
Av-gold + Misc


3 replies to this topic

#1 prongo


Posted 26 September 2006 - 05:12 PM

Hello,

I have a friend's computer reporting AV-Gold and various other spyware. It's running Windows XP, service pack 2 with updates, McAfee antivirus suite w/firewall, Adaware SE, Spybot and Ewido antispyware.

I searched these forums and followed the instructions to remove AVGold using the smitfraud fix tool, as well as following the stickied procedure prior to posting a HijackThis log. The infection still won't go away and I would be grateful for any help I can get.

Spybot keeps reporting AVGold and telling me to reboot and rerun the scan. I have done this in safe mode and normal booting, and it always says it cannot remove it from memory. McAfee and Ewido report no infections. Ad-Aware always reports one bad registry entry as: malware.topspyware, no matter how many times I run the scan and reboot the system.

I have updated Ad-aware SE, Ewido Antispyware, McAfee, Spybot and Windows XP with all the latest patches.

Logfile of HijackThis v1.99.1
Scan saved at 2:36:03 PM, on 09/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Install\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: bw+0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {8315861D-4D64-4E90-A4FA-7CCBC9CDA885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Here's the online Panda Activescan log:

Spyware:Cookie/66.246.209 Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@66.246.209[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@adultfriendfinder[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@belnk[1].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@c.fsx[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@ccbill[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@cgi-bin[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@dist.belnk[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@go[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@kinghost[1].txt
Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@teensforcash[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@webpower[2].txt
Spyware:Cookie/SpySheriff Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@www.spysheriff[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@xiti[1].txt
Spyware:Spyware/Smitfraud Not disinfected C:\Documents and Settings\amber krings\Local Settings\Temp\AGLanguage.ini
Potentially unwanted tool:Application/PsGuard Not disinfected C:\Documents and Settings\amber krings\Local Settings\Temp\PSGuardInstall.exe[PSGuard.exe]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\devon krings\Cookies\devon krings@adopt.hbmediapro[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\devon krings\Cookies\devon krings@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\devon krings\Cookies\devon krings@atwola[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\devon krings\Cookies\devon krings@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\devon krings\Cookies\devon krings@belnk[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\devon krings\Cookies\devon krings@c2.gostats[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\devon krings\Cookies\devon krings@cgi-bin[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\devon krings\Cookies\devon krings@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\devon krings\Cookies\devon krings@dist.belnk[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\devon krings\Cookies\devon krings@i.screensavers[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\devon krings\Cookies\devon krings@searchportal.information[1].txt
Spyware:Spyware/Smitfraud Not disinfected C:\Documents and Settings\devon krings\Local Settings\Temp\AGLanguage.ini
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\mary leggett\Cookies\mary leggett@adultfriendfinder[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mary leggett\Cookies\mary leggett@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mary leggett\Cookies\mary leggett@dist.belnk[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\tom leggett\Cookies\tom leggett@cgi-bin[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\tom leggett\Cookies\tom leggett@i.screensavers[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\tom leggett\Cookies\tom leggett@searchportal.information[1].txt
Spyware:Spyware/Smitfraud Not disinfected C:\Documents and Settings\tom leggett\Local Settings\Temp\AGLanguage.ini
Adware:Adware/Comet Not disinfected C:\Documents and Settings\tom leggett\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\sinstaller2[1].exe
Adware:adware/oemji Not disinfected C:\Documents and Settings\tracy krings\Application Data\defaultgood.wl
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\tracy krings\Application Data\Mozilla\Firefox\Profiles\zg7w2ah8.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\tracy krings\Application Data\Mozilla\Firefox\Profiles\zg7w2ah8.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\tracy krings\Application Data\Mozilla\Firefox\Profiles\zg7w2ah8.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\tracy krings\Application Data\Mozilla\Firefox\Profiles\zg7w2ah8.default\cookies.txt[.hc2.humanclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\tracy krings\Application Data\Mozilla\Firefox\Profiles\zg7w2ah8.default\cookies.txt[.hc2.humanclick.com/hc/61277454]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\tracy krings\Application Data\Mozilla\Firefox\Profiles\zg7w2ah8.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\tracy krings\Application Data\Mozilla\Firefox\Profiles\zg7w2ah8.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\tracy krings\Application Data\Mozilla\Firefox\Profiles\zg7w2ah8.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\tracy krings\Application Data\Mozilla\Firefox\Profiles\zg7w2ah8.default\cookies.txt[.tickle.com/]
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\tracy krings\Application Data\Mozilla\Firefox\Profiles\zg7w2ah8.default\cookies.txt[.webpower.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\tracy krings\Desktop\SmitfraudFix\Process.exe
Dialer:dialer.bny Not disinfected C:\WINDOWS\pcconfig.dat


#2 OldTimer


    Malware Expert



Posted 04 October 2006 - 05:08 PM

Hello prongo and welcome to the BC HijackThis forum. I see no signs of viruses or malware in the log. It is clean.

The Panda report is only showing items in the temp folders and cookies. Let's use a cleaner to clean these items out.

Download CCleaner and install it. Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

If Spybot is showing an alert for a memory process, post that specific information back here and I will have a look at it.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
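The triage OldTimer applies to the Panda report above (cookies and temp-folder items versus anything else) can be done mechanically. The PowerShell below is an added example, not part of the thread: it parses ActiveScan report lines into category, name, status and path, classifies each hit by where it sits on disk, and lists the hits that fall outside cookie stores and temp folders. The sample lines are copied from the log posted in this thread; the function name is mine.

```powershell
# Added example (not from the thread): triage a Panda ActiveScan report by
# where each detection lives, so tracking cookies can be separated from files
# in temp folders or elsewhere on disk. Sample lines are copied from the scan
# log posted in this thread.
$SampleReport = @'
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@belnk[1].txt
Spyware:Cookie/SpySheriff Not disinfected C:\Documents and Settings\amber krings\Cookies\amber krings@www.spysheriff[1].txt
Spyware:Spyware/Smitfraud Not disinfected C:\Documents and Settings\amber krings\Local Settings\Temp\AGLanguage.ini
Potentially unwanted tool:Application/PsGuard Not disinfected C:\Documents and Settings\amber krings\Local Settings\Temp\PSGuardInstall.exe[PSGuard.exe]
Adware:Adware/Comet Not disinfected C:\Documents and Settings\tom leggett\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\sinstaller2[1].exe
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\tracy krings\Application Data\Mozilla\Firefox\Profiles\zg7w2ah8.default\cookies.txt[.belnk.com/]
Adware:adware/oemji Not disinfected C:\Documents and Settings\tracy krings\Application Data\defaultgood.wl
Dialer:dialer.bny Not disinfected C:\WINDOWS\pcconfig.dat
'@

function ConvertFrom-PandaReport {
    param([Parameter(Mandatory)][string]$Text)

    # One detection per line: "<Category>:<Name> <Status> <Path>". The status is
    # free text ("Not disinfected"), so the path is anchored on its drive letter.
    $pattern = '^(?<Category>[^:]+):(?<Name>\S+)\s+(?<Status>.+?)\s+(?<Path>[A-Za-z]:\\.+)$'
    foreach ($line in ($Text -split "`r?`n")) {
        if (-not ($line -match $pattern)) { continue }
        $m    = $Matches          # keep a copy; later -match calls overwrite $Matches
        $path = $m.Path

        # Where the hit lives decides how much attention it needs.
        $location = switch -Regex ($path) {
            '\\Cookies\\|\\cookies\.txt\['   { 'Cookie';       break }
            '\\Local Settings\\Temp\\'        { 'TempFolder';   break }
            '\\Temporary Internet Files\\'    { 'BrowserCache'; break }
            default                           { 'Other' }
        }

        # Text after the file name in [...] is an entry inside a container
        # (an archive member or a cookie record), not a separate file.
        $file = ($path -split '\[')[0]
        $user = if ($path -match '\\Documents and Settings\\([^\\]+)\\') { $Matches[1] } else { '(system)' }

        [pscustomobject]@{
            Category = $m.Category
            Name     = $m.Name
            Status   = $m.Status
            Location = $location
            User     = $user
            File     = $file
        }
    }
}

$hits = ConvertFrom-PandaReport -Text $SampleReport

# Counts per location class; anything under 'Other' sits outside cookie stores
# and temp folders and deserves a closer look before the machine is called clean.
$hits | Group-Object Location | Select-Object Name, Count | Format-Table -AutoSize
$hits | Where-Object Location -eq 'Other' | Format-Table User, Category, Name, File -AutoSize
```

With the sample above the counts come out as Cookie 3, TempFolder 2, BrowserCache 1 and Other 2; the two 'Other' rows are the file in Application Data and the one under C:\WINDOWS.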


#3 prongo


Posted 06 October 2006 - 09:33 AM

Thank you for the advice! I used the CCleaner like you said. Spybot is still showing AV-Gold in a registry key. I made a backup of the registry and tried to delete the key but it gives me a generic "error while deleting key" message and cannot be deleted, even when I am in safe mode.

AV-Gold
Class ID
- HKEY_CLASSES_ROOT\CLSID\{9CB478A2-CA39-0CFD-EFAC-DB80710601D3}
Name (Default) Type REG_SZ Data PointerMoniker
- InprocServer32

When I try to open that key it gives me an error "Cannot open InprocServer32. Error while opening key"

If the infection has been cleaned, could this be just some leftover crap from the virus? Is it that important to get rid of?

Thank you again.

#4 OldTimer


    Malware Expert



Posted 07 October 2006 - 07:45 AM

Hi prongo. It could be that the infection was removed but the registry key is left over. Let's try something else.

If there is more than one user account on this machine, try logging in with each of the other accounts and removing the key from there. Depending on which account had the original infection, the registry might belong to that logon and will need to be removed from that logon also.

Let me know what happens.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
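Both the key prongo could not delete (post #3) and OldTimer's point that it may belong to another logon (post #4) come down to how HKEY_CLASSES_ROOT is built: it is a merged view of HKLM\Software\Classes and the current user's HKCU\Software\Classes, so a per-user leftover is only visible, and only deletable, from the account whose hive holds it. The PowerShell below is an added example, not part of the thread: it looks up the CLSID Spybot reported in every physical location behind that view, shows the InprocServer32 DLL and whether the file still exists, and reports the key's owner and any Deny entries in its ACL, which is the first thing to check when regedit cannot open or delete a key. The function name is mine; run it from an elevated prompt so all loaded user hives under HKEY_USERS are readable.

```powershell
# Added example (not from the thread): find where an HKCR CLSID entry really
# lives. HKEY_CLASSES_ROOT merges HKLM\Software\Classes with the current user's
# HKCU\Software\Classes, so an entry left behind by a per-user infection is only
# visible (and only deletable) from the account whose hive holds it.
# The CLSID below is the one Spybot reported in this thread.
$Clsid = '{9CB478A2-CA39-0CFD-EFAC-DB80710601D3}'

function Get-ClsidLocations {
    param([Parameter(Mandatory)][string]$Clsid)

    # Candidate physical locations behind the HKCR view, plus every user hive
    # currently loaded under HKEY_USERS (other logged-on or loaded profiles).
    $candidates = @(
        "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$Clsid",
        "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$Clsid"
    )
    $candidates += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)\Software\Classes\CLSID\$Clsid" }

    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $result = [ordered]@{
            Path         = $path
            Default      = $null
            InprocServer = $null
            ServerExists = $null
            Owner        = $null
            DenyRules    = @()
            AccessError  = $null
        }
        try {
            $key = Get-Item -LiteralPath $path -ErrorAction Stop
            $result.Default = $key.GetValue('')

            # InprocServer32 names the DLL that COM loads for this class; a
            # missing file means the class is a dangling registration.
            $inproc = "$path\InprocServer32"
            if (Test-Path -LiteralPath $inproc) {
                $dll = (Get-Item -LiteralPath $inproc -ErrorAction Stop).GetValue('')
                $result.InprocServer = $dll
                if ($dll) {
                    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
                    $result.ServerExists = Test-Path -LiteralPath $expanded
                }
            }

            # One cause of "error while opening/deleting key" is a changed DACL:
            # surface the owner and any explicit Deny entries so that can be ruled
            # in or out before trying the removal from another account.
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            $result.Owner = $acl.Owner
            $result.DenyRules = @($acl.Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" })
        } catch {
            # Access denied on the key or its subkey lands here.
            $result.AccessError = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Get-ClsidLocations -Clsid $Clsid | Format-List
```

A hit under HKEY_USERS\<SID>\... rather than HKEY_LOCAL_MACHINE confirms the key belongs to one particular logon, which is the situation OldTimer describes.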




