Virtumonde and probably more - Please Help



asterix1999
2008-06-21, 15:27
Hi. I'm trying to fix a friend's computer after it ended up with more or less every virus available - at least that's how it feels. After having lost nearly all control of the computer, these are the steps I have done so far. Using Ad-Aware free edition, Spybot - Search and Destroy, and XoftspySE, I have so far removed between 800-900 malware entries from the computer. Eventually, I had to perform a repair installation from my XP Home Windows CD. I finally got enough control over the computer so I have everything updated with respect to all the Windows software installed on the computer. It still runs a little bit sluggish, and performing a scan with Spybot I still have 2 registry entries relating to the Virtumonde virus. Deleting/quarantining them does nothing; they are back after rebooting the computer. Please help me with this problem. I have attached a log from HijackThis 2.0.2.

Thanks for your time, Asterix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:14 AM, on 6/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Process Explore 11.11\procexp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: {918ebe50-9cf1-39c9-c514-de4606193e22} - {22e39160-64ed-415c-9c93-1fc905ebe819} - C:\WINDOWS\system32\ikovrpdp.dll
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\rqRIyXRK.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C0EAE728-132C-46A5-B20F-A5589E1FA250} - C:\WINDOWS\system32\opNhfFXQ.dll (file missing)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437w.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437w.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {0B15684D-1E8C-4F49-94AE-17CB3A3B91FD} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {0F3638A2-D494-46A1-9A78-0EF2B6C9DBB1} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {9381EA5F-6AB2-45E8-9435-8C428A39FF16} - http://www.comcast.net (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213927506352
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214013349031
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O18 - Protocol: bw+0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: efcdccd - efcdccd.dll (file missing)
O20 - Winlogon Notify: rqRIyXRK - rqRIyXRK.dll (file missing)
O20 - Winlogon Notify: __c008439 - C:\WINDOWS\system32\__c008439.dat (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://homepage.mac.com/clarita2/.cv/clarita2/Sites/.Pictures/Photo%20Album%20Pictures/2005-05-27%2020.49.50%20-0700/Image-4BEA6592CF2211D9.jpg-thumb_269_202.jpg

--
End of file - 19318 bytes

ken545
2008-06-22, 16:32
Hello asterix1999

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You still have some nasty stuff installed, let's do this.

Do this first... Important


Disable the TeaTimer; you can re-enable it when we're done if you wish.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- You need to do this for it to take effect

This tool needs to be run from Safemode to be effective, so download it to your desktop, then boot to Safemode to run it.
To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

You have Malwarebytes installed; check for updates and run a scan this way. You can bypass the download and setup instructions.

Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a HijackThis log.

Post the SDFix log, the Malwarebytes log and a new HJT log; they most likely will not all fit in one reply, so take as many replies as you need using the Submit Reply button.
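An added example (not from this thread, HijackThis, SDFix or Spybot) of the comparison a helper makes when the new HJT log comes back: parse the entry lines, diff the before and after logs, and list what still deserves a look. The sample lines are copied from the two logs in this thread; the flagging heuristics are this example's own assumptions, not HijackThis verdicts.

```python
"""Triage and diff HijackThis 2.0.2 logs.

Parses the 'O2 - BHO: ...' style entry lines, flags entries by a few
defensive heuristics, and shows which entries disappeared between a
'before' and an 'after' log.
"""
import re
from dataclasses import dataclass

# Sample input: entry lines copied from the two HijackThis logs in this thread
# (first post = before the fix, third post = after); only a subset is used.
BEFORE_LOG = r"""
O2 - BHO: {918ebe50-9cf1-39c9-c514-de4606193e22} - {22e39160-64ed-415c-9c93-1fc905ebe819} - C:\WINDOWS\system32\ikovrpdp.dll
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\rqRIyXRK.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C0EAE728-132C-46A5-B20F-A5589E1FA250} - C:\WINDOWS\system32\opNhfFXQ.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKUS\S-1-5-18\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437w.exe (User 'SYSTEM')
O20 - Winlogon Notify: efcdccd - efcdccd.dll (file missing)
O20 - Winlogon Notify: rqRIyXRK - rqRIyXRK.dll (file missing)
"""

AFTER_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C0EAE728-132C-46A5-B20F-A5589E1FA250} - C:\WINDOWS\system32\opNhfFXQ.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKUS\S-1-5-18\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437w.exe (User 'SYSTEM')
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
"""

# Rx / Fx / Oxx section tag, then ' - ', then the rest of the entry.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Entry:
    kind: str  # HijackThis section, e.g. O2 (BHO), O4 (Run key), O20 (Winlogon Notify)
    body: str  # everything after 'Oxx - '

    def file_missing(self) -> bool:
        return any(marker in self.body for marker in MISSING_MARKERS)


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the entry lines; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(match["kind"], match["body"]))
    return entries


def triage(entry: Entry) -> list[str]:
    """Heuristic reasons an entry deserves review. These are this example's
    assumptions, not HijackThis verdicts; an unremarkable entry returns []."""
    reasons = []
    if entry.file_missing():
        reasons.append("points at a file no longer on disk (dangling loader entry)")
    if entry.kind == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at every logon")
    if entry.kind == "O2" and entry.body.startswith("BHO: {"):
        reasons.append("BHO whose display name is a bare GUID")
    if entry.kind == "O4" and entry.body.startswith("HKUS\\"):
        reasons.append("Run entry under a SYSTEM/Default profile rather than a user")
    return reasons


def flagged(entries: list[Entry]) -> dict[Entry, list[str]]:
    """Entries with at least one triage reason, in log order."""
    return {e: r for e in entries if (r := triage(e))}


def diff_logs(before: list[Entry], after: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """Entries gone after the cleanup and entries that are new; set-based, so
    reordering between the two logs does not count as a change."""
    after_set, before_set = set(after), set(before)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


def report(before_text: str, after_text: str) -> str:
    """Human-readable summary of what changed and what is still worth a look."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed, added = diff_logs(before, after)
    lines = [f"Removed since last log ({len(removed)}):"]
    lines += [f"  - {e.kind} - {e.body}" for e in removed]
    lines.append(f"New since last log ({len(added)}):")
    lines += [f"  + {e.kind} - {e.body}" for e in added]
    lines.append("Still worth a look:")
    for e, reasons in flagged(after).items():
        lines.append(f"  ! {e.kind} - {e.body}")
        lines += [f"      {r}" for r in reasons]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE_LOG, AFTER_LOG))
```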

asterix1999
2008-06-25, 05:15
Hi. Thank you so much for taking a look at my computer's problems. I have followed the steps you gave me in your last post and everything came along without problems. I have posted the 3 logs you mentioned.


Log 1

SDFix: Version 1.196
Run by Denise Alsum on Tue 06/24/2008 at 04:53 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\HPODST~1.DLL - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 17:07:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\WINDOWS\\SYSTEM32\\mmc.exe"="C:\\WINDOWS\\SYSTEM32\\mmc.exe:*:Enabled:Microsoft Management Console"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 24 May 2008 241,028 A.SH. --- "C:\WINDOWS\SYSTEM32\kjllm.bak1"
Sat 24 May 2008 243,261 A.SH. --- "C:\WINDOWS\SYSTEM32\kjllm.bak2"
Thu 23 Dec 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 23 Dec 2004 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Sat 10 Sep 2005 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sat 10 Sep 2005 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sat 10 Sep 2005 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v3ks.bla.bak"
Fri 20 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!


Log 2


Malwarebytes' Anti-Malware 1.18
Database version: 888

9:58:57 PM 6/24/2008
mbam-log-6-24-2008 (21-58-57).txt

Scan type: Quick Scan
Objects scanned: 45384
Time elapsed: 10 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Denise Alsum\Local Settings\Temporary Internet Files\Content.IE5\KZT2EM9T\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.



Log 3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:40 PM, on 6/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Process Explore 11.11\procexp.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C0EAE728-132C-46A5-B20F-A5589E1FA250} - C:\WINDOWS\system32\opNhfFXQ.dll (file missing)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437w.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437w.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {0B15684D-1E8C-4F49-94AE-17CB3A3B91FD} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {0F3638A2-D494-46A1-9A78-0EF2B6C9DBB1} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {9381EA5F-6AB2-45E8-9435-8C428A39FF16} - http://www.comcast.net (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213927506352
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214013349031
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O18 - Protocol: bw+0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: efcdccd - efcdccd.dll (file missing)
O20 - Winlogon Notify: rqRIyXRK - rqRIyXRK.dll (file missing)
O20 - Winlogon Notify: __c008439 - C:\WINDOWS\system32\__c008439.dat (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://homepage.mac.com/clarita2/.cv/clarita2/Sites/.Pictures/Photo%20Album%20Pictures/2005-05-27%2020.49.50%20-0700/Image-4BEA6592CF2211D9.jpg-thumb_269_202.jpg

--
End of file - 19082 bytes

ken545
2008-06-25, 10:39
Hello,

You need to disable AdWatch in Ad-Aware SE Personal as it can stop our fix.

To Disable AdWatch

Open Ad-Aware SE Personal
Go to the AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically
Uncheck both options.
You should enable these after resolving your problem.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {C0EAE728-132C-46A5-B20F-A5589E1FA250} - C:\WINDOWS\system32\opNhfFXQ.dll (file missing)

O4 - HKUS\S-1-5-18\..\Run: C:\WINDOWS\system32\12520437w.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437w.exe (User 'Default user')

O20 - Winlogon Notify: efcdccd - efcdccd.dll (file missing)
O20 - Winlogon Notify: rqRIyXRK - rqRIyXRK.dll (file missing)
O20 - Winlogon Notify: __c008439 - C:\WINDOWS\system32\__c008439.dat (file missing)

Not sure if you want this
O24 - Desktop Component 0: (no name) - http://homepage.mac.com/clarita2/.cv...mb_269_202.jpg

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\12520437w.exe
C:\WINDOWS\system32\__c008439.dat
C:\WINDOWS\system32\efcdccd.dll
C:\WINDOWS\system32\rqRIyXRK.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, and it will be back to normal after the first or second boot up.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Post the OTMoveIt log, the ComboFix log and a new HJT log, please.
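
The lines picked for Fix Checked above share a few tell-tale properties, and the following triage script (an added example for this thread, not code from HijackThis, OTMoveIt or the helper) applies that reasoning to the HijackThis log lines posted earlier. The heuristics and thresholds in it, including what counts as a machine-generated file name, are assumptions of this example, not HijackThis rules.

```python
"""Triage of HijackThis 2.0.2 log lines.

Added example for this thread; not code from HijackThis, OTMoveIt or the helper.
It encodes why the entries above were selected for "Fix Checked":
  * the loader points at a target reported "(file missing)" or "(no file)",
  * O20 Winlogon Notify DLLs (loaded into winlogon.exe at every logon),
  * O4 Run values under the HKUS hives for S-1-5-18 and .DEFAULT (SYSTEM and
    Default user), which run outside the logged-on user's own Run key,
  * system32 file names that look machine-generated (12520437w.exe, opNhfFXQ.dll).
All thresholds below are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

_ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
_MISSING_RE = re.compile(r"\((?:file missing|no file)\)")
_HKUS_RE = re.compile(r"HKUS\\(?:S-1-5-18|\.DEFAULT)\\", re.IGNORECASE)
_WINLOGON_RE = re.compile(r"^Winlogon Notify: ")
_SYS32_NAME_RE = re.compile(r"system32\\(?P<name>[^\\\s]+?\.(?:exe|dll|dat))", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

    def severity(self):
        # A missing target on its own is a stale hook: harmless to fix, but not
        # proof of infection. Any other reason marks the line for a closer look.
        only_missing = all(r.startswith("missing target") for r in self.reasons)
        return "low" if only_missing else "high"


def looks_random(name):
    """Heuristic for machine-generated basenames (assumption: four or more digits,
    a leading '__', two lower->upper case jumps, or a long stem with no vowels).
    igfxtray.exe, hkcmd.exe, ctfmon.exe and SDHelper.dll pass as normal."""
    stem = name.rsplit(".", 1)[0]
    if stem.startswith("__") or sum(c.isdigit() for c in stem) >= 4:
        return True
    jumps = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() and b.isupper())
    if jumps >= 2:
        return True
    return len(stem) >= 6 and not re.search(r"[aeiouy]", stem, re.IGNORECASE)


def triage(log_text):
    """Return the log entries worth attention, in log order, each with its reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        kind, rest = m.group("kind"), m.group("rest")
        reasons = []
        if _MISSING_RE.search(rest):
            reasons.append("missing target: registry hook left behind by a deleted or renamed component")
        if kind == "O20" and _WINLOGON_RE.match(rest):
            reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at logon, a common persistence point")
        if kind == "O4" and _HKUS_RE.search(rest):
            reasons.append("Run value in the SYSTEM or .DEFAULT hive: starts outside the logged-on user's hive")
        sm = _SYS32_NAME_RE.search(rest)
        if sm and looks_random(sm.group("name")):
            reasons.append(f"machine-generated filename in system32: {sm.group('name')}")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Sample input: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C0EAE728-132C-46A5-B20F-A5589E1FA250} - C:\WINDOWS\system32\opNhfFXQ.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437w.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437w.exe (User 'Default user')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: efcdccd - efcdccd.dll (file missing)
O20 - Winlogon Notify: rqRIyXRK - rqRIyXRK.dll (file missing)
O20 - Winlogon Notify: __c008439 - C:\WINDOWS\system32\__c008439.dat (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity()}] {f.line}")
        for r in f.reasons:
            print("    -", r)
```

On the sample it flags the seven lines the helper listed plus the stale O9 button as low severity, and leaves the Spybot, Intel, ctfmon, Winsock and Ad-Aware entries alone.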

asterix1999
2008-06-25, 19:15
Hi. Thanks for the next set of steps you have provided me with to help in the recovery of my computer.

The only step I'm not sure worked correctly is the step using OTMoveIt2. It seems that it couldn't, as per the log file, find the file to move. It didn't ask to reboot in order to complete the task either. I did, however, perform a restart of the computer and ran OTMoveIt2 again with the same result: no files found. That may, of course, be the correct answer to this step. I just wanted to give you a heads up on that step.

The entry from the HijackThis log marked O24, you were asking if it was something I wanted to keep. I haven't gotten a hold of my friend to ask her, but checking the file and the link, I think it is something she is definitely involved with. So, unless you think it would be better to remove it from the computer, I think I'll leave it until I talk to her.

LOG 1

File/Folder C:\WINDOWS\system32\12520437w.exe not found.
File/Folder C:\WINDOWS\system32\__c008439.dat not found.
File/Folder C:\WINDOWS\system32\efcdccd.dll not found.
File/Folder C:\WINDOWS\system32\rqRIyXRK.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06252008_112634



LOG 2

ComboFix 08-06-20.4 - Denise Alsum 2008-06-25 11:34:24.1 - NTFSx86
Running from: C:\Documents and Settings\Denise Alsum\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Redemption.ECF
C:\WINDOWS\BMdf6de267.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bedjmqns.ini
C:\WINDOWS\system32\bflypcar.ini
C:\WINDOWS\system32\bqybnfub.ini
C:\WINDOWS\system32\bwapmctp.ini
C:\WINDOWS\system32\dhnmqslo.ini
C:\WINDOWS\system32\eidkbxvi.ini
C:\WINDOWS\system32\eouyrnig.ini
C:\WINDOWS\system32\eyoanauq.ini
C:\WINDOWS\system32\fcoqwewy.ini
C:\WINDOWS\system32\ggstvjui.ini
C:\WINDOWS\system32\gnuouauc.ini
C:\WINDOWS\system32\gtrogcbj.ini
C:\WINDOWS\system32\hrldryej.ini
C:\WINDOWS\system32\igiubpwf.ini
C:\WINDOWS\system32\ikhekkxd.ini
C:\WINDOWS\system32\iltwloka.ini
C:\WINDOWS\system32\ipncrasf.ini
C:\WINDOWS\system32\irqwqwoo.ini
C:\WINDOWS\system32\iyubadvv.ini
C:\WINDOWS\system32\jhbdcgpp.ini
C:\WINDOWS\SYSTEM32\kjllm.bak1
C:\WINDOWS\SYSTEM32\kjllm.bak2
C:\WINDOWS\SYSTEM32\kjllm.ini
C:\WINDOWS\system32\krcnbwlt.ini
C:\WINDOWS\system32\leewxpbe.ini
C:\WINDOWS\system32\lihuaxjp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfmohrti.ini
C:\WINDOWS\system32\nvanobki.ini
C:\WINDOWS\system32\oglcgdpi.ini
C:\WINDOWS\system32\ogwbmfrl.ini
C:\WINDOWS\system32\ongqpkqv.ini
C:\WINDOWS\system32\pdaltmhw.ini
C:\WINDOWS\system32\pnvjkwej.ini
C:\WINDOWS\system32\qpcrqemw.ini
C:\WINDOWS\system32\qwwqvkus.ini
C:\WINDOWS\SYSTEM32\QXFfhNpo.ini
C:\WINDOWS\SYSTEM32\QXFfhNpo.ini2
C:\WINDOWS\system32\rvmlqvcm.ini
C:\WINDOWS\system32\sxlsbbod.ini
C:\WINDOWS\system32\tcvcwqqk.ini
C:\WINDOWS\system32\tovxyvoj.ini
C:\WINDOWS\system32\ufigbcsm.ini
C:\WINDOWS\system32\vaylosdb.ini
C:\WINDOWS\system32\veaikykv.ini
C:\WINDOWS\system32\vpildiht.ini
C:\WINDOWS\system32\vtttvlgq.ini
C:\WINDOWS\system32\xbuevqgy.ini
C:\WINDOWS\system32\xtpmspoh.ini
C:\WINDOWS\system32\ybdvlaco.ini
C:\WINDOWS\system32\ywiiecbd.ini
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Service_clbdriver


((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-25 11:15 . 2008-06-25 11:15 <DIR> d-------- C:\_OTMoveIt
2008-06-24 16:47 . 2008-06-24 16:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-24 15:41 . 2008-06-24 17:15 <DIR> d-------- C:\SDFix
2008-06-22 08:58 . 2008-06-22 10:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-21 08:20 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-06-21 08:20 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-06-20 22:37 . 2008-06-20 22:37 <DIR> d-------- C:\Documents and Settings\Denise Alsum\Application Data\Malwarebytes
2008-06-20 22:35 . 2008-06-20 22:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-20 22:35 . 2008-06-20 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-20 22:35 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-20 22:35 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-20 21:19 . 2008-06-20 21:19 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-20 21:16 . 2008-06-20 21:16 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-20 15:01 . 2005-10-19 08:59 163,840 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-06-20 14:55 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-06-20 14:55 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-06-20 14:55 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-06-20 14:55 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-06-20 14:55 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-06-20 14:55 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-06-20 14:55 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-06-20 14:55 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-06-20 14:55 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-20 14:42 . 2008-06-20 14:42 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-20 14:39 . 2008-06-20 14:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-06-20 14:39 . 2008-06-20 14:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-06-20 14:22 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-20 11:04 . 2008-06-20 11:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-20 11:04 . 2008-06-20 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 10:56 . 2008-06-20 10:58 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-20 09:29 . 2008-06-20 09:29 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-19 21:06 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2008-06-19 20:23 . 2008-04-14 05:41 426,041 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\voicepad.dll
2008-06-19 20:23 . 2008-04-14 05:41 86,073 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\voicesub.dll
2008-06-19 20:23 . 2004-08-04 00:00 48,256 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\w32.dll
2008-06-19 20:23 . 2004-08-04 00:00 41,600 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.dll
2008-06-19 20:23 . 2004-08-04 00:00 31,232 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.sys
2008-06-19 20:21 . 2004-08-04 00:00 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2008-06-19 20:20 . 2008-04-14 05:39 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-06-19 20:19 . 2004-08-04 00:00 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll
2008-06-19 20:18 . 2008-04-14 05:41 331,264 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\aqueue.dll
2008-06-19 20:17 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2008-06-19 20:08 . 2008-06-19 20:08 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-06-19 20:07 . 2008-06-19 20:07 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-06-19 20:07 . 2008-06-19 20:07 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2008-06-19 20:07 . 2008-06-19 20:07 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2008-06-19 20:07 . 2008-06-19 20:07 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2008-06-19 20:06 . 2004-08-04 00:00 16,384 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\isignup.exe
2008-06-19 20:05 . 2008-04-14 05:41 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx4.dll
2008-06-19 20:05 . 2008-04-14 05:41 7,168 --a------ C:\WINDOWS\SYSTEM32\bitsprx4.dll
2008-06-19 20:01 . 2008-04-14 05:42 290,304 --a------ C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-06-19 20:01 . 2008-04-14 05:42 290,304 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rhttpaa.dll
2008-06-19 20:01 . 2008-04-14 05:41 136,192 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\aaclient.dll
2008-06-19 20:01 . 2008-04-14 05:41 136,192 --a------ C:\WINDOWS\SYSTEM32\aaclient.dll
2008-06-19 20:01 . 2008-04-14 05:42 53,248 --a------ C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-06-19 20:01 . 2008-04-14 05:42 53,248 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\tsgqec.dll
2008-06-19 19:35 . 2008-06-19 19:35 5,208 --a------ C:\WINDOWS\SYSTEM32\pid.PNF
2008-06-19 19:35 . 2008-06-20 20:32 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-19 19:33 . 2008-04-14 07:40 1,296,669 -ra------ C:\WINDOWS\SET106.tmp
2008-06-19 14:19 . 2008-06-19 14:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-06-19 14:19 . 2008-06-19 14:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-06-19 14:19 . 2008-06-19 14:27 <DIR> d-------- C:\WINDOWS\L2Schemas
2008-06-11 18:58 . 2008-06-11 18:58 <DIR> d-------- C:\1
2008-06-10 19:16 . 2008-06-19 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-10 00:22 . 2008-06-10 00:22 <DIR> d-------- C:\Program Files\CCleaner
2008-06-10 00:15 . 2008-06-10 00:15 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-09 23:56 . 2008-06-20 11:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-09 23:54 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\SYSTEM32\MSINET.OCX
2008-06-09 21:25 . 2008-06-09 21:25 <DIR> d-------- C:\Documents and Settings\Denise Alsum\Application Data\VSRevoGroup
2008-06-09 20:31 . 2008-06-09 20:31 <DIR> d--hs---- C:\Documents and Settings\LocalService.NT AUTHORITY
2008-06-09 13:06 . 2008-06-09 13:06 <DIR> d-------- C:\Documents and Settings\Denise Alsum\Application Data\Tenebril
2008-06-09 13:05 . 2008-06-09 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-06-09 13:04 . 2008-06-09 13:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\tenarchlib
2008-06-09 13:04 . 2005-10-12 23:10 180,224 --a-s---- C:\WINDOWS\SYSTEM32\archlib.dll
2008-06-09 11:30 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-06-09 11:28 . 2008-06-09 11:30 <DIR> d-------- C:\Program Files\Java
2008-06-09 11:27 . 2008-06-09 11:27 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-08 23:03 . 2008-06-08 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-08 21:15 . 2008-06-20 10:47 <DIR> d-------- C:\Program Files\XoftSpySE
2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-07 20:18 . 2008-06-09 22:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 19:39 . 2008-06-07 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-07 19:27 . 2008-06-07 19:27 <DIR> d-------- C:\Program Files\VS Revo Group
2008-06-01 16:47 . 2008-06-01 16:48 <DIR> d-------- C:\Program Files\Process Explore 11.11
2008-06-01 16:42 . 2008-06-19 16:57 <DIR> d-------- C:\Documents and Settings\Denise Alsum\Application Data\AVGTOOLBAR
2008-06-01 16:30 . 2008-06-09 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-01 15:40 . 2008-06-01 15:40 <DIR> d-------- C:\Program Files\NetFilter
2008-06-01 15:13 . 2008-06-09 23:51 <DIR> d-------- C:\Documents and Settings\Denise Alsum\Application Data\U3
2008-05-27 10:00 . 2002-08-29 06:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 14:49 --------- d-----w C:\Program Files\ComcastToolbar
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 04:39 --------- d-----w C:\Documents and Settings\Denise Alsum\Application Data\MSN6
2008-06-09 03:26 --------- d-----w C:\Documents and Settings\Denise Alsum\Application Data\Lycos
2008-06-07 23:26 --------- d-----w C:\Program Files\MUSICMATCH
2008-05-24 19:31 --------- d-----w C:\Program Files\Support.com
2008-05-24 19:30 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-14 12:34 16,535 ----a-r C:\WINDOWS\SET113.tmp
2008-04-14 12:34 1,088,840 ----a-r C:\WINDOWS\SET107.tmp
2008-04-14 10:42 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 10:42 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 10:42 32,866 ----a-w C:\WINDOWS\slrundll.exe
2008-04-14 10:42 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 10:42 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 10:42 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 10:42 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 10:41 451,072 ----a-w C:\WINDOWS\AppPatch\AcLayers.dll
2008-04-14 10:41 39,424 ----a-w C:\WINDOWS\AppPatch\AcAdProc.dll
2008-04-14 10:41 245,248 ----a-w C:\WINDOWS\AppPatch\AcSpecfc.dll
2008-04-14 10:41 141,312 ----a-w C:\WINDOWS\AppPatch\AcLua.dll
2008-04-14 10:41 116,224 ----a-w C:\WINDOWS\AppPatch\AcXtrnal.dll
2008-04-14 10:41 1,852,928 ----a-w C:\WINDOWS\AppPatch\AcGenral.dll
2003-03-11 05:21 207,759 -c--a-w C:\Program Files\INSTALL.LOG
2004-08-04 07:56 4,096 --sha-w C:\WINDOWS\SYSTEM32\1112.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Denise Alsum^Start Menu^Programs^Startup^RegistryDefender.lnk]
backup=C:\WINDOWS\pss\RegistryDefender.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 17:44 679936 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\befhpkio]
C:\WINDOWS\system32\xstvqngy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc5ed1fb]
C:\WINDOWS\system32\ivxbkdie.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]
--a------ 2007-11-13 16:46 135168 C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
-ra------ 2002-08-14 19:22 28672 C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 08:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 14:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 08:59 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2006-01-26 22:24 36864 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a------ 2002-12-10 18:32 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a------ 2002-12-10 18:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2002-12-10 17:54 127022 C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAClient]
--a------ 2002-12-20 15:43 184320 C:\Program Files\Comcast\BBClient\Programs\RegCon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAUpdate]
--a------ 2002-12-20 14:38 36864 C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam Blocker for Outlook Express]
C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker]
C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-19 19:34 3084288 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\WINDOWS\\SYSTEM32\\mmc.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd63b43c-d835-11dc-8de5-000bdb0d8830}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-25 16:45:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-20 03:06:30 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-11 03:32:25 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-06-22 02:07:03 C:\WINDOWS\Tasks\WebReg 20050216210715.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe^/TaskName 20050216210715 /N
"2008-06-25 16:41:52 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-06-20 01:28:45 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 11:42:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-25 11:50:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 16:50:23

Pre-Run: 13,761,609,728 bytes free
Post-Run: 13,625,548,800 bytes free

314 --- E O F --- 2008-06-24 20:51:23



LOG 3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:24 AM, on 6/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {0B15684D-1E8C-4F49-94AE-17CB3A3B91FD} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {0F3638A2-D494-46A1-9A78-0EF2B6C9DBB1} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {9381EA5F-6AB2-45E8-9435-8C428A39FF16} - http://www.comcast.net (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213927506352
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214013349031
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O18 - Protocol: bw+0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://homepage.mac.com/clarita2/.cv/clarita2/Sites/.Pictures/Photo%20Album%20Pictures/2005-05-27%2020.49.50%20-0700/Image-4BEA6592CF2211D9.jpg-thumb_269_202.jpg

--
End of file - 18043 bytes

ken545
2008-06-25, 19:35
Hello,

Not to worry about OTMoveIt; if it could not find those files, then they're gone. As far as the O24 goes, ask her, and if she does not need it you can remove it.


Open Notepad (this will only work in Notepad): go to Start > All Programs > Accessories > Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::



File::
C:\WINDOWS\system32\xstvqngy.exe
C:\WINDOWS\system32\ivxbkdie.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\befhpkio]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc5ed1fb]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.


How are things running now?
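The CFScript format used in the post above (a File:: list of paths for ComboFix to delete, then a Registry:: section in REGEDIT4 syntax, where a leading minus on a key deletes that key) can be generated from the log itself. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses the msconfig\startupreg entries from the 'Reg Loading Points' section of a ComboFix log, flags keys whose name and target file are both eight random-looking lowercase characters sitting directly in system32 (the pattern of the two entries targeted in the script above), notes which targets ComboFix could no longer stat (no attribute/date/size column in front of the path), and writes out the matching CFScript. The eight-character heuristic and the sample log lines are constructed for illustration from the entries shown in the log; on a real machine the flagged list still needs a human reviewer before anything is removed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry location of the entries ComboFix lists under 'Reg Loading Points'.
STARTUPREG_PREFIX = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"

# Key header line, e.g. [HKEY_LOCAL_MACHINE\...\startupreg\befhpkio]
KEY_RE = re.compile(r"^\[" + re.escape(STARTUPREG_PREFIX) + r"\\([^\]]+)\]$", re.IGNORECASE)
# ComboFix prints attributes, timestamp and size only when it could stat the target file.
META_RE = re.compile(r"^([-a-z]{9}) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+)$")
# A bare path means the key exists but ComboFix found no file to describe.
PATH_RE = re.compile(r"^([A-Za-z]:\\.+)$")
# Heuristic (an assumption of this example): eight lowercase letters/digits, the
# naming pattern of both the key and the file in the two entries removed above.
RANDOM_RE = re.compile(r"^[a-z0-9]{8}$")

# Constructed sample: a handful of entries copied from the log in this thread.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\befhpkio]
C:\WINDOWS\system32\xstvqngy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc5ed1fb]
C:\WINDOWS\system32\ivxbkdie.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 08:59 126976 C:\WINDOWS\system32\hkcmd.exe
"""


@dataclass
class StartupEntry:
    key: str                  # last component of the startupreg key
    target: Optional[str]     # path the entry launches, None if the key is empty
    has_metadata: bool        # True when ComboFix printed attrs/date/size (file existed)


def parse_startupreg(log_text: str) -> List[StartupEntry]:
    """Walk the log line by line; each key header opens a new entry and the
    next non-blank line, if any, is its target."""
    entries: List[StartupEntry] = []
    current: Optional[StartupEntry] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = StartupEntry(key=m.group(1), target=None, has_metadata=False)
            entries.append(current)
            continue
        if current is None or not line:
            continue
        m = META_RE.match(line)
        if m:
            current.target, current.has_metadata = m.group(4), True
            continue
        m = PATH_RE.match(line)
        if m:
            current.target = m.group(1)
    return entries


def orphaned_entries(entries: List[StartupEntry]) -> List[StartupEntry]:
    """Entries that point at a path ComboFix could not stat (file already gone)."""
    return [e for e in entries if e.target is not None and not e.has_metadata]


def suspicious_entries(entries: List[StartupEntry]) -> List[StartupEntry]:
    """Entries whose key name and file stem both look random and whose file
    sits directly in C:\\WINDOWS\\system32."""
    flagged = []
    for e in entries:
        if e.target is None:
            continue
        directory, _, filename = e.target.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        in_system32 = directory.lower() == r"c:\windows\system32"
        if in_system32 and RANDOM_RE.match(e.key) and RANDOM_RE.match(stem):
            flagged.append(e)
    return flagged


def build_cfscript(entries: List[StartupEntry]) -> str:
    """Render a CFScript: File:: paths to delete, then [-key] lines under Registry::."""
    lines = ["File::"] + [e.target for e in entries if e.target] + ["", "Registry::"]
    for e in entries:
        lines.append(f"[-{STARTUPREG_PREFIX}\\{e.key}]")
        lines.append("")
    return "\n".join(lines).rstrip("\n") + "\n"


if __name__ == "__main__":
    parsed = parse_startupreg(SAMPLE_LOG)
    print("orphaned:", [e.key for e in orphaned_entries(parsed)])
    print(build_cfscript(suspicious_entries(parsed)))
```

Run it as-is to see the generated CFScript for the sample; to use it on a real log, read the ComboFix.txt into `parse_startupreg` instead of `SAMPLE_LOG`. The orphaned list is broader than the suspicious list on purpose: uninstalled-but-legitimate products (the eTrust entries here) also leave keys without file metadata, and those are clutter rather than infection.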

asterix1999
2008-06-27, 16:53
Hi. Sorry it took a little longer to get back with the results of the last steps you gave me.

The computer seems to be a lot more responsive now than it has been in a long time, so that is very good.

LOG1

ComboFix 08-06-20.4 - Denise Alsum 2008-06-25 14:26:38.2 - NTFSx86
Running from: C:\Documents and Settings\Denise Alsum\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Denise Alsum\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ivxbkdie.dll
C:\WINDOWS\system32\xstvqngy.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-25 11:15 . 2008-06-25 11:15 <DIR> d-------- C:\_OTMoveIt
2008-06-24 16:47 . 2008-06-24 16:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-24 15:41 . 2008-06-24 17:15 <DIR> d-------- C:\SDFix
2008-06-22 08:58 . 2008-06-22 10:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-21 08:20 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-06-21 08:20 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-06-20 22:37 . 2008-06-20 22:37 <DIR> d-------- C:\Documents and Settings\Denise Alsum\Application Data\Malwarebytes
2008-06-20 22:35 . 2008-06-20 22:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-20 22:35 . 2008-06-20 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-20 22:35 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-20 22:35 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-20 21:19 . 2008-06-20 21:19 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-20 21:16 . 2008-06-20 21:16 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-20 15:01 . 2005-10-19 08:59 163,840 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-06-20 14:55 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-06-20 14:55 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-06-20 14:55 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-06-20 14:55 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-06-20 14:55 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-06-20 14:55 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-06-20 14:55 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-06-20 14:55 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-06-20 14:55 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-20 14:42 . 2008-06-20 14:42 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-20 14:39 . 2008-06-20 14:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-06-20 14:39 . 2008-06-20 14:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-06-20 14:22 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-20 11:04 . 2008-06-20 11:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-20 11:04 . 2008-06-20 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 10:56 . 2008-06-20 10:58 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-20 09:29 . 2008-06-20 09:29 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-19 21:06 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2008-06-19 20:23 . 2008-04-14 05:41 426,041 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\voicepad.dll
2008-06-19 20:23 . 2008-04-14 05:41 86,073 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\voicesub.dll
2008-06-19 20:23 . 2004-08-04 00:00 48,256 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\w32.dll
2008-06-19 20:23 . 2004-08-04 00:00 41,600 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.dll
2008-06-19 20:23 . 2004-08-04 00:00 31,232 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.sys
2008-06-19 20:21 . 2004-08-04 00:00 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2008-06-19 20:20 . 2008-04-14 05:39 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-06-19 20:19 . 2004-08-04 00:00 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll
2008-06-19 20:18 . 2008-04-14 05:41 331,264 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\aqueue.dll
2008-06-19 20:17 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2008-06-19 20:08 . 2008-06-19 20:08 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-06-19 20:07 . 2008-06-19 20:07 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-06-19 20:07 . 2008-06-19 20:07 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2008-06-19 20:07 . 2008-06-19 20:07 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2008-06-19 20:07 . 2008-06-19 20:07 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2008-06-19 20:06 . 2004-08-04 00:00 16,384 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\isignup.exe
2008-06-19 20:05 . 2008-04-14 05:41 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx4.dll
2008-06-19 20:05 . 2008-04-14 05:41 7,168 --a------ C:\WINDOWS\SYSTEM32\bitsprx4.dll
2008-06-19 20:01 . 2008-04-14 05:42 290,304 --a------ C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-06-19 20:01 . 2008-04-14 05:42 290,304 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rhttpaa.dll
2008-06-19 20:01 . 2008-04-14 05:41 136,192 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\aaclient.dll
2008-06-19 20:01 . 2008-04-14 05:41 136,192 --a------ C:\WINDOWS\SYSTEM32\aaclient.dll
2008-06-19 20:01 . 2008-04-14 05:42 53,248 --a------ C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-06-19 20:01 . 2008-04-14 05:42 53,248 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\tsgqec.dll
2008-06-19 19:35 . 2008-06-19 19:35 5,208 --a------ C:\WINDOWS\SYSTEM32\pid.PNF
2008-06-19 19:35 . 2008-06-20 20:32 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-19 19:33 . 2008-04-14 07:40 1,296,669 -ra------ C:\WINDOWS\SET106.tmp
2008-06-19 14:19 . 2008-06-19 14:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-06-19 14:19 . 2008-06-19 14:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-06-19 14:19 . 2008-06-19 14:27 <DIR> d-------- C:\WINDOWS\L2Schemas
2008-06-11 18:58 . 2008-06-11 18:58 <DIR> d-------- C:\1
2008-06-10 19:16 . 2008-06-19 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-10 00:22 . 2008-06-10 00:22 <DIR> d-------- C:\Program Files\CCleaner
2008-06-10 00:15 . 2008-06-10 00:15 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-09 23:56 . 2008-06-20 11:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-09 23:54 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\SYSTEM32\MSINET.OCX
2008-06-09 21:25 . 2008-06-09 21:25 <DIR> d-------- C:\Documents and Settings\Denise Alsum\Application Data\VSRevoGroup
2008-06-09 20:31 . 2008-06-09 20:31 <DIR> d--hs---- C:\Documents and Settings\LocalService.NT AUTHORITY
2008-06-09 13:06 . 2008-06-09 13:06 <DIR> d-------- C:\Documents and Settings\Denise Alsum\Application Data\Tenebril
2008-06-09 13:05 . 2008-06-09 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-06-09 13:04 . 2008-06-09 13:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\tenarchlib
2008-06-09 13:04 . 2005-10-12 23:10 180,224 --a-s---- C:\WINDOWS\SYSTEM32\archlib.dll
2008-06-09 11:30 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-06-09 11:28 . 2008-06-09 11:30 <DIR> d-------- C:\Program Files\Java
2008-06-09 11:27 . 2008-06-09 11:27 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-08 23:03 . 2008-06-08 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-08 21:15 . 2008-06-20 10:47 <DIR> d-------- C:\Program Files\XoftSpySE
2008-06-07 20:30 . 2008-06-07 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-07 20:18 . 2008-06-09 22:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 19:39 . 2008-06-07 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-07 19:27 . 2008-06-07 19:27 <DIR> d-------- C:\Program Files\VS Revo Group
2008-06-01 16:47 . 2008-06-01 16:48 <DIR> d-------- C:\Program Files\Process Explore 11.11
2008-06-01 16:42 . 2008-06-19 16:57 <DIR> d-------- C:\Documents and Settings\Denise Alsum\Application Data\AVGTOOLBAR
2008-06-01 16:30 . 2008-06-09 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-01 15:40 . 2008-06-01 15:40 <DIR> d-------- C:\Program Files\NetFilter
2008-06-01 15:13 . 2008-06-09 23:51 <DIR> d-------- C:\Documents and Settings\Denise Alsum\Application Data\U3
2008-05-27 10:00 . 2002-08-29 06:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 14:49 --------- d-----w C:\Program Files\ComcastToolbar
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 04:39 --------- d-----w C:\Documents and Settings\Denise Alsum\Application Data\MSN6
2008-06-09 03:26 --------- d-----w C:\Documents and Settings\Denise Alsum\Application Data\Lycos
2008-06-07 23:26 --------- d-----w C:\Program Files\MUSICMATCH
2008-05-24 19:31 --------- d-----w C:\Program Files\Support.com
2008-05-24 19:30 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-04-14 12:34 16,535 ----a-r C:\WINDOWS\SET113.tmp
2008-04-14 12:34 1,088,840 ----a-r C:\WINDOWS\SET107.tmp
2008-04-14 10:55 1,804 ----a-w C:\WINDOWS\SYSTEM32\Dcache.bin
2008-04-14 10:46 329,728 ----a-w C:\WINDOWS\SYSTEM32\netsetup.exe
2008-04-14 10:43 92,424 ----a-w C:\WINDOWS\SYSTEM32\rdpdd.dll
2008-04-14 10:43 87,176 ----a-w C:\WINDOWS\SYSTEM32\rdpwsx.dll
2008-04-14 10:43 299,520 ----a-w C:\WINDOWS\SYSTEM32\drmclien.dll
2008-04-14 10:43 12,168 ----a-w C:\WINDOWS\SYSTEM32\tsddd.dll
2008-04-14 10:41 98,304 ----a-w C:\WINDOWS\SYSTEM32\actxprxy.dll
2008-04-14 10:40 53,279 ----a-w C:\WINDOWS\SYSTEM32\odbcji32.dll
2008-04-14 10:40 4,126 ----a-w C:\WINDOWS\SYSTEM32\msdxmlc.dll
2008-04-14 10:40 3,584 ----a-w C:\WINDOWS\SYSTEM32\msafd.dll
2008-04-14 07:30 103,424 ----a-w C:\WINDOWS\SYSTEM32\dpcdll.dll
2008-04-14 06:00 1,845,632 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-04-14 05:57 2,188,928 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-04-14 05:15 17,664 ----a-w C:\WINDOWS\SYSTEM32\watchdog.sys
2008-04-14 05:05 24,064 ----a-w C:\WINDOWS\SYSTEM32\pidgen.dll
2008-04-14 05:01 7,424 ----a-w C:\WINDOWS\SYSTEM32\kd1394.dll
2008-04-14 05:00 61,440 ----a-w C:\WINDOWS\SYSTEM32\msvcrt40.dll
2008-04-14 04:45 76,800 ----a-w C:\WINDOWS\SYSTEM32\msshavmsg.dll
2008-04-14 04:09 438,784 ----a-w C:\WINDOWS\SYSTEM32\xpob2res.dll
2008-04-14 04:09 2,897,920 ----a-w C:\WINDOWS\SYSTEM32\xpsp2res.dll
2008-04-14 04:09 187,392 ----a-w C:\WINDOWS\SYSTEM32\xpsp1res.dll
2008-04-14 04:08 306,176 ----a-w C:\WINDOWS\SYSTEM32\slbcsp.dll
2008-04-14 04:08 169,984 ----a-w C:\WINDOWS\SYSTEM32\sccbase.dll
2008-04-14 04:08 101,888 ----a-w C:\WINDOWS\SYSTEM32\gpkcsp.dll
2008-04-14 04:07 208,384 ----a-w C:\WINDOWS\SYSTEM32\rsaenh.dll
2008-04-14 04:07 138,752 ----a-w C:\WINDOWS\SYSTEM32\dssenh.dll
2008-04-14 03:57 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
2008-04-14 03:56 94,208 ----a-w C:\WINDOWS\SYSTEM32\odbcint.dll
2008-04-14 03:56 12,288 ----a-w C:\WINDOWS\SYSTEM32\odbcp32r.dll
2008-04-14 03:56 12,288 ----a-w C:\WINDOWS\SYSTEM32\mscpx32r.dLL
2008-04-14 03:54 20,480 ----a-w C:\WINDOWS\SYSTEM32\msorc32r.dll
2008-04-14 03:51 733,696 ----a-w C:\WINDOWS\SYSTEM32\qedwipes.dll
2008-04-14 03:39 4,096 ----a-w C:\WINDOWS\SYSTEM32\dsprpres.dll
2008-04-14 03:33 63,488 ----a-w C:\WINDOWS\SYSTEM32\browselc.dll
2008-04-14 03:33 549,376 ----a-w C:\WINDOWS\SYSTEM32\shdoclc.dll
2008-04-14 03:24 68,768 ----a-w C:\WINDOWS\SYSTEM32\mmsystem.dll
2008-04-14 03:24 53,840 ----a-w C:\WINDOWS\SYSTEM32\dosx.exe
2008-04-14 03:24 5,120 ----a-w C:\WINDOWS\SYSTEM32\winnls.dll
2008-04-14 03:23 92,224 ----a-w C:\WINDOWS\SYSTEM32\krnl386.exe
2008-04-14 03:22 3,338 ----a-w C:\WINDOWS\SYSTEM32\redir.exe
2008-04-14 03:20 42,537 ----a-w C:\WINDOWS\SYSTEM32\keyboard.sys
2008-04-14 03:19 35,648 ----a-w C:\WINDOWS\SYSTEM32\ntio411.sys
2008-04-14 03:19 35,424 ----a-w C:\WINDOWS\SYSTEM32\ntio412.sys
2008-04-14 03:19 34,560 ----a-w C:\WINDOWS\SYSTEM32\ntio804.sys
2008-04-14 03:19 34,560 ----a-w C:\WINDOWS\SYSTEM32\ntio404.sys
2008-04-14 03:19 33,840 ----a-w C:\WINDOWS\SYSTEM32\ntio.sys
2008-04-14 03:18 1,647,616 ----a-w C:\WINDOWS\SYSTEM32\winbrand.dll
2008-04-14 03:15 216,064 ----a-w C:\WINDOWS\SYSTEM32\moricons.dll
2008-04-14 02:53 48,128 ----a-w C:\WINDOWS\SYSTEM32\msprivs.dll
2008-04-14 02:52 48,128 ----a-w C:\WINDOWS\SYSTEM32\inetres.dll
2008-04-14 02:09 884,736 ----a-w C:\WINDOWS\SYSTEM32\msimsg.dll
2003-03-11 05:21 207,759 -c--a-w C:\Program Files\INSTALL.LOG
2004-08-04 07:56 4,096 --sha-w C:\WINDOWS\SYSTEM32\1112.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Denise Alsum^Start Menu^Programs^Startup^RegistryDefender.lnk]
backup=C:\WINDOWS\pss\RegistryDefender.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 17:44 679936 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]
--a------ 2007-11-13 16:46 135168 C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
-ra------ 2002-08-14 19:22 28672 C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 08:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 14:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 08:59 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2006-01-26 22:24 36864 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a------ 2002-12-10 18:32 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a------ 2002-12-10 18:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2002-12-10 17:54 127022 C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAClient]
--a------ 2002-12-20 15:43 184320 C:\Program Files\Comcast\BBClient\Programs\RegCon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAUpdate]
--a------ 2002-12-20 14:38 36864 C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam Blocker for Outlook Express]
C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker]
C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-19 19:34 3084288 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\WINDOWS\\SYSTEM32\\mmc.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd63b43c-d835-11dc-8de5-000bdb0d8830}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-25 16:45:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-20 03:06:30 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-11 03:32:25 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-06-22 02:07:03 C:\WINDOWS\Tasks\WebReg 20050216210715.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe^/TaskName 20050216210715 /N
"2008-06-25 16:41:52 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-06-20 01:28:45 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 14:30:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-25 14:35:45
ComboFix-quarantined-files.txt 2008-06-25 19:35:26
ComboFix2.txt 2008-06-25 16:50:33

Pre-Run: 13,606,780,928 bytes free
Post-Run: 13,596,917,760 bytes free

286 --- E O F --- 2008-06-24 20:51:23



LOG 2


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:44 PM, on 6/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {0B15684D-1E8C-4F49-94AE-17CB3A3B91FD} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {0F3638A2-D494-46A1-9A78-0EF2B6C9DBB1} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {9381EA5F-6AB2-45E8-9435-8C428A39FF16} - http://www.comcast.net (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213927506352
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214013349031
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O18 - Protocol: bw+0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {92C84BD1-4EDF-44CB-AD38-2A9D05ED2ABB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://homepage.mac.com/clarita2/.cv/clarita2/Sites/.Pictures/Photo%20Album%20Pictures/2005-05-27%2020.49.50%20-0700/Image-4BEA6592CF2211D9.jpg-thumb_269_202.jpg

--
End of file - 18009 bytes

ken545
2008-06-27, 17:16
Hi,

Let's get rid of this entry.



REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net]


Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.

If you saved the file correctly it should look like this http://i24.photobucket.com/albums/c30/ken545/reg.jpg


Looks like you're good to go :bigthumb:




How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken
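The fix above is a one-line .reg file that removes a single key (it lives under MSConfig\startupreg, where msconfig records startup items it has disabled, so merging it only drops the leftover New.net entry). As an added example, not from this thread or from any of the tools named in it, here is a small Python reviewer that parses the REGEDIT4 / "Windows Registry Editor Version 5.00" text format and lists exactly what a merge would do (which keys are deleted or created, which values are set or removed) before anyone double-clicks Merge. Both sample inputs are constructed: one is a copy of the posted Regfix.reg, the other an invented key with several value types to exercise the parser. The script never touches the live registry.

```python
"""Review a .reg file before merging it: parse REGEDIT4 / Registry Editor
5.00 text and list the registry actions it encodes. Added example, not
code from the forum thread or from HijackThis/Spybot. Read-only: it only
parses text and never writes to the registry."""
import re
import sys

# Constructed copy of the Regfix.reg posted in the thread.
SAMPLE_REG = """REGEDIT4

[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\New.net]
"""

# Constructed sample (hypothetical key) covering the other value syntaxes.
SAMPLE_WITH_VALUES = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Example]
"Run"=dword:00000001
"Path"="C:\\\\Tools\\\\app.exe"
"Old"=-
"Blob"=hex:01,02,\\
  03
"""

_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_HEX_DATA = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data):
    """Turn the textual value data into (registry type, python value)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", _unescape(data[1:-1]))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = _HEX_DATA.match(data)
    if m:
        kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ",
                "7": "REG_MULTI_SZ"}.get(m.group(1), "hex(%s)" % m.group(1))
        pairs = [p for p in m.group(2).replace(" ", "").split(",") if p]
        return (kind, bytes(int(p, 16) for p in pairs))
    return ("UNKNOWN", data)


def parse_reg(text):
    """Return a list of actions: ('delete_key', key), ('create_key', key),
    ('set_value', key, name, (type, value)) or ('delete_value', key, name)."""
    lines = text.lstrip("\ufeff").splitlines()   # 5.00 files carry a BOM
    if not lines or lines[0].strip() not in _HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    actions, key, pending = [], None, ""
    for raw in lines[1:]:
        line = raw.strip()
        if pending:                       # hex data continued from prior line
            line, pending = pending + line, ""
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):      # [-key] deletes the whole subtree
                key = None
                actions.append(("delete_key", body[1:]))
            else:
                key = body
                actions.append(("create_key", key))
            continue
        if key is None:
            raise ValueError("value line outside a key section: %r" % line)
        m = _VALUE_LINE.match(line)
        if not m:
            raise ValueError("unparseable value line: %r" % line)
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data == "-":                   # "name"=- removes that value
            actions.append(("delete_value", key, name))
        else:
            actions.append(("set_value", key, name, _decode(data)))
    return actions


def summarize(actions):
    """One human-readable line per action, for review before merging."""
    out = []
    for a in actions:
        if a[0] == "delete_key":
            out.append("DELETE KEY   %s (and everything under it)" % a[1])
        elif a[0] == "create_key":
            out.append("ENSURE KEY   %s" % a[1])
        elif a[0] == "delete_value":
            out.append("DELETE VALUE %s\\%s" % (a[1], a[2]))
        else:
            out.append("SET VALUE    %s\\%s = %s %r" % (a[1], a[2], a[3][0], a[3][1]))
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # review a real file: python reg_review.py Regfix.reg
        blob = open(sys.argv[1], "rb").read()
        text = blob.decode("utf-16" if blob.startswith(b"\xff\xfe") else "latin-1")
    else:
        text = SAMPLE_REG
    print("\n".join(summarize(parse_reg(text))))
```

Run it with the .reg file as its only argument; for the posted fix it prints a single DELETE KEY line, which is what a reviewer wants to confirm before merging. The parser deliberately raises on anything it cannot classify rather than guessing, so an odd line in a fix someone sent you is surfaced instead of silently skipped.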

asterix1999
2008-06-27, 18:14
Hi Ken545,

Applied the Reg file and have booted the computer. Everything seems to work just fine again. It starts a lot quicker and all the annoying little things that were running in the background are gone. I can't begin to express how grateful I am for people like you who take the time to combat all these viruses and malware that keep popping up all the time - you are the best.

I also appreciate the links you provided - I will make sure my friend (and myself too) take a look at this info so we can protect ourselves better in the future.

Again, thanks so very much for your help.

ken545
2008-06-27, 19:56
You're very welcome,

Take care,
Ken :)