TechSpot

Infected with viruses/malware

By HelpPlease2009
Mar 15, 2009
Topic Status:
Not open for further replies.
  1. (I am running a Windows XP operating system)

    Hello, I recently downloaded a file off a network that has given me a virus. It was detected in the temp folder and began to multiply. It keeps opening browsers trying to run a "malware scan" (the fake ad kind). I've been told by windows that "windows has detected that some of your MS and windows files are corrupted".

    I also got a message saying that "harmful programs" may have been installed on my system.

    As I type this, things are trying to open and I don't know how much longer this comp is going to live.

    Some scripts were activating and I caught an exe filof one of them, it reads "o7amvmqwxxo.exe".

    My background has changed to a black screen tha reads "Dangerous Spyware Many viruses were found on your computer such as : Trojan Horse, PassCapture, etc. Your personal information can fall into "third hands". Please check up the computer with a special software. Thank"....that is what it reads verbatim, grammar/spelling errors intact.

    Here is my hijackthis log (I had to ommit out the lines with links in them as the forum said I needed a post count of "5" to post them, the links were to the macafee website and my sound cards website, I don't think related to the virus):
  2. HelpPlease2009

    HelpPlease2009 TS Rookie Topic Starter

    Whole log won't fit in one post

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:26:34 PM, on 3/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireTray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\DOCUME~1\Fred\LOCALS~1\Temp\winlogqn.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Spybot - Search & Destroy6.2\TeaTimer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Electronic Arts\EADM\Core.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
    C:\DOCUME~1\Fred\LOCALS~1\Temp\zfieijxjijt3.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wuauclt.exe,
    O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\nnnmlKAr.dll
    O2 - BHO: C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll - {c5bf40a2-94f3-42bd-f434-1604812c8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [McAfeeFireTray] C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy6.2\TeaTimer.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
    O4 - HKCU\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\Fred\LOCALS~1\Temp\winlogqn.exe
    O4 - HKCU\..\Run: [txoht1bgjpmhyf5kaqkgof0pioe5clkwt5sd20keu4] C:\DOCUME~1\Fred\LOCALS~1\Temp\xywppn90isv.exe
    O4 - Startup: wuauclt.exe.lnk = C:\WINDOWS\system32\wuauclt.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1.2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1.2\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O10 - Unknown file in Winsock LSP: c:\docume~1\fred\locals~1\temp\ntdll64.dll
    O10 - Unknown file in Winsock LSP: c:\docume~1\fred\locals~1\temp\ntdll64.dll
  3. HelpPlease2009

    HelpPlease2009 TS Rookie Topic Starter

    O18 - Protocol: bw+0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
  4. HelpPlease2009

    HelpPlease2009 TS Rookie Topic Starter

    O18 - Protocol: bwp0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {E047FE26-8AD7-4961-BED7-9DAD939A88D3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\fpfstb.dll
    O20 - Winlogon Notify: nnnmlkar - C:\WINDOWS\SYSTEM32\nnnmlKAr.dll
    O20 - Winlogon Notify: __c0060209 - C:\WINDOWS\system32\__c0060209.dat
    O22 - SharedTaskScheduler: klj3r93iorkemnfaja93riemef - {C5BF40A2-94F3-42BD-F434-1604812C8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: McAfee Desktop Firewall Service (FireSvc) - McAfee, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
    O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

    --
    End of file - 25096 bytes


    Any help would be greatly appreciated, thanks.
  5. HelpPlease2009

    HelpPlease2009 TS Rookie Topic Starter

    Here is my malwarebytes log file:

    Malwarebytes' Anti-Malware 1.34
    Database version: 1848
    Windows 5.1.2600 Service Pack 3

    3/15/2009 6:39:37 PM
    mbam-log-2009-03-15 (18-39-34).txt

    Scan type: Quick Scan
    Objects scanned: 71112
    Time elapsed: 5 minute(s), 8 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 4
    Registry Keys Infected: 13
    Registry Values Infected: 3
    Registry Data Items Infected: 8
    Folders Infected: 1
    Files Infected: 23

    Memory Processes Infected:
    C:\Documents and Settings\Fred\Local Settings\Temp\winlogqn.exe (Trojan.Agent) -> No action taken.

    Memory Modules Infected:
    C:\WINDOWS\system32\nnnmlKAr.dll (Trojan.Vundo.H) -> No action taken.
    c:\WINDOWS\cisjyomj.dll (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (Trojan.Downloader) -> No action taken.
    C:\WINDOWS\system32\__c0060209.dat (Trojan.Agent) -> No action taken.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnmlkar (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{c5bf40a2-94f3-42bd-f434-1604812c8955} (Trojan.Zlob.H) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zqyaxurbw (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\zqyaxurbw (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zqyaxurbw (Trojan.Agent) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf40a2-94f3-42bd-f434-1604812c8955} (Trojan.Downloader) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf40a2-94f3-42bd-f434-1604812c8955} (Trojan.Downloader) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0060209 (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf40a2-94f3-42bd-f434-1604812c8955} (Trojan.Zlob.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjahrfoi37rljanfaw3il7fhjd3f (Trojan.Agent) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    C:\Documents and Settings\Fred\Application Data\nidle (Trojan.Agent) -> No action taken.

    Files Infected:
    C:\WINDOWS\system32\nnnmlKAr.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (Trojan.Zlob.H) -> No action taken.
    c:\WINDOWS\cisjyomj.dll (Trojan.Agent) -> No action taken.
    C:\Documents and Settings\Fred\Local Settings\Temp\winlogqn.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\Fxucohuxew.dll (Trojan.FakeAlert) -> No action taken.
    C:\qqqtuvqb.exe (Trojan.Hiloti) -> No action taken.
    C:\uslns.exe (Spyware.Passwords) -> No action taken.
    C:\xrrcprxx.exe (Trojan.Dropper) -> No action taken.
    C:\Documents and Settings\Fred\Local Settings\Temp\E70B.tmp (Backdoor.KeyStart) -> No action taken.
    C:\Documents and Settings\Fred\Application Data\nidle\nidle.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\QoS.dll (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\__c0060209.dat (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\Fred\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\Fred\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\senekadhhnwoey.dll (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\senekalneppnpf.dat (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\senekasacjmekq.dat (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\senekavuumnadw.dll (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\senekaxfialnit.dll (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\drivers\senekaojntornh.sys (Trojan.Agent) -> No action taken.
  6. mflynn

    mflynn TS Rookie Posts: 2,793

    OK no more pasting into the thread. Use the Paperclip Icon and attach the logs.

    I will address your HJT log after the below.

    As evidenced by the "No action taken" in the MBAM log you only exited without cleaning. So run MBAM again and this time remove the Malware! Attach not paste the log.

    Then run SAS and attach not paste the log.

    Only after all the above attach a new HJT log.

    Mike
  7. HelpPlease2009

    HelpPlease2009 TS Rookie Topic Starter

    View attachment 45324

    View attachment 45325


    Here are the logs
  8. mflynn

    mflynn TS Rookie Posts: 2,793

    Run HJT Scan only and select and Fix all lines listed below

    Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end and these..

    O4 - HKCU\..\Run: [txoht1bgjpmhyf5kaqkgof0pioe5clkwt5sd20keu4] C:\DOCUME~1\Fred\LOCALS~1\Temp\xywppn90isv.exe
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\fpfstb.dll
    O20 - Winlogon Notify: nnnmlkar - C:\WINDOWS\

    Before we deal with the many LSP entries do the below,

    Download Netrepair and run: http://www.xp-smoker.com/downloads/xptcprep.exe

    Click Reset TCP/IP first let it finish, Then Click Repair Winsock let it finish the it will offer to restart. So restart!

    Now the 8 Steps advised SuperAntiSpyware (SAS) also do do that and attach the log. Then UPDATE and run MBAM again to confirm it found no more. We need a clean log.

    Mike
  9. kritius

    kritius TS Guru Posts: 2,087


    Mike,

    In regards to this line, just managed to get an infection like it removed on another log, HJT won't do it, Use ComboFix and change the name when downloading it.
  10. mflynn

    mflynn TS Rookie Posts: 2,793

    OK HelpPlease2009

    Do as Krititus says above.

    Download ComboFix

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Before running rename Combofix.exe to 12cbf34.exe and run that!

    Double click 12cbf34.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.

    Thanks Kritius!

    Mike
  11. HelpPlease2009

    HelpPlease2009 TS Rookie Topic Starter


    1 more object was detected

    Av-test.txt.Vir C:\quarantine "EICAR test file'

    Attached Files:

     
  12. mflynn

    mflynn TS Rookie Posts: 2,793

    OK so let me see "What" was found by ComboFix run as 12cbfFix.

    And did you do the NetRepair from post # 8 ???

    You still have issues in HJT and I would like to know if you did run NetRepair!

    So post combofix log and answer my question on Netrepair then proceed below.
    --------------------------------------------------------------------------------------------------------

    Go to Control panel Add/Remove Programs and uninstall Logitech\Desktop Messenger!

    Now go here: TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    And do the CClean first followed by SuperAntiSpyWare (SAS).

    Get me the SAS log!

    Mike
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.