Explorer Desktop Hijacked


This topic is locked
15 replies to this topic

#1 SOTY


  • Members
  • 11 posts

Posted 01 November 2007 - 07:20 AM

I have run all the programs: Ad-Aware, AVG, CWShredder, etc. My desktop icons for Explorer, My Computer, etc. are not working. Had two trojans, Downloader.Agent.SUO and Downloader.Generic6.QHV, attack the machine.

Please Help!!!

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:18 PM, on 10/31/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\system32\dtxftx6bv.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msupd18375.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wspvs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - (no file)
O2 - BHO: (no name) - {1834CBF4-F519-4888-987F-02926B77C19F} - C:\WINDOWS\System32\HpWiaPtpu.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D7EE5B1B-3360-498F-A652-1CF5D32E370A} - c:\windows\system32\qba32t.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dtxftx6bv] C:\WINDOWS\system32\dtxftx6bv.exe
O4 - HKCU\..\Run: [dtxftx6bv] C:\WINDOWS\system32\dtxftx6bv.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: msupd18375.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Netnews - {29C63EA0-E3FF-11D3-B3FE-82FE36C08720} - news:worldnet.help.new-users (file missing) (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {1C854D5E-66D9-11D3-81DD-00A0C9B62983} (TestX Class) - http://www.expressit.com/Plugin/3DGreetings/PlayerX.CAB
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
O16 - DPF: {340FBD92-B7BB-11D2-8299-00104B27F81B} (ScanCtl Class) - http://outpost.zdnet.com/updates/resources/updates.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shopintuit.com/Executables/IE/IDA.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/components/ocx/Survid/MSSurVid.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {BC879464-FEA5-11D3-80FD-005004C3CC3F} (DownLoadPhoneFree Class) - http://phonefree.interactive.net/ClientDownLoad.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: bw+0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw+0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw-0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw-0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw00 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw00s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw10 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw10s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw20 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw20s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw30 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw30s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw40 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw40s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw50 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw50s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw60 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw60s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw70 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw70s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw80 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw80s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw90 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw90s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwa0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwa0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwb0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwb0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwc0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwc0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwd0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwd0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwe0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwe0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwf0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwf0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\GAPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwg0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwg0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwh0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwh0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwi0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwi0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwj0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwj0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwk0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwk0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwl0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwl0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwm0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwm0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwn0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwn0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwo0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwo0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwp0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwp0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwq0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwq0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwr0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwr0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bws0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bws0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwt0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwt0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwu0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwu0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwv0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwv0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bww0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bww0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwx0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwx0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwy0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwy0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwz0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwz0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: offline-8876480 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
O20 - Winlogon Notify: tkcderci - qba32t.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Server Peer Verification Service (wspvs) - Unknown owner - C:\WINDOWS\system32\wspvs.exe (file missing)

--
End of file - 19781 bytes
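The entries in this log that decide the case are the persistence points rather than the long O16/O18 lists: the F2 UserInit value that chains wspvs.exe after userinit.exe, the O4 Run keys and Startup-folder item for dtxftx6bv.exe and msupd18375.exe, the O20 Winlogon Notify DLLs that are no longer on disk, and the O23 services with "Unknown owner" and a binary under dllcache. The script below is an added example written for this thread; it is not part of the original post and not HijackThis code. It parses those HijackThis line formats and ranks entries with a few simple heuristics (file missing, no vendor, dllcache location, raw .exe in the Startup folder, machine-looking file names, and a second pass that flags a binary wherever else it appears once it has been implicated). The heuristics are assumptions of this example, and the sample log is a subset of lines copied from the post above.

```python
"""Triage the persistence entries in a HijackThis log (added example for this
thread, not HijackThis code): parse the F2/O2/O4/O20/O23 line formats and apply
simple heuristics, which are assumptions of this example, to rank entries."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section subject reason")  # tag, file name, why

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wspvs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D7EE5B1B-3360-498F-A652-1CF5D32E370A} - c:\windows\system32\qba32t.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dtxftx6bv] C:\WINDOWS\system32\dtxftx6bv.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'Default user')
O4 - Global Startup: msupd18375.exe
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
O20 - Winlogon Notify: tkcderci - qba32t.dll (file missing)
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Server Peer Verification Service (wspvs) - Unknown owner - C:\WINDOWS\system32\wspvs.exe (file missing)
"""

_LINE = re.compile(r"^(?P<tag>[A-Z]\d+) - (?P<body>.*)$")
_USERINIT = re.compile(r"^REG:system\.ini: UserInit=(?P<value>.*)$")
_PARSERS = {  # body formats of the sections this triage looks at
    "O4": re.compile(r"^(?P<key>.+?): (?:\[(?P<label>[^\]]*)\] )?(?P<field>.*)$"),
    "O20": re.compile(r"^Winlogon Notify: (?P<label>.+?) - (?P<field>.*)$"),
    "O23": re.compile(r"^Service: (?P<label>.+?)(?: \([^)]+\))? - (?P<owner>.+?) - (?P<field>.*)$"),
    "O2": re.compile(r"^BHO: (?P<label>.+?) - \{[^}]+\} - (?P<field>.*)$"),
}
_MISSING = re.compile(r"\s*\((?:file missing|no file)\)\s*$")
_FIRST_TOKEN = re.compile(r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def userinit_extras(value):
    """Everything chained onto the UserInit value besides the real userinit.exe."""
    return [p.strip() for p in value.split(",") if p.strip() and basename(p.strip()).lower() != "userinit.exe"]

def looks_random(name):
    """Heuristic: 3+ digits, or a run of 6+ letters without a vowel, in the file stem."""
    stem = name.rsplit(".", 1)[0].lower()
    digits = sum(ch.isdigit() for ch in stem)
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", stem)  # y is treated as a vowel
    return digits >= 3 or max((len(r) for r in runs), default=0) >= 6

def parse_entry(line):
    """Return (tag, key, label, path, missing, owner) for an O2/O4/O20/O23 line, else None."""
    m = _LINE.match(line.strip())
    if not m or m.group("tag") not in _PARSERS:
        return None
    tag = m.group("tag")
    o = _PARSERS[tag].match(m.group("body"))
    if not o:
        return None
    g = o.groupdict()
    missing = bool(_MISSING.search(g["field"]))
    path = _MISSING.sub("", g["field"]).strip()
    if tag == "O4" and " = " in path:   # Startup-folder shortcut: "name.lnk = target"
        path = path.split(" = ", 1)[1]
    elif tag == "O4":                   # Run-key command line: keep the program, drop arguments
        t = _FIRST_TOKEN.match(path)
        path = (t.group("quoted") or t.group("bare")) if t else path
    return tag, g.get("key", ""), g.get("label") or "", path, missing, g.get("owner", "")

def triage(log_text):
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = _LINE.match(line.strip())
        if m and m.group("tag") == "F2":
            u = _USERINIT.match(m.group("body"))
            for extra in (userinit_extras(u.group("value")) if u else []):
                findings.append(Finding("F2", basename(extra), "chained onto UserInit: runs at every logon"))
            continue
        parsed = parse_entry(line)
        if parsed is None:
            continue
        tag, key, label, path, missing, owner = parsed
        name = basename(path) or label
        seen.add((tag, name))
        checks = [
            (missing, "file is not on disk (removed, or hidden from the scanner)"),
            (owner == "Unknown owner", "service binary carries no vendor information"),
            ("\\dllcache\\" in path.lower(), "sits in the Windows File Protection cache, not a service location"),
            (key == "Global Startup" and name.lower().endswith(".exe"), "raw executable in the Startup folder, not a shortcut"),
            (looks_random(name), "file name looks machine-generated"),
        ]
        findings += [Finding(tag, name, why) for hit, why in checks if hit]
    # Second pass: a binary implicated once is suspect wherever else it is registered.
    flagged = {(f.section, f.subject) for f in findings}
    implicated = {f.subject.lower() for f in findings}
    for tag, name in sorted(seen):
        if (tag, name) not in flagged and name.lower() in implicated:
            findings.append(Finding(tag, name, "same binary is already implicated elsewhere in the log"))
    return findings
```

Run `triage()` over the whole log rather than the subset and read the output as an ordering of what to look at, not a verdict: the consonant-run rule also trips on hpztsb04.exe from the HP print driver, which is exactly why the "Unknown owner", "(file missing)" and UserInit checks carry more weight than the name heuristic.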


#2 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 01 November 2007 - 09:48 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, SOTY.
My name is Richie and I'll be helping you to fix your problems.


Turn off Logitech Desktop Messenger.
This program does not need to start automatically, as you can run it when you need to.
It is advised that you disable it so that it does not take up system resources.
Go to Start > All Programs > Logitech and click on Desktop Messenger.
There are two check boxes, which are self-descriptive.
You can choose to disable either or both check boxes.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O18 - Protocol: bw+0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw+0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw-0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw-0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw00 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw00s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw10 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw10s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw20 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw20s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw30 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw30s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw40 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw40s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw50 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw50s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw60 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw60s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw70 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw70s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw80 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw80s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw90 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bw90s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwa0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwa0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwb0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwb0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwc0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwc0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwd0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwd0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwe0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwe0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwf0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwf0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\GAPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwg0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwg0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwh0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwh0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwi0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwi0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwj0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwj0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwk0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwk0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwl0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwl0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwm0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwm0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwn0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwn0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwo0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwo0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwp0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwp0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwq0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwq0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwr0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwr0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bws0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bws0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwt0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwt0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwu0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwu0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwv0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwv0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bww0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bww0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwx0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwx0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwy0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwy0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwz0 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: bwz0s - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
O18 - Protocol: offline-8876480 - {189A8621-A966-11DB-B403-B992FD2C7E35} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
Exit HijackThis.


If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log please.

Edited by RichieUK, 01 November 2007 - 09:59 AM.


#3 SOTY
  • Topic Starter
  • Members
  • 11 posts

Posted 01 November 2007 - 10:16 AM

Richie,
Thanks for the help!!! I will create the HJT folder, fix the messenger, and I have downloaded ComboFix. Please be patient with me as I have to do this at work and then apply the actions at home. Obviously this will take a while. Also I cannot download at home as Explorer is hosed. Some of the other commands may test my old DOS expertise.

Edited by SOTY, 01 November 2007 - 10:24 AM.


#4 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 01 November 2007 - 04:39 PM

Ok, thanks for the update.

#5 SOTY
  • Topic Starter
  • Members
  • 11 posts

Posted 02 November 2007 - 07:15 AM

As instructed, here is the Combo Fix log and an updated HiJackThis log. The 10/28 entries appear to be the suspicious ones as that is the day I updated my NVidia drivers. Thanks again for all your help!

ComboFix 07-11-01.1 - Ed Sota 11/01/2007 17:35:30.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1033.18.161 [GMT -5:00]
Running from: C:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\hosts
C:\WINDOWS\start.exe
C:\WINDOWS\system32\smsc.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

2007-11-01 17:35 16,384 --a----t- C:\WINDOWS\SYSTEM32\Perflib_Perfdata_2f8.dat
2007-11-01 17:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 17:28 1,531,444 --a------ C:\ComboFix.exe
2007-10-31 20:12 <DIR> d-------- C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 19:18 <DIR> d-------- C:\FOUND.004
2007-10-30 05:35 <DIR> d-------- C:\Program Files\RegCure
2007-10-28 11:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\AppCert
2007-10-28 11:06 94,208 --a------ C:\WINDOWS\SYSTEM32\HpWiaPtpu.dll
2007-10-28 11:06 15,872 --a------ C:\WINDOWS\SYSTEM32\dtxftx6bv.exe
2007-10-28 06:09 <DIR> d-------- C:\FOUND.003
2007-10-28 04:53 <DIR> d-------- C:\WINDOWS\All Users\Application Data\nView_Profiles
2007-10-28 04:49 <DIR> d-------- C:\WINDOWS\nview
2007-10-28 04:49 172,032 --a------ C:\WINDOWS\SYSTEM32\nvudisp.exe
2007-10-28 04:48 <DIR> d-------- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-09 02:57 103,441 ----a-w C:\my2.exe
2007-08-08 03:38 5,319,297 ------w C:\avg7qt.dat
2007-04-08 22:12 305 ---h--w C:\Program Files\desktop.ini
2007-04-08 22:08 21,952 ---h--w C:\Program Files\folder.htt
2004-10-22 15:41 82,808 ----a-w C:\Documents and Settings\Ed Sota\Application Data\GDIPFONTCACHEV1.DAT
2003-08-18 12:14 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2002-07-24 17:00 32,528 ----a-w C:\WINDOWS\inf\wbfirdma.sys
2001-01-18 21:13 12,400 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1834CBF4-F519-4888-987F-02926B77C19F}]
10/25/01 02:55p 94208 --a------ C:\WINDOWS\System32\HpWiaPtpu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7EE5B1B-3360-498F-A652-1CF5D32E370A}]
c:\windows\system32\qba32t.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [07/24/02 12:00p C:\WINDOWS\SYSTEM32\systray.exe]
"Synchronization Manager"="mobsync.exe" [07/24/02 12:00p C:\WINDOWS\SYSTEM32\mobsync.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [10/25/01 10:55a]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [10/24/07 08:06p]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [03/26/05 06:38a]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [08/18/03 07:12a]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/03 10:22a]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [03/12/04 09:09p]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [03/12/04 09:17p]
"WINDVDPatch"="CTHELPER.EXE" [07/02/02 05:56p C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/00 01:00a]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [11/29/01 01:00a]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [07/15/04 11:42a]
"nwiz"="nwiz.exe" [07/15/04 11:42a C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [07/15/04 11:42a]
"dtxftx6bv"="C:\WINDOWS\system32\dtxftx6bv.exe" [08/25/03 10:30a]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dtxftx6bv"="C:\WINDOWS\system32\dtxftx6bv.exe" [08/25/03 10:30a]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/07 04:46p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"Printing Migration"=rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Server Peer Verification Service"="C:\WINDOWS\system32\wspvs.exe" *

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-01-21 15:43:06]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
msupd18375.exe [2007-10-28 11:06:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tkcderci]
qba32t.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PhotoShow Deluxe Media Manager"=C:\PROGRA~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Multi-function Keyboard"=GWHotKey.exe
"Iomega Startup Options"=C:\Program Files\Iomega\Common\ImgStart.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\hpztsb04.exe
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
"Propel Accelerator"="C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
"Symantec Core LC"=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" -atboottime
"mdac_runonce"=C:\WINDOWS\system32\RUNONCE.EXE
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"IndexSearch"=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
"OneTouch Monitor"=C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
"StillImageMonitor"=C:\WINDOWS\system32\STIMON.EXE
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"ScanRegistry"=C:\WINDOWS\scanregw.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CSINJECT.EXE"=C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exe

R0 ultra66;ultra66;C:\WINDOWS\System32\DRIVERS\ultra66.sys
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINDOWS\System32\Drivers\avg7rsnt.sys
R3 3cpciadi;3Com Windows Modem Driver PCI ADI;C:\WINDOWS\System32\DRIVERS\3cpciadi.sys
R3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\System32\DRIVERS\hphid409.sys
R3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\System32\DRIVERS\hphipr09.sys
R3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\System32\Drivers\hphs2k09.sys
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\System32\drivers\hphius09.sys
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\lne100v5.sys
R3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\System32\DRIVERS\usbscan.sys
S2 mshexdefx;ms hexidecimal defx;"C:\WINDOWS\system32\dllcache\ivchost.exe"
S2 wspvs;Windows Server Peer Verification Service;C:\WINDOWS\system32\wspvs.exe
Start Pending2 oiwqmhqq;Microsoft USB Standard Hub Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oiwqmhqq

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\System32\tcpconn.exe /r
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 14:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-10-28 23:49:48 C:\WINDOWS\Tasks\At1.job"
"2007-10-30 10:35:52 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-01 22:00:08 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 17:37:56
Windows 5.0.2195 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 11/01/2007 17:38:33
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:02 PM, on 11/1/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\system32\dtxftx6bv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
D:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wspvs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - (no file)
O2 - BHO: (no name) - {1834CBF4-F519-4888-987F-02926B77C19F} - C:\WINDOWS\System32\HpWiaPtpu.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D7EE5B1B-3360-498F-A652-1CF5D32E370A} - c:\windows\system32\qba32t.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dtxftx6bv] C:\WINDOWS\system32\dtxftx6bv.exe
O4 - HKCU\..\Run: [dtxftx6bv] C:\WINDOWS\system32\dtxftx6bv.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: msupd18375.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Netnews - {29C63EA0-E3FF-11D3-B3FE-82FE36C08720} - news:worldnet.help.new-users (file missing) (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {1C854D5E-66D9-11D3-81DD-00A0C9B62983} (TestX Class) - http://www.expressit.com/Plugin/3DGreetings/PlayerX.CAB
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
O16 - DPF: {340FBD92-B7BB-11D2-8299-00104B27F81B} (ScanCtl Class) - http://outpost.zdnet.com/updates/resources/updates.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shopintuit.com/Executables/IE/IDA.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/components/ocx/Survid/MSSurVid.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {BC879464-FEA5-11D3-80FD-005004C3CC3F} (DownLoadPhoneFree Class) - http://phonefree.interactive.net/ClientDownLoad.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - Winlogon Notify: tkcderci - qba32t.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Server Peer Verification Service (wspvs) - Unknown owner - C:\WINDOWS\system32\wspvs.exe (file missing)

--
End of file - 7691 bytes

#6 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 02 November 2007 - 12:09 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\WINDOWS\SYSTEM32\HpWiaPtpu.dll
C:\WINDOWS\SYSTEM32\dtxftx6bv.exe
C:\my2.exe
C:\WINDOWS\Tasks\At1.job
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1834CBF4-F519-4888-987F-02926B77C19F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7EE5B1B-3360-498F-A652-1CF5D32E370A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dtxftx6bv"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dtxftx6bv"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Server Peer Verification Service"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tkcderci]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
Driver::
mshexdefx
wspvs

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
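To make the reasoning behind the CFScript above visible, here is an added Python triage script (not part of this thread, ComboFix or HijackThis) that reads HijackThis-format lines, flags the patterns the helper acted on (unnamed BHOs, "(file missing)" autostarts, services with an unknown owner, the same Run value under both HKLM and HKCU) and lays the hits out in the File::/Registry::/Driver:: sections shown in the post. The sample lines are constructed from the logs posted here, and the heuristics are this example's own; a person still decides what is actually removed.

```python
import re
from collections import defaultdict

# Constructed sample input in HijackThis v2 log format. The names, CLSIDs and
# paths are copied from the logs posted in this thread purely as input data.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1834CBF4-F519-4888-987F-02926B77C19F} - C:\WINDOWS\System32\HpWiaPtpu.dll
O2 - BHO: (no name) - {D7EE5B1B-3360-498F-A652-1CF5D32E370A} - c:\windows\system32\qba32t.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dtxftx6bv] C:\WINDOWS\system32\dtxftx6bv.exe
O4 - HKCU\..\Run: [dtxftx6bv] C:\WINDOWS\system32\dtxftx6bv.exe
O20 - Winlogon Notify: tkcderci - qba32t.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)
O23 - Service: Windows Server Peer Verification Service (wspvs) - Unknown owner - C:\WINDOWS\system32\wspvs.exe (file missing)
"""

# Registry locations the CFScript in this thread targets, in ComboFix's notation.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# Line shapes of the HijackThis sections involved (O2, O4, O20, O23).
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.*)$", re.I)
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^()]+)\) - (?P<owner>.+?) - (?P<path>.*)$")
RE_PATH = re.compile(r'^"?(?P<p>[A-Za-z]:\\.*?\.(?:exe|dll|sys))', re.I)


def triage(log_text):
    """Return entries worth an analyst's attention, each with a reason.
    These are heuristics, not verdicts: a person still decides what is removed,
    as the helper in this thread did before writing the CFScript."""
    findings, o4_entries, hives_by_name = [], [], defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        missing = line.endswith("(file missing)")
        m = RE_O2.match(line)
        if m:
            if m["name"] == "(no name)" or missing:
                why = "unnamed BHO" if m["name"] == "(no name)" else "BHO file missing"
                findings.append({"kind": "O2", "name": m["clsid"], "path": m["path"], "why": why})
            continue
        m = RE_O4.match(line)
        if m:
            hives_by_name[m["name"]].add(m["hive"])
            o4_entries.append(m)
            continue
        m = RE_O20.match(line)
        if m and missing:
            findings.append({"kind": "O20", "name": m["name"], "path": m["path"],
                             "why": "Winlogon Notify DLL missing"})
            continue
        m = RE_O23.match(line)
        if m and (m["owner"] == "Unknown owner" or missing):
            findings.append({"kind": "O23", "name": m["short"], "path": m["path"],
                             "why": "service with unknown owner or missing binary"})
    # The same value name under both HKLM and HKCU Run is unusual for legitimate
    # software; the dtxftx6bv entry in this thread is the pattern.
    for m in o4_entries:
        if len(hives_by_name[m["name"]]) > 1:
            findings.append({"kind": "O4", "name": m["name"], "hive": m["hive"],
                             "path": m["path"], "why": "same Run value under HKLM and HKCU"})
    return findings


def render_cfscript(findings):
    """Lay findings out in the File:: / Registry:: / Driver:: sections that
    ComboFix reads from a dropped CFScript, as in the helper's post above."""
    files, registry, drivers = [], [], []
    for f in findings:
        if f["kind"] == "O2":
            registry.append(f"[-{BHO_KEY}\\{f['name']}]")
        elif f["kind"] == "O4":
            registry += [f"[{RUN_KEYS[f['hive']]}]", f'"{f["name"]}"=-']
        elif f["kind"] == "O20":
            registry.append(f"[-{NOTIFY_KEY}\\{f['name']}]")
        elif f["kind"] == "O23":
            drivers.append(f["name"])
        p = RE_PATH.match(f["path"])
        # Only files still on disk go under File::; "(file missing)" entries are
        # orphaned references that the registry lines above already cover.
        if p and "(file missing)" not in f["path"] and p["p"] not in files:
            files.append(p["p"])
    out = []
    for header, body in (("File::", files), ("Registry::", registry), ("Driver::", drivers)):
        if body:
            out += [header] + body
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_LOG)))
```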

#7 SOTY
  • Topic Starter
  • Members
  • 11 posts

Posted 02 November 2007 - 12:28 PM

I ran Combo Fix from the C drive as I cannot drag and drop as the desktop is locked. Cannot open any folders or Control Panel or find files, My Computer, etc. Can I use a DOS command to merge the txt with the ComboFix.exe? I have been using Command Prompt to move files. Hopefully I can do as you instruct; will give it my best try.

#8 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 02 November 2007 - 01:23 PM

Are you able to follow the above ComboFix instructions in Safe Mode?
Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

#9 SOTY
  • Topic Starter
  • Members
  • 11 posts

Posted 02 November 2007 - 02:22 PM

I will try Safe Mode tonight. It is awkward as I have to take the instructions home and then report to you the next day. Any thoughts if Safe Mode does not work?

#10 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 02 November 2007 - 05:02 PM

If the above doesn't work, delete the following if you can, then restart your PC:
C:\WINDOWS\SYSTEM32\HpWiaPtpu.dll
C:\WINDOWS\SYSTEM32\dtxftx6bv.exe
C:\my2.exe
C:\WINDOWS\Tasks\At1.job

If you've still no desktop etc., you might want to try a Repair Install if you have the Windows 2000 Pro install disk.
Windows 2000 Professional Repair install:
http://www.windows2000.windowsreinstall.com/Repair/

#11 SOTY
  • Topic Starter
  • Members
  • 11 posts

Posted 05 November 2007 - 07:41 AM

Success!!! I was able to get ComboFix to the desktop to do the drag and drop. It is nice to have the desktop back. Thanks for your patience. Here are the logs from that effort. I think I need to do some security upgrades. I did run AVG again.

ComboFix 07-11-01.1 - Ed Sota 11/02/2007 19:12:58.3 - FAT32x86
Running from: C:\Documents and Settings\Ed Sota\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ed Sota\Desktop\CFScript.txt

FILE::
C:\my2.exe
C:\WINDOWS\SYSTEM32\dtxftx6bv.exe
C:\WINDOWS\SYSTEM32\HpWiaPtpu.dll
C:\WINDOWS\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\my2.exe
C:\WINDOWS\SYSTEM32\dtxftx6bv.exe
C:\WINDOWS\SYSTEM32\HpWiaPtpu.dll
C:\WINDOWS\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSHEXDEFX
-------\LEGACY_WSPVS
-------\mshexdefx
-------\wspvs


((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-02 19:18 <DIR> d-------- C:\FOUND.005
2007-11-02 18:14 2,405 --a------ C:\ComboFix.PIF
2007-11-01 17:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 20:12 <DIR> d-------- C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 19:18 <DIR> d-------- C:\FOUND.004
2007-10-30 05:35 <DIR> d-------- C:\Program Files\RegCure
2007-10-28 11:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\AppCert
2007-10-28 06:09 <DIR> d-------- C:\FOUND.003
2007-10-28 04:53 <DIR> d-------- C:\WINDOWS\All Users\Application Data\nView_Profiles
2007-10-28 04:49 <DIR> d-------- C:\WINDOWS\nview
2007-10-28 04:49 172,032 --a------ C:\WINDOWS\SYSTEM32\nvudisp.exe
2007-10-28 04:48 <DIR> d-------- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-08 03:38 5,319,297 ------w C:\avg7qt.dat
2007-04-08 22:12 305 ---h--w C:\Program Files\desktop.ini
2007-04-08 22:08 21,952 ---h--w C:\Program Files\folder.htt
2004-10-22 15:41 82,808 ----a-w C:\Documents and Settings\Ed Sota\Application Data\GDIPFONTCACHEV1.DAT
2003-08-18 12:14 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2002-07-24 17:00 32,528 ----a-w C:\WINDOWS\inf\wbfirdma.sys
2001-01-18 21:13 12,400 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
.

((((((((((((((((((((((((((((( snapshot@Thu 11-01-2007_17.38.02.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-01 21:58:48 6,780 ----a-w C:\WINDOWS\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
+ 2007-11-03 00:15:48 6,780 ----a-w C:\WINDOWS\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
- 2007-11-01 21:58:48 6,780 ----a-w C:\WINDOWS\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
+ 2007-11-03 00:15:48 6,780 ----a-w C:\WINDOWS\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
+ 2007-03-13 15:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [02-07-24 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"Synchronization Manager"="mobsync.exe" [02-07-24 12:00 C:\WINDOWS\SYSTEM32\mobsync.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [01-10-25 10:55 ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-10-24 20:06 ]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [05-03-26 06:38 ]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [03-08-18 07:12 ]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [03-10-14 10:22 ]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04-03-12 21:09 ]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04-03-12 21:17 ]
"WINDVDPatch"="CTHELPER.EXE" [02-07-02 17:56 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [00-05-11 01:00 ]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [01-11-29 01:00 ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [04-07-15 11:42 ]
"nwiz"="nwiz.exe" [04-07-15 11:42 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [04-07-15 11:42 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07-08-31 16:46 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"Printing Migration"=rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-01-21 15:43:06]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
msupd18375.exe [2007-10-28 11:06:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PhotoShow Deluxe Media Manager"=C:\PROGRA~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Multi-function Keyboard"=GWHotKey.exe
"Iomega Startup Options"=C:\Program Files\Iomega\Common\ImgStart.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\hpztsb04.exe
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
"Propel Accelerator"="C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
"Symantec Core LC"=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" -atboottime
"mdac_runonce"=C:\WINDOWS\system32\RUNONCE.EXE
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"IndexSearch"=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
"OneTouch Monitor"=C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
"StillImageMonitor"=C:\WINDOWS\system32\STIMON.EXE
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"ScanRegistry"=C:\WINDOWS\scanregw.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CSINJECT.EXE"=C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exe

R0 ultra66;ultra66;C:\WINDOWS\System32\DRIVERS\ultra66.sys
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINDOWS\System32\Drivers\avg7rsnt.sys
R3 3cpciadi;3Com Windows Modem Driver PCI ADI;C:\WINDOWS\System32\DRIVERS\3cpciadi.sys
R3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\System32\DRIVERS\hphid409.sys
R3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\System32\DRIVERS\hphipr09.sys
R3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\System32\Drivers\hphs2k09.sys
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\System32\drivers\hphius09.sys
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\lne100v5.sys
R3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\System32\DRIVERS\usbscan.sys
Start Pending2 oiwqmhqq;Microsoft USB Standard Hub Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oiwqmhqq

.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 14:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-10-30 10:35:52 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-03 00:19:24 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 19:19:15
Windows 5.0.2195 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 19:20:45 - machine was rebooted
C:\ComboFix2.txt ... 07-11-01 18:57
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:08 PM, on 11/2/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Ed Sota\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wspvs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Netnews - {29C63EA0-E3FF-11D3-B3FE-82FE36C08720} - news:worldnet.help.new-users (file missing) (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {1C854D5E-66D9-11D3-81DD-00A0C9B62983} (TestX Class) - http://www.expressit.com/Plugin/3DGreetings/PlayerX.CAB
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
O16 - DPF: {340FBD92-B7BB-11D2-8299-00104B27F81B} (ScanCtl Class) - http://outpost.zdnet.com/updates/resources/updates.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shopintuit.com/Executables/IE/IDA.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/components/ocx/Survid/MSSurVid.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {BC879464-FEA5-11D3-80FD-005004C3CC3F} (DownLoadPhoneFree Class) - http://phonefree.interactive.net/ClientDownLoad.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6918 bytes

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:45 AM

Posted 05 November 2007 - 07:51 AM

Please disable Spybot S&D's protection, or it will interfere.
You can enable it again later once your system is clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm


Download and install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - (no file)
O3 - Toolbar: (no name) - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - (no file)
O9 - Extra button: Netnews - {29C63EA0-E3FF-11D3-B3FE-82FE36C08720} - news:worldnet.help.new-users (file missing) (HKCU)
O16 - DPF: {1C854D5E-66D9-11D3-81DD-00A0C9B62983} (TestX Class) - http://www.expressit.com/Plugin/3DGreetings/PlayerX.CAB
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
O16 - DPF: {340FBD92-B7BB-11D2-8299-00104B27F81B} (ScanCtl Class) - http://outpost.zdnet.com/updates/resources/updates.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shopintuit.com/Executables/IE/IDA.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {BC879464-FEA5-11D3-80FD-005004C3CC3F} (DownLoadPhoneFree Class) - http://phonefree.interactive.net/ClientDownLoad.cab

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.

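The entries picked out above for HijackThis to fix follow two rules: orphaned items marked '(no file)' or '(file missing)', and O16 ActiveX downloads (DPF) from sites that are not known vendors. The following is an added Python example, not code from the thread or from HijackThis, that applies those rules to log lines; the sample lines are copied from the log above, and the allowlist of DPF hosts is an assumption taken from the entries the helper left in place. The extra F2 UserInit check goes beyond what the thread discusses: it flags any executable listed besides the default userinit.exe for verification.

```python
import re

# Constructed sample: lines copied from the HijackThis log in the thread above,
# plus a header line to show that non-entry lines are skipped.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wspvs.exe
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - (no file)
O3 - Toolbar: (no name) - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: Netnews - {29C63EA0-E3FF-11D3-B3FE-82FE36C08720} - news:worldnet.help.new-users (file missing) (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {1C854D5E-66D9-11D3-81DD-00A0C9B62983} (TestX Class) - http://www.expressit.com/Plugin/3DGreetings/PlayerX.CAB
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Every HijackThis entry starts with a section code (R0, F2, O4, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

# Markers HijackThis prints when the file or CLSID target an entry points at is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Assumption: hosts whose O16 entries the helper left in place in the thread above.
# Adjust this to the ActiveX sources that are legitimately used in your environment.
KNOWN_DPF_HOSTS = {
    "www.symantec.com", "www.creative.com", "objects.compuserve.com",
    "carpoint.msn.com", "autos.msn.com",
}


def parse_hjt(log_text):
    """Return one dict per HijackThis entry line; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group("section"),
                            "body": m.group("body"),
                            "line": raw.strip()})
    return entries


def dpf_host(body):
    """Host part of the first http(s) URL in an O16 body, or None if there is none."""
    m = re.search(r"https?://([^/\s]+)", body)
    return m.group(1).lower() if m else None


def userinit_extras(body):
    """Executables listed in an F2 UserInit value other than the default userinit.exe."""
    value = body.split("UserInit=", 1)[1]
    exes = [p.strip() for p in value.split(",") if p.strip()]
    return [e for e in exes if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def triage(entries):
    """Apply the triage rules described above; returns (line, reason) pairs in log order."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append((e["line"], "orphaned entry: target is gone, safe to have HijackThis fix"))
        elif sec == "O16":
            host = dpf_host(body)
            if host not in KNOWN_DPF_HOSTS:
                findings.append((e["line"], f"ActiveX download from host not on the allowlist: {host}"))
        elif sec == "F2" and "UserInit=" in body:
            extras = userinit_extras(body)
            if extras:
                findings.append((e["line"], "non-default UserInit, verify against a known-good system: "
                                 + ", ".join(extras)))
    return findings


if __name__ == "__main__":
    for line, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}\n    {line}")
```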

#13 SOTY

SOTY
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 06 November 2007 - 08:00 AM

I ran the software and it looks like it only found cookies, which were deleted. A question: do I need to keep SuperAntiSpyware as I have AVG, AdAware and Spybot? Also, should I upgrade 2000 to SP4?
Thanks again for your help. The machine is also running faster since the other files were deleted.

Logs Below

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/05/2007 at 09:41 PM

Application Version : 3.9.1008

Core Rules Database Version : 3338
Trace Rules Database Version: 1339

Scan type : Complete Scan
Total Scan Time : 01:34:29

Memory items scanned : 299
Memory threats detected : 0
Registry items scanned : 4759
Registry threats detected : 0
File items scanned : 27544
File threats detected : 175

Adware.Tracking Cookie




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:16 PM, on 11/5/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Ed Sota\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wspvs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1194050047193
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194096708019
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/components/ocx/Survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6351 bytes

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:45 AM

Posted 06 November 2007 - 08:45 AM

A question: do I need to keep SuperAntiSpyware as I have AVG, AdAware and Spybot? Also, should I upgrade 2000 to SP4?

Uninstall SUPERAntiSpyware now if you like.
Keep AVG, AdAware and Spybot Search&Destroy.
Yes, upgrade to SP4.

Your log is clean.
If all's ok, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Download CCleaner to clear your temporary files.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
Uncheck "Cookies" under "Internet Explorer".
If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
Click Run Cleaner to run the program.
Caution:
It's not recommended to use the 'Issues' tab as it's known to find legitimate items.
Click Exit once CCleaner has finished.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

#15 SOTY

SOTY
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 06 November 2007 - 09:44 AM

I will take the final steps and upgrade per your instruction.
Looks like we are done. Thanks again for your help. I have contributed to your Pub fund. It will be under thestar@att.net.



