silvercat

infostealer.gampass virus need help


Norton alerted me this morning that I am infected with infostealer.gampass

I downloaded Ad-aware, updated it, and ran a scan. It removed "63 critical" and left "1049 privacy objects"

I downloaded HijackThis and here is my log:

I will very much appreciate help to remove this virus!

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:09:20 PM, on 4/12/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\WINDOWS\SoundMan.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\ATTRIB.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\ATTRIB.EXE

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\ATTRIB.EXE

C:\WINDOWS\system32\com\man11.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {6167F471-EF2B-41DD-A5E5-C26ACDB5C096} - C:\Program Files\Internet Explorer\PLUGINS\WinSys8v.Sys

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DbgHlp32] C:\WINDOWS\DbgHlp32.exe

O4 - HKLM\..\Run: [MsIMMs32] C:\WINDOWS\MsIMMs32.exE

O4 - HKLM\..\Run: [WINSvr32] C:\WINDOWS\WINSvr32.exE

O4 - HKLM\..\Run: [mfchlp32] C:\WINDOWS\mfchlp32.exe

O4 - HKLM\..\Run: [soundMan] SoundMan.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Logitech SetPoint.lnk = ?

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab

O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/free-tri...mesLauncher.cab

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab

O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://merillat.view22.com/release_3_9_177/View22RTEv4.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab

O18 - Protocol: bw+0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw+0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: bwg0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwg0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: offline-8876480 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O20 - AppInit_DLLs: msosmhfp01.dll,msoscqit00.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Help and Support (helpsvc) - 1 - C:\WINDOWS\system32\interne.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Messenger - Unknown owner - C:\WINDOWS\system32\Mess.exe (file missing)

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

--

End of file - 25308 bytes


Hello silvercat. ;)

 

Please rerun a scan with HijackThis (scan only) and check the following objects for removal:

 

O2 - BHO: (no name) - {6167F471-EF2B-41DD-A5E5-C26ACDB5C096} - C:\Program Files\Internet Explorer\PLUGINS\WinSys8v.Sys

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [DbgHlp32] C:\WINDOWS\DbgHlp32.exe

O4 - HKLM\..\Run: [MsIMMs32] C:\WINDOWS\MsIMMs32.exE

O4 - HKLM\..\Run: [WINSvr32] C:\WINDOWS\WINSvr32.exE

O4 - HKLM\..\Run: [mfchlp32] C:\WINDOWS\mfchlp32.exe

 

Now close ALL other open windows but HijackThis and hit FIX CHECKED. Exit HijackThis.

 

Click Start -> Run -> paste in:

 

sc stop helpsvc

 

Click on OK.

 

Then click Start -> Run again and this time paste in:

 

sc delete helpsvc

 

Again, click on OK.

 

-------

 

Go to Start » Run » type in: regedit » OK.

  • On the left side, click to highlight My Computer at the top.
  • Go up to File » Export
    Make sure in that window there is a tick next to "All" under Export Branch.
    Leave the "Save As Type" as "Registration Files".
    Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File » Exit.

This is so the registry can be restored to this point if we need it. It may take a minute.

 

Next, please copy the following text in the quotebox below to a blank notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg on your desktop.

 

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

 

Please reboot at this point.

 

-------

 

Then, please copy the following text in the quotebox below to a blank notepad file. Make sure the filetype is set to "All Files" and save it as delete.bat on your desktop.

 

@echo off
REM For each dropped file: clear the read-only and hidden attributes,
REM then force-delete it quietly regardless of remaining attributes.
attrib -r -h C:\WINDOWS\DbgHlp32.exe
del /a /f /q C:\WINDOWS\DbgHlp32.exe
attrib -r -h C:\WINDOWS\MsIMMs32.exE
del /a /f /q C:\WINDOWS\MsIMMs32.exE
attrib -r -h C:\WINDOWS\WINSvr32.exE
del /a /f /q C:\WINDOWS\WINSvr32.exE
attrib -r -h C:\WINDOWS\mfchlp32.exe
del /a /f /q C:\WINDOWS\mfchlp32.exe
attrib -r -h C:\WINDOWS\system32\interne.exe
del /a /f /q C:\WINDOWS\system32\interne.exe
REM Remove this batch file itself (it runs from the desktop), then close the window.
del delete.bat
exit

Now double-click on the delete.bat on your desktop -- a window will pop up and close; this is normal.

 

----

 

Once finished..

 

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. :)
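As an added, defender-side illustration that is not part of this thread and not code from HijackThis or from the forum's helpers: the entries picked out for removal above share a few recognisable patterns. An unnamed BHO points at a file that is not a DLL, a toolbar entry has no file behind it, several Run entries launch executables sitting directly in C:\WINDOWS, AppInit_DLLs is populated, and the "Help and Support" service (helpsvc) carries a vendor field of "1" and runs a standalone binary, although on Windows XP that service is hosted inside svchost.exe. The Python script below encodes those patterns as review heuristics and runs them over a constructed subset of the log posted in this thread. The heuristics, the `SVCHOST_HOSTED` list and every function name are my own assumptions; a flag means "look at this entry", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries posted in this thread,
# kept short so the script runs offline. It is not a complete log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6167F471-EF2B-41DD-A5E5-C26ACDB5C096} - C:\Program Files\Internet Explorer\PLUGINS\WinSys8v.Sys
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DbgHlp32] C:\WINDOWS\DbgHlp32.exe
O4 - HKLM\..\Run: [MsIMMs32] C:\WINDOWS\MsIMMs32.exE
O4 - HKLM\..\Run: [WINSvr32] C:\WINDOWS\WINSvr32.exE
O4 - HKLM\..\Run: [mfchlp32] C:\WINDOWS\mfchlp32.exe
O4 - HKLM\..\Run: [soundMan] SoundMan.exe
O20 - AppInit_DLLs: msosmhfp01.dll,msoscqit00.dll
O23 - Service: Help and Support (helpsvc) - 1 - C:\WINDOWS\system32\interne.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# An .exe directly under C:\WINDOWS (not in a subfolder) is unusual for installed software.
WINDIR_ROOT_EXE = re.compile(r"c:\\windows\\[^\\]+\.exe$", re.I)
# Assumed, illustrative list: XP services that run inside svchost.exe, so a
# standalone binary registered under one of these names deserves a look.
SVCHOST_HOSTED = {"helpsvc", "wuauserv", "lanmanserver", "browser"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def run_target(body: str) -> str:
    """Extract the executable path from an O4 body, honouring quotes and
    dropping trailing arguments such as -osboot."""
    target = body.split("] ", 1)[1] if "] " in body else body
    m = re.match(r'"([^"]+)"|(.*?\.exe)', target, re.I)
    if not m:
        return target.strip()
    return (m.group(1) or m.group(2)).strip()


def service_fields(body: str):
    """Split an O23 body into (short service name, vendor, image path)."""
    m = re.match(r"Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$", body)
    if not m:
        return None
    short = re.search(r"\(([^()]+)\)\s*$", m["name"])
    return (short.group(1) if short else m["name"]), m["vendor"], m["path"]


def triage(log_text: str) -> list:
    """Return one Finding per HijackThis entry that matches a review heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        reasons = []
        if sec in ("O2", "O3"):
            parts = body.split(" - ")
            name = parts[0].split(": ", 1)[-1]
            path = parts[-1]
            if name == "(no name)" and (path == "(no file)" or not path.lower().endswith(".dll")):
                reasons.append("unnamed browser extension with a missing or non-DLL file")
        elif sec == "O4":
            if WINDIR_ROOT_EXE.search(run_target(body)):
                reasons.append("autorun executable placed directly in the Windows directory")
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                reasons.append("AppInit_DLLs is set; these DLLs load into every process that uses user32.dll")
        elif sec == "O23":
            fields = service_fields(body)
            if fields:
                short, vendor, path = fields
                if not re.search(r"[A-Za-z]", vendor):
                    reasons.append("service vendor field is not a company name")
                if short.lower() in SVCHOST_HOSTED and not path.lower().endswith("\\svchost.exe"):
                    reasons.append(f"'{short}' is normally hosted by svchost.exe, not a standalone binary")
        if reasons:
            findings.append(Finding(sec, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script flags exactly the entries the helper listed for removal plus the AppInit_DLLs and helpsvc items that were handled with the .reg file and the sc commands, while leaving the Symantec, Adobe and SoundMan entries alone. The path rule is deliberately narrow (root of C:\WINDOWS only) to keep false positives down; a real triage would add a hash or signature check before anything is deleted.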


Hello Rawe, and thank you for coming to my rescue... I followed your instructions and have come to a problem.

 

I am on this step: "Go to Start » Run » type in: regedit » OK"

When I do that, nothing opens.

 

eek


Let's skip that step for now. ;)

 

Before running Deckard's System Scanner (DSS) though, let's run this scanner after you run the .bat file.

 

Please download Malwarebytes' Anti-Malware and save it to your desktop.

alternate download link 1

alternate download link 2

  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If you have trouble with the update process, please download the latest updates here.
  • Double-click the mbam-rules.exe file on your desktop and let it update the application.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply along with the DSS log.

Extra note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Rawe,

I am following your instructions and I have a question. I am running the Deckard Scanner and am not sure if it is running or stalled.

The little window for the Deckard Scan is open, but it is blank... when I put my mouse over it, the hourglass shows up. I watched it start working; it was 'cleaning up temp files' when I left the room. When I came back, the little window was blank. No notepads have shown up yet. Is this the standard way for it to work, or what should I do?

Thank you.


If it still hasn't done anything, reboot your machine and see if it produces a log of any kind after that. :)

 

How long did/has it run?


Nope, post back with a fresh HijackThis log & the Malwarebytes' scanlog. :)


Okay here we go.

My new HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:12:51 PM, on 4/12/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\SoundMan.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\FINDSTR.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [soundMan] SoundMan.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Logitech SetPoint.lnk = ?

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab

O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/free-tri...mesLauncher.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab

O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://merillat.view22.com/release_3_9_177/View22RTEv4.cab

O18 - Protocol: bw+0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw+0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: bwg0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwg0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0s - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: offline-8876480 - {E6E83959-A8AB-40B7-A441-420277885141} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O20 - AppInit_DLLs: msosmhfp01.dll,msoscqit00.dll,

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Help and Support (helpsvc) - 1 - C:\WINDOWS\system32\interne.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Messenger - Unknown owner - C:\WINDOWS\system32\Mess.exe (file missing)

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

--

End of file - 24516 bytes

 

 

The Malwarebytes' log:

 

Malwarebytes' Anti-Malware 1.11

Database version: 619

 

Scan type: Full Scan (C:\|)

Objects scanned: 184097

Time elapsed: 45 minute(s), 49 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 24

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{8c41b7f7-3168-400d-a702-0e7efe0ba304} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Kav\Browser Helper Objects\{6167f471-ef2b-41dd-a5e5-c26acdb5c096} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6167f471-ef2b-41dd-a5e5-c26acdb5c096} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

C:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\WINSvr32.dll (Dialer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lindsey\Local Settings\Temp\svchost.bin (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Please copy the following text in the quotebox below to a blank notepad file. Make sure the filetype is set to "All Files" and save it as delete.bat on your desktop.

 

@echo off

 

sc stop Messenger

sc delete Messenger

sc stop helpsvc

sc delete helpsvc

attrib -r -h C:\WINDOWS\system32\interne.exe

del /a /f /q C:\WINDOWS\system32\interne.exe

del delete.bat

exit

Now double-click on the delete.bat on your desktop -- a window will pop up and close, this is normal.

 

Then, please follow the instructions for running ComboFix here and post back with the log. :)

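As an added example (not code from this thread or from any tool named in it), the following Python script parses the O23 service and O20 AppInit_DLLs lines of a HijackThis log and flags the kinds of entries the delete.bat above removes: a Windows service whose binary is not the svchost.exe host it normally runs under, a service registration pointing at a missing file, and a non-empty AppInit_DLLs list. It then emits sc/attrib/del lines in the same style as the batch file, for review. SAMPLE_LOG is a constructed subset of the log posted above, and SVCHOST_HOSTED is an assumed, deliberately small map of svchost-hosted XP services.

```python
"""Flag suspicious O23 (service) and O20 (AppInit_DLLs) lines in a HijackThis log."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O20/O23 entries from the log posted in this thread.
SAMPLE_LOG = """\
O20 - AppInit_DLLs: msosmhfp01.dll,msoscqit00.dll,
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: Help and Support (helpsvc) - 1 - C:\\WINDOWS\\system32\\interne.exe
O23 - Service: Messenger - Unknown owner - C:\\WINDOWS\\system32\\Mess.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\\Program Files\\Norton AntiVirus\\navapsvc.exe
"""

# Assumption: a small map of Windows XP services that normally run inside svchost.exe
# (a real checker would carry the full list of svchost-hosted services).
SVCHOST_HOSTED = {"helpsvc": "svchost.exe", "messenger": "svchost.exe"}

# HijackThis O23 layout: "O23 - Service: <display> [(<short>)] - <owner> - <path> [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")


@dataclass
class Finding:
    severity: str        # "high" or "low"
    line: str            # the log line that triggered the finding
    reason: str
    service: str = ""    # short service name (O23 findings only)
    binary: str = ""     # full path of the service binary, "" if reported missing


def parse_o23(line):
    """Return (short_name, owner, path, missing) for an O23 line, or None if not O23."""
    m = O23_RE.match(line)
    if not m:
        return None
    name, owner, path = m.group("name"), m.group("owner"), m.group("path").strip()
    missing = path.endswith("(file missing)")
    if missing:
        path = path[: -len("(file missing)")].strip()
    sm = SHORT_RE.search(name)
    # HijackThis only prints the short name in parentheses when it differs from the display name.
    short = sm.group("short") if sm else name
    return short, owner, path, missing


def analyze(log_text):
    """Walk the log and collect findings in the order the lines appear."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        o20 = O20_RE.match(line)
        if o20:
            dlls = [d for d in o20.group("dlls").split(",") if d.strip()]
            if dlls:
                # AppInit_DLLs is loaded into every process that links user32.dll.
                findings.append(Finding("high", line, f"AppInit_DLLs injects {len(dlls)} DLL(s): {', '.join(dlls)}"))
            continue
        parsed = parse_o23(line)
        if not parsed:
            continue
        short, owner, path, missing = parsed
        base = path.rsplit("\\", 1)[-1].lower()
        expected = SVCHOST_HOSTED.get(short.lower())
        if missing:
            findings.append(Finding("high", line, "service registration points to a missing binary", short))
        elif expected and base != expected:
            findings.append(Finding("high", line, f"{short} normally runs in {expected}, here in {base}", short, path))
        elif not any(c.isalpha() for c in owner):
            findings.append(Finding("high", line, f"publisher field is not a vendor name: {owner!r}", short, path))
        elif owner == "Unknown owner":
            findings.append(Finding("low", line, "no publisher recorded; verify the binary", short, path))
    return findings


def propose_cleanup(findings):
    """Build sc/attrib/del lines in the style of the delete.bat above (to be reviewed, not auto-run)."""
    cmds = []
    for f in findings:
        if f.severity != "high" or not f.service:
            continue
        cmds += [f"sc stop {f.service}", f"sc delete {f.service}"]
        if f.binary:  # nothing to delete on disk for a "(file missing)" registration
            cmds += [f"attrib -r -h {f.binary}", f"del /a /f /q {f.binary}"]
    return cmds


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print("\nProposed cleanup:")
    print("\n".join(propose_cleanup(results)))
```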

I ran the Combofix and it was preparing the log report when my stupid norton av popped up and said it recommended I stop the script.

Even though I disabled the Norton before I began the Combofix. ARGH

I wanted to tell Norton to allow it, but its little window froze, so now I can't click on the Norton warning window, it's stuck on my screen with the Combofix window behind it.

Murphy's Law again.

What should I do now?


Norton always screws everything up .....

 

Does your task manager still work? CTRL - ALT - DEL?

 

If so, shut Norton's process down.

 

Then again, if ComboFix still seems to be running (just wait a moment without clicking ANYTHING), let it run.

 

If nothing happens for a while, I'd say boot -> post the log off of ComboFix if it provides one, if not, rerun ComboFix and make sure Norton is completely shut off this time (disable all of its protection, including the scripts / worms).

 

Then re-enable Norton and post back with the log. :)


Task manager wouldn't open so I rebooted. Then I uninstalled Norton which gave me a thrill.

I found the ComboFix log right where it said it should be, so at least it gave that, except my clock is still showing the wrong time so I wonder if there's anything else it didn't finish.

Here's the log:

 

ComboFix 08-04-13.1 - Ann 2008-04-12 15:47:58.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.186 [GMT -4:00]

Running from: C:\Documents and Settings\Ann\Desktop\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\_uninsep.bat

C:\Program Files\internet explorer\plugins\SysWin7s.Jmp

C:\Program Files\internet explorer\plugins\WinSys8v.Sys

C:\WINDOWS\mfchlp32.exe

C:\WINDOWS\msimms32.exe

C:\WINDOWS\system32\ayWLVWLV1002.dll

C:\WINDOWS\system32\ayWLVWLV1002.exe

C:\WINDOWS\system32\ayWTZWTZ1036.dll

C:\WINDOWS\system32\ayWTZWTZ1036.exe

C:\WINDOWS\system32\cyoegx.dll

C:\WINDOWS\system32\DbgHlp32.dll

C:\WINDOWS\system32\dnjhsh.dll

C:\WINDOWS\system32\drivers\msosmsfpfis64.sys

C:\WINDOWS\system32\drivers\secdrv.sys

C:\WINDOWS\system32\etgejw.dll

C:\WINDOWS\system32\jqoglu.dll

C:\WINDOWS\system32\mfchlp32.dll

C:\WINDOWS\system32\msimms32.dll

C:\WINDOWS\system32\msoscqit.dat

C:\WINDOWS\system32\msoscqit00.dll

C:\WINDOWS\system32\msosmhfp.dat

C:\WINDOWS\system32\msosmhfp00.dll

C:\WINDOWS\system32\msosmhfp01.dll

C:\WINDOWS\system32\pvnrzl.dll

C:\WINDOWS\system32\qtbknt.dll

C:\WINDOWS\system32\ttBAIBAI1056.dll

C:\WINDOWS\system32\ttBAIBAI1056.exe

C:\WINDOWS\system32\ttCBDCBD1047.dll

C:\WINDOWS\system32\ttCBDCBD1047.exe

C:\WINDOWS\system32\ttDABDAB1058.dll

C:\WINDOWS\system32\ttDABDAB1058.exe

C:\WINDOWS\system32\ttKAFKAF1059.dll

C:\WINDOWS\system32\ttKAFKAF1059.exe

C:\WINDOWS\system32\ttKAFKAF1060.dll

C:\WINDOWS\system32\ttKAFKAF1060.exe

C:\WINDOWS\system32\ttNNBNNB1047.dll

C:\WINDOWS\system32\ttNNBNNB1047.exe

C:\WINDOWS\system32\ttQACQAC1035.dll

C:\WINDOWS\system32\ttQACQAC1035.exe

C:\WINDOWS\system32\ttVUFVUF1011.dll

C:\WINDOWS\system32\ttVUFVUF1011.exe

C:\WINDOWS\system32\txSULSUL1033.dll

C:\WINDOWS\system32\txSULSUL1033.exe

C:\WINDOWS\system32\yikzzl.dll

C:\WINDOWS\WINSvr32.exE

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_MHFP

-------\Legacy_MSFPFIS64

-------\Service_cqit

-------\Service_mhfp

-------\Service_msfpfis64

-------\Legacy_Secdrv

-------\Secdrv

 

 

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))

.

 

2008-04-13 15:53 . 2008-04-13 15:53 8,192 --a------ C:\WINDOWS\SYSTEM32\qoq.exe

2008-04-13 15:53 . 2008-04-13 15:53 0 --a------ C:\Por.aed

2008-04-12 15:08 . 2008-04-12 15:08 <DIR> d-------- C:\Program Files\Trend Micro

2008-04-12 14:48 . 2008-04-12 14:48 <DIR> d-------- C:\Program Files\Lavasoft

2008-04-12 14:48 . 2008-04-12 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-12 14:45 . 2008-04-12 14:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-12 14:15 . 2008-04-12 14:15 35,084 --a------ C:\WINDOWS\SYSTEM32\wpsrjy.dll

2008-04-12 14:14 . 2008-04-12 14:14 176 --a------ C:\d2b282ef026d152890.bat

2008-04-12 14:14 . 2008-04-12 14:14 176 --a------ C:\d2b282ef026d142656.bat

2008-04-12 14:13 . 2008-04-12 14:13 176 --a------ C:\b3b4f3ed7898127171.bat

2008-04-12 13:59 . 2008-04-12 13:59 35,084 --a------ C:\WINDOWS\SYSTEM32\qwehem.dll

2008-04-12 13:59 . 2008-04-12 13:59 176 --a------ C:\d2b282ef026d167156.bat

2008-04-12 13:59 . 2008-04-12 13:59 176 --a------ C:\d2b282ef026d156140.bat

2008-04-12 13:58 . 2008-04-12 13:58 176 --a------ C:\b3b4f3ed7898138843.bat

2008-04-12 12:12 . 2008-04-12 12:12 3 --a------ C:\WINDOWS\SYSTEM32\ttjj2.ini

2008-04-12 12:10 . 2008-04-12 14:14 15,360 --a------ C:\WINDOWS\SYSTEM32\comr3260.dll

2008-04-12 12:10 . 2008-04-12 12:10 179 --a------ C:\d2b282ef026d6514546.bat

2008-04-12 11:06 . 2008-04-12 11:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-04-12 11:06 . 2008-04-12 11:06 <DIR> d-------- C:\Documents and Settings\Ann\Application Data\Malwarebytes

2008-04-12 11:06 . 2008-04-12 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-04-12 01:34 . 2008-04-12 01:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec

2008-03-16 19:38 . 2008-03-16 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\View22

2008-03-16 19:38 . 2006-05-02 14:37 1,706,800 --a------ C:\WINDOWS\SYSTEM32\gdiplus.dll

2008-03-14 20:43 . 2008-03-14 20:57 <DIR> d-------- C:\Program Files\View22

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-12 18:12 --------- d-----w C:\Program Files\Google

2008-04-12 17:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-04-12 17:25 --------- d-----w C:\Program Files\Dell AIO Printer A920

2008-03-27 23:30 --------- d-----w C:\Documents and Settings\Ann\Application Data\WeatherBug

2008-03-25 22:32 --------- d-----w C:\Documents and Settings\Ann\Application Data\U3

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys

2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll

2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll

2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll

2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll

2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll

2008-02-15 09:07 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe

2005-01-06 06:55 172 ---ha-w C:\Documents and Settings\Ann\hpothb07.dat

2005-01-06 06:55 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat

2004-12-10 00:53 0 ---ha-w C:\Documents and Settings\Emily\hpothb07.dat

2004-12-08 22:50 67,160 ----a-w C:\Program Files\Aim.exe

2006-10-19 02:47 81,920 --sh--w C:\WINDOWS\SoundMan.exe

2006-03-06 01:01 16,384 --sh--w C:\WINDOWS\SYSTEM32\sysave.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-09-09 18:35 1597440]

"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-12-25 20:08 32768]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52 339968]

"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 11:47 71328]

"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2003-08-18 00:33 74920]

"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 04:32 270336]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 02:05 127035]

"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-08-20 00:05 100056]

"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2007-02-12 17:40 380928]

"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 18:38 221184]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-05-10 10:48 94208 C:\WINDOWS\KHALMNPR.Exe]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-02 09:58 185896]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-29 19:52 155648]

"SoundMan"="SoundMan.exe" [2006-10-18 22:47 81920 C:\WINDOWS\SoundMan.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

 

 

BTW, I also tried to go to msconfig to uncheck weatherbug from starting at boot but I still can't get in to that little window.

(start>run>msconfig) won't open. So maybe you can help me with that when we're done with this virus?

And I need a new antivirus, you like the free AV?

You need a new AV now .. Let's get one.

 

Avira is very good.

 

------

 

Please open Notepad and copy/paste the text in the quote box into it.

 

File::

C:\WINDOWS\SYSTEM32\qoq.exe

C:\Por.aed

C:\WINDOWS\SYSTEM32\wpsrjy.dll

C:\d2b282ef026d152890.bat

C:\d2b282ef026d142656.bat

C:\b3b4f3ed7898127171.bat

C:\WINDOWS\SYSTEM32\qwehem.dll

C:\d2b282ef026d167156.bat

C:\d2b282ef026d156140.bat

C:\b3b4f3ed7898138843.bat

C:\WINDOWS\SYSTEM32\ttjj2.ini

C:\WINDOWS\SYSTEM32\comr3260.dll

C:\d2b282ef026d6514546.bat

 

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"=-

 

Save it as CFScript.txt on your desktop.

 

CFScript.gif

 

Referring to the picture above, drag CFScript.txt into ComboFix.exe

 

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

 

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

 

-------------

 

Please download a free anti-virus software from one of these excellent vendors NOW:

 

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.

2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.

3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

 

Setup / installation guide for Avast! 4 Home Edition.

Setup / installation guide for AVG Anti-Virus Free Edition.

 

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

 

------------

 

Finally....

 

Please print these instructions out, or write them down, as you can't read them during the fix.

 

Please download SDFix and save it to your desktop.

  • Double-click on SDFix.exe to extract the files to C:\SDFix
  • DO NOT use it just yet.

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer.

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear.

4) Select the first option, to run Windows in Safe Mode.

5) Login to your usual account.

  • Once in Safe Mode, open the SDFix folder & double-click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply along with the ComboFix log. :)

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."

Please go to Start Menu > Run > and copy/paste the following line:

%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg

Press Ok and then run SDFix again.

 

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:

%systemdrive%\SDFix\apps\FixPath.exe /Q

Reboot and then run SDFix again.

 

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.

%SystemRoot%\system32\cmd.exe
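The Reg Loading Points section of a ComboFix log is what the helper reads before building CFScript.txt, and the logs in this thread show the patterns worth catching quickly: Image File Execution Options keys whose Debugger value sends Task Manager and several security tools to svchost.exe (so the tool never actually starts), ShellExecuteHooks pointing at DLLs ComboFix could not find, the Security Center AntiVirusOverride flag, the Windows Firewall switched off and automatic updates disabled. As an added example (not ComboFix's code and not something posted in the thread), here is a small Python triage script that parses that REGEDIT4-style section and lists those findings. The sample log is constructed for the example in ComboFix's layout; the shell32 hook entry is a constructed benign line the script must leave alone, and the reading of empty `[ ]` brackets as "file not found" is an assumption noted in the code.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; it is not ComboFix's code and not something
the helper posted. It reads the REGEDIT4-style dump ComboFix prints and
flags the tampering patterns visible in the logs in this thread.
"""
import re
from typing import List, Tuple

# Constructed sample in the layout ComboFix uses under "Reg Loading Points".
# Paths and GUIDs mirror entries seen in this thread; the shell32 hook is a
# constructed benign entry so the script has something it must NOT flag.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{a11725a0-8be3-44ae-b51c-7c0aced01f6c}"= C:\WINDOWS\system32\ayWTZWTZ1036.dll [ ]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= C:\WINDOWS\system32\shell32.dll [2004-08-04 07:00 8461312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
Debugger=svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ctfmon.exe]
Debugger=SoundMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

Finding = Tuple[str, str]  # (category, detail)

KEY_RE = re.compile(r"^\[(?P<key>.+)\]\s*$")
VALUE_RE = re.compile(r'^"?(?P<name>[^"=]+)"?\s*=\s*(?P<value>.*)$')
IFEO_RE = re.compile(r"\\image file execution options\\(?P<target>[^\\\]]+)$", re.I)


def _dword_nonzero(value: str) -> bool:
    """True for ComboFix value renderings like '1 (0x1)' or 'dword:00000001'."""
    token = value.lower().replace("dword:", "").split()[0]
    return int(token, 16) != 0


def triage_reg_points(log_text: str) -> List[Finding]:
    """Walk the dump key by key and collect suspicious loading points."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            continue
        val_match = VALUE_RE.match(line)
        if not val_match:
            continue  # section banners, driver lines, notes
        name = val_match.group("name").strip()
        value = val_match.group("value").strip()
        lkey, lname = key.lower(), name.lower()

        ifeo = IFEO_RE.search(key)
        if ifeo and lname == "debugger":
            # Windows launches the Debugger value in place of the target, so a
            # redirect to svchost.exe means Task Manager or the AV never starts.
            findings.append(("ifeo-debugger", f"{ifeo.group('target')} -> {value}"))
        elif lkey.endswith("shellexecutehooks") and value.endswith("[ ]"):
            # ComboFix prints the hook DLL's date and size in the brackets;
            # empty brackets are taken here (assumption) to mean the file was
            # not found, i.e. a dangling hook left by a removed or hidden DLL.
            findings.append(("shellexecutehook-no-file", value[:-3].strip()))
        elif lkey.endswith("security center") and lname == "antivirusoverride":
            if _dword_nonzero(value):
                findings.append(("security-center-override", f"{name}={value}"))
        elif "firewallpolicy\\standardprofile" in lkey and lname == "enablefirewall":
            if not _dword_nonzero(value):
                findings.append(("firewall-disabled", f"{name}={value}"))
        elif lkey.endswith("windowsupdate\\au") and lname == "noautoupdate":
            if _dword_nonzero(value):
                findings.append(("autoupdate-disabled", f"{name}={value}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage_reg_points(SAMPLE_LOG):
        print(f"{category:28} {detail}")
```

Run it against the text between the "Reg Loading Points" banner and the driver list of a real log (paste it into `SAMPLE_LOG` or read it from a file) and it prints one line per finding. An IFEO Debugger entry is worth a look whenever it is not a full path to a real debugger, and every flagged item here corresponds to a registry value the user would have to restore by hand (or via a CFScript `Registry::` block) after the files themselves are gone.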


Thanks for hanging in there with me. I downloaded the Avira and it kept popping up detection notices, the same 3 warnings I think, but after I clicked ok they still kept popping up and I couldn't do anything else. I finally rebooted in safe mode and am running the Avira scan. Hopefully that will allow us to continue.

I am really getting worried that I won't be able to work tomorrow (can't work without my computer).

Anyway, I will post back here asap. Just letting you know I'm still here.


I really am at my wit's end. I can't get rid of the anti-virus popup warnings. I have had as many as 6 pop up at one time, and when I click ok to get rid of it, it comes right back. I don't even think it's related to the original virus. These warnings are for a Trojan Horse....

TR/Dropper.Gen

HEUR/malware

TR/Delphi.Downloader.Gen

There are three or four options on the Avira warning box: Move to Quarantine, Access Deny, Ignore, Delete. No matter which one I choose, the warning comes back. They seem to be renaming themselves by adding a number. This one says C:/Windows?System32/Com/heii25.exe for example, with the heii changing to 26 and so on.

Sorry, as soon as I posted that, the warnings stopped. There are 107 items quarantined, no wonder I was going crazy with those pop up boxes.

I am proceeding with your instructions.

Edited by silvercat


Hi Rawe,

 

I have an updated ComboFix log which I am pasting below. I downloaded the SDFix; however, when the script box came up and I was to type in "Y" to start it, it wouldn't accept my Y.

Oh btw my clock got fixed on that last ComboFix run :)

Those pop ups have started again :)

ComboFix log:

ComboFix 08-04-13.1 - Ann 2008-04-13 22:30:04.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.146 [GMT -4:00]

Running from: C:\Documents and Settings\Ann\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Ann\Desktop\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\b3b4f3ed7898127171.bat

C:\b3b4f3ed7898138843.bat

C:\d2b282ef026d142656.bat

C:\d2b282ef026d152890.bat

C:\d2b282ef026d156140.bat

C:\d2b282ef026d167156.bat

C:\d2b282ef026d6514546.bat

C:\Por.aed

C:\WINDOWS\SYSTEM32\comr3260.dll

C:\WINDOWS\SYSTEM32\qoq.exe

C:\WINDOWS\SYSTEM32\qwehem.dll

C:\WINDOWS\SYSTEM32\ttjj2.ini

C:\WINDOWS\SYSTEM32\wpsrjy.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\_uninsep.bat

C:\b3b4f3ed7898127171.bat

C:\b3b4f3ed7898138843.bat

C:\d2b282ef026d142656.bat

C:\d2b282ef026d152890.bat

C:\d2b282ef026d156140.bat

C:\d2b282ef026d167156.bat

C:\d2b282ef026d6514546.bat

C:\Program Files\Internet Explorer\PLUGINS\SysWin7s.Jmp

C:\WINDOWS\Fonts\gjcscss.dll

C:\WINDOWS\Fonts\gjcuaxw.fon

C:\WINDOWS\system32\ayWLVWLV1002.dll

C:\WINDOWS\system32\ayWLVWLV1002.exe

C:\WINDOWS\system32\ayWTZWTZ1036.dll

C:\WINDOWS\system32\ayWTZWTZ1036.exe

C:\WINDOWS\system32\drivers\msosmsfpfis64.sys

C:\WINDOWS\system32\mseion.sys

C:\WINDOWS\system32\msepbe.dll

C:\WINDOWS\system32\msosmhfp.dat

C:\WINDOWS\system32\SHAProc.dat

C:\WINDOWS\system32\sperls.dll

C:\WINDOWS\system32\ttBAIBAI1056.dll

C:\WINDOWS\system32\ttBAIBAI1056.exe

C:\WINDOWS\system32\ttCBDCBD1047.dll

C:\WINDOWS\system32\ttCBDCBD1047.exe

C:\WINDOWS\system32\ttDABDAB1058.dll

C:\WINDOWS\system32\ttDABDAB1058.exe

C:\WINDOWS\SYSTEM32\ttjj2.ini

C:\WINDOWS\system32\ttKAFKAF1060.exe

C:\WINDOWS\system32\ttQACQAC1035.exe

C:\WINDOWS\system32\ttVUFVUF1011.dll

C:\WINDOWS\system32\ttVUFVUF1011.exe

C:\WINDOWS\system32\txSULSUL1033.exe

C:\WINDOWS\system32\ywg32.dll

C:\WINDOWS\system32\ywtlgfl.dll

.

---- Previous Run -------

.

C:\_uninsep.bat

C:\Program Files\internet explorer\plugins\SysWin7s.Jmp

C:\Program Files\internet explorer\plugins\WinSys8v.Sys

C:\WINDOWS\mfchlp32.exe

C:\WINDOWS\msimms32.exe

C:\WINDOWS\system32\ayWLVWLV1002.dll

C:\WINDOWS\system32\ayWLVWLV1002.exe

C:\WINDOWS\system32\ayWTZWTZ1036.dll

C:\WINDOWS\system32\ayWTZWTZ1036.exe

C:\WINDOWS\system32\cyoegx.dll

C:\WINDOWS\system32\DbgHlp32.dll

C:\WINDOWS\system32\dnjhsh.dll

C:\WINDOWS\system32\drivers\msosmsfpfis64.sys

C:\WINDOWS\system32\drivers\secdrv.sys

C:\WINDOWS\system32\etgejw.dll

C:\WINDOWS\system32\jqoglu.dll

C:\WINDOWS\system32\mfchlp32.dll

C:\WINDOWS\system32\msimms32.dll

C:\WINDOWS\system32\msoscqit.dat

C:\WINDOWS\system32\msoscqit00.dll

C:\WINDOWS\system32\msosmhfp.dat

C:\WINDOWS\system32\msosmhfp00.dll

C:\WINDOWS\system32\msosmhfp01.dll

C:\WINDOWS\system32\pvnrzl.dll

C:\WINDOWS\system32\qtbknt.dll

C:\WINDOWS\system32\ttBAIBAI1056.dll

C:\WINDOWS\system32\ttBAIBAI1056.exe

C:\WINDOWS\system32\ttCBDCBD1047.dll

C:\WINDOWS\system32\ttCBDCBD1047.exe

C:\WINDOWS\system32\ttDABDAB1058.dll

C:\WINDOWS\system32\ttDABDAB1058.exe

C:\WINDOWS\system32\ttKAFKAF1059.dll

C:\WINDOWS\system32\ttKAFKAF1059.exe

C:\WINDOWS\system32\ttKAFKAF1060.dll

C:\WINDOWS\system32\ttKAFKAF1060.exe

C:\WINDOWS\system32\ttNNBNNB1047.dll

C:\WINDOWS\system32\ttNNBNNB1047.exe

C:\WINDOWS\system32\ttQACQAC1035.dll

C:\WINDOWS\system32\ttQACQAC1035.exe

C:\WINDOWS\system32\ttVUFVUF1011.dll

C:\WINDOWS\system32\ttVUFVUF1011.exe

C:\WINDOWS\system32\txSULSUL1033.dll

C:\WINDOWS\system32\txSULSUL1033.exe

C:\WINDOWS\system32\yikzzl.dll

C:\WINDOWS\WINSvr32.exE

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_MHFP

-------\Legacy_MSFPFIS64

-------\Service_cqit

-------\Service_mhfp

-------\Service_msfpfis64

-------\Legacy_Secdrv

-------\Secdrv

-------\Legacy_MHFP

-------\Legacy_MSFPFIS64

-------\Service_mhfp

-------\Service_msfpfis64

 

 

((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))

.

 

2008-04-13 21:52 . 2008-04-13 21:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM

2008-04-13 17:53 . 2008-04-13 17:53 <DIR> d-------- C:\Program Files\Avira

2008-04-13 17:53 . 2008-04-13 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2008-04-13 16:45 . 2008-04-13 16:45 41,228 --a------ C:\WINDOWS\SYSTEM32\rgfjmq.dll

2008-04-13 16:44 . 2008-04-13 16:44 3,537 ---hs---- C:\WINDOWS\SYSTEM32\notepde.exe

2008-04-13 16:09 . 2008-04-13 16:09 3,721 ---hs---- C:\WINDOWS\SYSTEM32\ssave.exe

2008-04-13 16:06 . 2008-04-13 16:06 3 --a------ C:\WINDOWS\SYSTEM32\ttjj5.ini

2008-04-12 15:08 . 2008-04-12 15:08 <DIR> d-------- C:\Program Files\Trend Micro

2008-04-12 14:48 . 2008-04-12 14:48 <DIR> d-------- C:\Program Files\Lavasoft

2008-04-12 14:48 . 2008-04-12 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-12 14:45 . 2008-04-12 14:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-12 11:06 . 2008-04-12 11:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-04-12 11:06 . 2008-04-12 11:06 <DIR> d-------- C:\Documents and Settings\Ann\Application Data\Malwarebytes

2008-04-12 11:06 . 2008-04-12 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-04-12 01:34 . 2008-04-12 01:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec

2008-03-16 19:38 . 2008-03-16 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\View22

2008-03-16 19:38 . 2006-05-02 14:37 1,706,800 --a------ C:\WINDOWS\SYSTEM32\gdiplus.dll

2008-03-14 20:43 . 2008-03-14 20:57 <DIR> d-------- C:\Program Files\View22

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-13 20:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-04-13 20:58 --------- d-----w C:\Program Files\Symantec

2008-04-13 20:54 --------- d-----w C:\Program Files\Norton AntiVirus

2008-04-13 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2008-04-12 18:12 --------- d-----w C:\Program Files\Google

2008-04-12 17:25 --------- d-----w C:\Program Files\Dell AIO Printer A920

2008-03-27 23:30 --------- d-----w C:\Documents and Settings\Ann\Application Data\WeatherBug

2008-03-25 22:32 --------- d-----w C:\Documents and Settings\Ann\Application Data\U3

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys

2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll

2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll

2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll

2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll

2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll

2008-02-15 09:07 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe

2005-01-06 06:55 172 ---ha-w C:\Documents and Settings\Ann\hpothb07.dat

2005-01-06 06:55 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat

2004-12-10 00:53 0 ---ha-w C:\Documents and Settings\Emily\hpothb07.dat

2004-12-08 22:50 67,160 ----a-w C:\Program Files\Aim.exe

2006-10-19 02:47 81,920 --sh--w C:\WINDOWS\SoundMan.exe

2006-12-14 19:29 20,480 --sh--w C:\WINDOWS\SYSTEM32\interne.exe

2006-03-06 01:01 16,384 --sh--w C:\WINDOWS\SYSTEM32\sysave.exe

.

 

((((((((((((((((((((((((((((( [email protected]_16.00.30.64 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-13 19:55:24 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT

+ 2008-04-14 02:35:19 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT

- 2008-04-12 18:16:00 39,765 ----a-w C:\WINDOWS\SYSTEM32\Com\AtiSrvn.exe

+ 2008-04-13 20:37:24 39,765 ----a-w C:\WINDOWS\SYSTEM32\Com\AtiSrvn.exe

+ 2008-04-14 01:58:47 17,490 ----a-w C:\WINDOWS\SYSTEM32\Com\heii4.exe

- 2008-04-12 18:15:48 4,537 ----a-w C:\WINDOWS\SYSTEM32\Com\man24.exe

+ 2008-04-13 20:37:14 4,537 ----a-w C:\WINDOWS\SYSTEM32\Com\man24.exe

+ 2007-08-09 17:04:11 40,768 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgntdd.sys

+ 2007-07-18 18:22:19 21,312 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgntmgr.sys

+ 2007-09-07 16:05:19 62,016 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys

+ 2007-03-01 14:34:36 28,352 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys

+ 2008-04-14 02:35:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_480.dat

+ 2008-04-14 02:36:27 40,960 ----a-w C:\WINDOWS\Temp\rtdrvmon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-12-25 20:08 32768]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52 339968]

"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]

"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 04:32 270336]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 02:05 127035]

"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]

"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2007-02-12 17:40 380928]

"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 18:38 221184]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-05-10 10:48 94208 C:\WINDOWS\KHALMNPR.Exe]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-02 09:58 185896]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-29 19:52 155648]

"SoundMan"="SoundMan.exe" [2006-10-18 22:47 81920 C:\WINDOWS\SoundMan.exe]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25 249896]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2007-06-19 22:14:17 221247]

Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-12-25 20:08:58 450560]

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-12-25 20:07:24 593920]

 

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{a11725a0-8be3-44ae-b51c-7c0aced01f6c}"= C:\WINDOWS\system32\ayWTZWTZ1036.dll [ ]

"{3171a1d3-76ea-4dd0-b4ed-fe6da4e445a4}"= C:\WINDOWS\system32\ttDABDAB1058.dll [ ]

"{c4bf46a2-1c05-427d-992f-4e24f7d57f68}"= C:\WINDOWS\system32\ttNNBNNB1047.dll [ ]

"{396f1715-e494-4aeb-8c0e-7c98486b3fd1}"= C:\WINDOWS\system32\ttCBDCBD1047.dll [ ]

"{29fab913-d0cd-477b-a3f0-3d7c3a90379b}"= C:\WINDOWS\system32\ttVUFVUF1011.dll [ ]

"{79dae25e-7bee-4484-bb1a-f30c45d535d9}"= C:\WINDOWS\system32\ttQACQAC1035.dll [ ]

"{432a9d34-f494-4382-9c6f-ae1ed5181f1c}"= C:\WINDOWS\system32\ayWLVWLV1002.dll [ ]

"{5136d0e5-bad9-4d8e-9b62-7492bf467388}"= C:\WINDOWS\system32\ttKAFKAF1060.dll [ ]

"{84143967-B645-4BFF-B873-DA1DC886E9A7}"= C:\WINDOWS\system32\cedafb.dll [ ]

"{3FA10261-B890-F432-A453-69F1023513F3}"= C:\WINDOWS\system32\gjcscyc.dll [ ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Loader.exe]

Debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe]

Debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]

Debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccEvtMgr.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSetApp.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSetMgr.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ctfmon.exe]

Debugger=SoundMan.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FWMon.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword]

Debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.exe]

Debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavsvc.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.exe]

Debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\McAgent.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mctskshd.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcupdmgr.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFWLveUpdate.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ras]

Debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAqent.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rtvscan.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep]

Debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]

Debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UpLive.EXE.exe]

debugger=svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe]

debugger=svchost.exe

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk

backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

--a------ 2005-08-05 15:08 67160 C:\Program Files\AIM\aim.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]

--a------ 2007-11-15 10:23 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

--a------ 2005-08-02 15:33 159832 C:\Program Files\Common Files\AOL\1126815630\ee\AOLHostManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LyraHD2TrayApp]

--a------ 2005-03-31 20:10 290816 C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

--a------ 2006-01-19 11:06 11776 C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--------- 2004-04-11 22:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-03-29 19:52 155648 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-07-09 07:44 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"C:\\Program Files\\America Online 9.0\\waol.exe"=

"C:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=

"C:\\Program Files\\mirc\\mIRC\\backup\\mirc.exe"=

"\\\\KIDS\\C\\Program Files\\AIM95\\aim.exe"=

"C:\\Program Files\\aim.exe"=

"C:\\Program Files\\AIM\\aim.exe"=

"C:\\Program Files\\Messenger\\MSMSGS.EXE"=

"C:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

"C:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=

"C:\\WINDOWS\\SYSTEM32\\MMC.EXE"=

"C:\\Program Files\\Common Files\\AOL\\1126815630\\ee\\AOLServiceHost.exe"=

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"C:\\StubInstaller.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"C:\\WINDOWS\\system32"=\\Com\\heih.exe

 

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 01:53]

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

R3 s3legacy;s3legacy;C:\WINDOWS\system32\DRIVERS\s3legacy.sys [2001-08-17 14:57]

S2 Pandrv;Pandrv;C:\WINDOWS\TEMP\Pandrv.sys []

S2 secctrl;Security Control;c:\windows\system32\rundll32.exe comr3260.dll,scan []

S2 zghs1234;Provisioning Transaction Service;C:\WINDOWS\system32\Com\heih.exe [2008-04-13 22:38]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\LaunchU3.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ece9bdec-322e-11db-946c-00038a000015}]

\Shell\AutoRun\command - E:\LaunchU3.exe

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-14 02:38:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Program Files\Symantec\LiveUpdate\NDetect.exe

.

**************************************************************************

 

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-13 22:35:56

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\SYSTEM32\ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\SYSTEM32\LEXBCES.EXE

C:\WINDOWS\SYSTEM32\LEXPPS.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\SYSTEM32\wdfmgr.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\SYSTEM32\WSCNTFY.EXE

C:\WINDOWS\SYSTEM32\Com\SVCHOST.EXE

C:\WINDOWS\SYSTEM32\qoq.exe

C:\WINDOWS\SYSTEM32\qoq.exe

C:\WINDOWS\SYSTEM32\IMAPI.EXE

.

**************************************************************************

.

Completion time: 2008-04-13 22:40:10 - machine was rebooted [Ann]

ComboFix-quarantined-files.txt 2008-04-14 02:40:02

Pre-Run: 54,088,577,024 bytes free

Post-Run: 54,079,459,328 bytes free

.

2008-04-12 06:05:20 --- E O F ---
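The log above carries several indicators worth reading mechanically rather than by eye: a Security Center override, the firewall switched off, a firewall exception whose value name is a directory while the executable sits in the value data, services whose binary lives in TEMP, has no file timestamp (file absent at scan time) or is hosted by rundll32.exe loading a DLL, and a drive AutoRun handler. The following Python is an added example, not ComboFix's own code or anything from this thread; it triages a constructed sample laid out like the posted log (one clean service kept as a control) and correlates the malformed firewall exception with the service binary it names:

```python
"""Triage a ComboFix-style log for the tampering and persistence indicators
seen in this thread.  Added example (not ComboFix's code); SAMPLE_LOG is a
constructed excerpt shaped like the log posted above."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32"=\\Com\\heih.exe

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 01:53]
S2 Pandrv;Pandrv;C:\WINDOWS\TEMP\Pandrv.sys []
S2 secctrl;Security Control;c:\windows\system32\rundll32.exe comr3260.dll,scan []
S2 zghs1234;Provisioning Transaction Service;C:\WINDOWS\system32\Com\heih.exe [2008-04-13 22:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe
"""


@dataclass
class Finding:
    rule: str      # which check fired
    subject: str   # service name, registry value name or drive letter
    detail: str    # why it was flagged


# "R2 name;display;image [timestamp]"; empty brackets mean the file was not found
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]$')
# first drive-letter path ending in .exe/.sys/.dll inside a service command line
IMAGE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|sys|dll))', re.IGNORECASE)
# .reg-style value line:  "name"=data
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def reg_unescape(s: str) -> str:
    """Collapse the doubled backslashes of .reg notation into real separators."""
    return s.replace('\\\\', '\\')


def triage(log_text: str) -> list:
    findings, services, whitelisted = [], {}, set()
    section = ''  # lowercased header of the registry key currently being listed
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line.lower()
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            _start, name, _display, image, stamp = svc.groups()
            found = IMAGE_RE.search(image)
            path = (found.group(1) if found else image).lower()
            services[name] = path
            reasons = []
            if '\\temp\\' in path:
                reasons.append('service binary lives under a TEMP directory')
            if not stamp:
                reasons.append('no file timestamp: binary missing or hidden at scan time')
            if path.endswith('rundll32.exe'):
                reasons.append('service hosted by rundll32.exe loading a DLL')
            if reasons:
                findings.append(Finding('suspicious_service', name, '; '.join(reasons)))
            continue
        if line.startswith('\\Shell\\AutoRun\\command'):
            drive = section.rsplit('\\', 1)[-1].rstrip(']')
            findings.append(Finding('autorun_mountpoint', drive,
                                    'drive AutoRun handler: ' + line.split(' - ', 1)[-1]))
            continue
        val = REG_VALUE_RE.match(line)
        if not val:
            continue
        name, data = val.group(1), val.group(2).strip()
        if section.endswith('security center]') and name == 'AntiVirusOverride':
            if int(data.split(':')[-1], 16) != 0:
                findings.append(Finding('defence_disabled', name,
                                        'Security Center told to ignore antivirus state'))
        elif section.endswith('firewallpolicy\\standardprofile]') and name == 'EnableFirewall':
            if data.split()[0] == '0':
                findings.append(Finding('defence_disabled', name, 'Windows Firewall turned off'))
        elif section.endswith('authorizedapplications\\list]'):
            # A well-formed exception names an executable and carries no data.
            if not name.lower().endswith('.exe') or data:
                findings.append(Finding('firewall_exception_malformed', name,
                                        'value name is not an executable or carries data: ' + data))
                whitelisted.add(reg_unescape(name + data).lower())
    # A service binary that is also the path spelled out by a malformed
    # firewall exception is the same implant seen from two angles.
    for name, path in services.items():
        if path in whitelisted:
            findings.append(Finding('suspicious_service', name,
                                    'binary also whitelisted through a malformed firewall exception'))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, for a one-line overview of a log."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts
```

Run `triage(SAMPLE_LOG)` and the control service LBeepKE produces nothing, while Pandrv, secctrl and zghs1234 are each flagged once; the same function applied to a full ComboFix log gives a first-pass list of what a fix script has to cover. The heuristics are deliberately narrow: a legitimate U3 USB stick also registers an AutoRun handler, so that rule is a prompt to review, not a verdict.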


Hello again.. Sorry for the lil delay, I was sleeping by then. :)

 

There's quite a few things to delete. Remember to disable AntiVir while running ComboFix. Do you have another PC/laptop to rely on, if you pull the internet plug out of this one? To transfer the fixes / read the instructions?

 

Recommended. You got a whole load of new stuff infecting your system after that first ComboFix run. Not a bad idea to change your passwords too.

 

Please open notepad and copy/paste the text in the quotebox into it

 

Driver::

Pandrv

secctrl

zghs1234

 

File::

C:\WINDOWS\SYSTEM32\rgfjmq.dll

C:\WINDOWS\SYSTEM32\notepde.exe

C:\WINDOWS\SYSTEM32\ssave.exe

C:\WINDOWS\SYSTEM32\ttjj5.ini

C:\WINDOWS\SYSTEM32\interne.exe

C:\WINDOWS\SYSTEM32\sysave.exe

C:\WINDOWS\SYSTEM32\Com\AtiSrvn.exe

C:\WINDOWS\SYSTEM32\Com\AtiSrvn.exe

C:\WINDOWS\SYSTEM32\Com\heii4.exe

C:\WINDOWS\SYSTEM32\Com\man24.exe

C:\WINDOWS\SYSTEM32\Com\man24.exe

C:\WINDOWS\Temp\rtdrvmon.exe

C:\WINDOWS\system32\Com\heih.exe

C:\WINDOWS\SYSTEM32\Com\SVCHOST.EXE

C:\WINDOWS\SYSTEM32\qoq.exe

C:\WINDOWS\TEMP\Pandrv.sys

 

Registry::

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{a11725a0-8be3-44ae-b51c-7c0aced01f6c}"=-

"{3171a1d3-76ea-4dd0-b4ed-fe6da4e445a4}"=-

"{c4bf46a2-1c05-427d-992f-4e24f7d57f68}"=-

"{396f1715-e494-4aeb-8c0e-7c98486b3fd1}"=-

"{29fab913-d0cd-477b-a3f0-3d7c3a90379b}"=-

"{79dae25e-7bee-4484-bb1a-f30c45d535d9}"=-

"{432a9d34-f494-4382-9c6f-ae1ed5181f1c}"=-

"{5136d0e5-bad9-4d8e-9b62-7492bf467388}"=-

"{84143967-B645-4BFF-B873-DA1DC886E9A7}"=-

"{3FA10261-B890-F432-A453-69F1023513F3}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Loader.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccEvtMgr.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSetApp.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSetMgr.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ctfmon.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FWMon.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavsvc.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\McAgent.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mctskshd.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcupdmgr.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFWLveUpdate.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ras]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAqent.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rtvscan.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UpLive.EXE.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32"=-

 

Save it as CFScript.txt on your desktop.

 

CFScript.gif

 

Referring to the picture above, drag CFScript.txt into ComboFix.exe

 

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

 

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
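The script above uses three sections: Driver:: names services to stop and remove, File:: lists files to delete, and Registry:: carries .reg-style edits, where a leading "-" inside the brackets removes a whole key (here the Image File Execution Options keys that redirected security tools and Task Manager) and "name"=- removes a single value. As an added example, not ComboFix's own code and not from this thread, the following Python turns such a script into a reviewable action list; the section semantics it models are an assumption drawn from how the script is used here, and the sample is an abridged, constructed copy of the one posted:

```python
"""Parse a ComboFix CFScript into a reviewable action list.  Added example,
not ComboFix's own code: the meaning given to each section (Driver:: removes
services, File:: deletes files, Registry:: applies .reg-style edits) is an
assumption based on how the script in this thread is used."""
import re
from dataclasses import dataclass

# Constructed sample, abridged from the script posted above.
SAMPLE_SCRIPT = r"""
Driver::
Pandrv
secctrl

File::
C:\WINDOWS\SYSTEM32\Com\man24.exe
C:\WINDOWS\SYSTEM32\Com\man24.exe
C:\WINDOWS\TEMP\Pandrv.sys

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{a11725a0-8be3-44ae-b51c-7c0aced01f6c}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32"=-
"""

IFEO = 'image file execution options\\'
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')   # .reg value line: "name"=data


@dataclass
class Action:
    kind: str       # delete_driver | delete_file | delete_key | delete_value | set_value
    target: str     # service name, file path or registry key
    detail: str = ''


def parse_cfscript(text: str) -> list:
    actions, seen = [], set()
    section = current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith('::'):
            section, current_key = line[:-2], None
            continue
        if section in ('Driver', 'File'):
            if (section, line.lower()) in seen:   # repeated entries are harmless; keep the plan tidy
                continue
            seen.add((section, line.lower()))
            actions.append(Action('delete_driver' if section == 'Driver' else 'delete_file', line))
        elif section == 'Registry':
            if line.startswith('[-') and line.endswith(']'):   # .reg: [-key] removes the whole key
                actions.append(Action('delete_key', line[2:-1]))
            elif line.startswith('[') and line.endswith(']'):  # .reg: [key] selects the key
                current_key = line[1:-1]
            else:
                m = REG_VALUE_RE.match(line)
                if m is None or current_key is None:
                    raise ValueError(f'line {lineno}: value outside a [key] block: {line}')
                name, data = m.groups()
                if data == '-':                                # .reg: "name"=- removes that value
                    actions.append(Action('delete_value', current_key, name))
                else:
                    actions.append(Action('set_value', current_key, f'{name}={data}'))
        else:
            raise ValueError(f'line {lineno}: unknown or missing section header: {line}')
    return actions


def ifeo_targets(actions) -> list:
    """Program names whose Image File Execution Options key the script removes.
    Each one is a program the infection had redirected, typically a security tool."""
    return [a.target.lower().split(IFEO, 1)[1]
            for a in actions if a.kind == 'delete_key' and IFEO in a.target.lower()]
```

Reviewing the parsed list before dragging a script onto ComboFix.exe catches a stray line outside a section or a deletion aimed at the wrong key; `ifeo_targets` shows at a glance which programs the infection had hijacked through the debugger redirect.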


Hi, We all needed some zzz's :)

 

Okay, I did what you said, but my ComboFix seems to have stalled. Probably because Avira turns itself back on when ComboFix reboots the computer, and Avira gave warning windows.

Currently the Combofix says "please wait" for the last 15 minutes.

I'm not sure what to do.

Yes, I have another computer on to get instructions, etc.

Edited by silvercat


If you have pulled the internet plug out & are able to follow through the instructions and transfer the tools then I'd say you can disable Avira permanently; so it stays disabled even after boot. :)

 

Did ComboFix stall because of the warnings, or did you click on them? If your AV keeps popping up, just let it warn whatever it warns about and don't click on them IF ComboFix is still running (unless it asks you to permit ComboFix of course).


I just now pulled the internet plug. How do I disable Avira 'permanently'? I only clicked on the icon on the task bar and turned it off.

It stalled because I clicked on the warnings.

The ComboFix window started again, now it says Preparing Log Report and Recovery in progress, but it has been that way for about 15 minutes so I'm not sure if it's stalled again or if it takes that long.

I just now pulled the internet plug. How do I disable Avira 'permanently'? I only clicked on the icon on the task bar and turned it off.

It stalled because I clicked on the warnings.

The ComboFix window started again, now it says Preparing Log Report and Recovery in progress, but it has been that way for about 15 minutes so I'm not sure if it's stalled again or if it takes that long.

It shouldn't take that long. Wait for a moment to see if it comes up with the log; if not, boot the machine and search for the ComboFix log if it has provided one.

 

I do think ComboFix is going to finish anyway, as long as you don't click anything for a while.. See how it goes about.

 

As for AntiVir... I couldn't find an option to disable the Guard either. Since you have pulled the internet plug, the best bet is to just uninstall Avira for now. I've never encountered this many problems with the logs before when it comes to antivirus and ComboFix, though.

 

Uninstall Avira, let's get rid of the crappies and then install Avira back (before connecting to the net again). :)


I think it was like that for 45 minutes so I booted and there is no desktop, just screen wallpaper. Guess that means Combofix wasn't finished.

What should I do with no desktop??

(I'm starting to think about re-installing the os at this point - what do you think?)


Reboot again. It should give your desktop back. If it doesn't, we can use Recovery Console though, you can burn it to disk on your other PC. :)
