View Full Version : Downloader virus/AtHoc Toolbar/IE pop-ups
Fruitbat
2006-08-15, 01:15
I've been having various problems for some time now that I haven't been able to fix.
(1) Primary issue is that Norton keeps warning me of a downloader virus in Windows\system32. Sometimes its "WMDmon.dll" sometimes its "pmkhhgg.dll". In both instances it states that it cannot be removed. Ewido also finds this and callis it "Downloader.ConHook.aa"
(2) Another issue that I've had for a while is a purple colorded "@" icon in my taskbar that doesn't seem to do anything, but the name of it is "AtHoc toolbar"
(3) Thirdly, IE tends to popup windows to antivirus sites promoting me to buy their antivirus software. Cant recall where exactly its beeing redirected, since I've been using firefox instead for a while.
I followed the directions in the pinned forum topic. Spybot found a few things (including something called AtHoc), all of which I fixed (note I have done this before however). Panda dind't find anything much (log below), and HJT log is below (had to split into 2 posts). All help appreciated! I hope to clean this PC as the next resort would be to re-install XP and start over (ugggh).
PANDA:
Incident Status Location
Adware:adware/brands Not disinfected Windows Registry
HJT LOG (PART 1):
Logfile of HijackThis v1.99.1
Scan saved at 4:56:56 PM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\WINDOWS\Downloaded Program Files\AtHoc.exe
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Pat's Stuff\Misc\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.med.umn.edu/peds/neonat/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.peds.umn.edu
O2 - BHO: Athoc BrowserHelper (Version 1.0) - {001B3456-4ADE-44D0-8C23-D69D32658D84} - C:\WINDOWS\Downloaded Program Files\AtHocTBr.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4d874d98-6c3c-4d19-b576-bf784a21d76f} - C:\WINDOWS\system32\WMDmon.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\Downloaded Program Files\IDXIEController.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Medscape Toolbar.LNK = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Fruitbat
2006-08-15, 01:16
Continuation of HJT Log:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} (ISiteNonVisual Control 3.3) - http://162.96.4.16/iSite3_3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127333494338
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {734F0ACB-CB01-4426-A8AB-A496C2583A40} (DesktopSync Class) - http://idxweb.fairview.org/idxrad/integration/ICAPI/ImagecastInterface.CAB
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.linders.com/AxisCamControl.bin
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://usa1chat.tupperware.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://162.96.13.51/dana-cached/setup/JuniperSetup.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://63.228.250.70/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://63.228.250.70/ahsweb/IDXWF/Context/IDXBrowser.cab
O18 - Protocol: bw+0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WMDmon - WMDmon.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
LonnyRJones
2006-08-18, 03:15
Welcome Fruitbat
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Fruitbat
2006-08-24, 03:52
Fruitbat, still with us?
Sorry, been pretty busy last few days....should work on this within the next hour or so....
Fruitbat
2006-08-24, 04:04
VundoFix found no infections when I ran it.
Updated HiJack Log, Part 1:
Logfile of HijackThis v1.99.1
Scan saved at 8:02:31 PM, on 8/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\WINDOWS\Downloaded Program Files\AtHoc.exe
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Pat's Stuff\Misc\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.med.umn.edu/peds/neonat/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.peds.umn.edu
O2 - BHO: Athoc BrowserHelper (Version 1.0) - {001B3456-4ADE-44D0-8C23-D69D32658D84} - C:\WINDOWS\Downloaded Program Files\AtHocTBr.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4d874d98-6c3c-4d19-b576-bf784a21d76f} - C:\WINDOWS\system32\WMDmon.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\Downloaded Program Files\IDXIEController.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Medscape Toolbar.LNK = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Fruitbat
2006-08-24, 04:05
HiJack Log, part 2:
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} (ISiteNonVisual Control 3.3) - http://162.96.4.16/iSite3_3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127333494338
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {734F0ACB-CB01-4426-A8AB-A496C2583A40} (DesktopSync Class) - http://idxweb.fairview.org/idxrad/integration/ICAPI/ImagecastInterface.CAB
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.linders.com/AxisCamControl.bin
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://usa1chat.tupperware.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://162.96.13.51/dana-cached/setup/JuniperSetup.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://63.228.250.70/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://63.228.250.70/ahsweb/IDXWF/Context/IDXBrowser.cab
O18 - Protocol: bw+0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {AD28FE58-9899-44F2-8614-8BE190E44604} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WMDmon - WMDmon.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
LonnyRJones
2006-08-24, 09:45
Are you still experiancing the problems you mentioned in your first post ?
if so give details again
Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {4d874d98-6c3c-4d19-b576-bf784a21d76f} - C:\WINDOWS\system32\WMDmon.dll (file missing)
O20 - Winlogon Notify: WMDmon - WMDmon.dll (file missing)
Optional fix's > Legitamat BHO AtHocTBr.DLL AtHoc
O2 - BHO: Athoc BrowserHelper (Version 1.0) - {001B3456-4ADE-44D0-8C23-D69D32658D84} - C:\WINDOWS\Downloaded Program Files\AtHocTBr.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
====================================
Most folks uninstall Logitech Desktop Messenger, do so unless you need it.
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Update suns java manualy
Sun Java "Java Runtime Environment (JRE) 5.0 Update 8" is Available:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Afterwards it's important to uninstall the old version's via addremove programs.
Post a fresh hijackthis log
Fruitbat
2006-08-24, 17:07
Yes I am still experiencing the same problems as described in the first post. Certainly (1) and (2) still happen....like I said, I haven't noticed # (3) since I've switched to firefox.
I'll have time this afternoon/evening to do the steps you described...thanks!
Fruitbat
2006-08-25, 05:30
OK, completed all the steps, including doing the 2 optional fixes.
The AtHoc icon is no longer in my toolbar.
Norton still warned me of a downloader virus that it could not delete: pmkhhgg.dll
Here's an updated Log, part 1:
Logfile of HijackThis v1.99.1
Scan saved at 9:27:20 PM, on 8/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\WINDOWS\Downloaded Program Files\AtHoc.exe
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Pat's Stuff\Misc\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.med.umn.edu/peds/neonat/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.peds.umn.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\Downloaded Program Files\IDXIEController.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Medscape Toolbar.LNK = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Fruitbat
2006-08-25, 05:31
Log, part 2:
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} (ISiteNonVisual Control 3.3) - http://162.96.4.16/iSite3_3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127333494338
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {734F0ACB-CB01-4426-A8AB-A496C2583A40} (DesktopSync Class) - http://idxweb.fairview.org/idxrad/integration/ICAPI/ImagecastInterface.CAB
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.linders.com/AxisCamControl.bin
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://usa1chat.tupperware.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://162.96.13.51/dana-cached/setup/JuniperSetup.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://63.228.250.70/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://63.228.250.70/ahsweb/IDXWF/Context/IDXBrowser.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
LonnyRJones
2006-08-25, 06:53
Hi Re-download vundofix there is a new version
scan and have it remove any files found, if nothing is found Right click the list box then select add files and add
C:\WINDOWS\SYSTEM32\pmkhhgg.dll
do the same for this file
c:\windows\system32\WMDmon.dll
Click the Remove Vundo button and fallow the prompts from there.
after the pc has restarted post the vundofix log.
http://www.atribune.org/content/view/24/2/
Fruitbat
2006-08-26, 04:58
I followed the steps, and here is the current status:
- The AtHoc icon in my taskbar has returned
- Vundo found nothing. I right clicked the list box, added the file paths....but when I click "add files" it just sits there and does nothing.
LonnyRJones
2006-08-26, 05:13
AtHoc is a legit program, if you want to get rid of it try addremove programs.
I think norton is interfearing, while it is of and the pc has no internet access give the infection time to reload itself >
Disconnect from the internet, unplug your modem, turn off norton using the programs options, use the c a few hours then reboot your pc a few times then restart into safe mode and repeat the vundofix instructions, scan if nothing is found use the add files options.
How to Reboot into safe mode (not safe mode with networking) Click here if needed (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx) For instructions.
Dont forget to turn the antivirus program back on before getting on the net.
Fruitbat
2006-08-26, 05:16
Actually, let me be a bit more descriptive, because maybe it IS doing something.....
I right click on the list box, and type in the file paths. I click "add files" and it just sits there (I guess I expected it to do something after I clicked, but maybe not). so then I clicked "Close window" which brings me back to the main window. I then click "scan for Vundo" and I still get no results.
*** Edit...I noticed you just posted....I havent read your reply yet...
Fruitbat
2006-08-26, 05:24
OK, I have read your post....I dont have time right now to follow your suggestions, but thanks, and I will probably get around to it tomorrow.
I tried to remove AtHoc via add/remove programs, but it tells me "an error has occured...It may have already been uninstalled."
The fact that you say that it is a legitamate program makes me feel better....for the life of me, however, I cant remember installing it and I dont know what it does, so I was a little be leery of it.
anyway, when I have more time I will follow your steps and report back. Thanks again!!!!!
Fruitbat
2006-08-27, 00:07
OK, big update....
I followed your steps to no apparent success (Vundo still didn't find anything, even when I manually listed the files).
So, then ,for the heck of it, I turned on Norton and did a full system scan. It didn't find anything. I was surprised. But then it occured to me to check the quaranteened files....lo and behold there was 2 files: pmkhhgg.dll and jkhhh.exe.
Now, I;m not familiar with what exactly happens to quaranteened files, but I told Norton to restore them.
I then re-did the Vundo steps, added those two files to the list, and Vundo was able to delete them.
Below is the Vundo log....
===================================================
VundoFix V6.1.2
Checking Java version...
Java version is 1.4.2.4
Java version is 1.4.2.5
Java version is 1.5.0.2
Scan started at 7:58:08 PM 8/23/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.1.2
Checking Java version...
Java version is 1.5.0.2
Java version is 1.5.0.8
Scan started at 8:31:41 PM 8/25/2006
Listing files found while scanning....
No infected files were found.
VundoFix V6.1.2
Checking Java version...
Java version is 1.5.0.2
Java version is 1.5.0.8
Scan started at 8:48:40 PM 8/25/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
Beginning removal...
Beginning removal...
VundoFix V6.1.2
Checking Java version...
Java version is 1.5.0.2
Java version is 1.5.0.8
Scan started at 8:59:00 PM 8/25/2006
Listing files found while scanning....
VundoFix V6.1.2
Checking Java version...
Java version is 1.5.0.2
Java version is 1.5.0.8
Scan started at 9:03:05 PM 8/25/2006
Listing files found while scanning....
No infected files were found.
VundoFix V6.1.2
Checking Java version...
Java version is 1.5.0.2
Java version is 1.5.0.8
Scan started at 2:14:19 PM 8/26/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.1.2
Checking Java version...
Java version is 1.5.0.2
Java version is 1.5.0.8
Scan started at 3:45:55 PM 8/26/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
Beginning removal...
Attempting to delete c:\windows\system32\pmkhhgg.dll
c:\windows\system32\pmkhhgg.dll Has been deleted!
Attempting to delete c:\windows\system32\jkhhh.exe
c:\windows\system32\jkhhh.exe Has been deleted!
Performing Repairs to the registry.
Done!
Fruitbat
2006-08-27, 00:52
After I did the above as I described, I started Norton again to do a full scan....just to see if it would find anything.
Unfotunately, it found the two infected files again: jkhhh.exe and pmkhhgg.dll. Norton's repair failed, and it asked if I wanted to quaranteen the files. I chose to not do that. It prompted me if I wanted to delete the files, which I did. I ran a Norton scan again (just on the C:\WINDOWS folder)....and it found no infections.
I'm not quite sure what to believe anymore.
Fruitbat
2006-08-27, 01:36
After I did the above as I described, I started Norton again to do a full scan....just to see if it would find anything.
Unfotunately, it found the two infected files again: jkhhh.exe and pmkhhgg.dll. Norton's repair failed, and it asked if I wanted to quaranteen the files. I chose to not do that. It prompted me if I wanted to delete the files, which I did. I ran a Norton scan again (just on the C:\WINDOWS folder)....and it found no infections.
I'm not quite sure what to believe anymore.
Quick edit to add that I also did a full system Norton scan, which found no probelms.
LonnyRJones
2006-08-27, 14:58
After a few days post back and let us know how that pc is, in the meantime
Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Glad we could help, thank you Lonny. :)