Popups, Trojan Dropper, Downloader etc.



rkt428
2006-07-31, 00:02
Hello,

Recently I have been getting a lot of popups on my computer when using both the Internet Explorer and Mozilla Firefox browsers. This is even occurring while using a "popup stopper" and AOL spyware protection. A friend of mine said the people on this forum were very helpful, so I decided to give it a try.

I tried to troubleshoot on my own and so far I have run a Symantec Antivirus Scan and I deleted all the viruses identified from my computer as well as deleting the temporary internet files folder. In addition, per the Symantec website I deleted the associated viruses from the registry in the following subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Also, I have cleaned up all spyware identified by Spybot Search & Destroy 1.4.

rkt428
2006-07-31, 00:06
Here is my hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 5:14:51 PM, on 7/30/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Gpjrfd\Akddzpz.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\{C82456C7-0353-1033-0131-010304170001}\Update.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\regscan.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Adaptec\USBControl\Ausbctrl.exe
C:\WINDOWS\system32\NT_USDM.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1136245027\ee\AOLHostManager.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\AOL\1136245027\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\program files\common files\aol\1136245027\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1136245027\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.usatoday.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yqjrt.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kmqvetp.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [mCEYb0+¿ÔÇè]Iú" ‹üžC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\embyppws.exe
O4 - HKLM\..\Run: [Nwmpwawp] C:\Program Files\Gpjrfd\Akddzpz.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136245027\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [bO²ùð.×y-¯Œ] C:\WINDOWS\embyppws.exe
O4 - HKLM\..\Run: [bO²ùõö/‚E%)ßfÏNb½¾C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\embyppws.exe
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\System32\redistributor.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinlpez.exe CORN003
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - Startup: NT_USDM.LNK = ?
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinlpez.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: USBControl.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O18 - Protocol: bw+0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

rkt428
2006-07-31, 00:07
O18 - Protocol: offline-8876480 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\iietppui.dll (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\q668lgju16o8.dll (file missing)
O20 - Winlogon Notify: logons - C:\WINDOWS\System32\redist.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\pcwma.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Also, these are the viruses I had according to Symantec:
Date,Filename,Virus Name
7/30/2006 15:20,numbsoftnew.exe,Trojan.Dropper
7/30/2006 15:20,numbsoft[1].exe,Trojan.Dropper
7/30/2006 15:20,webnexmknew.exe,Trojan.Dropper
7/30/2006 15:20,webnexmk[1].exe,Trojan.Dropper
7/30/2006 15:20,ac3_0003[1].exe,Downloader
7/30/2006 14:40,numbsoftnew.exe,Trojan.Dropper
7/30/2006 14:40,numbsoft[1].exe,Trojan.Dropper
7/30/2006 14:40,webnexmknew.exe,Trojan.Dropper
7/30/2006 14:40,webnexmk[1].exe,Trojan.Dropper
7/30/2006 14:40,ac3_0003[1].exe,Downloader
7/30/2006 13:59,numbsoftnew.exe,Trojan.Dropper
7/30/2006 13:58,numbsoft[1].exe,Trojan.Dropper
7/30/2006 13:58,webnexmknew.exe,Trojan.Dropper
7/30/2006 13:58,webnexmk[1].exe,Trojan.Dropper
7/30/2006 13:58,ac3_0003[1].exe,Downloader
7/30/2006 13:41,numbsoftnew.exe,Trojan.Dropper
7/30/2006 13:41,numbsoft[1].exe,Trojan.Dropper
7/30/2006 13:41,webnexmknew.exe,Trojan.Dropper
7/30/2006 13:41,webnexmk[1].exe,Trojan.Dropper
7/30/2006 13:41,ac3_0003[1].exe,Downloader
7/29/2006 22:23,numbsoftnew.exe,Trojan.Dropper
7/29/2006 22:23,numbsoft[1].exe,Trojan.Dropper
7/29/2006 22:23,webnexmknew.exe,Trojan.Dropper
7/29/2006 22:23,webnexmk[1].exe,Trojan.Dropper
7/29/2006 22:23,ac3_0003[1].exe,Downloader
7/29/2006 22:06,numbsoftnew.exe,Trojan.Dropper
7/29/2006 22:06,numbsoft[2].exe,Trojan.Dropper
7/29/2006 22:06,webnexmknew.exe,Trojan.Dropper
7/29/2006 22:06,webnexmk[2].exe,Trojan.Dropper
7/29/2006 22:06,ac3_0003[1].exe,Downloader
7/29/2006 22:06,numbsoftnew.exe,Trojan.Dropper
7/29/2006 22:06,numbsoft[1].exe,Trojan.Dropper
7/29/2006 22:06,webnexmknew.exe,Trojan.Dropper
7/29/2006 22:06,webnexmk[1].exe,Trojan.Dropper
7/29/2006 22:06,ac3_0003[1].exe,Downloader
7/26/2006 7:41,numbsoftnew.exe,Trojan.Dropper
7/26/2006 7:41,numbsoft[2].exe,Trojan.Dropper
7/26/2006 7:41,webnexmknew.exe,Trojan.Dropper
7/26/2006 7:41,webnexmk[2].exe,Trojan.Dropper
7/26/2006 7:41,ac3_0003[1].exe,Downloader
7/26/2006 7:41,visfx500[2].exe,Trojan Horse
7/26/2006 7:33,numbsoftnew.exe,Trojan.Dropper
7/26/2006 7:33,numbsoft[1].exe,Trojan.Dropper
7/26/2006 7:33,webnexmknew.exe,Trojan.Dropper
7/26/2006 7:33,webnexmk[1].exe,Trojan.Dropper
7/26/2006 7:33,ac3_0003[1].exe,Downloader
7/26/2006 7:33,626_101[1].exe,Trojan.Dropper
7/26/2006 7:32,visfx500new.exe,Trojan.Dropper
7/26/2006 7:32,visfx500[1].exe,Trojan Horse
7/26/2006 5:31,xload.exe,Downloader
7/26/2006 5:30,w005de65.dll,Downloader
7/26/2006 5:27,nodeipproc.dll,Trojan.Popper
7/26/2006 5:26,kfmfe167.dll,Downloader
7/26/2006 4:48,webnexmknew.exe,Trojan.Dropper
7/26/2006 4:48,visfx500new.exe,Trojan Horse
7/26/2006 3:39,numbsoftnew.exe,Trojan.Dropper
7/26/2006 3:07,webnexmk[1].exe,Trojan.Dropper
7/26/2006 3:06,numbsoft[1].exe,Trojan.Dropper
7/26/2006 3:04,al3[1].txt,Downloader
7/26/2006 3:04,ac3_0003[1].exe,Downloader
7/26/2006 3:04,ac3[1].txt,Downloader
7/26/2006 2:33,rcverlib[1].exe,Bloodhound.Morphine
7/26/2006 2:32,magnet[1].exe,Trojan Horse
7/26/2006 2:31,iifr[1].exe,Downloader.Trojan
7/26/2006 2:11,visfx500[1].exe,Trojan Horse
7/26/2006 2:11,v1201[1].exe,Trojan.Adclicker
7/26/2006 1:01,xload.exe,Downloader
7/26/2006 1:01,winfix.chm,Trojan.Dropper
7/26/2006 1:01,tp7543.exe,Bloodhound.Morphine
7/26/2006 0:01,ac3_0003.exe,Downloader
7/26/2006 0:01,626_101newer.exe,Trojan.Dropper
7/25/2006 23:56,v1201.exe,Trojan.Adclicker
7/25/2006 23:56,v1201.exe,Trojan.Adclicker
7/25/2006 23:56,v1201.exe,Trojan.Adclicker
7/25/2006 23:56,v1201.exe,Trojan.Adclicker
7/25/2006 23:56,ac3_0003.exe,Downloader
7/25/2006 23:56,xload.exe,Downloader
7/25/2006 23:56,v1201.exe,Trojan.Adclicker
7/25/2006 23:53,ac3_0003.exe,Downloader
7/25/2006 23:53,xload.exe,Downloader
7/25/2006 23:53,v1201.exe,Trojan.Adclicker
7/25/2006 23:49,kfmfe167.dll,Downloader
7/25/2006 23:48,xload.exe,Downloader
7/25/2006 23:46,offun.exe,Downloader
7/25/2006 23:46,cjqomfg.exe,Trojan.Popper
7/25/2006 23:46,offun.exe,Downloader
7/25/2006 23:46,cjqomfg.exe,Trojan.Popper
7/25/2006 23:46,pre.exe,Trojan.Dropper
7/25/2006 23:43,pre.exe,W32.Licum
7/25/2006 22:28,offun.exe,Download.Trojan
7/25/2006 22:28,cjqomfg.exe,Trojan.Popper
7/25/2006 22:25,offun.exe,Download.Trojan
7/25/2006 22:25,cjqomfg.exe,Trojan.Popper

Sorry about the multiple posts; I ran out of text space. Any help that could be provided would be greatly appreciated.
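As an added illustration (not part of this thread and not any tool's own code), the Python below parses a handful of HijackThis entries copied from the log above and flags the persistence indicators a helper reads first: F2 Shell/UserInit values with an extra executable appended, O4 Run value names that embed a path or contain non-printable bytes, O15 Trusted Zone additions, and O20 Winlogon Notify DLLs that no longer exist on disk. The sample lines come from this thread; the checks and their thresholds are my assumptions, not HijackThis's own rules.

```python
import re

# Sample HijackThis entries, copied from the log posted above in this thread,
# with a few benign Symantec/ATI entries kept in for contrast (constructed input).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yqjrt.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kmqvetp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [bO²ùð.×y-¯Œ] C:\WINDOWS\embyppws.exe
O4 - HKLM\..\Run: [bO²ùõö/‚E%)ßfÏNb½¾C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\embyppws.exe
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\System32\redistributor.exe
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\iietppui.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

# "O4 - <body>" style entry: section code, then the rest of the line.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 Run entries look like: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>.*)\] (?P<cmd>.*)$")

DEFAULT_SHELL = "explorer.exe"  # Windows XP default Shell value


def check_f2(body):
    """Flag Shell/UserInit values that launch anything beyond the defaults."""
    m = re.match(r"REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$", body)
    if not m:
        return None
    key, value = m.group("key"), m.group("value")
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if key == "Shell":
        extra = [p for p in parts if p.lower() != DEFAULT_SHELL]
    else:
        # The stock value is "<path>\userinit.exe," with a trailing comma.
        extra = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
    if extra:
        return f"{key} launches extra program(s): {', '.join(extra)}"
    return None


def suspicious_run_name(name):
    """Run value names normally are short labels, not paths or binary junk."""
    if re.search(r"[A-Za-z]:\\", name):
        return f"Run value name embeds a file path: {name!r}"
    # Assumption: an English XP install has ASCII-only Run value names.
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        return f"Run value name contains non-printable or non-ASCII bytes: {name!r}"
    return None


def check_o15(body):
    """Any Trusted Zone entry relaxes IE security for that site; report it."""
    if body.startswith("Trusted Zone: "):
        return "site granted IE Trusted Zone privileges: " + body[len("Trusted Zone: "):]
    return None


def check_o20(body):
    """A Winlogon Notify package whose DLL is gone is an orphaned persistence hook."""
    if body.endswith("(file missing)"):
        return "Winlogon Notify DLL missing on disk: " + body[len("Winlogon Notify: "):]
    return None


def scan_log(text):
    """Return (section, reason, original line) for each flagged entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section == "F2":
            reason = check_f2(body)
        elif section == "O4":
            run = RUN_RE.match(body)
            if run:
                reason = suspicious_run_name(run.group("name"))
        elif section == "O15":
            reason = check_o15(body)
        elif section == "O20":
            reason = check_o20(body)
        if reason:
            findings.append((section, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in scan_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```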

LonnyRJones
2006-08-05, 08:37
Welcome to the forum

Please download Look2Me-Destroyer.exe to the root drive, eg: Local Disk C: or the partition where your operating system is installed.
http://www.atribune.org/content/view/28/
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately one to five minutes. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Wait about four minutes, then turn your computer back on.
Please post the contents of Look2Me-Destroyer.txt


Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/qoofix.php

Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.

Finally post a new Hijack This log and the contents of the Qoofix logfile.

rkt428
2006-08-05, 20:57
Thanks for your help thus far. Here is my look2me-destroyer log:
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/5/2006 2:28:07 PM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

(Apologies, I think the Look2Me log file may have been overwritten.)

Here is my Qoofix Log:
Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [8/5/2006] at [2:40:23 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [8/5/2006] at [2:42:07 PM]

Note: Some registry keys may have been removed.

Here is my new hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 2:47:13 PM, on 8/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Logi_MwX.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Gpjrfd\Akddzpz.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\{C82456C7-0353-1033-0131-010304170001}\Update.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\regscan.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Adaptec\USBControl\Ausbctrl.exe
C:\WINDOWS\system32\NT_USDM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\AOL\1136245027\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1136245027\ee\AOLServiceHost.exe
c:\program files\common files\aol\1136245027\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1136245027\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.usatoday.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [mCEYb0+¿ÔÇè]Iú" ‹üžC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\embyppws.exe
O4 - HKLM\..\Run: [Nwmpwawp] C:\Program Files\Gpjrfd\Akddzpz.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136245027\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [bO²ùð.×y-¯Œ] C:\WINDOWS\embyppws.exe
O4 - HKLM\..\Run: [bO²ùõö/‚E%)ßfÏNb½¾C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\embyppws.exe
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\System32\redistributor.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinlpez.exe CORN003
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [LDM] \Program\
O4 - Startup: NT_USDM.LNK = ?
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinlpez.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: USBControl.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O18 - Protocol: bw+0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

rkt428
2006-08-05, 20:59
O18 - Protocol: bww0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: logons - C:\WINDOWS\System32\redist.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

It looks like the popups are still appearing. Please advise on next steps. Thanks.

LonnyRJones
2006-08-06, 02:16
Launch Notepad (not WordPad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4
;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bO²ùõö/‚E%)ßfÏNb½¾C:\Program Files\ISTsvc\istsvc.exe"=-
"mCEYb0+¿ÔÇè]Iú" ‹üžC:\Program Files\ISTsvc\istsvc.exe"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
[-HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.


Start HijackThis and place a check next to these items if there.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Nwmpwawp] C:\Program Files\Gpjrfd\Akddzpz.exe
O4 - HKLM\..\Run: C:\WINDOWS\embyppws.exe
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\System32\redistributor.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinlpez.exe CORN003
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinlpez.exe
all the O15 - Trusted Zone:'s
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: logons - C:\WINDOWS\System32\redist.dll
====================================
Hit Fix checked and close HijackThis, don't worry about the HijackThis error.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Delete these files and folders
C:\WINDOWS\System32\redist.dll
C:\WINDOWS\System32\regscan.exe
C:\WINDOWS\System32\redistributor.exe

C:\Program Files\Gpjrfd
C:\Program Files\Common Files\{C82456C7-0353-1033-0131-010304170001}

Do a full system scan with your antivirus program
Check for and fix any problems found with SpyBot

Use the pc for about half a day
Post a fresh hijackthis log please, be sure to mention any current problems.
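As an added example (not part of this thread, and not HijackThis code), the script below parses the entry lines of an HJT log like the one posted above and pulls out the same classes of entries the fix list targets: O4 Run values whose names carry non-printable bytes, sites added to the IE Trusted Zone (O15), a MIME filter with no backing file (O18), and Winlogon Notify DLLs that are not on a known list (O20). The sample lines are a constructed subset of the log above; the Winlogon Notify allow-list is an assumption for this box.

```python
"""Triage helper for HijackThis v1.99 log entries (added example, not HJT code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the entries from the log posted in this thread.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
O4 - HKLM\\..\\Run: [mCEYb0+\u00bf\u00d4\u00c7\u00e8]I\u00fa" \u2039\u00fc\u017eC:\\Program Files\\ISTsvc\\istsvc.exe] C:\\WINDOWS\\embyppws.exe
O4 - HKLM\\..\\Run: [Nwmpwawp] C:\\Program Files\\Gpjrfd\\Akddzpz.exe
O4 - HKCU\\..\\Run: [Regscan] C:\\WINDOWS\\System32\\regscan.exe
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.winfixer.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: logons - C:\\WINDOWS\\System32\\redist.dll
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\System32\\NavLogon.dll
"""

# Assumption: Winlogon Notify packages already known on this box. NavLogon
# belongs to the Symantec AV client in the log; anything else is listed for review.
KNOWN_NOTIFY_DLLS = {"navlogon.dll"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


@dataclass
class Entry:
    kind: str   # e.g. "O4", "O15"
    body: str   # text after "Oxx - "
    raw: str    # the original log line


@dataclass
class Finding:
    reason: str
    entry: Entry


def parse_log(text: str) -> List[Entry]:
    """Keep only HJT entry lines; the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def split_run_entry(body: str) -> Optional[Tuple[str, str, str]]:
    """Split 'HKLM\\..\\Run: [name] command' into (hive path, name, command).

    The value name itself may contain ']' (see the garbled sample entry),
    so the split is taken at the last '] ' on the line.
    """
    head, sep, rest = body.partition(": [")
    if not sep:
        return None  # Startup-folder shortcuts use a different form
    idx = rest.rfind("] ")
    if idx < 0:
        return (head, rest.rstrip("]"), "")
    return (head, rest[:idx], rest[idx + 2:])


def name_is_garbled(name: str) -> bool:
    """Legitimate installers write printable ASCII value names."""
    return any(ord(c) < 32 or ord(c) > 126 for c in name)


def trusted_zone_sites(entries: List[Entry]) -> List[str]:
    """Distinct O15 sites, merging the HKCU and HKLM copies."""
    sites = set()
    for e in entries:
        m = re.match(r"Trusted Zone: (\S+)", e.body) if e.kind == "O15" else None
        if m:
            sites.add(m.group(1).lower())
    return sorted(sites)


def triage(entries: List[Entry]) -> List[Finding]:
    findings: List[Finding] = []
    seen_sites = set()
    for e in entries:
        if e.kind == "O4":
            parts = split_run_entry(e.body)
            if parts and name_is_garbled(parts[1]):
                findings.append(Finding("Run value name contains non-printable bytes", e))
        elif e.kind == "O15":
            m = re.match(r"Trusted Zone: (\S+)", e.body)
            site = m.group(1).lower() if m else e.body
            if site not in seen_sites:  # report each site once, not per hive
                seen_sites.add(site)
                findings.append(Finding("site added to the IE Trusted Zone", e))
        elif e.kind == "O18" and e.body.startswith("Filter:") and e.body.endswith("(no file)"):
            findings.append(Finding("MIME filter registered without a backing file", e))
        elif e.kind == "O20":
            dll = e.body.rsplit(" - ", 1)[-1].rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("unknown Winlogon Notify DLL", e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.entry.kind:<4} {f.reason}: {f.entry.raw}")
```

The heuristics only order the log; they are not a verdict. Entries with plausible printable names in unknown folders (Nwmpwawp / Akddzpz.exe, Regscan) are exactly the ones the helper identified by knowing the paths, and they still need a human look.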

rkt428
2006-08-07, 06:38
OK, I followed all the steps and fixed all items mentioned above. When I rebooted, I deleted:
C:\WINDOWS\System32\redist.dll
C:\Program Files\Gpjrfd
C:\Program Files\Common Files\{C82456C7-0353-1033-0131-010304170001}
C:\WINDOWS\System32\regscan.exe (application Microsoft Registry Scanner)

I did not see this file (I assume HijackThis deleted it?):
C:\WINDOWS\System32\redistributor.exe

Then I used the computer for a while, but I am still getting adware and popups. In addition, I did a full Symantec virus scan (found 0 viruses) and ran Spybot and cleaned up all malware. Later on while using my computer I got a new virus, trojan galapoper a [win32.exe], which I deleted.

Here is my new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:34:38 AM, on 8/7/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Adaptec\USBControl\Ausbctrl.exe
C:\WINDOWS\system32\NT_USDM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\AOL\1136245027\ee\AOLHostManager.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\AOL\1136245027\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\program files\common files\aol\1136245027\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1136245027\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.usatoday.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [mCEYb0+¿ÔÇè]Iú" ‹üžC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\embyppws.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136245027\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [bO²ùõö/‚E%)ßfÏNb½¾C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\embyppws.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\winapi32.exe3072.exe
O4 - Startup: NT_USDM.LNK = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: USBControl.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O18 - Protocol: bw+0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again for all your help.

LonnyRJones
2006-08-07, 09:54
Hi
Turn off AOL's antispyware from the program's options for now.

Download the attached file to C:\, right-click on it, choose Rename, and rename it to fixme.reg (if you don't see the extensions, let me know), then restart your PC into safe mode.
Click here if needed (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx) for instructions.
Once there, double-click fixme.reg and answer Yes to the prompt.

Restart back to a normal Windows session. Let us know of any problems.

rkt428
2006-08-09, 05:32
Hi Lonny, I am not seeing the attachment. Could you please reattach or direct me to it. Thanks.

LonnyRJones
2006-08-09, 06:17
Sorry about that, let's do it with SpyBot's tools instead.
Run SpyBot > Mode > Advanced > Tools > System Startup
Highlight one of those items, then choose Delete (it doesn't matter which ones have check marks; don't change those). Now do the others, then close SpyBot.
These are what to have SpyBot delete:
1: mCEYb0+¿ÔÇè]Iú" ‹üžC:\Program Files\ISTsvc\istsvc.exe
2: bO²ùõö/‚E%)ßfÏNb½¾C:\Program Files\ISTsvc\istsvc.exe
3: WinMedia

Post another HijackThis log, please.

rkt428
2006-08-09, 14:07
Hi, I ran SpyBot in safe mode and deleted the three files. Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:05:22 AM, on 8/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1136245027\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Adaptec\USBControl\Ausbctrl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\NT_USDM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\program files\common files\aol\1136245027\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1136245027\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.usatoday.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136245027\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [LDM] \Program\
O4 - Startup: NT_USDM.LNK = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: USBControl.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O18 - Protocol: bw+0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
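A helper reading a log like the one above looks for a few entry shapes first: O4 Run values whose command is not a drive-qualified path (Windows resolves those through the search path, so it is worth confirming which file actually runs), Startup-folder .lnk entries HijackThis could not resolve (`= ?`), O20 Winlogon Notify DLLs (loaded into winlogon.exe before any user logs on), O23 services with no owner string, and the long run of O18 handlers collapsed by the DLL that serves them. The script below is an added example, not code from the thread, from HijackThis or from SpyBot; the sample lines are a constructed subset modelled on the log's line formats, and the rules are a first-pass triage, not a verdict on any particular entry.

```python
"""Triage a HijackThis 1.99.1 log: parse the O4/O18/O20/O23 entry shapes and
pull out the entries a helper checks first. Added example, not HJT's own code."""
import re

# Constructed sample: a subset of line shapes modelled on the thread's log,
# not the full log. The header line is ignored by the parser.
SAMPLE_LOG = "\n".join([
    "Logfile of HijackThis v1.99.1",
    "O4 - HKLM\\..\\Run: [Logitech Utility] Logi_MwX.Exe",
    "O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe",
    "O4 - HKLM\\..\\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE",
    "O4 - HKLM\\..\\Run: [iTunesHelper] \"C:\\Program Files\\iTunes\\iTunesHelper.exe\"",
    "O4 - HKCU\\..\\Run: [LDM] \\Program\\",
    "O4 - Startup: NT_USDM.LNK = ?",
    "O4 - Global Startup: Adobe Gamma Loader.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe",
    "O4 - Global Startup: USBControl.lnk = ?",
    "O18 - Protocol: bwa0 - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BWPlugProtocol-8876480.dll",
    "O18 - Protocol: bwa0s - {70FD6369-0A9A-48C2-8C6E-3EFD2F34C0DE} - C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BWPlugProtocol-8876480.dll",
    "O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\GAPlugProtocol-8876480.dll",
    "O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\System32\\NavLogon.dll",
    "O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\System32\\Ati2evxx.exe",
    "O23 - Service: DefWatch - Symantec Corporation - C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\DefWatch.exe",
])

# One regex per entry shape; the first that matches decides the entry kind.
ENTRY_PATTERNS = (
    ("run",      re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")),
    ("startup",  re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")),
    ("protocol", re.compile(r"^O18 - Protocol: (?P<scheme>\S+) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<dll>.*)$")),
    ("winlogon", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")),
    ("service",  re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")),
)
# A command is drive-qualified if it starts with an optional quote and "X:\".
ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')


def parse_hjt(text):
    """Return one dict per recognised entry; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for kind, rx in ENTRY_PATTERNS:
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, "raw": line, **m.groupdict()})
                break
    return entries


def triage(entries):
    """Apply the first-pass rules and group O18 handlers by DLL."""
    findings = {
        "unqualified_run": [],       # Run value not given as a drive-qualified path
        "unresolved_startup": [],    # Startup .lnk whose target HJT shows as "?"
        "winlogon_notify": [],       # DLLs that winlogon.exe loads (SYSTEM, pre-logon)
        "unknown_owner_service": [], # service binaries with no company version string
        "protocol_handlers": {},     # handler DLL -> URL schemes it registers
    }
    for e in entries:
        k = e["kind"]
        if k == "run" and not ABS_PATH.match(e["cmd"]):
            # Resolved via the search path; confirm which binary really runs.
            findings["unqualified_run"].append(e["name"])
        elif k == "startup" and e["cmd"] == "?":
            findings["unresolved_startup"].append(e["name"])
        elif k == "winlogon":
            findings["winlogon_notify"].append(e["dll"])
        elif k == "service" and e["owner"] == "Unknown owner":
            findings["unknown_owner_service"].append(e["path"])
        elif k == "protocol":
            findings["protocol_handlers"].setdefault(e["dll"], []).append(e["scheme"])
    return findings


if __name__ == "__main__":
    report = triage(parse_hjt(SAMPLE_LOG))
    for key, value in report.items():
        if key == "protocol_handlers":
            for dll, schemes in value.items():
                print(f"O18 handlers: {len(schemes):3d} scheme(s) -> {dll}")
        else:
            for item in value:
                print(f"{key}: {item}")
```

On the thread's full log the same rules collapse the sixty-odd `bw*` O18 lines into two DLLs under one Logitech directory, which is why the helper treats them as one program rather than sixty findings, and they single out exactly the `= ?` and relative-path O4 lines the helper later lists as optional fixes. Anything flagged still needs the file itself checked (location, version info, hash) before it is removed.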

LonnyRJones
2006-08-09, 19:57
Looks good. Any current problems?

Would you like to go over optional fixes? For example QuickTime: there is no reason for it to start with Windows.

rkt428
2006-08-10, 16:56
Thanks Lonny, I will let my computer run for a while when I get home tonight to see if there are any other lagging issues. Also, I definitely wouldn't mind making the optional fixes. Could you please post the suggestions when you have a chance?

LonnyRJones
2006-08-11, 01:14
Most people I have seen uninstall Logitech's Desktop Messenger.
These items are considered to be resource hogs that are not needed, and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them.

Start HijackThis and place a check next to these items, if there.
Optional fixes
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [LDM] \Program\
O4 - Startup: NT_USDM.LNK = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
====================================
Hit "Fix checked" and close HijackThis.
Open RealPlayer Basic; on its toolbar go to View > Preferences > in the Start Center area > Settings.
Uncheck "Enable Start Center".
If you fixed QuickTime (where the option is may be slightly different depending on the version):
Open QuickTime and select Edit > Preferences > QuickTime Preferences, select Browser Plug-in and uncheck all boxes.

Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

rkt428
2006-08-11, 13:49
Hi, I made the changes you mentioned and ran SpyBot in safe mode one more time. So far my computer is running much better, and I only get a few popups now (that make it through my popup blocker), usually when I boot up my computer (adannerconnect.net, adfirstsolution). I also have another file which looks similar to one you told me to delete, C:\WINDOWS\system32\redist (RSP File). Should I be deleting this?

I'll let it run for a full day this weekend and see if I get anything further, but if you have any further suggestions I would appreciate it. Also, the computer definitely loads up much quicker without the real time and all that other junk. Thanks!!!

Cheers,

Rich

LonnyRJones
2006-08-12, 00:08
Post a ComboFix log.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the log is large you might need to post half in one reply and half in another.

rkt428
2006-08-13, 20:30
Start Time= Sun 08/13/2006 14:27:50.54
Running from: C:\Documents and Settings\Richard\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-08 23:16:32 ( .D... ) "C:\Program Files\America Online 9.0a"
2006-08-08 23:14:58 10920 ( A.... ) "C:\aolconnfix.exe"
2006-08-08 23:13:46 ( .D... ) "C:\Program Files\Viewpoint"
2006-08-07 00:41:14 3072 ( ..SHR ) "C:\WINDOWS\winapi32.exe3072.exe"
2006-08-07 00:19:48 3072 ( A.... ) "C:\WINDOWS\winapi32.exe"
2006-08-06 23:57:04 ( .D... ) "C:\Program Files\xerox"
2006-08-05 14:12:02 40960 ( A.... ) "C:\Look2Me-Destroyer.exe"
2006-08-05 01:03:08 ( .D... ) "C:\Program Files\Common Files\Vbox"
2006-07-30 14:50:00 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-29 22:28:30 32768 ( A.... ) "C:\WINDOWS\unstall.exe"
2006-07-29 22:17:50 78336 ( A.... ) "C:\WINDOWS\wnu_0.exe"
2006-07-26 07:32:16 45087 ( A.... ) "C:\WINDOWS\system32\okdsregs.exe"
2006-07-25 23:44:24 38412 ( A.... ) "C:\WINDOWS\ssqbn.exe"
2006-07-25 23:43:46 159878 ( A.... ) "C:\WINDOWS\system32\rwinlpez.exe"
2006-07-25 23:43:42 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-07-25 23:43:40 45068 ( A.... ) "C:\WINDOWS\system32\ZICORN003.exe"
2006-07-25 23:43:34 1064 ( A.... ) "C:\WINDOWS\system32\kfmfe167.sys"
2006-07-25 23:43:34 1064 ( A.... ) "C:\WINDOWS\system32\kfmfe167.sys"
2006-07-25 23:10:04 78336 ( A.... ) "C:\WINDOWS\wnu_179.exe"
2006-07-25 22:27:50 ( .D... ) "C:\Program Files\System Icons"
2006-07-25 22:27:50 ( .D... ) "C:\Program Files\System Files"
2006-07-25 22:25:24 49369 ( A.... ) "C:\WINDOWS\mirar.exe"
2006-07-25 22:24:26 359634 ( A.... ) "C:\WINDOWS\media_motor_bundle.exe"
2006-07-25 22:24:16 36864 ( A.... ) "C:\WINDOWS\System32n9nyb.exe"
2006-07-25 22:24:14 45056 ( A.... ) "C:\WINDOWS\System32ghynf.exe"
2006-07-25 22:24:14 28672 ( A.... ) "C:\WINDOWS\System32bez6n4r21.exe"
2006-07-25 22:24:14 28672 ( A.... ) "C:\WINDOWS\system32\iqqr.exe"
2006-07-25 22:24:12 36864 ( A.... ) "C:\WINDOWS\system32\n9nyb.exe"
2006-07-25 22:24:12 28672 ( A.... ) "C:\WINDOWS\system32\bez6n4r21.exe"
2006-07-25 22:23:54 226536 ( A.... ) "C:\WINDOWS\whCC-GIANT.exe"
2006-07-21 18:55:38 127578 ( A.... ) "C:\WINDOWS\system32\tsuninst.exe"
2006-07-04 17:57:44 11690 ( A.SH. ) "C:\WINDOWS\system32\KGyGaAvL.sys"
2006-07-04 17:57:44 11690 ( A.SH. ) "C:\WINDOWS\system32\KGyGaAvL.sys"
2006-07-04 17:50:12 ( .D... ) "C:\Program Files\Vidomi"
2006-07-04 17:35:30 ( .D... ) "C:\Documents and Settings\Richard\Application Data\Snapfish"
2006-07-04 11:23:40 ( .D... ) "C:\Documents and Settings\Richard\Application Data\BitTorrent"
2006-06-23 11:22:08 9216 ( A.... ) "C:\WINDOWS\orca.dll"
2006-06-21 18:38:40 235228 ( A.... ) "C:\WINDOWS\system32\icon_mediamotor.exe"
2006-06-21 18:38:16 115239 ( A.... ) "C:\WINDOWS\system32\ts_mediamotor.exe"
2006-05-31 19:53:34 104008 ( A.... ) "C:\WINDOWS\system32\AOLDial.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-08 23:14 10,920 C:\aolconnfix.exe
2006-08-07 00:19 3,072 C:\WINDOWS\winapi32.exe3072.exe
2006-08-07 00:19 3,072 C:\WINDOWS\winapi32.exe
2006-08-05 14:12 40,960 C:\Look2Me-Destroyer.exe
2006-07-29 22:17 78,336 C:\WINDOWS\wnu_0.exe
2006-07-26 07:32 45,087 C:\WINDOWS\system32\okdsregs.exe
2006-07-25 23:44 38,412 C:\WINDOWS\ssqbn.exe
2006-07-25 23:43 48,167 C:\WINDOWS\system32\VSL05.exe
2006-07-25 23:43 45,068 C:\WINDOWS\system32\ZICORN003.exe
2006-07-25 23:43 159,878 C:\WINDOWS\system32\rwinlpez.exe
2006-07-25 23:43 1,064 C:\WINDOWS\system32\kfmfe167.sys
2006-07-25 23:10 78,336 C:\WINDOWS\wnu_179.exe
2006-07-25 22:26 127,578 C:\WINDOWS\system32\tsuninst.exe
2006-07-25 22:25 940,000 C:\WINDOWS\cjqomfg.exe
2006-07-25 22:25 49,369 C:\WINDOWS\mirar.exe
2006-07-25 22:25 32,768 C:\WINDOWS\unstall.exe
2006-07-25 22:24 45,056 C:\WINDOWS\System32ghynf.exe
2006-07-25 22:24 36,864 C:\WINDOWS\System32n9nyb.exe
2006-07-25 22:24 36,864 C:\WINDOWS\system32\n9nyb.exe
2006-07-25 22:24 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-25 22:24 28,672 C:\WINDOWS\System32bez6n4r21.exe
2006-07-25 22:24 28,672 C:\WINDOWS\system32\iqqr.exe
2006-07-25 22:24 28,672 C:\WINDOWS\system32\bez6n4r21.exe
2006-07-25 22:23 226,536 C:\WINDOWS\whCC-GIANT.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Logitech Utility"="Logi_MwX.Exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1136245027\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows NT\\kykeco.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Internet Explorer\\hohyzewo.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,50,01,00,00,00,00,00,00,40,05,00,00,fc,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""




Contents of the 'Scheduled Tasks' folder

Completion time: Sun 08/13/2006 14:28:14.19
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt
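
The Find3M section of the log above lists every file changed in the last three months, and the helper reads it by eye to pick out the droppers. As an added example (not part of this thread and not ComboFix's own code), the Python below parses lines in that format and flags entries using a few heuristics that are assumptions for illustration rather than ComboFix rules: hidden/system attributes on an executable, executables written straight into C:\WINDOWS, names that mimic the System32 folder (System32n9nyb.exe) and doubled extensions (winapi32.exe3072.exe). The sample lines are copied from the report above.

```python
"""Triage helper for the 'Find3M Report' section of a ComboFix log.

Added example, not part of the thread or of ComboFix.  It parses lines of
the form   <date> <time> [<size>] ( <attrs> ) "<path>"   and flags entries
by simple heuristics (assumptions for illustration, not ComboFix rules).
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "timestamp size attrs path")

LINE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+'   # timestamp
    r'(?:(\d+)\s+)?'                                # size (absent for directories)
    r'\(\s*([A-Z.]{5})\s*\)\s+'                     # attribute flags, positions A D S H R
    r'"(.+)"\s*$'                                   # quoted path
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")

# Sample lines copied from the ComboFix report in this thread.
SAMPLE_REPORT = r"""
2006-08-08 23:16:32 ( .D... ) "C:\Program Files\America Online 9.0a"
2006-08-07 00:41:14 3072 ( ..SHR ) "C:\WINDOWS\winapi32.exe3072.exe"
2006-07-25 22:24:16 36864 ( A.... ) "C:\WINDOWS\System32n9nyb.exe"
2006-07-25 22:24:12 36864 ( A.... ) "C:\WINDOWS\system32\n9nyb.exe"
2006-07-04 17:57:44 11690 ( A.SH. ) "C:\WINDOWS\system32\KGyGaAvL.sys"
2006-05-31 19:53:34 104008 ( A.... ) "C:\WINDOWS\system32\AOLDial.dll"
"""


def parse_find3m(text):
    """Return an Entry for every parseable report line; skip banners and blanks."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append(Entry(ts, int(size) if size else None, attrs, path))
    return entries


def suspicious_reasons(entry):
    """Heuristic flags for one entry (assumptions, see module docstring)."""
    reasons = []
    parent, _, name = entry.path.rpartition("\\")
    lower = name.lower()
    if entry.attrs[1] == "D" or not lower.endswith(EXEC_EXT):
        return reasons  # directories and non-executables are not scored here
    # Hidden or System attribute on an executable is unusual for user-land software.
    if entry.attrs[2] == "S" or entry.attrs[3] == "H":
        reasons.append("hidden/system attribute on executable")
    # Executables written directly into the Windows root rather than a subfolder.
    if parent.lower() == r"c:\windows":
        reasons.append("executable written directly to C:\\WINDOWS")
        # Names such as 'System32foo.exe' in C:\WINDOWS mimic the system32 path.
        if lower.startswith("system32"):
            reasons.append("filename mimics the System32 folder")
    # More than one executable extension in the name, e.g. 'x.exe3072.exe'.
    if sum(lower.count(ext) for ext in EXEC_EXT) > 1:
        reasons.append("multiple executable extensions in name")
    return reasons


def triage(text):
    """Map each flagged path to its reasons, in report order."""
    flagged = {}
    for entry in parse_find3m(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_REPORT).items():
        print(path, "->", "; ".join(reasons))
```

The flags are candidates for a closer look, not verdicts: a legitimate driver can carry the hidden/system attributes too, which is why the thread's own confirming step for an unknown file (submitting it to VirusTotal) still applies to anything this script picks out.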

rkt428
2006-08-13, 20:33
Also, I have been using my computer for a while this weekend and it looks like I still have popups that get through my popup blocker (Pop-Up Stopper) and adware trying to install programs on my computer.

LonnyRJones
2006-08-14, 02:25
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4
;
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Restart your PC.


Set Windows to show hidden files, folders and file extensions.
Click for instructions: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
And delete each of these files, at only these specific locations:
C:\Program Files\Internet Explorer\hohyzewo.html
C:\Program Files\Windows NT\kykeco.html

C:\WINDOWS\system32\okdsregs.exe
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\system32\ZICORN003.exe
C:\WINDOWS\system32\rwinlpez.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\iqqr.exe
C:\WINDOWS\system32\bez6n4r21.exe
C:\WINDOWS\system32\n9nyb.exe

C:\WINDOWS\winapi32.exe3072.exe
C:\WINDOWS\winapi32.exe
C:\WINDOWS\wnu_179.exe
C:\WINDOWS\ssqbn.exe
C:\WINDOWS\cjqomfg.exe
C:\WINDOWS\mirar.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\System32ghynf.exe
C:\WINDOWS\System32n9nyb.exe
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\System32bez6n4r21.exe
C:\WINDOWS\whCC-GIANT.exe
C:\WINDOWS\wnu_0.exe

Submit this file here and let me know what was found?
C:\WINDOWS\system32\kfmfe167.sys


C:\Look2Me-Destroyer.exe <<Delete as it won't be needed again
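
The two Active Desktop components that fixme.reg removes are the ones in the log whose "Source" is a local .html file with an empty FriendlyName, while components\2 (About:Home, "My Current Home Page") is the genuine home page entry. As an added example, not LonnyRJones's code and not part of this thread, the Python below parses the 'Reg Loading Points' section of a ComboFix log, picks out components under exactly that assumption (local file source, no URL scheme, no FriendlyName) and drafts a REGEDIT4 removal file in the same form as fixme.reg above. The sample log text is copied from the report in this thread.

```python
"""Spot planted Active Desktop items in the 'Reg Loading Points' section of a
ComboFix log and draft the matching REGEDIT4 removal file.

Added example, not part of the thread.  Assumption: a desktop component whose
"Source" is a local file (no URL scheme, not About:Home) and that has no
FriendlyName is a planted item; the genuine entry in this thread has
Source "About:Home" and a FriendlyName.
"""
import re

COMPONENT_KEY_RE = re.compile(
    r'^\[(HKEY_CURRENT_USER\\software\\microsoft\\internet explorer'
    r'\\desktop\\components\\(\d+))\]$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Sample text copied from the ComboFix report in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"Settings"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows NT\\kykeco.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Internet Explorer\\hohyzewo.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""


def parse_components(log_text):
    """Return {key_path: {value_name: raw_value}} for each numbered component key."""
    comps, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = COMPONENT_KEY_RE.match(line)
            current = m.group(1) if m else None  # other keys end the section
            if current:
                comps[current] = {}
            continue
        if current is None or not line:
            continue
        m = VALUE_RE.match(line)
        if m:
            comps[current][m.group(1)] = m.group(2)
    return comps


def reg_string(raw):
    """Decode a REGEDIT4 string value ("..." with doubled backslashes) to plain text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def is_planted(values):
    """Apply the assumption from the module docstring to one component's values."""
    src = reg_string(values.get("Source", "")).strip()
    name = reg_string(values.get("FriendlyName", "")).strip()
    if not src or src.lower() == "about:home" or "://" in src:
        return False
    return name == ""


def planted_components(log_text):
    """Map each planted component key to its decoded Source path, in log order."""
    return {k: reg_string(v.get("Source", ""))
            for k, v in parse_components(log_text).items() if is_planted(v)}


def removal_reg(keys):
    """Emit a REGEDIT4 file that deletes the given keys, as fixme.reg above does."""
    lines = ["REGEDIT4", ";"] + [f"[-{k}]" for k in keys] + [";", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = planted_components(SAMPLE_LOG)
    for key, source in found.items():
        print(key, "->", source)
    print(removal_reg(found))
```

The decoded Source paths are the same two .html files the helper lists for manual deletion, so the script output pairs naturally with that step: the registry keys go, and the files they pointed at go with them.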

rkt428
2006-08-15, 05:48
OK, I found each and every one of the files above and deleted them.

I also found the c:\windows\system32\kfmfe167.sys file. What do you mean by submit this file here (I cannot upload it and I get some gibberish in Notepad)? Should I delete this file as well?

LonnyRJones
2006-08-15, 05:56
Oops, I forgot the URL.
Submit this file here and let me know what was found?
C:\WINDOWS\system32\kfmfe167.sys
http://www.virustotal.com/flash/index_en.html

rkt428
2006-08-15, 06:13
Here are my results:

Complete scanning result of "kfmfe167.sys", received in VirusTotal at 08.15.2006, 06:10:11 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.0 08.14.2006 no virus found
Authentium 4.93.8 08.14.2006 no virus found
Avast 4.7.844.0 08.14.2006 no virus found
AVG 386 08.14.2006 no virus found
BitDefender 7.2 08.14.2006 no virus found
CAT-QuickHeal 8.00 08.14.2006 no virus found
ClamAV devel-20060426 08.14.2006 no virus found
DrWeb 4.33 08.14.2006 no virus found
eTrust-InoculateIT 23.72.97 08.15.2006 no virus found
eTrust-Vet 30.3.3019 08.14.2006 no virus found
Ewido 4.0 08.14.2006 no virus found
Fortinet 2.77.0.0 08.15.2006 no virus found
F-Prot 3.16f 08.14.2006 no virus found
F-Prot4 4.2.1.29 08.14.2006 no virus found
Ikarus 0.2.65.0 08.14.2006 no virus found
Kaspersky 4.0.2.24 08.15.2006 no virus found
McAfee 4829 08.14.2006 no virus found
Microsoft 1.1560 08.14.2006 no virus found
NOD32v2 1.1706 08.14.2006 no virus found
Norman 5.90.23 08.14.2006 no virus found
Panda 9.0.0.4 08.14.2006 no virus found
Sophos 4.08.0 08.15.2006 no virus found
Symantec 8.0 08.15.2006 no virus found
TheHacker 5.9.8.192 08.14.2006 no virus found
UNA 1.83 08.14.2006 no virus found
VBA32 3.11.0 08.14.2006 no virus found
VirusBuster 4.3.7:9 08.14.2006 no virus found

Aditional Information
File size: 1064 bytes
MD5: 28eac01ca321c8c946de3e33864fc754
SHA1: 390a53b2154fb43d636670f11e2360056b85ac24

LonnyRJones
2006-08-15, 07:57
Good, leave it be.

Are there any current problems?

If not, now is the time to go update your Windows.

rkt428
2006-08-15, 13:33
Excellent. So far so good. I have yet to get a popup or adware!! I will post again here in a couple of days to let you know if there are any problems, but it looks very promising so far. Thanks so much for your help and time, Lonny.

rkt428
2006-08-20, 21:36
Hi Lonny,

I have been using the computer for a couple of days and it looks like everything is running normal and no popups. Thanks again, I appreciate your assistance buddy.

LonnyRJones
2006-08-21, 01:35
Hopefully you updated Windows, otherwise it will definitely get infected again.

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

rkt428
2006-08-25, 05:04
Lonny, I put in the hosts file and will be updating Windows shortly. Thanks, you have been an immense help.

tashi
2006-08-31, 05:11
As the problem appears to be resolved this topic has been archived.

If you need it re-opened, please send me or your helper a private message (PM) and provide a link to the thread; this applies only to the original topic starter. Cheers. :)