for something that was near the top of the registry, the search would work - but anything that took it well down into the registry would cause the system to reboot.

Suspecting bad memory, I swapped memory sticks with the infected system's twin. The problem persisted. So much for the bad-memory-stick theory. Next, I wondered if it had to do with how little was actually loaded into memory. I thought perhaps there was some crucial "something or other" that might need to be loaded - so I ran msconfig to try and add some additional start-up items. I found that any time I hit "OK" to save my changes (even if I didn't actually make any change), a dialog would appear saying "An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes." The account I was using did have admin privileges. Also, despite the error, it seemed that the settings would persist (though I didn't test this too thoroughly). As this seemed rather suspicious, I had not yet tried rebooting with more stuff loaded (much less rebooting in "normal" mode) at this point.

I used the infected system’s twin to post the original version of this message to the HJT forum. That post was subsequently moved to the “Am I infected...” forum. The responses to my post started off by explaining that “...Smitfraud.C is Spybot S&D's name for a type of Vundo/Conhook infection. ...Smitfraud is a generic description of any application/trojan that hijacks the desktop to give fake warnings that you are infected or have errors and need to download their program to fix it, only telling you later you have to pay for the fix. Vundo is associated with the rogue app Winfixer, among others, but it is a completely different infection from what is more commonly known as Smitfraud and SmitfraudFix is not designed to fix it.”

I was instructed to boot back into “normal” mode and load the Vundofix tool at...
http://www.atribune.org/content/view/24/2/

...and then to install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

I was able to boot up into normal mode without any apparent problems. I loaded Vundofix and ran it. It found nothing whatsoever. I’m a bit concerned that since I deleted all of the files, the app didn’t go into the registry to try and fix whatever the malware had messed up.

After loading/updating Superantispyware and rebooting back into safe mode, that app found “Trojan.Downloader-FakeRx” and removed it. Rebooting back into normal mode, I reran Adaware – which found three “win32.trojan.crypt” objects in the registry (which I had it remove).

AVG Anti-Spyware still crashed my system, so I uninstalled it and downloaded the next step up (AVG Anti-Malware) and ran that (I made sure to update its profile information first). This app also crashed my system in seemingly the same way (half second flash of a blue screen and the system then reboots).

Suspecting a conflict between the various apps I had loaded, I uninstalled a-squared, spyware blaster and superantispyware professional (trial version). No change. I tried having it scan just the user area only. No change. I tried having it scan the system area only and found that it almost immediately caused the crash. On a hunch (after rebooting), I unloaded a bunch of in-memory apps (spybot, live messenger, windows desktop search, google toolbar, yahoo jukebox, winzip quickpick and quicktime) and reran the system scan. The system once again crashed (while the scan said it was doing a registry search), but this time, the blue screen stayed up while it started dumping physical memory to disk. The blue screen said it was a “REGISTRY_ERROR” (0x00000051 0x0000004 0x0000001 0xE2E6B320 0x00000618). The memory dump would count from 1 to 100, display a couple of lines of text that didn’t stay up long enough for me to read before the system would reset. It kind of looks like I have a registry corruption (perhaps this is why a regedit search crashes the system as well). I tried it a few times and found that it would consistently behave the same way. I also noticed that the fourth of the above five hex values would be different each time.

After rebooting I dismissed the (recovered from a serious error) dialog. I have the register values and dumpfile location if that would be of any help. This posting is already long enough, so I’m leaving them out unless you want me to add them.

I reloaded a-squared (free), spywareblaster and Superantispyware Professional. I also replaced my older HijackThis with a current version (2.0.2). I was also advised to rename the HJT .exe file to “scanner.exe” as some versions of the malware I was hit with will hide entries from HJT if it sees it running. I then started the process all over again (except that I didn’t bother with the AVG app)...

1) In normal mode with system restore turned off, automatic updates (MS) turned on, fileview to show all file extensions, system and hidden files. S&D Teatimer active, SpywareBlaster active, MS firewall active, AVG anti-malware active (though I disabled its scheduled scans since they crash my system).
2) Ran Adaware after updating profiles – nothing significant
3) Ran Spybot S&D – nothing significant found
4) Tried VundoFix.exe again – no files found
5) Ran the latest version of Stinger – no files found
6) Ran a-squared system scan – a couple of false positives, but no real threats
7) Ran Super AntiSpyware – no files found
8) Ran the renamed HJT (see posted log below)


To summarize...

1) System was infected with (7FaSSt, Accoona, Aconti, AdBreak, CusMin, DeskWizz, INetSpeak, SmitFraud-C (Vundo), SWAgent) plus who-knows-what-else.
2) Updated adaware, Spybot, AVG antivirus (free) and loaded AVG anti-spyware, Spyware Blaster and a-squared.
3) Turned off system restore and set file properties to show system/hidden files, all file extensions
4) The scans reported multiple infections
5) The initial AVG anti-spyware run crashed the system - causing it to reboot.
6) Disconnected the network cable and booted into safe mode
7) Ran msconfig to make safe mode the default and have as little loaded as possible
8) Reran Adaware, Spybot S&D, AVG anti-virus, Spyware Blaster and a-squared and removed what threats I could.
9) Sorted all files on the hard drive in chrono order and began googling anything I didn’t recognize.
10) Hand deleted all of the “bad” files that I could - including trying to unregister each of the dll files (in the above list)
11) Started a command window, killed explorer.exe task and was able to delete the rest of the bad files.
12) Upon restarting (still in safe mode), system appeared to be clean
13) As instructed, booted back into normal mode and loaded/ran VundoFix (nothing found) before loading and running Super AntiSpyware (found one more group of items).
14) Determined that there is a registry corruption that causes regedit searches and AVG registry scans to crash the system.
15) Updated my HJT to 2.0.2 and created an HJT report (see below).
16) I’m concerned that by deleting all of the malware by hand, I have prevented the antispyware SW I have from detecting that anything is wrong – thereby causing them to not clean/fix the registry!

Any help/advice on how to proceed would be greatly appreciated...

Here is the HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:38 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ups.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINNT\system32\HPZinw12.exe
C:\Program Files\Hijack This\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [FinishOptions] C:\DOCUME~1\bart\LOCALS~1\Temp\hpbinxst.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.webassured.com/CFIDE/classes/CFJava.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../yse/ymmapi.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.0) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: bw+0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\WINNT\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--
End of file - 24671 bytes

#2 suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:09:34 AM

Posted 12 October 2007 - 03:14 PM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new HijackThis log. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 bart_central

  • Topic Starter

  • Members
  • 12 posts
  • Local time:05:34 AM

Posted 12 October 2007 - 09:34 PM

As requested, here is an updated HijackThis log. It's run from the same user on the system and right after a fresh reboot...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:09 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ups.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hijack This\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [FinishOptions] C:\DOCUME~1\bart\LOCALS~1\Temp\hpbinxst.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.webassured.com/CFIDE/classes/CFJava.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../yse/ymmapi.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.0) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: bw+0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\WINNT\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--
End of file - 24983 bytes

Edited by bart_central, 12 October 2007 - 09:35 PM.
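As an added worked example (this is not code from the original post, from HijackThis, or from BleepingComputer), here is a small Python triage pass over HijackThis log lines of the kind posted above. The sample log embedded in it is constructed from entries that appear in this thread; the flagging rules are ordinary first-pass heuristics chosen for this illustration and are an assumption, not HijackThis's own logic: an entry whose target is reported as "(no file)" or "(file missing)", an autorun launched from a user-writable profile directory such as the LOCALS~1\Temp path in the FinishOptions entry, and the global injection points (AppInit_DLLs, Winlogon Notify) or a service with no publisher string.

```python
"""Triage a HijackThis (HJT) log: pull out the entries a malware analyst would
look at first.  Added example; not HijackThis code and not a reproduction of
HJT's own logic.  The rules are first-pass heuristics (an assumption made for
this illustration): an autorun whose target file is gone, an autorun that
launches from a user-writable profile directory such as %TEMP%, and global
injection points (AppInit_DLLs, Winlogon Notify) or services with no publisher.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, built from lines in the log posted above so it runs offline.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [FinishOptions] C:\DOCUME~1\bart\LOCALS~1\Temp\hpbinxst.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\WINNT\SYSTEM32\avgwlntf.dll
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Every HJT entry starts with a section code (R0, O2, O4, O20, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Windows XP user-profile locations (long and 8.3 short forms) that any
# non-admin process can write to; legitimate autoruns rarely live there.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Temp|Local Settings|Application Data|Documents and Settings|"
    r"DOCUME~\d|LOCALS~\d|APPLIC~\d)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str                      # HJT section code, e.g. "O4"
    raw: str                          # the log line as posted
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                   # header, process list, blank line, etc.
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("target absent: orphaned entry or deleted payload")
    if USER_WRITABLE_RE.search(body):
        reasons.append("target lives in a user-writable profile directory")
    if section == "O20":
        if body.startswith("AppInit_DLLs"):
            reasons.append("AppInit_DLLs: loaded into every process that uses user32.dll")
        elif body.startswith("Winlogon Notify"):
            reasons.append("Winlogon Notify DLL: loaded by winlogon.exe at logon")
    if section == "O2" and "(no name)" in body:
        reasons.append("unnamed BHO")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher string")
    return Finding(section, line.strip(), reasons) if reasons else None


def triage(log_text: str):
    """Run triage_line over every line of a log; keep only flagged entries."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.raw}")
        for r in f.reasons:
            print(f"       -> {r}")
```

The output is a review list, not a verdict: a "(no name)" BHO can be Spybot's SDHelper.dll, and a service whose file is missing is usually a leftover from an uninstalled product. What the list buys you is the order in which to look, and a way to diff two logs (before and after a fix) by the entries that disappear.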


#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 15 October 2007 - 03:28 AM

Step 1

A Firewall is an essential part of computer security and you do not appear to have a third party software firewall running on your system. If you have one, and I missed it, please ignore this. If you are relying on the firewall that comes with Service Pack 2, then you need to install a third party software firewall. While the SP2 firewall is better than nothing, it does not monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will. There are several firewalls that provide better protection than the Windows SP2 firewall. Follow these steps to turn off/disable the Windows Firewall before installing a new firewall:
  • Download the new firewall to your desktop.
  • Disconnect from the Internet.
  • Click Start > Control Panel.
  • Switch to Classic View if you have not already done so.
  • Double click on the Windows Firewall icon.
  • Click Off (Not recommended).
  • Install the new Firewall.
Do not attempt to run two software firewalls since like running two antivirus programs, they will possibly cause problems and conflict with each other.
There are a few firewalls available for free that appear to be good and easy to use:
For more information about firewalls, and why a two-way firewall is better than the Windows XP one-way firewall, please read Understanding and Using Firewalls.

Step 2

A few things you may do prior to cleaning:
During the cleaning process, if any other issues appear, please let us know.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 suebaby41

Posted 15 October 2007 - 03:44 AM

  • Please download ComboFix save it to your desktop. **Note: It is important that it is saved directly to your desktop**.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning. Type 1 and press Enter to begin the scan.
  • The scan will temporarily disable your desktop, and if interrupted, may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
  • Caution - do not touch your mouse/keyboard until the scan has completed. Touching your mouse/keyboard while the scan is running may cause it to stall.
  • When finished, ComboFix will produce a log for you and will automatically save the log file to C:\combofix.txt.
  • ComboFix will create a folder called QooBox in C: (C:\QooBox). It will contain any folders that were quarantined. When you are done, you can delete this folder - QooBox.
  • Please post the log from ComboFix and a new HijackThis log. Thanks.


#6 bart_central

bart_central
  • Topic Starter

  • Members
  • 12 posts

Posted 16 October 2007 - 04:17 AM

Thanks for the quick response and helpful advice. I now have ZoneAlarm up and running on my system.

So here's where I think we are with this...

1) System was originally infected with (7FaSSt, Accoona, Aconti, AdBreak, CusMin, DeskWizz, INetSpeak, SmitFraud-C (Vundo), SWAgent) plus who-knows-what-else.
2) The antivirus / spyware / malware apps I currently have installed are adaware (free version), Spybot S&D (free version), AVG anti-malware (full featured trial version), Spyware Blaster (free version), a-squared (free version), SuperantiSpyware (free version). That last one had been the full featured trial version, but the trial period just expired - so I replaced it with the free version.
3) System restore is turned off and file properties are set to show system/hidden files, all file extensions
4) Although initial scans reported multiple infections, they currently seem to be coming up clean now that I sorted all of the drive's files by date and examined the ones whose timestamp was around the time of the initial infection - deleting those that a Google search (using the infected system's twin) revealed to be "bad" and which were either missed by the other apps or could not be deleted by the other apps. For some of the files, this required starting up a command window, killing explorer.exe and then hand-deleting the files (which otherwise could not be deleted).
5) The exception to the above item is that a system scan by AVG anti-malware will crash the system - causing it to reboot (while it is digging through the registry).
6) A registry search using regedit will crash the system as well.
7) The above two items make it look like there is a registry corruption.
8) Vundofix found nothing (possibly because I had already deleted all of the files).
9) I’m concerned that by deleting all of the malware by hand, I have prevented Vundofix as well as the antispyware SW I have from detecting that anything is wrong – thereby causing them to not clean/fix the registry!
10) Installed ZoneAlarm and ComboFix (and ran ComboFix). As ComboFix was running, I did see the app flash a few messages about being unable to access certain files (I didn't have time to write down the exact text before it scrolled off the top of the window).

Here is the ComboFix.txt contents...
ComboFix 07-10-12.4 - test 2007-10-16 0:50:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1454 [GMT -7:00]
Running from: C:\Documents and Settings\test\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip

.
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-16 00:48 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-15 20:59 200,736 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2007-10-15 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-15 20:53 75,248 --------- C:\WINNT\zllsputility.exe
2007-10-15 20:53 11,264 --------- C:\WINNT\system32\SpOrder.dll
2007-10-15 20:53 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2007-10-15 20:51 <DIR> d-------- C:\WINNT\Internet Logs
2007-10-09 19:33 582,656 --------- C:\WINNT\system32\dllcache\rpcrt4.dll
2007-10-02 18:29 <DIR> d-------- C:\Documents and Settings\test\Application Data\U3
2007-10-01 20:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-01 19:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-30 23:47 <DIR> d-------- C:\Documents and Settings\test\Application Data\AVG7
2007-09-30 23:47 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-30 23:46 9,216 --------- C:\WINNT\system32\avgwlntf.dll
2007-09-30 22:35 <DIR> d-------- C:\Documents and Settings\SysAdmin\Application Data\Yahoo!
2007-09-30 22:00 <DIR> d-------- C:\Program Files\Hijack This
2007-09-30 19:16 <DIR> d-------- C:\Documents and Settings\test\Application Data\DivX
2007-09-30 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-09-29 17:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-29 17:17 <DIR> d-------- C:\Documents and Settings\test\Application Data\SUPERAntiSpyware.com
2007-09-29 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-29 15:55 <DIR> d-------- C:\VundoFix Backups
2007-09-23 02:15 <DIR> d--h----- C:\WINNT\system32\GroupPolicy
2007-09-17 11:23 823,296 --------- C:\WINNT\system32\divx_xx0c.dll
2007-09-17 11:23 823,296 --------- C:\WINNT\system32\divx_xx07.dll
2007-09-17 11:22 802,816 --------- C:\WINNT\system32\divx_xx11.dll
2007-09-17 11:22 739,840 --------- C:\WINNT\system32\DivX.dll
2007-09-16 18:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-09-16 18:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-09-16 12:29 <DIR> d-------- C:\Program Files\a-squared Free
2007-09-16 12:12 <DIR> d-------- C:\Program Files\Common Files\Scanner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 03:59 32 --sh--w C:\WINNT\system32\drivers\fidbox.idx
2007-10-12 02:37 --------- d-----w C:\Program Files\Java
2007-10-01 09:17 --------- d-----w C:\Documents and Settings\test\Application Data\HP
2007-10-01 06:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-01 06:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-01 05:01 --------- d-----w C:\Program Files\HP
2007-10-01 03:08 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-10-01 02:44 --------- d-----w C:\Program Files\DivX
2007-09-16 19:11 --------- d-----w C:\Program Files\Yahoo!
2007-09-15 23:40 --------- d-----w C:\Documents and Settings\test\Application Data\Lavasoft
2007-09-11 23:14 156,992 ------w C:\WINNT\system32\DivXCodecVersionChecker.exe
2007-09-06 23:14 1,086,952 ------w C:\WINNT\system32\zpeng24.dll
2007-08-28 03:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-08-21 06:15 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINNT\system32\dllcache\inetcomm.dll
2007-08-21 00:26 81,920 ------w C:\WINNT\system32\dpl100.dll
2007-08-21 00:26 196,608 ------w C:\WINNT\system32\dtu100.dll
2007-08-20 10:04 824,832 ------w C:\WINNT\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINNT\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINNT\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINNT\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINNT\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINNT\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINNT\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINNT\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINNT\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ------w C:\WINNT\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ------w C:\WINNT\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINNT\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINNT\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINNT\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINNT\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINNT\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINNT\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINNT\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINNT\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINNT\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINNT\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINNT\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINNT\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINNT\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINNT\system32\dllcache\ieakui.dll
2007-08-15 22:33 524,288 ------w C:\WINNT\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ------w C:\WINNT\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ------w C:\WINNT\system32\ssldivx.dll
2007-08-15 22:33 129,784 ------w C:\WINNT\system32\PxAFS.DLL
2007-08-15 22:33 120,056 ------w C:\WINNT\system32\pxcpyi64.exe
2007-08-15 22:33 118,520 ------w C:\WINNT\system32\pxinsi64.exe
2007-08-15 22:33 1,044,480 ------w C:\WINNT\system32\libdivx.dll
2007-08-15 22:31 593,920 ------w C:\WINNT\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ------w C:\WINNT\system32\dpv11.dll
2007-08-15 22:31 53,248 ------w C:\WINNT\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ------w C:\WINNT\system32\dpus11.dll
2007-08-15 22:31 294,912 ------w C:\WINNT\system32\dpu11.dll
2007-08-15 22:31 294,912 ------w C:\WINNT\system32\dpu10.dll
2007-08-15 22:30 12,288 ------w C:\WINNT\system32\DivXWMPExtType.dll
2007-07-31 02:19 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-07-31 02:19 92,504 ------w C:\WINNT\system32\dllcache\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-07-31 02:19 549,720 ------w C:\WINNT\system32\dllcache\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-07-31 02:19 53,080 ------w C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-31 02:19 43,352 ------w C:\WINNT\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-07-31 02:19 325,976 ------w C:\WINNT\system32\dllcache\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-07-31 02:19 203,096 ------w C:\WINNT\system32\dllcache\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINNT\system32\wuaueng.dll
2007-07-31 02:19 1,712,984 ------w C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-07-31 02:18 33,624 ------w C:\WINNT\system32\dllcache\wups.dll
2007-07-19 02:48 72,472 ------w C:\Documents and Settings\bart\Application Data\GDIPFONTCACHEV1.DAT
2006-02-19 10:28 12,288 ------w C:\WINNT\Fonts\RandFont.dll
2000-12-12 18:17 100,432 ------w C:\Program Files\Win2000PPAHotfix.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 16:01 C:\WINNT\system32\CTHELPER.EXE]
"UpdReg"="C:\WINNT\UpdReg.EXE" [2000-05-10 23:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-12 22:56]
"nwiz"="nwiz.exe" [2003-07-28 15:19 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [2003-07-28 15:19]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2003-07-28 15:19]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 C:\WINNT\LOGI_MWX.EXE]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-03 23:00]
"Iomega Startup Options"="C:\Program Files\Iomega\Common\ImgStart.exe" [2001-01-17 17:33]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2001-09-12 11:35]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 12:50 C:\WINNT\system32\SK9910DM.EXE]
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" [2002-03-06 08:08]
"GWMDMMSG"="GWMDMMSG.exe" [2002-03-06 08:08 C:\WINNT\GWMDMMSG.exe]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-30 19:48]
"FinishOptions"="C:\DOCUME~1\bart\LOCALS~1\Temp\hpbinxst.exe" [2004-05-31 20:13]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-03-13 23:30]
"2wSysTray"="C:\Program Files\2Wire\HomePortal\2PortalMon.exe" [2001-11-29 10:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-30 23:46]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 05:26]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 02:04]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 19:10:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-10-09 20:06:51]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-07-24 16:58:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-09-30 23:46 9216 C:\WINNT\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

R0 iomdisk;Iomega Devices Disk Filter Services;C:\WINNT\system32\DRIVERS\iomdisk.sys
R1 cdudf_xp;cdudf_xp;C:\WINNT\system32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINNT\system32\drivers\pwd_2K.sys
R1 Sk9920nt;PS/2 Keyboard Filter Driver for NT 4.0;C:\WINNT\system32\DRIVERS\Sk9920nt.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINNT\system32\drivers\UdfReadr_xp.sys
R2 paldrv;paldrv;\??\C:\WINNT\System32\pal_drv.sys
R3 dvd_2K;dvd_2K;C:\WINNT\system32\drivers\dvd_2K.sys
R3 GTWModem;GTW V.92 Voicemodem;C:\WINNT\system32\DRIVERS\GWMDM.sys
R3 hpusbfd;Hewlett-Packard USB Filter Class;C:\WINNT\system32\DRIVERS\hpusbfd.sys
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINNT\system32\DRIVERS\CamDrL21.sys
R3 Sk99202k;PS/2 Keyboard Filter Driver for Win2000;C:\WINNT\system32\DRIVERS\Sk99202k.sys
S3 BCMModem;BCM V.90 56K Modem;C:\WINNT\system32\DRIVERS\BCMDM.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - KLIF
*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL
*Newly Created Service* - SRESCAN
*Newly Created Service* - VSMON
.
Contents of the 'Scheduled Tasks' folder
"2002-05-22 06:25:17 C:\WINNT\Tasks\ISP signup reminder 1.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 00:55:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16 0:56:48
.
--- E O F ---


...and here is the HJT run I did right after rebooting...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:19 AM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\system32\HPZinw12.exe
C:\Program Files\Hijack This\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [FinishOptions] C:\DOCUME~1\bart\LOCALS~1\Temp\hpbinxst.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.webassured.com/CFIDE/classes/CFJava.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../yse/ymmapi.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.0) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: bw+0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\WINNT\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 25196 bytes
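A small triage script, added here as an example (it is not part of this thread, nor of the HijackThis tool), that applies to the log above the same review heuristics the Malware Response Team reply below acts on: O2 BHOs with no file, O4 autoruns launched from a Temp directory, O6 policy restrictions, O16 DPF entries with no download URL, and O23 services whose file is missing. The sample lines are copied from this thread; the rules themselves are assumptions about how a reviewer reads such a log, not an official HijackThis ruleset.

```python
"""Triage a HijackThis log for the entry patterns a reviewer acts on.

Added example; not from the thread's poster, the Malware Response Team,
or HijackThis. The heuristics are assumptions about log review practice.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the log and reply in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [FinishOptions] C:\DOCUME~1\bart\LOCALS~1\Temp\hpbinxst.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
""".strip()


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O16"
    reason: str    # why a reviewer would look at this entry
    line: str      # the original log line


# "O4 - HKLM\..\Run: [...] ..." -> section code and the rest of the line
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# An executable path that lives under any ...\Temp\... directory
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# "DPF: {CLSID} (Name) - URL"; the URL part may be empty
DPF_RE = re.compile(r"^DPF: (?P<what>.*?) -\s*(?P<url>\S*)$")


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches one of the heuristics, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)

    if section == "O2" and body.endswith("(no file)"):
        return Finding(section, "BHO registered but its DLL is gone (orphaned entry)", line)
    if section == "O4" and TEMP_DIR_RE.search(body):
        return Finding(section, "autorun entry launches a program from a Temp directory", line)
    if section == "O6" and "Restrictions present" in body:
        return Finding(section, "IE policy restrictions set; confirm they were set on purpose", line)
    if section == "O16":
        d = DPF_RE.match(body)
        if d and not d.group("url"):
            return Finding(section, "ActiveX (DPF) entry with no download source URL", line)
    if section == "O23" and "(file missing)" in body:
        return Finding(section, "service points at a file that no longer exists", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run every line of a HijackThis log through triage_line, keeping the hits."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```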

#7 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:09:34 AM

Posted 16 October 2007 - 02:20 PM

You may want to print this page. Make sure to work through the fixes in the order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 1

I noticed that your "Adobe Reader" is out of date.
You may want to download the latest version, Adobe® Reader® 8.

Step 2

Please download Ad-Aware 2007.
Please check this link, Ad-Aware 2007, for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 3

Please print out the following instructions as this page will be unavailable to you while you are working in Safe Mode.
  • Open AVG Anti-Spyware Free Edition
  • Update.
    • Next to Last Update, click on Update now. (You will need an active Internet connection to perform this)
    • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Free Edition Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Free Edition Tray Icon and select Exit. Confirm by clicking Yes.
    • If you are having problems with the updater, you can use this link to manually update ewido.
      AVG Anti-Spyware Free Edition manual updates.
    • Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware Free Edition is closed before installing the update.
    Scan With AVG Anti-Spyware Free Edition
  • Close ALL open Windows / Programs / Folders. Reboot to Safe Mode (without networking support!). If you don't know how to boot in Safe Mode, here is a tutorial, How To Start Windows in Safe Mode.
  • Please start AVG Anti-Spyware Free Edition and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?, Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?, all boxes should be checked.
      • Under Possibly unwanted software: all boxes should be checked.
      • Under Reports, select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?, select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below. IMPORTANT: Don't click on the "Save Scan Report" button before you hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
  • Click the Save Report as button.
  • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Free Edition Tray Icon and select Exit. Confirm by clicking Yes.
Step 4

CCleaner is a tool for cleaning temporary files stored on your computer which may help improve performance.
  • Please download CCleaner
  • Starting with v1.27.260, "CCleaner" installs the "Yahoo Toolbar" as an option which IS checked by default during the installation. IF you do NOT want it, REMOVE the check when provided with the option OR download the toolbar free Basic version instead of the Standard Build.
  • Unzip the file to install.
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours.
  • Select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies.
      • Clean all the entries in the Windows Explorer section.
      • Clean all entries in the System section.
      • Clean all entries in the Advanced section.
      • Clean any others that you choose.
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it.
      • Clean all in the Opera section if you use it.
      • Clean Sun Java in the Internet Section.
      • Clean any others that you choose.
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK. CCleaner will scan and clean your system.
  • Click Exit when done.
Do not run it yet.
CAUTION: Please use the "Issues" button ONLY if you know how to use it. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

Step 5

Please disable Spybot-Search and Destroy TeaTimer, as it will prevent HijackThis from fixing the infection. You can enable it after you're clean. To disable Spybot- S & D TeaTimer:
  • Open Spybot – S & D
  • Click on Mode and check Advanced Mode
  • Check yes to next window.
  • Click on Tools in bottom left hand corner.
  • Click on System Startup icon.
  • Uncheck Teatimer box.
  • Click Allow Change box.
  • If needed, How To Disable Spybot S&D TeaTimer.
Step 6

We need to disable SUPERAntiSpyware as it may interfere with the fixes that we need to make.
  • Right click on the icon in your System Tray.
  • Click Exit
  • Make sure that the program, SUPERAntiSpyware itself, is also closed/not running.
Step 7

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

The O6's above should only be present for one or more of the following reasons:
  • You set the restrictions on purpose.
  • You used an anti-spyware program like Spybot-S&D's Home Page and Option Lock down features in the Immunize section of Spybot-S&D.
  • Your workplace administrator or network administrator set the restrictions.
If none of the above reasons apply, check them to be fixed with HijackThis.

Step 8

Please disconnect from the Internet. Please close ALL browser windows (including this one).

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [FinishOptions] C:\DOCUME~1\bart\LOCALS~1\Temp\hpbinxst.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.0) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -


These are optional fixes. These programs are not required to start automatically as you can start them manually if you need them.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. It is advised that you disable these programs so that they do not take up necessary resources. Many users have reported these processes slow their boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if they apply to your computer problem with being slow to respond.
Slow_Computer_Check_here_first_it_may_not_be_malware.
Help! My computer is slow!
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

Please run HijackThis and click Scan. Place checks next to the following entries.

mspmspsv.exe (Windows Media player) process can be removed to free up resources without compromising system performance. This is the WMDM PMSP Service. mspmspsv.exe is a process which normally comes with a specific update of Windows Media player. It allows for the SDMI protocol (Secure Digital Music Initiative) to be used when dealing with music media. You can disable this service if you don't use Media Player. This is a non-essential process. Disabling or enabling it is down to user preference.
  • Click Start > Run.
  • In the Open: dialog box, type services.msc.
  • Click OK.
  • In the Services window, find WMDM PMSP;
  • Right click and choose Properties.
  • On the General tab under Service Status, click the Stop button to stop the service.
  • Beside Startup Type:, select Disabled in the drop down menu.
  • Click Apply then OK.
  • Exit the Services utility.
It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time.

CTHELPER.EXE (Creative drivers WINDVDpatch) process can be removed to free up resources without compromising system performance. CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

updreg – updreg.exe (Creative Register Reminder) process can be removed to free up resources without compromising system performance. updreg.exe is a process from Creative Technology Ltd. It is used to remind users to register their Creative Labs products. This is a non-essential process. Disabling or enabling it is down to user preference. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE

You have jusched.exe running at Startup. It checks with Sun's Java updates site to see if newer Java versions are available. This program is not required to start automatically. You can do this manually by visiting http://java.sun.com or just run the Java Plug-In Control Panel. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

You have QuickTime running at Startup. This is QuickTime's system tray icon and not necessary for the program to function properly. It is considered to be a resource hog. You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in QuickTime Player itself to keep it from resetting itself. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

There is a small program that will prevent QuickTime from resetting itself.
Please download Engraph-QuickTime-Killer. This is a free utility from EnGraph software. For more information about EnGraph, go to www.engraph.com. This application is intended for people that use or consume Sprint Video Mail, as Sprint uses QuickTime for viewing their movies (or anybody that hates QuickTime). Of course, as soon as QuickTime is run, it adds itself to startup, which is very annoying to me. This application will remove QuickTime from start up and kill any running QuickTime processes. This application runs silently at start up and closes itself as soon as it takes care of QuickTime.

nwiz.exe is a part of NVidia's Nview features installable alongside its graphics hardware products. This application will give the user access to additional features which allow the configuration of up to 32 monitors on a host or to expand the desktop across many monitors. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

You have NvMcTray.dll,NvTaskbarInit running at Startup. This is a System Tray icon used to manage settings for nVidia based graphics cards. May be required for some 3D applications to recognize your card correctly - such as the game "Everquest". Otherwise, settings can be changed manually via Display Properties. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit

NvCpl.dll,NvStartup initializes the clock and memory settings on nVidia based graphics cards. Enable if you overclock your card. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

lvcoms.exe (Logitech Quick Cam) process can be removed to free up resources without compromising system performance. Lvcomm server. Related to Logitech Quick Cam - works fine without it but it is needed for the Logitech ImageStudio software to connect to the camera. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE


Logi_MwX.exe (Logitech Mouseware) process can be removed to free up resources without compromising system performance. Logitech Mouseware driver. Needed to support some additional functionality of Logitech mice/trackballs such as "SmartMove". If you disable it and find you don't need it leave it disabled. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

ADGJDet.exe (SoundBlaster Live! or Audigy soundcards) process can be removed to free up resources without compromising system performance. Added with SoundBlaster Live! or Audigy soundcards for headphone auto-detection. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"

ImgStart.exe (Iomega drives) process can be removed to free up resources without compromising system performance. Used by Iomega drives. Details of its purpose can be found here. Available via Start -> Programs. This is a valid program but it is not required to run on startup. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe

ImgIcon.exe (Iomega Drive Icons) process can be removed to free up resources without compromising system performance. Displays Iomega icons in Explorer/My Computer, ejects Zip disks on shutdown and displays a special delete confirmation box when deleting files on an Iomega drive. Available via Start -> Programs. If you disable it remember to eject disks first before powering the drive down - hence the "U" recommendation. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

HPWuSchd2.exe and HPWuSchd.exe (HP software updates) process can be removed to free up resources without compromising system performance. This is the HP software updates. If a shortcut doesn't exist, create your own and run it manually. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

SK9910DM.exe (Multimedia keyboard manager) process can be removed to free up resources without compromising system performance. The Hot Key Kbd 2690 Daemon (sk9910dm.exe) is installed on mostly Gateway PCs and allows the use of programmable keys on multimedia keyboards. Required if you use the additional keys and allows configurations for the one-touch programmable keys on a Gateway keyboard. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

GWMDMpi.exe (Gateway Modem) process can be removed to free up resources without compromising system performance. Used with internal modems on Gateway PCs such as the 450SX Notebook. Required for audio settings to be maintained and does not remain in memory once run. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

GWMDMMSG.exe (internal modems on Gateway and vprMatrix PCs) process can be removed to free up resources without compromising system performance. Used with internal modems on Gateway and vprMatrix PCs. This is the "GTW modem messaging applet" and is not required for the modem to work correctly. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

GoogleDesktop.exe (Google Desktop Search) process can be removed to free up resources without compromising system performance. Google Desktop Search - "a desktop search application that provides full text search over your email, computer files, chats, and the web pages you've viewed. By making your computer searchable, Google Desktop Search puts your information easily within your reach and frees you from having to manually organize your files, emails, and bookmarks". This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

DIRECTCD.EXE (DirectCD) process can be removed to free up resources without compromising system performance. DirectCD primarily allows you to drag and drop files onto a suitably formatted CD-RW disc. Unless you use this on a frequent basis, it isn't required and is available via Start -> Programs. Start the program before inserting a DirectCD formatted CD-RW in the drive. A re-boot is recommended if you close Adaptec DirectCD before re-opening it again later. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

2PortalMon.exe (2wSysTray - 2Wire Homeportal user interface) process can be removed to free up resources without compromising system performance. 2Wire Homeportal user interface. This is a valid program, but it is up to you whether or not you want it to run on startup. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe

You have iTunesHelper.exe running at Startup. iTunesHelper.exe is a process belonging to Itunes MP3 streaming tool by Apple which allows you to play MP3's. This process speeds up iTunes when it starts, and the program also monitors for connected iPod devices. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

googletoolbarnotifier or googletoolbarnotifier.exe process can be removed to free up resources without compromising system performance. googletoolbarnotifier or googletoolbarnotifier.exe is a process associated with the GoogleToolbarNotifier from Google Inc. Disabling or enabling it is down to user preference. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

msnmsgr.exe (MSN Messenger From Microsoft) (Windows Messenger) is the Microsoft instant messaging program built into Windows XP. There is also a Windows Messenger service built into Windows XP that helps produce pop up ads via IP addresses. The two programs are completely separate and do different things even though Microsoft has essentially named them the same. MSN Messenger from Microsoft is an online chat, instant messaging program and file sharing program bundled with Windows and Microsoft Office. MSN Messenger is another chat program from Microsoft that can run simultaneously with Windows Messenger. If you don't use Windows Messenger, you can
  • Rename the "Messenger" folder.
  • Uninstall, Stop, Disable or Remove "Windows Messenger".
Item(s) to fix in HijackThis:

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

hpqtra08.exe (Hewlett Packard Imaging) process can be removed to free up resources without compromising system performance. hpqtra08.exe is installed alongside the drivers for Hewlett Packard Imaging devices and installs an easy-to-use tray bar icon for quick access to diagnostics. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

hpqthb08.exe (hp image zone fast start) process can be removed to free up resources without compromising system performance. It improves the startup time of HP Image Zone. If you disable it, HP Image Zone takes a long time to start up only the first time you run it. Subsequent startups are much faster than the first time. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

windowssearch.exe (Windows Desktop Search Tray) process can be removed to free up resources without compromising system performance. windowssearch.exe is a process associated with Windows Desktop Search Tray from Microsoft. It is used by the MSN Search Toolbar. This is a non-essential process. Disabling or enabling it is down to user preference. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

wzqkpick.exe (WinZip) process can be removed to free up resources without compromising system performance. wzqkpick.exe is the tray bar process for WinZip. The process is used to access WinZip from the tray bar. To save resources this process can safely be removed. If you use the WinZip system tray icon, you should leave this process running. Otherwise, this process is not required for the WinZip application to work correctly. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

ymetray.exe (Yahoo!_Music_utility) process can be removed to free up resources without compromising system performance. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

You appear to have a program on your system called Logitech® Desktop Messenger. This is a background process that can automatically access the Internet without your knowledge or permission. Although it does provide updates for your Logitech products, the fact that it can access the Internet without your consent is potentially dangerous. It does download and update your Logitech products but this can be done manually by visiting the Logitech web site. My advice would be to uninstall this program (Start > Control Panel > Add or Remove Programs) but this is entirely your decision. I suggest doing all updates yourself and removing this application! Item(s) to fix in HijackThis:

O18 - Protocol: bw+0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll


Ctsvccda.exe (Creative's PlayCenter-- Soundblaster Audigy sound cards) process can be removed to free up resources without compromising system performance. Resident program for Creative's PlayCenter included with Soundblaster Audigy sound cards - speeds up detection of some media CDs if the system doesn't natively support them. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. To change the service to Manual:
  • Right-click on My Computer and choose Manage.
  • Expand the Services and Applications section and click on Services.
  • On the right-side of the screen, find the entry for name of O23 service identified in HijackThis and double-click on it.
  • Change the Startup Type: to Manual.
  • Hit the OK button and close the Computer Management screen.
It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe

GoogleDesktop.exe (Google Desktop Search) process can be removed to free up resources without compromising system performance. Google Desktop Search - "a desktop search application that provides full text search over your email, computer files, chats, and the web pages you've viewed. By making your computer searchable, Google Desktop Search puts your information easily within your reach and frees you from having to manually organize your files, emails, and bookmarks". This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. To change the service to Manual:
  • Right-click on My Computer and choose Manage.
  • Expand the Services and Applications section and click on Services.
  • On the right-side of the screen, find the entry for name of O23 service identified in HijackThis and double-click on it.
  • Change the Startup Type: to Manual.
  • Hit the OK button and close the Computer Management screen.
Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

IDriverT.exe (InstallShield- InstallDriver Table Manager) process can be removed to free up resources without compromising system performance. idrivert.exe is a process which belongs to the InstallShield product installation service which should only appear when you are installing a new piece of software. This program is not required to start automatically as you can start it manually if you need it. To change to Manual:
  • Right-click on My Computer and choose Manage.
  • Expand the Services and Applications section and click on Services.
  • On the right-side of the screen, find the entry for the service identified in the O23 line of HijackThis and double-click on it.
  • Change the Startup Type: to Manual.
  • Hit the OK button and close the Computer Management screen.
Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

ipodservice.exe is a process belonging to Apple's iTunes peer-to-peer download tool. The ipodservice.exe process is a utility used to download mp3 files for your iPod. If you do not use it, or do not have an iPod, you can safely disable this process. This process can be removed to free up resources without compromising system performance. It is advised that you disable this program so that it does not take up necessary resources. To disable ipodservice, click Start > Settings > Control Panel > Performance and Maintenance > Administrative Tools > Services. Find the IpodService, right-click and select Properties. Change the setting in StartUp type: to Disabled. Alternatively, click Start > Run, type services.msc, find the IpodService, right-click and select Properties, and change the setting in StartUp type to Disabled to disable the service. Item(s) to fix in HijackThis:

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

PCTKRNT.SYS (LANovation's PictureTaker Enterprise Edition) process can be removed to free up resources without compromising system performance. Part of LANovation's PictureTaker Enterprise Edition. This lets administrators deploy software update packages to network PCs. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. To change the service to Manual:
  • Right-click on My Computer and choose Manage.
  • Expand the Services and Applications section and click on Services.
  • On the right-side of the screen, find the entry for PictureTaker and double-click on it.
  • Change the Startup Type: to Manual.
  • Hit the OK button and close the Computer Management screen.
It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 9

Let’s run CCleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 10

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post the logs from AVG Anti-Spyware and the list of filenames and locations for any files that can’t be cleaned / deleted that were reported after you completed the online scans.

Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#8 bart_central (Topic Starter)

Posted 16 October 2007 - 11:38 PM

Hi...

I didn't get very far with your process...

Step 1:

I updated my Adobe reader to version 8.1

Step 2:

I replaced my Adaware SE installation with Adaware 2007.
I then updated its profiles
I then started a full scan.

It appears that this new version is a lot more thorough when it comes to going through the registry because, unlike Adaware SE, this version causes my system to reboot shortly after beginning to scan the registry. I believe this is being caused by the same problem that causes AVG and regedit searches to do the same thing.

Skipping the Adaware scan (didn't have much choice), I proceeded to step 3.

Step 3:

Unfortunately, I have AVG AntiMalware, not AVG AntiSpyware (I'm sorry if my previous post led you to believe that I still had AVG AntiSpyware installed as opposed to AVG AntiMalware). I upgraded it after AVG AntiSpyware had crashed my system. I thought it might be a bad image. As I understand it, AVG AntiMalware is the next step up - so I installed a trial version of it. Unfortunately, I found that it also crashed my system when going through my registry.

AVG AntiMalware tray icon also does not seem to have a "Start with Windows" box to uncheck. It has the following...
Minimize Control Center
Quit Control Center
Launch Virus Vault
Launch Test Center
Check for Updates

The subsequent portions of this step dealt with updating AVG AntiSpyware (wrong product for my system), so I figured that I'd better stop at this point and ask for some further feedback.

Despite that, I went ahead and updated its profiles. I can do profile updates without any problem. The problem is when it is scanning my registry (same with the new AdAware and with regedit searches that go very far down, i.e. a regedit search that finds something that is already on-screen seems to work okay).

P.S. Selecting "Quit Control Center" will unload control center (no more tray icon) but leaves several processes running according to Windows Task Manager (avgrssvc.exe, avgupsvc.exe, avgamsvr.exe are obvious - there may be others whose names are less obvious). When you reboot, though, everything is once again up and running since "Quit" only unloads it until the next time the system is rebooted (or you run the app).

Edited by bart_central, 16 October 2007 - 11:51 PM.


#9 suebaby41 (Malware Response Team)

Posted 22 October 2007 - 01:53 PM

Sorry for the delay in responding. I thought I had posted this reply but I did not. Must have been a Senior Moment!

3) System restore is turned off and file properties are set to show system/hidden files, all file extensions

It is usually better to turn System Restore ON before you begin the fixes so that you will have a restore point to use just in case.

5) The exception to the above item is that a system scan by AVG anti-malware will crash the system - causing it to reboot (while it is digging through the registry).
6) A registry search using regedit will crash the system as well.

Suggestions:
1. If you feel comfortable dealing with the Windows Registry, please download and install Free Window Registry Repair (Free edition).
2. Uninstall and reinstall AVG anti-malware.

The subsequent portions of this step dealt with updating AVG AntiSpyware (wrong product for my system), so I figured that I'd better stop at this point and ask for some further feedback.

http://free.grisoft.com/doc/download-free-...pyware/us/frt/0 indicates that the AVG Anti-Spyware Free Edition is compatible with Vista. However, since you have SUPERAntiSpyware, ignore the AVG Anti-Spyware Free Edition instructions for now and run SUPERAntiSpyware.
Please continue with the HijackThis fixes Step 4 and Step 6 through Step 10.

#10 bart_central (Topic Starter)

Posted 24 October 2007 - 03:09 AM

I have modified the instructions you provided (in your response before last) in accordance with your last response...

a) System restore is back on.
b) loaded free window registry repair and ran it...
b.1) scan reported 1,318 errors
b.2) after fixing and running a rescan, 189 errors reported
b.3) after fixing and running a rescan, 21 errors reported
b.4) after fixing and running a rescan, 11 errors reported
b.5) subsequent fix/scan combinations return the same 11 errors.
b.6) rebooted and reran the scan, 87 errors reported
b.7) subsequent fix/rescan combos dropped the error count to 23, 17, 12 and 11 errors respectively. Once again, I could not get it to go below 11 errors in subsequent fix/scan cycles.
b.8) another reboot yielded similar results.

Moving on, I started at step 4 (in the process you outlined)

Step 4: This step says not to run CCleaner yet - so I did not.

Step 5: Skipped per your last instructions (though I did turn off the S&D tea timer)

Step 6: Stopped SuperAntiSpyware, Exited AVG Control Center, killed processes avgrssvc.exe, avgupsvc.exe, avgamsvr.exe, a2service.exe, aawservice.exe.

Step 7: Restrictions set by S&D. I removed the S&D settings to make sure I could remove this registry entry.

Step 8: Done...
a) Checked all 8 of the required entries (plus the "06" from step 7)
b) Decided to keep a lot of the other items you listed. I checked the following...
04-updreg.exe
04-nwiz.exe
04-NvCpl.dll, NvStartup
04-HPWuSchd2.exe
04-GoogleDesktop.exe
04-iTunesHelper.exe
04-hpqthb08.exe
04-WindowsSearch.exe
04-WZQKPICK.exe
023-googledesktop.exe
023-ipodservice.exe
023-PCTKRNT.sys

Step 9: Completed

Step 10: See below (more comments after the hijackthis log)...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:40 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\system32\HPZinw12.exe
C:\Program Files\Hijack This\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.webassured.com/CFIDE/classes/CFJava.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../yse/ymmapi.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: bw+0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {51D3D4F7-EAC9-46F9-8CD0-C1CABA69D293} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\WINNT\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 22662 bytes

Additional comments...
I reran the Windows Registry Repair app at this point.

It reported 1368 errors.
Subsequent repair/rescan cycles reported 29, 18 and 11 errors respectively. Further scans always reported 11 errors (all of which were either "Non-existent File or Folder" or "Empty Registry Keys").

After rebooting, a series of repair/rescan cycles reported the following error counts: 77, 22, 13, 9, 18, 12, 11 (and 11 repeating after that).

One final reboot and scan produced 78 errors (didn't bother fixing them).

I then tried the regedit search, AVG AntiMalware system scan and the AdAware 2007 scan in turn...

1) Regedit search - same bluescreen as reported in my 10/02 entry in this thread followed by a reboot (same as before). The fourth reported hex value (in the bluescreen) was 0xE2DBB680 this time. This value seems to be different every time while the other register values remain the same - along with the "REGISTRY_ERROR" error that is reported.

2) AVG system scan - same (fourth reported hex value was E1278170).

3) AdAware 2007 scan - same (didn't get the register values reported)


It unfortunately looks like one of the errors that didn't get fixed is the one that causes my machine to reboot if any of the above three things are done.

As an aside, I didn't quite follow your mention of Vista (near the end of your last response). As I understand it, AVG AntiMalware works with Windows XP (among others). I'm using Windows XP Pro.

Edited by bart_central, 24 October 2007 - 03:11 AM.
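The O23 items listed for fixing in post #7 and the fresh log in this post are the two halves of the check asked for in Step 10: does the new log still show anything that was supposed to go? As an added example (not code from this thread, from HijackThis or from its authors), here is a small Python triage script that parses the O4, O23 and other numbered lines of a HijackThis log, flags "(file missing)" references, services with "Unknown owner" and Run entries that name a bare executable with no path, and checks a list of requested fixes against a new log. The sample lines are copied from this thread; the regular expressions are written from the line shapes visible here and are an assumption about the rest of the log format.

```python
"""Triage helper for HijackThis logs (added example, not part of the thread)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

FILE_MISSING = "(file missing)"
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")  # fully qualified Windows path
# Line shapes assumed from the log in this thread, not from a HijackThis spec.
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
GENERIC_RE = re.compile(r"^(?P<section>O\d+|R\d) - (?P<rest>.+)$")


class HjtEntry(NamedTuple):
    section: str          # "O4", "O23", "O2", ...
    name: str             # the name HijackThis prints for the item
    path: Optional[str]   # file the item points at, if one could be extracted
    file_missing: bool    # HijackThis could not find the file on disk
    unknown_owner: bool   # service has no publisher string
    raw: str


def _clean_path(s: str) -> str:
    """Drop the '(file missing)' suffix HijackThis appends to dead references."""
    s = s.strip()
    if s.endswith(FILE_MISSING):
        s = s[: -len(FILE_MISSING)].rstrip()
    return s


def _path_from_command(cmd: str) -> str:
    """First token of a Run-key command: a quoted path, or the bare program name."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_line(line: str) -> Optional[HjtEntry]:
    line = line.strip()
    missing = FILE_MISSING in line
    m = SERVICE_RE.match(line)
    if m:
        return HjtEntry("O23", m["name"], _clean_path(m["path"]), missing,
                        m["owner"] == "Unknown owner", line)
    m = RUN_RE.match(line)
    if m:
        return HjtEntry("O4", m["name"], _path_from_command(m["cmd"]), missing, False, line)
    m = GENERIC_RE.match(line)
    if m:
        parts = m["rest"].split(" - ")
        last = _clean_path(parts[-1])
        path = last if DRIVE_RE.match(last) else None
        return HjtEntry(m["section"], parts[0], path, missing, False, line)
    return None  # header, process list, "End of file" and similar lines


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def triage(entries: List[HjtEntry]) -> List[Tuple[str, HjtEntry]]:
    """Entries a helper would look at first, each with the reason it was flagged."""
    flagged = []
    for e in entries:
        if e.file_missing:
            flagged.append(("file missing: dead reference", e))
        elif e.unknown_owner:
            flagged.append(("service with no publisher", e))
        elif e.section == "O4" and e.path and not DRIVE_RE.match(e.path):
            flagged.append(("bare filename resolved via PATH; location not verifiable from the log", e))
    return flagged


def verify_fixes(new_log: str, fix_list: List[str]) -> Dict[str, bool]:
    """For each line the helper asked to fix, report whether it still appears in the new log."""
    present = {(e.section, e.name) for e in parse_log(new_log)}
    report = {}
    for line in fix_list:
        e = parse_line(line)
        if e is not None:
            report[e.name] = (e.section, e.name) in present
    return report


# The three O23 items listed for fixing in post #7 (copied from the thread).
FIX_LIST = [
    r"O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe",
    r"O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe",
    r"O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)",
]

# Excerpt of the new log from post #10 (copied from the thread, trimmed to a few lines).
NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
"""

if __name__ == "__main__":
    for reason, e in triage(parse_log(NEW_LOG)):
        print(f"[{e.section}] {e.name}: {reason}")
    for name, still_there in verify_fixes(NEW_LOG, FIX_LIST).items():
        print(f"{name}: {'STILL PRESENT' if still_there else 'gone'}")
```

Run against the excerpt, the script flags the dead ssv.dll BHO and the unqualified Logi_MwX.Exe Run entry, and reports iPodService and PictureTaker as gone while IDriverT is still present, which matches the full log in this post (bart_central's list of checked items did not include the IDriverT entry). The same comparison works on the complete logs pasted in the thread; only the hard-coded excerpt would need to be replaced by the file contents.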


#11 suebaby41 (Malware Response Team)

Posted 24 October 2007 - 12:48 PM

As an aside, I didn't quite follow your mention of Vista (near the end of your last response). As I understand it, AVG AntiMalware works with Windows XP (among others). I'm using Windows XP Pro.

I was referring to AVG Anti-Spyware not AVG Anti-Malware. However, AVG Anti-Malware protects from spyware, adware and other malicious programs. Have you tried running SuperAntiSpyware Free?

Just for your information, the program, Free Window Registry Repair (Free edition), can be used the same way that Windows Regedit is used.

1) Regedit search - same bluescreen as reported in my 10/02 entry in this thread followed by a reboot (same as before). The fourth reported hex value (in the bluescreen) was 0xE2DBB680 this time. This value seems to be different every time while the other register values remain the same - along with the "REGISTRY_ERROR" error that is reported.
2) AVG system scan - same (fourth reported hex value was E1278170).
3) AdAware 2007 scan - same (didn't get the register values reported)

Uninstall both programs. A Blue Screen of Death, a frequent error (although less so in newer operating systems), occurs whenever Windows senses a software, hardware or driver error which will not allow it to continue operating properly.
Reinstall the programs and try running them and Regedit again. If you still get the Blue Screen of Death, and if you feel comfortable doing so, you could try the methods below to discover what is causing it.
  • Please download and install the Microsoft Debugging Tools.
  • After installing, open the Debugging Tools by going to the Start menu > Programs > Debugging Tools for Windows > windbg .
  • When the Debugging Tools for Windows program opens, click on File then Symbol file path. Put this in the text box:

    SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols

  • Click the OK button.
  • Open the dump file by clicking File then Open Crash Dump.
  • Browse to the C:\windows\minidump folder and choose the dump file you would like to look at. When it is done loading, you'll see the words BUG CHECK ANALYSIS in a box of asterisks.
  • In the text box below (to the right of kd>) type in !analyze -v to get a word-for-word output of the error. After it is completed, look for the section text right after BUG CHECK ANALYSIS.
  • There you will have some words with underscores in between each word similar to IRQL_NOT_LESS_OR_EQUAL. That will help you find a solution to your problem.
  • Scroll to the section IMAGE_NAME:. The words after that will tell you what file caused the error.
  • Do a Google search for that file name to get the program name.
  • Get an updated version for it or see if someone else is experiencing the same problem.
  • If you are unable to find any kind of information for that file, then it is a good idea to do a memory test and a hard drive test.
  • Download memtest86+ for a memory test.
  • Go to your hard drive manufacturer's website to download diagnostic tools for your hard drive.
or

Use the Windows Vista Check Disk utility:

Windows Vista, like previous versions of Windows, has an integrated Check Disk utility which can automatically repair many disk errors. In order to start using the Check Disk utility, follow these simple steps:
  • Open Computer or Windows Explorer, right click on the partition you want to scan for disk errors, and choose Properties from the menu.
  • Select the Tools tab and you will see the Error-checking utility there. Press the Check now button. You may be prompted for an administrator password or confirmation, (type the password or provide confirmation).
  • The Check Disk dialog box will appear, from which you can select two options:
    • Automatically fix file system errors will let Windows automatically repair errors on files and folders that the scan detects. Unselecting this option will only report the disk errors it finds, without fixing them.
    • Scan for and attempt recovery of bad sectors will let Windows perform a thorough disk check, in an attempt to find and repair physical errors on the hard drive, such as bad sectors, and recover data stored in unreadable locations. Note that this action may last some time, depending on the size of the drive.
  • If you are scanning the partition on which Vista is installed, a dialog box will appear stating that Windows is unable to check the disk while it is in use. In this case, you can choose Schedule disk check or Cancel. Selecting Schedule disk check will run the disk error check the next time you boot up your computer.
  • It is recommended not to use the computer while it is checking for disk errors.
Please let me know how your computer is doing.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#12 bart_central
  • Topic Starter
  • Members
  • 12 posts

Posted 25 October 2007 - 05:35 AM

Yes, I have been running SuperAntiSpyware

I was also running AVG 7.5, Ad-Aware 2007, Spybot S&D, SpywareBlaster and A2 (all free versions except for AVG which was a full featured trial version with a few days left before it expires)

I uninstalled both AVG and Ad-Aware. I also uninstalled SpywareBlaster and A2 just to be sure.

regedit still produces a BSOD. One point I had not mentioned before (don't know if it really matters): the search sits for a good 30 seconds or more before producing the BSOD. Is it possible that there is some sort of circular reference that's causing the machine to run out of resources (and crash)?

Next, I installed the debugging tool and ran it. Here is the information it provided...
------------------------------------------------------------
Microsoft ® Windows Debugger Version 6.8.0004.0 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINNT\Minidump\Mini102407-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Wed Oct 24 00:47:53.593 2007 (GMT-7)
System Uptime: 0 days 0:09:18.171
Loading Kernel Symbols
..............................................................................................................................................................
Loading User Symbols
Loading unloaded module list
...............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 51, {4, 1, e2dbb680, 618}



Probably caused by : ntoskrnl.exe ( nt!CmpAssignSecurityToKcb+3f )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

REGISTRY_ERROR (51)
Something has gone badly wrong with the registry. If a kernel debugger
is available, get a stack trace. It can also indicate that the registry got
an I/O error while trying to read one of its files, so it can be caused by
hardware problems or filesystem corruption.
It may occur due to a failure in a refresh operation, which is used only
in by the security system, and then only when resource limits are encountered.
Arguments:
Arg1: 00000004, (reserved)
Arg2: 00000001, (reserved)
Arg3: e2dbb680, depends on where Windows bugchecked, may be pointer to hive
Arg4: 00000618, depends on where Windows bugchecked, may be return code of
HvCheckHive if the hive is corrupt.

Debugging Details:
------------------




CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x51

LAST_CONTROL_TRANSFER: from 8060c2a6 to 8053354e

STACK_TEXT:
af8fa90c 8060c2a6 00000051 00000004 00000001 nt!KeBugCheckEx+0x1b
af8fa930 8058d544 00000008 00000618 dab07e1c nt!CmpAssignSecurityToKcb+0x3f
af8fa958 8058b6c7 e1035b60 00406e18 dab07e1c nt!CmpCreateKeyControlBlock+0x1b5
af8fa9a8 805679a0 e1035b60 00406e18 dab07e1c nt!CmpDoOpen+0xf4
af8faba0 805676b5 00406e18 00406e18 88b47b70 nt!CmpParseKey+0x558
af8fac28 8056749a 000000cc af8fac68 00000040 nt!ObpLookupObjectName+0x119
af8fac7c 80567dfd 00000000 8a738650 00000001 nt!ObOpenObjectByName+0xeb
af8fad50 804de7ec 0007f478 00000009 0007f3d8 nt!NtOpenKey+0x1af
af8fad50 7c90eb94 0007f478 00000009 0007f3d8 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0007f418 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!CmpAssignSecurityToKcb+3f
8060c2a6 ff33 push dword ptr [ebx]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!CmpAssignSecurityToKcb+3f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 45e54711

FAILURE_BUCKET_ID: 0x51_nt!CmpAssignSecurityToKcb+3f

BUCKET_ID: 0x51_nt!CmpAssignSecurityToKcb+3f

Followup: MachineOwner
---------

------------------------------------------------------------------------------

When I googled ntoskrnl.exe, the entries seemed to focus on corrupted or missing versions of this file. In my case, it seems as if something that ntoskrnl.exe is using is what is actually bad.

In the very recent past (near the top of this thread), I have swapped memory with a twin of my system (it was one of the first things I thought of) and it did not have any effect on the REGISTRY_ERROR problem - so I don't think the problem is with the system's memory.

My next step was to run the Windows XP Disk Check Utility (I'm running XP, not Vista).
The process was the same as you described for Vista. I checked neither option ("Automatically fix file system errors" and "Scan for and attempt recovery of bad sectors") before starting the check.

The check moved along until it got to the second tick in stage 2. It then sat there, seemingly frozen, for several minutes before producing a dialog that read "Windows was unable to complete the disk check". When I dismissed the dialog, the diskcheck screen went away as well.

I then tried the disk check and checked both options this time. The app came back with the "cannot be performed right now" dialog (as expected) and I scheduled it for the next reboot.

Upon rebooting the system, the check began. Stage 1 (file verification) completed and Stage 2 (verifying indexes) got as far as 6% before grinding to a halt. The machine sat that way for some time. The next time I checked on it, it had apparently started up again and completed stage 2 as well as stage 3 (security description verification followed by Usn Journal verification) and was moving very slowly through stage 4 (verifying file data). Eventually it completed stage 4 and began stage 5 (verifying free space). Upon completing this stage, it reported some information but restarted before I could read it all. It appears to have made some corrections and found some free space that had been marked as allocated. I didn't catch the rest.

Upon rebooting, I tried the regedit search again and still got the same BSOD.

So, having run the above apps, it looks like the hard drive and file structure are good, and the consistency of the failures (along with my having swapped all of the system's memory with that of a duplicate system) seems to me to make bad memory an unlikely candidate. It all seems to come back to it being a problem with the registry (?!?)
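Editor's added example (not code from either poster, nor from Microsoft): the windbg procedure in post #11 asks the reader to hunt through the `!analyze -v` text by eye for the bugcheck name, IMAGE_NAME and the stack; the parser below does that mechanically for the output format pasted in post #12. It is worth doing, because the stack in that dump is more informative than the blamed image (ntoskrnl.exe): the bugcheck is raised in nt!CmpAssignSecurityToKcb, inside the registry key-open path that a user-mode NtOpenKey call triggers, which is consistent with the observation that anything walking the registry (a regedit search, an anti-virus or anti-spyware registry scan) reproduces the crash. The sample text is a constructed, abridged excerpt modelled on the dump above; the function names and the dataclass layout are mine, and the Arg3/Arg4 labels repeat only what the bugcheck text itself says ("may be pointer to hive" / "may be return code of HvCheckHive"), not a confirmed diagnosis.

```python
"""Parse WinDbg/kd `!analyze -v` text (the format pasted in post #12) into a
structured summary. Added example, not from the thread or Microsoft; the
sample below is a constructed excerpt modelled on the thread's dump."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_ANALYZE_OUTPUT = """\
BugCheck 51, {4, 1, e2dbb680, 618}
REGISTRY_ERROR (51)
STACK_TEXT:
af8fa90c 8060c2a6 00000051 00000004 00000001 nt!KeBugCheckEx+0x1b
af8fa930 8058d544 00000008 00000618 dab07e1c nt!CmpAssignSecurityToKcb+0x3f
af8fa958 8058b6c7 e1035b60 00406e18 dab07e1c nt!CmpCreateKeyControlBlock+0x1b5
af8fa9a8 805679a0 e1035b60 00406e18 dab07e1c nt!CmpDoOpen+0xf4
af8faba0 805676b5 00406e18 00406e18 88b47b70 nt!CmpParseKey+0x558
af8fac28 8056749a 000000cc af8fac68 00000040 nt!ObpLookupObjectName+0x119
af8fac7c 80567dfd 00000000 8a738650 00000001 nt!ObOpenObjectByName+0xeb
af8fad50 804de7ec 0007f478 00000009 0007f3d8 nt!NtOpenKey+0x1af
af8fad50 7c90eb94 0007f478 00000009 0007f3d8 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0007f418 00000000 00000000 00000000 00000000 0x7c90eb94

SYMBOL_NAME: nt!CmpAssignSecurityToKcb+3f
IMAGE_NAME: ntoskrnl.exe
FAILURE_BUCKET_ID: 0x51_nt!CmpAssignSecurityToKcb+3f
"""

# One x86 `kb` frame: ChildEBP RetAddr Args-to-Child(x3) Symbol
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)\s*$")
BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
BUGCHECK_NAME_RE = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9A-Fa-f]+)\)\s*$", re.M)


@dataclass
class StackFrame:
    ret_addr: int
    args: List[int]
    symbol: str


@dataclass
class CrashSummary:
    bugcheck_code: int
    bugcheck_name: Optional[str]
    args: List[int]
    image_name: Optional[str]
    bucket_id: Optional[str]
    frames: List[StackFrame] = field(default_factory=list)
    unreliable_frames: bool = False  # kd warned that a frame IP is in no known module


def _field(text: str, key: str) -> Optional[str]:
    m = re.search(rf"^{key}:\s*(\S+)", text, re.M)  # "KEY: value" line
    return m.group(1) if m else None


def parse_analyze_output(text: str) -> CrashSummary:
    m = BUGCHECK_RE.search(text)
    if not m:
        raise ValueError("no 'BugCheck <code>, {...}' line found")
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).replace(" ", "").split(",") if a]
    nm = BUGCHECK_NAME_RE.search(text)  # e.g. "REGISTRY_ERROR (51)"
    name = nm.group(1) if nm and int(nm.group(2), 16) == code else None

    frames, unreliable, in_stack = [], False, False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and not line.strip():  # blank line closes the block
            break
        elif in_stack and line.startswith("WARNING: Frame IP not in any known module"):
            unreliable = True
        elif in_stack and (fm := FRAME_RE.match(line)):
            frames.append(StackFrame(int(fm.group(2), 16),
                                     [int(fm.group(i), 16) for i in (3, 4, 5)],
                                     fm.group(6)))
    return CrashSummary(code, name, args, _field(text, "IMAGE_NAME"),
                        _field(text, "FAILURE_BUCKET_ID"), frames, unreliable)


def syscall_entry(summary: CrashSummary) -> Optional[str]:
    """The nt!Nt* frame nearest the fault: the system service the crashing
    thread entered from user mode (NtOpenKey in the thread's dump)."""
    for fr in summary.frames:
        m = re.match(r"^nt!(Nt[A-Za-z0-9]+)\+", fr.symbol)
        if m:
            return m.group(1)
    return None


def registry_error_details(summary: CrashSummary) -> Optional[Dict[str, int]]:
    """Bugcheck 0x51 only: Arg3/Arg4 under the meaning the bugcheck text gives
    them ("may be pointer to hive" / "may be return code of HvCheckHive")."""
    if summary.bugcheck_code != 0x51 or len(summary.args) < 4:
        return None
    return {"possible_hive_pointer": summary.args[2],
            "possible_hvcheckhive_return_code": summary.args[3]}
```

Run it on a pasted `!analyze -v` transcript and compare the `syscall_entry` result across several crashes: if every dump of the same bucket enters through NtOpenKey or another registry service, the fault follows registry access rather than a particular scanner, which is the distinction post #11's "google the IMAGE_NAME" step cannot make when the blamed image is the kernel itself.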

#13 suebaby41
    W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 28 October 2007 - 09:26 AM

I was also running AVG 7.5, Ad-Aware 2007, Spybot S&D, SpywareBlaster and A2 (all free versions except for AVG which was a full featured trial version with a few days left before it expires)

I uninstalled both AVG and Ad-Aware. I also uninstalled SpywareBlaster and A2 just to be sure.

Did you reinstall AVG 7? It is very important that your computer has an antivirus software running on your machine.

I did not see any obvious signs of malware.

I recommend that you read the following: Demystifying the Blue Screen of Death and NTOSKRNL.EXE is missing or corrupt. Reading these two articles may give you more information.

Please post your question(s) in BleepingComputer's Computer Forum, Windows XP Home and Professional, where the computer experts may help you. My expertise is dealing with malware and I prefer that you get the help of computer expert(s) in solving your problem. Please include a link to this thread so that the computer experts may see what we have done.

#14 bart_central
  • Topic Starter
  • Members
  • 12 posts

Posted 29 October 2007 - 04:34 PM

I did reinstall AVG 7.5, Ad-Aware, Spywareblaster and A2 Free. AVG still crashes my system when doing a registry scan. I checked out the two links. Alas, I don't think my problem is a bad ntoskrnl.exe since everything else seems to work just fine. I'll go ahead and post something to "Windows XP Home and Professional" and pick it up from there (with a link back to this topic). Thanks for all the help over on the HijackThis/malware removal side.

#15 suebaby41
    W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 29 October 2007 - 07:08 PM

You are welcome. I feel sure that someone in the WindowsXP Home and Professional Forum will be able to help you.

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.