
Big Mess Here, Lsass One And Multi Iexplore


21 replies to this topic

#1 Fourclub

Fourclub

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:59 AM

Posted 29 January 2006 - 03:12 AM

So yeah, when I log on I immediately get like 12 Iexplore.exe's running, but no windows ever pop up. Also, I have two Lsass's, one of which tries to restart my computer sometimes. I do Run > Shutdown -a to stop this. I've done multiple scans in safe mode with both a registered XoftSpy and the free edition of Ad-Aware SE. Anyway, here is the log and I hope you can help:

Logfile of HijackThis v1.99.1
Scan saved at 1:57:38 AM, on 1/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\inet20010\services.exe
C:\WINXP\System32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
C:\WINXP\System32\RUNDLL32.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINXP\System32\r?gedit.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Utopia\Angel\Angel.exe
C:\Program Files\oebr\mcct.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\inet20010\mm4.exe
C:\WINXP\System32\wdfmgr.exe
C:\WINXP\System32\dllcache\IExplore.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\abcMover\abcMov13.exe
C:\WINXP\System32\dllcache\IExplore.exe
C:\WINXP\System32\dllcache\IExplore.exe
C:\WINXP\System32\dllcache\IExplore.exe
C:\WINXP\System32\dllcache\IExplore.exe
C:\Program Files\ARM Software\MacroMaker\MacroMaker.exe
C:\WINXP\System32\wuauclt.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINXP\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Matthew\LOCALS~1\Temp\Rar$EX00.485\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - {1BB661EF-8A27-FED9-06E0-834A418DA8B8} - C:\WINXP\System32\vbzjiq.dll
F3 - REG:win.ini: run=C:\WINXP\inet20010\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {17F63E3C-8BFF-A851-80C8-810A0658A5B9} - C:\WINXP\System32\sqtjoo.dll
O2 - BHO: (no name) - {1BB661EF-8A27-FED9-06E0-834A418DA8B8} - C:\WINXP\System32\vbzjiq.dll
O2 - BHO: (no name) - {39E50162-E8FB-CB04-8288-B56940FB8EEC} - C:\WINXP\System32\rbctuuxd.dll (file missing)
O2 - BHO: (no name) - {42E363ED-8C26-FED2-06E0-834A418EFAE8} - C:\WINXP\System32\uufijcsx.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_14.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINXP\system32\j0i9v.dll (file missing)
O2 - BHO: (no name) - {D26FA082-174B-6FEC-3BC3-11F3CA4435B4} - C:\WINXP\System32\qcmd.dll
O2 - BHO: (no name) - {E87D7D9F-CC5D-BEF8-7B97-C49E8F6752B7} - C:\WINXP\System32\lhqla.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Zolero Translator] C:\Program Files\Zolero Translator\ZoleroTranslator.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [xp_system] C:\WINXP\inet20010\services.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Coast to Coast AM] C:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe
O4 - HKCU\..\Run: [Fxaucbo] C:\WINXP\System32\r?gedit.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Assr] "C:\Program Files\oebr\mcct.exe" -vt tzt
O4 - HKCU\..\Run: [xp_system] C:\WINXP\inet20010\services.exe
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{1B521C4E-C8C4-4E64-81C9-C6009B73289F}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Startup: abcMover1.3.lnk = C:\Program Files\abcMover\abcMov13.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{AA9048CD-D99E-4775-9190-3D6A73DC4845}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: MacroMaker.lnk = ?
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{1AFD215A-6E87-4A5E-9E99-B27FE794DFCC}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotbar.com/installs/hbtool...ams/hbtools.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/180solutio...bridge-c266.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O18 - Protocol: bw+0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: avpe32 - C:\WINXP\SYSTEM32\avpe32.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINXP\System32\jjgpdoio.dll
O21 - SSODL: NlWkjVZwn - {23291C06-8983-B6AC-4B75-08EC5B2A90D5} - C:\WINXP\System32\ykuah.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINXP\TWF0dA\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINXP\System32\perfont.exe
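The log above is the kind of thing a removal helper reads by eye, looking for system binaries running from the wrong directory (services.exe under inet20010, IExplore.exe under dllcache), a second lsass/services, an image name with a character that will not render (r?gedit.exe), start pages pointing at a local HTML file, and BHO/service entries with no name or no file. The following Python script is an added example, not code from the post or from HijackThis, that applies those same checks to a HijackThis v1.99 log. The sample log is a constructed excerpt modelled on the one posted; the Cyrillic "е" substituted into the regedit line is an assumed stand-in for whatever character the forum could not display, and the rule sets are the editor's heuristics, not HijackThis's own whitelist.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the log in the post (not the full log).
# The post shows the image name as "r?gedit.exe" because the real character
# could not be rendered; a Cyrillic "е" (U+0435) is substituted here purely as
# an assumed stand-in so the look-alike check has something to catch.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\inet20010\services.exe
C:\WINXP\System32\r?gedit.exe
C:\WINXP\System32\dllcache\IExplore.exe
C:\WINXP\System32\dllcache\IExplore.exe
C:\Program Files\QuickTime\qttask.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {17F63E3C-8BFF-A851-80C8-810A0658A5B9} - C:\WINXP\System32\sqtjoo.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINXP\inet20010\services.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: avpe32 - C:\WINXP\SYSTEM32\avpe32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINXP\TWF0dA\command.exe (file missing)
""".replace("r?gedit.exe", "r\u0435gedit.exe")

# Binaries Windows keeps under <windir>\system32; a copy elsewhere deserves a look.
SYSTEM32_BINARIES = {"smss.exe", "csrss.exe", "services.exe", "lsass.exe",
                     "svchost.exe", "winlogon.exe", "spoolsv.exe"}
# Of those, the ones a healthy XP box runs exactly one instance of (svchost is not one).
SINGLETONS = {"smss.exe", "csrss.exe", "services.exe", "lsass.exe", "winlogon.exe"}
# Markers HijackThis prints for entries it could not identify or whose file is gone.
SUSPECT_MARKERS = ("(no name)", "(no file)", "(file missing)", "unknown owner")


def split_path(path):
    """Return (parent_dir, file_name), both lower-cased, for a Windows path."""
    parent, _, name = path.strip().rpartition("\\")
    return parent.lower(), name.lower()


def autostart_target(body):
    """Pull the executable path out of an O4 body such as
    'HKLM\\..\\Run: [name] "C:\\dir with spaces\\x.exe" -args' or '[name] C:\\x.exe'."""
    cmd = body.split("] ", 1)[-1].strip()
    m = re.match(r'^"?(.*?\.(?:exe|dll|bat|cmd))', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_log(text):
    """Split a HijackThis log into its running-process list and its R/F/O entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line.strip():
                in_procs = False      # blank line ends the process section
            else:
                processes.append(line.strip())
            continue
        m = re.match(r"^([RFO]\d+) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Return a list of (reason, detail) findings for the log text, in log order."""
    processes, entries = parse_log(text)
    findings = []
    names = Counter()
    for path in processes:
        parent, name = split_path(path)
        names[name] += 1
        if any(ord(ch) > 127 for ch in name):
            findings.append(("non-ascii-name", path))
        if name in SYSTEM32_BINARIES and not parent.endswith("\\system32"):
            findings.append(("misplaced-system-binary", path))
        if name == "iexplore.exe" and not parent.endswith("\\internet explorer"):
            findings.append(("misplaced-system-binary", path))
    for name, count in names.items():
        if name in SINGLETONS and count > 1:
            findings.append(("duplicate-singleton", f"{name} x{count}"))
    for code, body in entries:
        lowered = body.lower()
        if code == "O20":
            # Winlogon Notify DLLs load into winlogon itself; always list them for review.
            findings.append(("review-winlogon-notify", f"{code} - {body}"))
        elif any(marker in lowered for marker in SUSPECT_MARKERS):
            findings.append(("unidentified-entry", f"{code} - {body}"))
        elif code == "O4":
            parent, name = split_path(autostart_target(body))
            if name in SYSTEM32_BINARIES and not parent.endswith("\\system32"):
                findings.append(("autostart-of-misplaced-binary", f"{code} - {body}"))
        elif code in ("R0", "R1"):
            value = body.split("=", 1)[-1].strip().lower()
            if re.match(r"^[a-z]:\\", value):   # start page is a local file, not a URL
                findings.append(("local-file-start-page", f"{code} - {body}"))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:32} {detail}")
```

Run it against a saved log with `triage(open("hijackthis.log", encoding="utf-8").read())`. The output is a list of things to look at, not a verdict: legitimate software also produces "(no name)" BHOs, and the directory rule only knows a handful of system binaries, so every finding still needs the human check the helpers in this thread perform before anything is fixed.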


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:07:59 AM

Posted 31 January 2006 - 02:54 PM

Hi There! :thumbsup:

I am currently working on your log and am checking it with a teacher.

I will get back to you as soon as possible.

David :flowers:

#3 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:07:59 AM

Posted 01 February 2006 - 01:43 PM

Hi Fourclub

Unfortunately you have a badly infected system. There are a number of things we will need to complete, but I think we should get rid of New.Net, remove the HaxDoor infection, and then run a general removal tool first. Once that is completed, we will finish cleaning up the rest of the log. If you have any questions/queries along the way, don't hesitate to ask.

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

=========================

Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

=========================
  • Please download HDFix from here
  • After it is downloaded, create a new folder on your desktop called "HDFix" and extract all the files into the newly created folder.
  • Next, download CleanUp! Install it, but do not run it yet.
  • Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  • Locate the HSFix folder on your desktop, open it, and double-click "hdfix.bat"
  • A log will be produced which you can close out of.
  • Then run HijackThis again, close any open windows and browsers and fix these:
    O20 - Winlogon Notify: avpe32 - C:\WINXP\SYSTEM32\avpe32.dll
  • Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
Restart your computer into normal mode.

=========================

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
    ewido manual updates
=========================

Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

=========================

If it does not work on the first try, reboot and try again, as you have to be quick when you press it.

Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • DO NOT Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post the contents of the logfile c:\hslog.txt along with a new HijackThis log and the ewido log :flowers: From the logs you post I'll be able to give a more detailed fix.

David

#4 Fourclub

Fourclub
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:59 AM

Posted 01 February 2006 - 09:39 PM

I'm trying to get that HDfix. I clicked the link but cannot find it, it's just the homepage. I went to downloads and everything and still did not find it.

#5 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:07:59 AM

Posted 03 February 2006 - 03:46 AM

Hi Fourclub

We didn't know, but that tool has been removed from the site. There is another tool which will be able to remove the infection. I was about to post just the updated HDfix part, but I have included the whole fix so that you won't get confused :thumbsup:

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :flowers:

Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

=========================

Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

=========================

Download haxfix.exe.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
A red "dos window" (dos box) will open.
This message will appear:

Insert the haxdoor notify subkey without the numbers,
and then press enter:


At this point please type the following: avpe
Press Enter to continue with the fix.

If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new HijackThis log.

=========================

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite.
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido: there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
    (see also: ewido manual updates)
=========================

Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

=========================

If it does not work on the first try, reboot and try again, as you have to be quick when you press it.

Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • DO NOT Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post the contents of the logfile c:\haxfix.txt along with a new HijackThis log and the ewido log. From the logs you post I'll be able to give a more detailed fix.

David

#6 Fourclub (Topic Starter)

Posted 04 February 2006 - 08:39 PM

I did all the following including ewido scan. I had 65,830 infected objects and it started to remove them as soon as the scan ended, without giving me the option of saving a report. It then started asking me if I wanted to remove whole archives for embedded files for every single object in uploads. Doing this would have taken days so I can't get an ewido log. I did however clear all the items on the quarantine list. The multiple IExplore.exe and the double restarting lsass's are gone however. Here are the other logs, sorry.



Logfile of HijackThis v1.99.1
Scan saved at 7:32:54 PM, on 2/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\WINXP\inet20010\services.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINXP\System32\RUNDLL32.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINXP\System32\r?gedit.exe
C:\Utopia\Angel\Angel.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\oebr\mcct.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\System32\wdfmgr.exe
C:\WINXP\inet20010\mm4.exe
C:\WINXP\System32\wuauclt.exe
C:\Documents and Settings\Matthew\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - {C5467636-98A0-BE52-D17D-CA3EB62174B1} - C:\WINXP\System32\hdqqfmam.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=C:\WINXP\inet20010\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {17F63E3C-8BFF-A851-80C8-810A0658A5B9} - C:\WINXP\System32\sqtjoo.dll
O2 - BHO: (no name) - {39E50162-E8FB-CB04-8288-B56940FB8EEC} - C:\WINXP\System32\rbctuuxd.dll (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Seekmo Search Assistant Helper - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINXP\system32\j0i9v.dll (file missing)
O2 - BHO: (no name) - {C1132664-CCA7-B800-D17D-CA3EB6217ABD} - C:\WINXP\System32\yhtigque.dll
O2 - BHO: (no name) - {C5467636-98A0-BE52-D17D-CA3EB62174B1} - C:\WINXP\System32\hdqqfmam.dll
O2 - BHO: (no name) - {CB913616-848B-F87B-FC4F-89EA6BBC2CE5} - C:\WINXP\System32\fiz.dll
O2 - BHO: (no name) - {E87D7D9F-CC5D-BEF8-7B97-C49E8F6752B7} - C:\WINXP\System32\lhqla.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Zolero Translator] C:\Program Files\Zolero Translator\ZoleroTranslator.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [xp_system] C:\WINXP\inet20010\services.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Coast to Coast AM] C:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe
O4 - HKCU\..\Run: [Fxaucbo] C:\WINXP\System32\r?gedit.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [xp_system] C:\WINXP\inet20010\services.exe
O4 - HKCU\..\Run: [Assr] "C:\Program Files\oebr\mcct.exe" -vt tzt
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{1B521C4E-C8C4-4E64-81C9-C6009B73289F}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Startup: abcMover1.3.lnk = C:\Program Files\abcMover\abcMov13.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{AA9048CD-D99E-4775-9190-3D6A73DC4845}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: MacroMaker.lnk = ?
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{1AFD215A-6E87-4A5E-9E99-B27FE794DFCC}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotbar.com/installs/hbtool...ams/hbtools.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/180solutio...bridge-c266.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O18 - Protocol: bw+0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINXP\System32\jjgpdoio.dll
O21 - SSODL: NlWkjVZwn - {23291C06-8983-B6AC-4B75-08EC5B2A90D5} - C:\WINXP\System32\ykuah.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINXP\TWF0dA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINXP\System32\perfont.exe

-----------------------------------------------------------------------------------------------------------------------------

HAXFIX logfile
--------------
by Marckie


haxdoor key: avpe


searching for services....
services found


deleting services.....
[SWSC] StopService FAIL
[SWSC] DeleteService SUCCESS
[SWSC] StopService FAIL
[SWSC] DeleteService SUCCESS


rebooting the computer.....


haxdoor notify subkey: avpe


searching for services....
services not found


checking if files are found.....
avpe32.dll exist
avpe64.sys exist
klgcptini.dat exist
qz.dll exist
qz.sys exist
stt82.ini exist
ps.a3d exist
avpe32.sys not found
qm.dll not found
qm.sys not found
qy.dll not found
qy.sys not found
klogini.dll not found
p3.ini not found


deleting files.....


checking if files are deleted.....
avpe32.dll not found
avpe32.sys not found
avpe64.sys not found
klgcptini.dat not found
qm.dll not found
qm.sys not found
qy.dll not found
qy.sys not found
qz.dll not found
qz.sys not found
stt82.ini not found
klogini.dll not found
p3.ini not found
ps.a3d not found

Finished
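The "Running processes" list in the HijackThis log above is where the two symptoms of this thread show up: a services.exe running from C:\WINXP\inet20010 instead of system32, and a file name that HijackThis prints as r?gedit.exe because one character is not plain ASCII. As an added example (not code from the thread, from HijackThis or from any of the tools named here), the script below reads that block from a constructed log excerpt and flags both patterns; it infers the Windows directory from the smss.exe entry and treats every '?' or non-ASCII character as a single unknown character when matching against a list of well-known system binaries.

```python
"""Flag suspicious 'Running processes' entries in a HijackThis log.

Two signs from this thread are checked: a system binary name running from a
directory where the genuine file never lives (inet20010\\services.exe), and a
name that only resembles a system binary because one character is not plain
ASCII (HijackThis prints such a character as '?', as in r?gedit.exe).
"""
import ntpath
import re

# Sub-directory of the Windows directory holding each genuine binary; an empty
# string means the Windows directory itself (C:\WINXP on this machine).
EXPECTED_SUBDIR = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "explorer.exe": "",
    "regedit.exe": "",
}

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1 (constructed excerpt)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\inet20010\services.exe
C:\WINXP\System32\r?gedit.exe
C:\Program Files\QuickTime\qttask.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
"""


def parse_running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    paths, in_block = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_block = True
        elif in_block:
            if not line:
                break
            paths.append(line)
    return paths


def windows_dir(paths):
    """Infer the Windows directory from the smss.exe entry (its parent's parent)."""
    for p in paths:
        if ntpath.basename(p).lower() == "smss.exe":
            return ntpath.dirname(ntpath.dirname(p))
    return None


def lookalike_of(name):
    """Return the system binary 'name' imitates, or None for a genuine or unrelated name."""
    lowered = name.lower()
    if lowered in EXPECTED_SUBDIR:
        return None
    # Each '?' (HijackThis's stand-in for an unprintable character) and each
    # non-ASCII character may stand for any single character.
    pattern = "".join("." if ch == "?" or ord(ch) > 127 else re.escape(ch)
                      for ch in lowered)
    return next((k for k in EXPECTED_SUBDIR if re.fullmatch(pattern, k)), None)


def audit_processes(log_text):
    """Return [(path, reason), ...] for every suspicious running process."""
    paths = parse_running_processes(log_text)
    windir = windows_dir(paths)
    findings = []
    for p in paths:
        name, directory = ntpath.basename(p).lower(), ntpath.dirname(p)
        if name not in EXPECTED_SUBDIR:
            target = lookalike_of(name)
            if target:
                findings.append((p, "file name imitates %s" % target))
        elif windir is not None:  # without smss.exe there is no reference point
            sub = EXPECTED_SUBDIR[name]
            expected = ntpath.join(windir, sub) if sub else windir
            if directory.lower() != expected.lower():
                findings.append((p, "%s running outside %s" % (name, expected)))
    return findings


if __name__ == "__main__":
    for path, reason in audit_processes(SAMPLE_LOG):
        print("%-45s %s" % (path, reason))
```

On the sample excerpt the script reports the inet20010\services.exe entry and the r?gedit.exe entry and nothing else; the genuine system32 binaries and Explorer.EXE in C:\WINXP pass.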

#7 -David-

Posted 05 February 2006 - 12:22 PM

Hello there,

"Doing this would have taken days so I can't get an ewido log"

OK, I agree. Later on in safe mode we will run Ewido again; I have edited the instructions so that infections will be cleaned automatically.

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

We need to make your system show hidden files. We need to do this as some malware files hide, which means you cannot see them if you do not have hidden files enabled.

Make sure that you can see hidden files (Windows XP).
-Click "Start".
-Click "My Computer".
-Select the "Tools" menu and click "Folder Options".
-Select the "View" tab.
-Under the "Hidden files and folders" heading, select "Show hidden files and folders".
-Uncheck the "Hide protected operating system files (recommended)" option.
-Click "Yes" to confirm.
-Uncheck the "Hide file extensions for known file types".
-Click "OK".

Click on Start, then Control Panel, and then double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist by double-clicking on the following entries:

180 Solutions
Media Gateway


======================================

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

======================================

Open Notepad and copy and paste the following into it:

dir C:\WINXP\System32\r?gedit.exe /x /a h > files.txt
notepad files.txt

Save this as findfile.bat
Choose to save as all files.
This is how the batch must look afterwards: [screenshot of findfile.bat in Notepad, not reproduced]

Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please save this text file to a place where you can easily find it, such as the desktop.

======================================

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - {C5467636-98A0-BE52-D17D-CA3EB62174B1} - C:\WINXP\System32\hdqqfmam.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=C:\WINXP\inet20010\services.exe
O2 - BHO: (no name) - {17F63E3C-8BFF-A851-80C8-810A0658A5B9} - C:\WINXP\System32\sqtjoo.dll
O2 - BHO: (no name) - {39E50162-E8FB-CB04-8288-B56940FB8EEC} - C:\WINXP\System32\rbctuuxd.dll (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Seekmo Search Assistant Helper - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINXP\system32\j0i9v.dll (file missing)
O2 - BHO: (no name) - {C1132664-CCA7-B800-D17D-CA3EB6217ABD} - C:\WINXP\System32\yhtigque.dll
O2 - BHO: (no name) - {C5467636-98A0-BE52-D17D-CA3EB62174B1} - C:\WINXP\System32\hdqqfmam.dll
O2 - BHO: (no name) - {CB913616-848B-F87B-FC4F-89EA6BBC2CE5} - C:\WINXP\System32\fiz.dll
O2 - BHO: (no name) - {E87D7D9F-CC5D-BEF8-7B97-C49E8F6752B7} - C:\WINXP\System32\lhqla.dll (file missing)
O4 - HKLM\..\Run: [xp_system] C:\WINXP\inet20010\services.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKCU\..\Run: [Fxaucbo] C:\WINXP\System32\r?gedit.exe
O4 - HKCU\..\Run: [xp_system] C:\WINXP\inet20010\services.exe
O4 - HKCU\..\Run: [Assr] "C:\Program Files\oebr\mcct.exe" -vt tzt
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotbar.com/installs/hbtool...ams/hbtools.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/180solutio...bridge-c266.cab
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINXP\System32\jjgpdoio.dll
O21 - SSODL: NlWkjVZwn - {23291C06-8983-B6AC-4B75-08EC5B2A90D5} - C:\WINXP\System32\ykuah.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINXP\TWF0dA\command.exe (file missing)
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINXP\System32\perfont.exe


Optional Fixes:

WeatherBug is a system tray icon that offers weather information and includes built-in ads. WeatherBug is controlled by AWS Convergence Technologies (weatherbugmedia.com).
There is some controversy over whether WeatherBug should be targeted by anti-parasite software. AWS strongly deny their software is ‘spyware’, and by the definition used here, it is not, as it does not leak information back to its controlling servers.
However, WeatherBug has in the past been silently installed by the FavoriteMan parasite and Freeze.com screensavers, and more recently has been bundled by software such as AIM and Blubster. This makes it ‘unsolicited’, and since it is installed to raise money for its creators through the built-in ads it is certainly ‘commercial’. So it does meet the definition for ‘parasite’: unsolicited commercial software. It is nonetheless listed as a borderline case because it is not overtly harmful and many people do install it deliberately.
WeatherBug bundles the MySearch parasite in its standalone distribution and has in the past installed Gator and SVAPlayer.


Entries to include:

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)


You have PowerReg Scheduler in your log. This is a registration reminder that is used by a number of different companies. It is not needed and some people think that it reports back to the company about your computer, so I suggest fixing it.


Entries to include:

O4 - Startup: PowerReg Scheduler.exe

The MySearch and MyWay variants have been bundled with Grokster, Morpheus, WeatherBug, and software from mgshareware.com. MySearch has also been installed by the FavoriteMan parasite.
The MyWeb variant is bundled with software (Popswatter, SmileyCentral, My Mail Stamp) from “Fun Web Products” (also the same people as MyWay).


Entries to include:

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

Do you use Ultimate Bet? The reason I ask is because these sorts of betting programs are known to be installed with/by malware. If you do not use these programs I recommend you delete them:

Entries to include:

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

======================================

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

c:\secure32.html <--file
C:\WINXP\System32\hdqqfmam.dll <--file
C:\WINXP\inet20010 <--folder
C:\WINXP\System32\sqtjoo.dll <--file
C:\Program Files\seekmo <--folder
C:\WINXP\system32\j0i9v.dll <--file
C:\WINXP\System32\yhtigque.dll <--file
C:\WINXP\System32\fiz.dll <--file
C:\Program Files\MediaGateway <--folder
C:\WINXP\System32\r?gedit.exe <--file
C:\Program Files\oebr <--folder
C:\WINXP\System32\jjgpdoio.dll <--file
C:\WINXP\System32\ykuah.dll <--file
C:\WINXP\TWF0dA <--folder
C:\WINXP\System32\perfont.exe <--file

Optional (only fix these if you deleted the corresponding entries earlier):

C:\Program Files\AWS <--folder
C:\Program Files\MyWebSearch <--folder

Please run ewido again, but we are going to edit a setting:

Once you are in safe mode, do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

======================================

Reboot to normal mode

======================================

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

======================================

Generate an Uninstall List
  • Open HijackThis
  • Click on Open Misc Tools Section
  • Click on Open Uninstall Manager
  • Click on Save list
  • Save it to your Desktop
======================================

Please post:
  • A new HJT log
  • The Uninstall List you just created
  • The Ewido log (the scan should be much quicker this time! :huh:)
  • The text file results from the findfile.bat you ran earlier.
David

#8 Fourclub

Fourclub
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 05 February 2006 - 11:30 PM

Problems with Ewido again. I did what you said and clicked 'Perform actions on all' at the first prompt and had it on 'Remove'. After the scan, it started to perform the cleaning as usual. However, as soon as it got to the C:\Uploads directory it kept asking me if I want to remove the whole archive for each file, as they were embedded into it. I clicked yes over and over again, ultimately putting a weight on my enter key and letting it sit. Two hours later and only a few letters through the C:\Uploads section alphabetically, it was still asking the same thing. I didn't get the option to save a report as that cleaning wouldn't have finished for a long time. I'm sorry if it's an insult but clicking 68,000 yeses just isn't doable for me right now. I did do every other part of your instructions and here are 3 of the 4 logs:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:08 PM, on 2/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINXP\System32\nvsvc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINXP\System32\RUNDLL32.EXE
C:\Utopia\Angel\Angel.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\abcMover\abcMov13.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINXP\System32\wuauclt.exe
C:\WINXP\System32\wuauclt.exe
C:\Documents and Settings\Matthew\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {55EC799A-925A-B6FD-2C22-CFCE19BBBBBA} - C:\WINXP\System32\rtufmtmu.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O2 - BHO: (no name) - {C9437235-9AA2-B401-D17D-CA3EB62122BD} - C:\WINXP\System32\buompmlt.dll
O2 - BHO: (no name) - {E87D7D9F-CC5D-BEF8-7B97-C49E8F6752B7} - C:\WINXP\System32\lhqla.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Zolero Translator] C:\Program Files\Zolero Translator\ZoleroTranslator.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Coast to Coast AM] C:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [xp_system] C:\WINXP\inet20010\services.exe
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{1B521C4E-C8C4-4E64-81C9-C6009B73289F}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Startup: abcMover1.3.lnk = C:\Program Files\abcMover\abcMov13.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{AA9048CD-D99E-4775-9190-3D6A73DC4845}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: MacroMaker.lnk = ?
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{1AFD215A-6E87-4A5E-9E99-B27FE794DFCC}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O18 - Protocol: bw+0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINXP\TWF0dA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINXP\System32\perfont.exe (file missing)

----------------------------------------------------------------------------------------------------------------------------

UNINSTALL LIST:

abcMover 1.3
Act of War - Direct Action
Ad-Aware SE Personal
Adobe Acrobat 5.0
Advanced Batch Converter
AIM Toolbar
AN Name Editor
AOL Instant Messenger
AVS Video Converter 4.1.1.300
Backyard Football 2002
Ballistik
BHDBMS2MIS
BHDJoiner
Birthday EZ Cards
BitComet 0.60
BitComet Toolbar
Buildcity
Calc98
Call of Duty® 2
Coast to Coast AM Media Center
Crimsonland
DefilerPak 1.19 (Remove Only)
Dell ResourceCD
Delta Force - Black Hawk Down
Delta Force Black Hawk Down Team Sabre
DFBHDPinger v5.0
Diner Dash
DriveImage XML
EA SPORTS online 2005
Easy Image Convertor for Windows 95/98/00/ME/NT/XP
ewido anti-malware
FMS
Global Defense Network
Google Video Uploader
HaxFix 1.12
HijackThis 1.99.1
ICQ Toolbar
Intel® PRO Ethernet Adapter and Software
iPod for Windows 2005-09-23
iTunes
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Kick Shot Pool
LimeWire 4.10.5
Logitech Desktop Messenger
MacroMaker
Macromedia Shockwave Player
Masque Games on aim
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Age of Empires II
Microsoft Office 2000 SR-1 Premium
Microsoft Office XP Professional with FrontPage
mIRC
Mozilla (1.7.11)
Mozilla Firefox (1.5.0.1)
MSN Messenger 6.2
MSN Music Assistant
MVP Baseball 2005
MyMouse 4.3
Netscape (7.2)
Network Monitor
NVIDIA Drivers
Pool Buddy {Y} 4.1
Puzzle Pirates
QuickTime
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Seekmo Search Assistant
Sony Media Manager 2.0
Spy Sheriff
TeamSpeak 2 RC2
TeamSpeak 2 Server RC2
TikiTorch
TopText
UltimateBet
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Ventrilo Client
Ventrilo Server
Viewpoint Media Player
WeatherBug
WildTangent Web Driver
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB905915
WinRAR archiver
XAimer
Xfire (remove only)
XoftSpy
Yahoo! Messenger
Yahoo! Toolbar
Zolero Translator
ZoneAlarm

-----------------------------------------------------------------------------------------------

Findfile.bat txt,

Volume in drive C has no label.
Volume Serial Number is 2329-1C05

Directory of C:\WINXP\System32

01/30/2006 08:18 AM 405,504 RGEDIT~1.EXE r?gedit.exe
1 File(s) 405,504 bytes

Directory of C:\Documents and Settings\Matthew\Desktop

#9 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:59 AM

Posted 06 February 2006 - 02:34 PM

Edit out

Edited by D-Trojanator, 06 February 2006 - 02:35 PM.


#10 Fourclub

Fourclub
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 06 February 2006 - 03:28 PM

?

#11 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:59 AM

Posted 06 February 2006 - 05:59 PM

I just have to get my fix checked by a teacher, but I posted it here before doing so :thumbsup: Check back tomorrow.

David

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:59 AM

Posted 09 February 2006 - 09:02 AM

Hi again Fourclub.

I researched for a while and I think I have found a solution to the recurring problem with ewido. You said that it was finding hundreds and thousands of files in C:\Uploads. I took a look around and found a few users' posts such as:

I also noticed a hidden folder called C:\Uploads with 16000 zip files in it...I deleted and heard this is related to limewire...how do rid that?

I think that this is exactly the same problem that you have. I also found a number of scan logs that contained a few examples of C:\Uploads with empty zip files inside with names of software/files etc. An example of this could be:

C:\Uploads\Meet The Fockers.zip - Setup.exe WORM_VB.AQDeletion successful
C:\Uploads\Midnight Club 3 DUB Edition W-ALL.zip setup.exe WORM_VB.AQDeletion successful
C:\Uploads\Mindhunters DVDRip.zip - Setup.exe WORM_VB.AQDeletion successful


I see a bit of malware left over from the log that needs to be dealt with in a minute, but to start with I would just like you to browse to this folder:

C:\Uploads (this is a hidden file but should be visible under the settings we changed)

This folder contains a variety of illegal cracks, so I want you to delete the entire folder. This infection appears to have come from Limewire; I took a while on Google and found some more examples of where Limewire has dropped this folder. For the time being I highly recommend that you uninstall the program. When the system is clean, we can come back to installing it:

Click on start, then control panel, and then double-click on add/remove programs. From within add/remove programs, uninstall the following if they exist by double-clicking on the following entries:

LimeWire 4.10.5

=========================

I have noticed that you do not have any anti-virus protection on your computer at the moment.
  • Use Anti-Virus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
    Click here for more information on -> Computer Safety Online - Anti-Virus
I would recommend AVAST, as it is secure and free! :thumbsup: Please update the anti-virus program you chose, but do not run it yet, we will do so in safe mode. There is a guide to install/update Avast, and it can be found here.

=========================

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :flowers:

Click on start, then control panel, and then double-click on add/remove programs. From within add/remove programs, uninstall the following if they exist by double-clicking on the following entries:

Logitech Desktop Messenger
Seekmo Search Assistant
Viewpoint Media Player
WeatherBug


=========================

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

=========================

Open notepad and copy and paste the following into it:

sc stop cmdService
sc delete cmdService
sc stop "Network Monitor"
sc delete "Network Monitor"
sc stop PerfFont
sc delete PerfFont


Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: Posted Image
Doubleclick fix.bat.

=========================

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

=========================

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O2 - BHO: (no name) - {55EC799A-925A-B6FD-2C22-CFCE19BBBBBA} - C:\WINXP\System32\rtufmtmu.dll
O2 - BHO: (no name) - {C9437235-9AA2-B401-D17D-CA3EB62122BD} - C:\WINXP\System32\buompmlt.dll
O2 - BHO: (no name) - {E87D7D9F-CC5D-BEF8-7B97-C49E8F6752B7} - C:\WINXP\System32\lhqla.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
O4 - HKCU\..\Run: [xp_system] C:\WINXP\inet20010\services.exe
O18 - Protocol: offline-8876480 - {B22A8A2C-7B42-4044-AF1B-7682ADB3F388} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
<---all the O18 entries that look similar to this.
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINXP\TWF0dA\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINXP\System32\perfont.exe (file missing)


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

=========================

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINXP\System32\rtufmtmu.dll <--file
C:\WINXP\System32\buompmlt.dll <--file
C:\WINXP\inet20010 <--folder
C:\WINXP\TWF0dA <--folder
C:\Program Files\Network Monitor <--folder
C:\WINXP\System32\perfont.exe <--file
C:\WINXP\System32\RGEDIT~1.EXE <---please be careful not to delete regedit.exe
=========================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

=========================

Please now run the anti-virus program you installed earlier; I recommended Avast. Please scan the whole computer and remove all infected files.

=========================

Please reboot to normal mode and post a new HJT log.
David
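The O4 and O23 lines David singles out above share a few tell-tale traits: a service whose binary is "(file missing)", an "Unknown owner", an executable living in a freshly minted subfolder of the Windows directory (inet20010, TWF0dA), or a file that borrows the name of a core system binary (services.exe) but sits outside System32. The script below is an added example for this thread, not part of HijackThis or of David's instructions: it parses those two HJT line types and reports which traits each entry shows. It assumes the Windows directory is C:\WINXP, as in the posted log; the sample lines are copied from the log in this thread.

```python
"""Flag suspicious O4 (autorun) and O23 (service) entries in a HijackThis log.

Added example for this thread; not HijackThis code and not the helper's own
procedure. Heuristics mirror the traits visible in the posted log.
"""
import re
from pathlib import PureWindowsPath

# Assumption: the Windows directory as it appears in the posted log.
WINDOWS_DIR = PureWindowsPath(r"C:\WINXP")

# Core Windows binaries that malware likes to impersonate by name.
SYSTEM_BINARIES = {"services.exe", "lsass.exe", "svchost.exe", "csrss.exe",
                   "winlogon.exe", "smss.exe", "explorer.exe"}

# Constructed sample: lines taken from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [xp_system] C:\WINXP\inet20010\services.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINXP\TWF0dA\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINXP\System32\perfont.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))?"
                    r" - (?P<owner>.+?) - (?P<target>.+)$")


def _exe_path(command):
    """Pull the executable path out of a Run/Service command string."""
    cmd = command.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd.split('"')[1]          # "C:\path with spaces\x.exe" -args
    m = re.match(r"(?i)(.+?\.exe)", cmd)  # first token ending in .exe
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else cmd


def assess(path_str, owner=None, raw=""):
    """Return the list of suspicious traits for one executable path."""
    reasons = []
    if raw.rstrip().endswith("(file missing)"):
        reasons.append("file missing")
    if owner == "Unknown owner":
        reasons.append("unknown owner")
    p = PureWindowsPath(path_str)
    parts = [x.lower() for x in p.parts]
    win = [x.lower() for x in WINDOWS_DIR.parts]
    in_windows_dir = parts[:len(win)] == win
    # e.g. C:\WINXP\inet20010\services.exe: a brand-new folder directly under
    # the Windows directory that is neither System32 nor System.
    if (in_windows_dir and len(parts) == len(win) + 2
            and parts[len(win)] not in ("system32", "system")):
        reasons.append("binary in non-standard Windows subfolder")
    if (p.name.lower() in SYSTEM_BINARIES
            and parts[:-1] != win + ["system32"]):
        reasons.append("system binary name outside System32")
    return reasons


def scan_log(text):
    """Return (type, name, path, reasons) for every O4/O23 line with a trait."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = _exe_path(m.group("cmd"))
            reasons = assess(path, raw=line)
            if reasons:
                findings.append(("O4", m.group("name"), path, reasons))
            continue
        m = O23_RE.match(line)
        if m:
            path = _exe_path(m.group("target"))
            reasons = assess(path, m.group("owner"), line)
            if reasons:
                name = m.group("short") or m.group("display")
                findings.append(("O23", name, path, reasons))
    return findings


if __name__ == "__main__":
    for kind, name, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{kind:4} {name:16} {path}  <-- {', '.join(reasons)}")
```

Run against the sample, the four entries David told the poster to fix come back flagged and the avast and NVIDIA entries do not. Treat "unknown owner" on its own as weak evidence: the avast services in the follow-up log carry it too, because HJT simply could not read a company name. The strong signals are the missing file, the random-looking folder under the Windows directory, and a system binary's name in the wrong place.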

#13 Fourclub

Fourclub
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 10 February 2006 - 03:58 PM

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINXP\System32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Utopia\Angel\Angel.exe
C:\Program Files\abcMover\abcMov13.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINXP\System32\wuauclt.exe
C:\Documents and Settings\Matthew\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Coast to Coast AM] C:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{1B521C4E-C8C4-4E64-81C9-C6009B73289F}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Startup: abcMover1.3.lnk = C:\Program Files\abcMover\abcMov13.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{AA9048CD-D99E-4775-9190-3D6A73DC4845}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: MacroMaker.lnk = ?
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Matthew\Local Settings\Temp\{1AFD215A-6E87-4A5E-9E99-B27FE794DFCC}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:59 AM

Posted 11 February 2006 - 03:55 AM

Hi there FourClub

That log is looking much better. The important question is how is the computer running? I would just like to complete a small check to make sure the system is good to go.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Thanks very much, also let me know how the system is running...
David

#15 Fourclub

Fourclub
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 11 February 2006 - 02:35 PM

I need Internet Explorer 5.0 or better, which I do not have and can't buy right now. My computer is running fine except that once in a while it's almost like my Firefox resets. The homepage is reset, the websites cleared out, bookmarks cleared, etc. And then when I try to click buttons like those on Google, it does nothing. I click the button and that's it, nothing loads. It's very weird and at the moment I'm stuck to using Mozilla.