Chronus: Weird HJT log, so here's the logs

[Chronus]

Playing some wow, noticed that performance wasn't up to scratch. Open HJT, and noticed 71 counts for logitech under 18 and new that that's not right.

I cleared using CC cleaner when I started getting things done, but got delayed, and forgot to run it before logs. ran it afterwords.

And yes I know I have I-Win, but my mom loves playing the games and I can't get rid of it without making it so she can still play. so I can't get rid of it.

 

[Bobbye]

I'll help you with the malware.

You have gotten an outdated verstion of Hi9jackThis> v1.9.9. and will need to get the current one. (instructions at end of removal) But there's no sense in dragging the Logitech Messeger around- so first:

Turn off Logitech Desktop Messenger.
This program is not required to start automatically as you can run it when you need to.
It is advised that you disable it so that it does not take up necessary system resources.
Go to Start>All Programs>Logitech> click on Desktop Messenger.
There are two check boxes which are self descriptive.
You can choose to disable either or both check boxes.

Then do the following:

Please reopen HijackThis to 'do system scan only'. Check each of the following as instructed:

Begin with this entry: Check all entries in between up to the last entry: Do not click on Fix Checked until they are all checked

O18 - Protocol: bw+0 - {E9662EBF-EB33-4502-819F-B768990A3097} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>there is a total of 78 entries>>>>>>>>

End with this entry
O18 - Protocol: bwz0s - {E9662EBF-EB33-4502-819F-B768990A3097} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

Close all Windows except HijackThis and click on "Fix Checked"

Once this has been done, pleaase download and run the current HJT v2.0.2 HEREand give me a new log in next reply.

 

[Tmagic650]

That Logitech desktop stuff:
"O18 - Protocol: bw+0 - {E9662EBF-EB33-4502-819F-B768990A3097} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {E9662EBF-EB33-4502-819F-B768990A3097} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {E9662EBF-EB33-4502-819F-B768990A3097} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {E9662EBF-EB33-4502-819F-B768990A3097} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {E9662EBF-EB33-4502-819F-B768990A3097} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {E9662EBF-EB33-4502-819F-B768990A3097} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

...and so on


Is not normal!

The iWin stuff is bad too. So what are we to do. You cleaned up a lot of nasties. Is the computer running any better?

 

[Chronus]

ok, here is the fresh HJT log.

Is there a way to get rid of the I win, and still be able to use the games?

 

[Bobbye]

Tmagic- did you not read my post? I gave instructions for removing the Logitech entries!

Please reopen the HijackThis log to 'do system scan only[. Check the following if foumd:

O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

(This is identified as a Trojan Backdoor: IWINGAMESHOOKIE.DLL
Deetails: {8CA5ED52-F3FB-4414-A105-2E3491156990} IEHlprObj Class iWinGamesHookIE.dll, IWINGA~1.DLL, IEHelper.dll Downloader, a FUNWEB aka FunWebProducts adware component )

Close all Windows except HijackThis and click on "Fix Checked."

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Check Add/Remove Programs in the Control Panel> highlight and uninstall iWinGames

Right click on Start> Explore> Click on Tools> Folder Options> View tab> Check 'show hidden files and folders' and Uncheck 'hide system and protected files' (Recommended)> Apply> OK.

Click on My Computer> Local Drive (C)> Programs> find iWinGames and do a right click? Delete on the folder. Close Windows Explorer.

Rehide the Files.

Empty the Recycle Bin

Reboot the computer.

You should run the following for any other potentially bad entries:
Download SDFix HERE and save it to your Desktop.

• Double click SDFix.exe and it will extract the files to %systemdrive%
  (Drive that contains the Windows Directory, typically C:\SDFix)
  
  Boot into Safe Mode
• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  
  Run SDFix
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
• Attach Report.txt back here

Then rescan with HijackThis. Attach logs for SDFix and HJT in next reply.

 

[Tmagic650]

Bobbye, I was posting right when you posted... sorry. Thanks for the info

 

[Chronus]

As i said before, my mom plays games from i win, and they require i win installed to be able to play, and so i can not get rid of i win.

After running the program, the computer restarted back into safe mode because i forgot to uncheck the /safemode in msconfig. and so redid the scan.

 

[Bobbye]

Chronus, you can keep the program itself- iWin-but you should remove the browser helper object below:
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

It is this files that has the infection: IWINGAMESHOOKIE.DLL

The BHO might reinstall- I'm sure, so keep a lookout for it. Explain to your mother that the toolbar is an infection and she doesn't need it to run iWin.

This is a valid program, but it is up to you whether or not you want it to run on startup.
Whether or not you need to run this program on startup must be decided by you.

Name: iWinTrusted
Filename: iWinTrusted.exe
Command: c:\program files\iWin Games\iWinTrusted.exe

I would recommend though that you take it off the Startup menu. The program can then be launched when needed.

It also has a Service which should be set to Manual Startup and not Automatic:
Start> Run> type in services.msc> double click on iWinTrusted> Set the Strtup type to Manual> Apply> OK> Close Services.

Do you have any idea what this entry is?
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" //mailurl:mailto:?body=http%3A%2F%2Ficanhascheezburger.files.wordpress.com%2F2007%2F05%2Fjesus_christ_its_a_lion.jpg&subject=

It my be okay- I just can't identify it.

Now that we put Logitech out to pasture, are you experiencing any other malware related problems?

These processes can be checked- they don't need to be loading evertime anyone signs on. Just check in HJT as you did above.

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?

 

[Chronus]

Thank you for explain it to me. i've done as you asked with everything, but when i went to disable it from start up i was not able to find it on the list.

As for:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" //mailurl:mailto:?body=http%3A%2F%2Ficanhascheezburger.files.wordpress.com%2F 2007%2F05%2Fjesus_christ_its_a_lion.jpg&subject=
I opened outlook, and it told me that there was a subscription that had been set up before this latest version of outlook had been installed, and asked me if i wanted to merge it with the new one. i told it no, and had hijack get rid of it, as it was referencing the site that i had gotten a picture from.

Fresh HJT log.

 

[Chronus]

Bump sense its been a few days.

 

[Bobbye]

2 days isn't bad in the grand scheme of things! Patience is something we ask of all here- it's a very busy forum.

We handle the Logitech problem. We handled the iWin problem. You handled the mail entry I asked you about.

Does 'it' mean iWon on startup? If you did the following, it shouldn't start until someone opens it:

It also has a Service which should be set to Manual Startup and not Automatic:
Start> Run> type in services.msc> double click on iWinTrusted> Set the Strtup type to Manual> Apply> OK> Close Services.

What problems are you still having?

Please run an online scan:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Leave log in next reply. If it's clean, I'll have you remove the cleaning tools.

 

[Tmagic650]

Looks like this could have been left by an infected email. Do you use Outlook Express?
"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" //mailurl:mailto:?body=http%3A%2F%2Ficanhascheezburger.files.wordpress.com%2F 2007%2F05%2Fjesus_christ_its_a_lion.jpg&subject=

There are some things in the hijackthis log that need your attention. They may be good or bad...

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O1 - Hosts: 216.14.208.12 cp.6sys.net
O3 - Toolbar: XRefresh Toolbar - {551012C5-352D-48D9-9E29-E90F293D19F0} - "C:\Program Files\XRefresh\XRefreshAddon.dll" (file missing)
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: XRefresh - {8774C0B1-6697-43B8-8D0E-6179F48838B0} - "C:\Program Files\XRefresh\XRefreshAddon.dll" (file missing)
O9 - Extra 'Tools' menuitem: XRefresh - {8774C0B1-6697-43B8-8D0E-6179F48838B0} - "C:\Program Files\XRefresh\XRefreshAddon.dll" (file missing)

 

[Bobbye]

tmagic, the email entry has been handled.

As for the HJT directions, whose log are you looking at? It's not his in Post #9.

 

[Chronus]

Sorry, in my mind it had been about a week when i bumped, and then saw that it was only 2 days and couldn't get rid of the bump so changed what it said.

No other problems I've run into, only thing I'm semi worried about is i wonder if my computer might be a zombie as when i open task manager, i see that the processor is being used a lot, and then it goes back down to 20-30% used. may just be because i open manager, and I'm probably just paranoid about it.

As for the I win, i was thinking you were saying it was in my msconfig: startup area, and that was where my confusion was.

K log from the site, and HJT. Thanks for all of your help.

 

[Bobbye]

Okay, the system is clean of malware. But I think I have found the CPU users. You don't need any of the following to start on boot. I have given a short description where applicable. These are all considered optional removals- they aren't malware, foistware or adware. But some are high resource users and most will be accessing the internet multiple times a day:

If you would like to take the\e off of Startup or remove nt of the programs follow below:

Please reopen HijackThis to 'do system scan only. Check each of the following if present:
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
yahooauservice.exe uses excessive system and memory resources with no corresponding benefit.
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
HP software updates.
The following processes are all for the Logitech web cam and are loading at startup. None need to start on boot. Web cam is user invoked- you can access it through All Programs when wanted/needed.
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
(Found on Acer laptops with webcams and Logitech webcams. Reports indicate that this process can use up a great deal of memory)
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
(Video effects for web cam)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe> high resource user
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
-------------------------------------------
The following are Google related. None need to start on boot:
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe> auto update
O4 - HKUS\S-1-5-21-2025429265-963894560-682003330-1004\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Mom')
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
(If you never asked for the "Google Quick Search Box", and neither need nor want it: Then uninstall it
O23 - Service: Google Update Service (gupdate1c9bf1be359a036) (gupdate1c9bf1be359a036) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe> [on my laptop,this Service contacted the internet twice yesterday- I disabled it)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe>> t(on my laptop this Services contacted the internet 13 times yesterday- I have disabled it.

Close all Windows except HijackThis and click on "Fix Checked".

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Go to Add/ remove Programs in the Control Panel> if you decided to uninstall the Logitech web cam> uninstall all related entries.

If you want to keep the web cam, but take it off of Startup> do this:

Start> Run> type in msconfig> enter> Selective Startup> Startup tab> Uncheck all processes related to the web cam:
QuickCam10.exe
COCIManager.exe
LComMgr or Communications_Helper.exe
LVComSX.exe
Logitech Vid or vid.exe
LVPrcSrv.exe
SrvLnch\SrvLnch.exe
Click on Apply> OK

Start> Run> type in services.msc> find the following 2 Services> if uninstalling the program, change Startup Type to Disabled. If keeping but removing from Startup> change Startup Type to Manual.
LVPrcSrv
LVSrvLauncher

The extra Google entries do not appear in Add/Remove Programs. To disable the Service, find the 2 entries below and change Startup type to Disabled:
gupdate
gusvc

Close the Services. Reboot into Normal Mode. NOTE: the first time you reboot after making changes using msconfig, you will get a nag message. It can be ignored and closed after checking 'do not show this message again.'

Empty the Recycle Bin

Let me know if you notice and improvement. Then I'll have you remove the clenaing tools and old restore points.

 

[Chronus]

K here is the freshest log, and ty, start up went a LOT smoother then it used to. there was one difficulty though, there was a svchost.exe that is really active when the computer first starts up, or when i have logged in. I'm not sure what it does, or is doing, but it will take up once entire processor capacity, bringing the computer to a constant 50% CPU Usage. So i end task it, and computer runs normally. its been like that for a while, and no problems have every arised as far as i know of, but it is a nuisance.

 

[Bobbye]

You should not end svchost.ese without identifying it.

You have 41 running processes. Of those, 5 are svchost.ese and they are in the System 32 location, which is normal. (By the way, I have 7-9 svchost.exe running) Use the msconfig utility and uncheck everything on Startup except the Avast processes. You can also leave Windows Defender if you want.

What I don't see is where you have the HijackThis log. If saved according to the instructions, there would be an entry like this:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

[Chronus]

i just hit scan and save, and then close the notepad it opens, and that is where it is saved to.

 

[Bobbye]

Much better! Now you can remove the cleaning tools:

Remove all of the tools we used and the files and folders they created

• DownloadOTCleanIt by OldTimer
• Save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

If you are prompted to Reboot during the cleanup, select Yes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:

• Go to Start > All Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
• Click "OK" to select the partition or drive you desire.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

If you continue to notice a problem with svchost.exe, please move to the Windows OS forum. Let me know if you need help in the future.

Wishing you a Happy Holiday Season!