popups and windows error messages when starting computer, popups and error messages
jessliv82
post Jul 11 2007, 06:01 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:46:05 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

I'm getting popups when IE is running and some when it is not running. I ran Norton, a spyware scan, Ad-Aware and AVG. AVG got rid of a lot; however, the computer is still running slow, and when starting the computer I now get error messages from Logitech and "error loading C:\windows\system32\j7291038.dll, module can't be found". I have already run AVG in safe mode and created a system restore point, and now, to top it off, under Display I can't click on any background pictures: it will let me put my own picture on the background, but none of the Windows pictures will let me click on them; I can only click on the color. Please help.


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13BAA56A-9570-AC65-EA8E-EDE19CE7FD52} - (no file)
O2 - BHO: Class - {143B9440-CA24-BED6-D9CD-08CC6A984764} - C:\WINDOWS\system32\ieys32.dll (file missing)
O2 - BHO: Class - {15FEC491-F0D8-A206-B818-8D1D3FEDF979} - C:\WINDOWS\system32\sysjt32.dll (file missing)
O2 - BHO: Class - {2AB80E5C-C6A3-016D-788D-E1F289A65E42} - C:\WINDOWS\winag32.dll (file missing)
O2 - BHO: (no name) - {2AD27B78-A144-13BF-3CFD-8C2B118FCB77} - (no file)
O2 - BHO: Class - {2C0087A1-5D6B-3765-B30B-8A302FBA4596} - C:\WINDOWS\addzb.dll (file missing)
O2 - BHO: Class - {3AE414DC-B2A7-0DAD-989F-AC39ADF529E6} - C:\WINDOWS\system32\crie32.dll (file missing)
O2 - BHO: Class - {3E7061C4-43FC-71F4-46DC-05A0D8524F6C} - C:\WINDOWS\system32\appms.dll (file missing)
O2 - BHO: Class - {4B1C5C48-BA9D-4905-65D8-B9E278BF991D} - C:\WINDOWS\system32\mspc.dll (file missing)
O2 - BHO: Class - {4CD05B77-C677-4D01-5562-25BA68012376} - C:\WINDOWS\apict.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {563AC50A-6D00-C342-5EC7-D1C5C40E2122} - C:\WINDOWS\system32\msef32.dll (file missing)
O2 - BHO: Class - {5DAA3B7C-6DEC-B6D5-9597-81AFF0B315AA} - C:\WINDOWS\system32\mfcme.dll (file missing)
O2 - BHO: Class - {63AEC6B0-2656-D7C1-9D55-6B66F78A3D1A} - C:\WINDOWS\system32\iewo.dll (file missing)
O2 - BHO: Class - {69B41F32-4AC6-1E89-433B-C41C1477D07C} - C:\WINDOWS\msiv32.dll (file missing)
O2 - BHO: Class - {83241F15-A38D-4603-9874-0E32E3A2D544} - C:\WINDOWS\ntrl.dll (file missing)
O2 - BHO: Class - {8A8EABA7-19AA-BB2B-F288-8E8741D4A2E0} - C:\WINDOWS\ntpn32.dll (file missing)
O2 - BHO: Class - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\WINDOWS\nettl.dll (file missing)
O2 - BHO: Class - {96316EB2-0E4E-6A7E-7A88-DD575904EDB4} - C:\WINDOWS\ieqp32.dll (file missing)
O2 - BHO: Class - {9FBCDEFF-A6FC-C42E-2DA5-84537095BAA5} - C:\WINDOWS\system32\appon32.dll (file missing)
O2 - BHO: Class - {A1A0A8B0-1426-AEE6-1AF3-A0AEC3BAA6FA} - C:\WINDOWS\appvt.dll (file missing)
O2 - BHO: Class - {A3D347B5-8D22-1E55-4D3E-C94C91F76762} - C:\WINDOWS\apikr32.dll (file missing)
O2 - BHO: Class - {A5C17366-4766-30CF-5AD1-138CC5B3E64A} - C:\WINDOWS\crkv.dll (file missing)
O2 - BHO: Class - {B8A40086-20B8-C1F2-809A-00534310B657} - C:\WINDOWS\system32\apprw.dll (file missing)
O2 - BHO: Class - {C054F454-DB2C-0434-31BF-C3C717973C71} - C:\WINDOWS\system32\d3ve.dll (file missing)
O2 - BHO: (no name) - {c29ffbe7-9286-40b8-8121-cf9475315eba} - C:\WINDOWS\system32\dsqops.dll (file missing)
O2 - BHO: Class - {CC492B23-D765-1168-B1BB-2E0624A5E876} - C:\WINDOWS\appvz32.dll (file missing)
O2 - BHO: Class - {DCB7AA47-29E8-5669-EB30-7BCD8254F742} - C:\WINDOWS\ipqy.dll (file missing)
O2 - BHO: Class - {DECD8E91-E600-DF80-A5DB-061BB58F74D4} - C:\WINDOWS\ieyf.dll (file missing)
O2 - BHO: Class - {EBA74261-7CAA-F270-26F4-4E2A669761D1} - C:\WINDOWS\ntne.dll (file missing)
O2 - BHO: Class - {F05E944D-A6BE-48F3-A206-5BFEB880123F} - C:\WINDOWS\system32\sysew.dll (file missing)
O4 - HKLM\..\Run: [winmu32.exe] C:\WINDOWS\winmu32.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [LanManNTR] C:\Documents and Settings\Owner\Desktop\aff_test_morton.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [j7291038] rundll32 C:\WINDOWS\system32\j7291038.dll sook
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://financeworks.mathxl.com/wizmodules/...GenXInstall.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://financeworks.mathxl.com/applets/Pea...InstallAsst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F8B8AF16-CECF-4002-9CC0-1E18029D7770} (FWPlayer Control) - http://financeworks.mathxl.com/applets/FWPlayer.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: mssms - {554A0D4D-FE36-4A33-8526-172CDC545691} - C:\WINDOWS\mssms.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

This post has been edited by jessliv82: Jul 11 2007, 06:05 PM
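As an added example (not code from this thread, from HijackThis, or from the helper), here is a small Python triage script that reads a HijackThis v1.99.1 log the way the log above gets read: it flags entries still pointing at files that are gone, Run entries that load a DLL through rundll32 from the Windows directory, autostarts living in a user-profile folder, and services with no vendor string running out of the Windows directory. The sample lines are copied from the log above; the rule set and the names `triage` and `summarize` are my own.

```python
"""Triage a HijackThis v1.99.1 log the way the helper in this thread reads it.

Added example; the rules and names here are my own, not HijackThis's or the thread's.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the log posted above, in HijackThis's own
# "<section> - <fields separated by ' - '>" line format, chosen to exercise every rule.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {143B9440-CA24-BED6-D9CD-08CC6A984764} - C:\WINDOWS\system32\ieys32.dll (file missing)
O2 - BHO: (no name) - {13BAA56A-9570-AC65-EA8E-EDE19CE7FD52} - (no file)
O4 - HKLM\..\Run: [j7291038] rundll32 C:\WINDOWS\system32\j7291038.dll sook
O4 - HKLM\..\Run: [LanManNTR] C:\Documents and Settings\Owner\Desktop\aff_test_morton.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O21 - SSODL: mssms - {554A0D4D-FE36-4A33-8526-172CDC545691} - C:\WINDOWS\mssms.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# HijackThis appends these when the registry still references a file that is gone.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+(?P<dll>\S+\.dll)", re.I)
WINDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\", re.I)
USER_PROFILE_RE = re.compile(r"\\Documents and Settings\\|\\DOCUME~1\\|\\Temp\\|\\Desktop\\", re.I)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list[str] = field(default_factory=list)


def parse_entries(log_text: str):
    """Yield (section, body, raw_line) for every 'Rn'/'On' entry; header lines are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def triage(log_text: str) -> list[Finding]:
    """Apply the thread's reading of the log: orphaned hooks, odd Run entries, unknown services."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        reasons = []
        # 1. Any entry whose target file is gone: a leftover hook from something already removed
        #    (the many O2 BHO lines and the O23 DomainService line in the log look like this).
        if body.endswith(ORPHAN_MARKERS):
            reasons.append("orphaned reference: registry entry points at a file that no longer exists")
        if section == "O4":
            cmd = body.split("] ", 1)[-1]          # text after "[value name] "
            m = RUNDLL_RE.search(cmd)
            # 2. rundll32 loading a DLL from %windir% at logon (the j7291038.dll entry).
            if m and WINDIR_RE.match(m.group("dll")):
                reasons.append("rundll32 loads a DLL from the Windows directory at logon")
            # 3. An autostart that runs out of a user-profile folder (the Desktop .exe entry).
            if USER_PROFILE_RE.search(cmd):
                reasons.append("autostart binary lives in a user-profile location")
        if section == "O23":
            fields = body.split(" - ")
            # 4. A service with no vendor string whose binary sits under C:\WINDOWS. Vendor
            #    alone is too noisy: the Symantec services in the log also show "Unknown owner".
            if len(fields) >= 2 and fields[-2] == "Unknown owner" and WINDIR_RE.match(fields[-1]):
                reasons.append("service with unknown vendor running out of the Windows directory")
        if reasons:
            findings.append(Finding(section, raw, reasons))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count flagged entries per HijackThis section, e.g. {'O2': 2, 'O4': 2, ...}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
    print(summarize(hits))
```

Run against the full log posted above, the orphan rule alone accounts for most of the O2 lines, which is what makes the helper's "brood of infections" verdict visible at a glance.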
Angelfire777
post Jul 12 2007, 07:23 AM

Hi, welcome to G2G!

You have a brood of infections there.

Click Start > Control Panel > Add/Remove Programs.

The following is an optional removal.

Logitech® Desktop Messenger (LDM) is a free service designed to deliver software support, news and information you can use. LDM ensures that you have simple, speedy, and effortless access to product upgrades, technology tips, and technology news and offers that are relevant to you. LDM delivers information right to your desktop, allowing you to take advantage of all of the advanced features of the Logitech products you own, while staying abreast of new computer-related product and service developments (Logitech and otherwise) that are applicable to your life. Once a week, when connected to the internet, Logitech Desktop Messenger will automatically connect with Logitech servers to see if there are any new messages for you. It performs this check during idle time to avoid slowing down other applications that may be accessing the Internet. If there is a message on the server, then Logitech Desktop Messenger will download the message utilizing bandwidth that would otherwise be unused. After the message is downloaded, Logitech Desktop Messenger will wait for one minute of keyboard and mouse inactivity before displaying the message on your screen. I suggest doing all updates yourself and removing this application.
_________

Download combofix.exe

1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
_________

Please download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop.
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: press 1, then Enter, to scan for bak folders.
The scan may take a while; please be patient.

When done, a text file, the Find AWF report, is produced.
Please provide the Find AWF report in your reply.

If by any chance you lose the report produced, click Start>Run, type %temp%\findawf\awf.txt. It will open the report again.


jessliv82
post Jul 12 2007, 04:29 PM

Thank you so much for responding so quickly. I got all three reports; they are below. I'm trying to do the best I can; I don't understand computers much, so thanks for the directions. I can't understand how all of this is getting on my computer. I am not sure about deleting the Logitech program, because that is what my mouse is and I don't want it to stop working. Will removing that program cause any problems? Looking forward to fixing the rest.
Thanks, Jessica

Okay, I ran ComboFix; here is the report.

"Owner" - 2007-07-12 17:54:26 - ComboFix 07-07-13 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1.\.rdr.ini
C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk
C:\DOCUME~1\Owner\Desktop\internet.lnk
C:\temp\tn3
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\tmp3F.tmp.dll
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NET_AGENT
-------\LEGACY_NWSAPAGENT
-------\core
-------\DomainService
-------\Net Agent
-------\NwSapAgent


((((((((((((((((((((((((( Files Created from 2007-06-12 to 2007-07-12 )))))))))))))))))))))))))))))))


2007-07-12 17:52 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-11 00:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-11 00:16 <DIR> d-------- C:\HJT
2007-07-10 23:27 <DIR> d-------- C:\VundoFix Backups
2007-07-06 20:51 <DIR> d-------- C:\Program Files\Riverdeep
2007-07-06 20:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Riverdeep
2007-07-05 14:00 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\The Learning Company
2007-07-05 13:39 274,432 --a------ C:\WINDOWS\TLCUninstall.exe
2007-07-05 13:39 <DIR> d-------- C:\Program Files\The Learning Company
2007-07-05 13:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\The Learning Company
2007-07-04 23:32 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-07-04 23:32 <DIR> d-------- C:\Program Files\Edmark
2007-07-04 23:24 <DIR> d-------- C:\Program Files\brighter child
2007-07-04 23:15 69,632 --a------ C:\WINDOWS\system32\Clifford Uninstall.exe
2007-07-04 23:15 <DIR> d-------- C:\Program Files\Scholastic's Clifford
2007-07-02 21:19 2,621,442 --a------ C:\SYM_REGISTRY_BACKUP.reg
2007-06-17 20:25 <DIR> d-------- C:\WINDOWS\CWONDERS
2007-06-17 20:24 92,208 --a------ C:\WINDOWS\system\WING.DLL
2007-06-17 20:24 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2007-06-17 20:24 243,680 --a------ C:\WINDOWS\UNINST16.EXE
2007-06-17 20:24 188,960 --a------ C:\WINDOWS\system\WINGDE.DLL
2007-06-17 20:24 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2007-06-17 20:24 <DIR> d-------- C:\CWONDERS
2007-06-16 12:52 <DIR> d-------- C:\WINDOWS\system32\pmcubosf
2007-06-13 22:13 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-06-13 21:32 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-13 20:49 <DIR> d-------- C:\WINDOWS\Spyware Slayer Settings
2007-06-13 15:03 238,790 --a------ C:\DOCUME~1\Owner\APPLIC~1\ZBScreenSaver_1.scr
2007-06-13 15:02 238,790 --a------ C:\DOCUME~1\Owner\APPLIC~1\ZBScreenSaver.scr
2007-06-13 15:00 238,790 --a------ C:\WINDOWS\system32\ZBScreenSaver_1.scr
2007-06-13 14:59 238,790 --a------ C:\WINDOWS\system32\ZBScreenSaver.scr
2007-06-12 22:00 <DIR> d-------- C:\Program Files\Common Files\ODBC


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-10 00:36:07 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-03 03:37:49 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MSNInstaller
2007-06-28 18:35:47 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Corel
2007-06-28 02:25:48 -------- d-----w C:\Program Files\iTunes
2007-06-27 17:38:47 -------- d-----w C:\Program Files\EPSON Print CD
2007-06-14 02:00:33 -------- d-----w C:\Program Files\Common Files\Scanner
2007-06-12 07:27:05 1,809,075 --sh--w C:\WINDOWS\system32\ccbeg.ini2
2007-06-12 03:39:58 1,809,783 --sha-w C:\WINDOWS\system32\ccbeg.bak2
2007-06-12 02:57:27 -------- d-----w C:\Program Files\Norton AntiVirus
2007-06-12 02:28:22 -------- d-----w C:\Program Files\Symantec
2007-06-12 02:28:21 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-06-12 02:28:21 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-06-12 02:28:21 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-12 02:28:21 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-06-12 02:04:06 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MSN6
2007-06-12 02:02:52 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\COMCASTTOOLBAR
2007-06-12 00:27:47 1,810,072 --sha-w C:\WINDOWS\system32\ccbeg.bak1
2007-06-06 02:25:40 444 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-06-06 02:06:13 -------- d-----w C:\Program Files\Yahoo! Games
2007-06-06 01:56:44 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-06 01:56:19 -------- d-----w C:\Program Files\Common Files\ISPCOMP
2007-06-06 01:17:51 10 ----a-w C:\WINDOWS\popcinfo.dat
2007-06-05 02:08:51 -------- d-----w C:\Program Files\MUSICMATCH
2007-06-03 17:26:46 -------- d-----w C:\Program Files\QuickTime
2007-06-02 03:13:31 -------- d-----w C:\Program Files\Windows NT
2007-06-02 02:33:25 -------- d-----w C:\Program Files\Yahoo!
2007-06-02 02:32:59 -------- d-----w C:\Program Files\Spyware Slayer
2007-05-31 03:51:12 -------- d-----w C:\Program Files\Lavasoft
2007-05-31 03:50:16 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-31 03:32:43 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-30 12:24:11 14 ----a-w C:\WINDOWS\bstdin.bin
2007-05-30 03:18:11 -------- d-----w C:\Program Files\Support.com
2007-05-30 03:17:51 -------- d-----w C:\Program Files\Messenger
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2006-12-25 20:27:59 36,808,256 ----a-w C:\Program Files\iTunesSetup.exe
2006-01-21 02:30:16 4,048,984 ----a-w C:\Program Files\LimeWireWin.exe
2005-10-10 20:54:00 46,672 ----a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2004-12-14 01:56 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13BAA56A-9570-AC65-EA8E-EDE19CE7FD52}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{143B9440-CA24-BED6-D9CD-08CC6A984764}]
C:\WINDOWS\system32\ieys32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15FEC491-F0D8-A206-B818-8D1D3FEDF979}]
C:\WINDOWS\system32\sysjt32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AB80E5C-C6A3-016D-788D-E1F289A65E42}]
C:\WINDOWS\winag32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AD27B78-A144-13BF-3CFD-8C2B118FCB77}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C0087A1-5D6B-3765-B30B-8A302FBA4596}]
C:\WINDOWS\addzb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AE414DC-B2A7-0DAD-989F-AC39ADF529E6}]
C:\WINDOWS\system32\crie32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E7061C4-43FC-71F4-46DC-05A0D8524F6C}]
C:\WINDOWS\system32\appms.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B1C5C48-BA9D-4905-65D8-B9E278BF991D}]
C:\WINDOWS\system32\mspc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CD05B77-C677-4D01-5562-25BA68012376}]
C:\WINDOWS\apict.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{563AC50A-6D00-C342-5EC7-D1C5C40E2122}]
C:\WINDOWS\system32\msef32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DAA3B7C-6DEC-B6D5-9597-81AFF0B315AA}]
C:\WINDOWS\system32\mfcme.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AEC6B0-2656-D7C1-9D55-6B66F78A3D1A}]
C:\WINDOWS\system32\iewo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69B41F32-4AC6-1E89-433B-C41C1477D07C}]
C:\WINDOWS\msiv32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83241F15-A38D-4603-9874-0E32E3A2D544}]
C:\WINDOWS\ntrl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A8EABA7-19AA-BB2B-F288-8E8741D4A2E0}]
C:\WINDOWS\ntpn32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F69ADF9-A5DE-30DA-0B84-99655E5A16A4}]
C:\WINDOWS\nettl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96316EB2-0E4E-6A7E-7A88-DD575904EDB4}]
C:\WINDOWS\ieqp32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FBCDEFF-A6FC-C42E-2DA5-84537095BAA5}]
C:\WINDOWS\system32\appon32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1A0A8B0-1426-AEE6-1AF3-A0AEC3BAA6FA}]
C:\WINDOWS\appvt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3D347B5-8D22-1E55-4D3E-C94C91F76762}]
C:\WINDOWS\apikr32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5C17366-4766-30CF-5AD1-138CC5B3E64A}]
C:\WINDOWS\crkv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8A40086-20B8-C1F2-809A-00534310B657}]
C:\WINDOWS\system32\apprw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C054F454-DB2C-0434-31BF-C3C717973C71}]
C:\WINDOWS\system32\d3ve.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c29ffbe7-9286-40b8-8121-cf9475315eba}]
C:\WINDOWS\system32\dsqops.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC492B23-D765-1168-B1BB-2E0624A5E876}]
C:\WINDOWS\appvz32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DCB7AA47-29E8-5669-EB30-7BCD8254F742}]
C:\WINDOWS\ipqy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DECD8E91-E600-DF80-A5DB-061BB58F74D4}]
C:\WINDOWS\ieyf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBA74261-7CAA-F270-26F4-4E2A669761D1}]
C:\WINDOWS\ntne.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F05E944D-A6BE-48F3-A206-5BFEB880123F}]
C:\WINDOWS\system32\sysew.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-04-26 07:06 C:\WINDOWS\KHALMNPR.Exe]
"NetscapeClient"="" []
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"LanManNTR"="C:\Documents and Settings\Owner\Desktop\aff_test_morton.exe" []
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 18:39]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" []
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"@"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
@=wallpaperstyle
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source= C:\ZBWallpaper_5.bmp
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{554A0D4D-FE36-4A33-8526-172CDC545691}"="C:\WINDOWS\mssms.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-07-12 22:09:04 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-10 13:00:00 C:\WINDOWS\tasks\At10.job
2007-07-09 14:00:00 C:\WINDOWS\tasks\At11.job
2007-07-09 15:00:00 C:\WINDOWS\tasks\At12.job
2007-07-12 17:00:00 C:\WINDOWS\tasks\At14.job
2007-07-12 20:00:00 C:\WINDOWS\tasks\At17.job
2007-07-08 05:00:00 C:\WINDOWS\tasks\At2.job
2007-07-08 06:00:00 C:\WINDOWS\tasks\At3.job
2007-07-08 07:00:00 C:\WINDOWS\tasks\At4.job
2007-07-08 08:00:00 C:\WINDOWS\tasks\At5.job
2007-07-08 09:00:00 C:\WINDOWS\tasks\At6.job
2007-07-08 10:00:00 C:\WINDOWS\tasks\At7.job
2007-07-08 11:00:00 C:\WINDOWS\tasks\At8.job
2007-07-08 12:00:00 C:\WINDOWS\tasks\At9.job
2007-07-10 00:53:39 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-12 18:06:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus Photo R320 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-12 18:12:26
C:\ComboFix-quarantined-files.txt ... 2007-07-12 18:11

--- E O F ---

I ran FindAWF; here is the report.

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SPYWAR~1\BAK

06/05/2007 10:05 PM 9 CurrentHwnd.ssf
06/05/2007 10:05 PM 0 LogFile.txt
07/27/2005 01:17 PM 1,040,384 SpywareSlayer.Exe
3 File(s) 1,040,393 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

04/07/2003 03:07 AM 114,688 hkcmd.exe
04/07/2003 03:19 AM 155,648 igfxtray.exe
2 File(s) 270,336 bytes

Directory of C:\PROGRA~1\COMMON~1\ISPCOMP\BAK

10/19/2006 04:52 PM 110,080 InstallService.exe
1 File(s) 110,080 bytes

Directory of C:\PROGRA~1\EPSON\INKMON~1\BAK

12/07/2001 05:48 AM 258,118 InkMonitor.exe
1 File(s) 258,118 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

01/19/2006 11:06 AM 11,776 mimboot.exe
1 File(s) 11,776 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

09/14/2003 12:36 AM 50,688 WkUFind.exe
1 File(s) 50,688 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

12/07/2004 12:31 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

03/13/2007 08:03 PM 67,128 LogitechDesktopMessenger.exe
1 File(s) 67,128 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

04/26/2004 03:00 AM 98,304 E_FATI9FA.EXE
1 File(s) 98,304 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jun 27 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
9 Jun 5 2007 "C:\Program Files\Spyware Slayer\bak\CurrentHwnd.ssf"
652 Jul 12 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\logfile.txt"
0 Jun 5 2007 "C:\Program Files\Spyware Slayer\bak\LogFile.txt"
1040384 Jul 27 2005 "C:\Program Files\Spyware Slayer\bak\SpywareSlayer.Exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\DELL\drivers\R60084\Graphics\Win2000\hkcmd.exe"
155648 Apr 7 2003 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Apr 7 2003 "C:\DELL\drivers\R60084\Graphics\Win2000\igfxtray.exe"
110080 Oct 19 2006 "C:\Program Files\Common Files\ISPCOMP\bak\InstallService.exe"
258118 Dec 7 2001 "C:\Program Files\EPSON\Ink Monitor\bak\InkMonitor.exe"
11776 Jan 19 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe"
11776 Feb 12 2006 "C:\Program Files\MUSICMATCH\Musicmatch Update\MMJB\mimboot.exe"
50688 Sep 14 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
36975 Dec 7 2004 "C:\Program Files\Java\jre1.5.0_01\bin\bak\jusched.exe"
67128 Mar 13 2007 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
98304 Apr 26 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_photo_r36590\E_FATI9FA.EXE"
98304 Apr 26 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATI9FA.EXE"


end of report

and here is the new hijackthis report

Logfile of HijackThis v1.99.1
Scan saved at 6:23:19 PM, on 7/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13BAA56A-9570-AC65-EA8E-EDE19CE7FD52} - (no file)
O2 - BHO: Class - {143B9440-CA24-BED6-D9CD-08CC6A984764} - C:\WINDOWS\system32\ieys32.dll (file missing)
O2 - BHO: Class - {15FEC491-F0D8-A206-B818-8D1D3FEDF979} - C:\WINDOWS\system32\sysjt32.dll (file missing)
O2 - BHO: Class - {2AB80E5C-C6A3-016D-788D-E1F289A65E42} - C:\WINDOWS\winag32.dll (file missing)
O2 - BHO: (no name) - {2AD27B78-A144-13BF-3CFD-8C2B118FCB77} - (no file)
O2 - BHO: Class - {2C0087A1-5D6B-3765-B30B-8A302FBA4596} - C:\WINDOWS\addzb.dll (file missing)
O2 - BHO: Class - {3AE414DC-B2A7-0DAD-989F-AC39ADF529E6} - C:\WINDOWS\system32\crie32.dll (file missing)
O2 - BHO: Class - {3E7061C4-43FC-71F4-46DC-05A0D8524F6C} - C:\WINDOWS\system32\appms.dll (file missing)
O2 - BHO: Class - {4B1C5C48-BA9D-4905-65D8-B9E278BF991D} - C:\WINDOWS\system32\mspc.dll (file missing)
O2 - BHO: Class - {4CD05B77-C677-4D01-5562-25BA68012376} - C:\WINDOWS\apict.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {563AC50A-6D00-C342-5EC7-D1C5C40E2122} - C:\WINDOWS\system32\msef32.dll (file missing)
O2 - BHO: Class - {5DAA3B7C-6DEC-B6D5-9597-81AFF0B315AA} - C:\WINDOWS\system32\mfcme.dll (file missing)
O2 - BHO: Class - {63AEC6B0-2656-D7C1-9D55-6B66F78A3D1A} - C:\WINDOWS\system32\iewo.dll (file missing)
O2 - BHO: Class - {69B41F32-4AC6-1E89-433B-C41C1477D07C} - C:\WINDOWS\msiv32.dll (file missing)
O2 - BHO: Class - {83241F15-A38D-4603-9874-0E32E3A2D544} - C:\WINDOWS\ntrl.dll (file missing)
O2 - BHO: Class - {8A8EABA7-19AA-BB2B-F288-8E8741D4A2E0} - C:\WINDOWS\ntpn32.dll (file missing)
O2 - BHO: Class - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\WINDOWS\nettl.dll (file missing)
O2 - BHO: Class - {96316EB2-0E4E-6A7E-7A88-DD575904EDB4} - C:\WINDOWS\ieqp32.dll (file missing)
O2 - BHO: Class - {9FBCDEFF-A6FC-C42E-2DA5-84537095BAA5} - C:\WINDOWS\system32\appon32.dll (file missing)
O2 - BHO: Class - {A1A0A8B0-1426-AEE6-1AF3-A0AEC3BAA6FA} - C:\WINDOWS\appvt.dll (file missing)
O2 - BHO: Class - {A3D347B5-8D22-1E55-4D3E-C94C91F76762} - C:\WINDOWS\apikr32.dll (file missing)
O2 - BHO: Class - {A5C17366-4766-30CF-5AD1-138CC5B3E64A} - C:\WINDOWS\crkv.dll (file missing)
O2 - BHO: Class - {B8A40086-20B8-C1F2-809A-00534310B657} - C:\WINDOWS\system32\apprw.dll (file missing)
O2 - BHO: Class - {C054F454-DB2C-0434-31BF-C3C717973C71} - C:\WINDOWS\system32\d3ve.dll (file missing)
O2 - BHO: (no name) - {c29ffbe7-9286-40b8-8121-cf9475315eba} - C:\WINDOWS\system32\dsqops.dll (file missing)
O2 - BHO: Class - {CC492B23-D765-1168-B1BB-2E0624A5E876} - C:\WINDOWS\appvz32.dll (file missing)
O2 - BHO: Class - {DCB7AA47-29E8-5669-EB30-7BCD8254F742} - C:\WINDOWS\ipqy.dll (file missing)
O2 - BHO: Class - {DECD8E91-E600-DF80-A5DB-061BB58F74D4} - C:\WINDOWS\ieyf.dll (file missing)
O2 - BHO: Class - {EBA74261-7CAA-F270-26F4-4E2A669761D1} - C:\WINDOWS\ntne.dll (file missing)
O2 - BHO: Class - {F05E944D-A6BE-48F3-A206-5BFEB880123F} - C:\WINDOWS\system32\sysew.dll (file missing)
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [LanManNTR] C:\Documents and Settings\Owner\Desktop\aff_test_morton.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://financeworks.mathxl.com/wizmodules/...GenXInstall.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://financeworks.mathxl.com/applets/Pea...InstallAsst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F8B8AF16-CECF-4002-9CC0-1E18029D7770} (FWPlayer Control) - http://financeworks.mathxl.com/applets/FWPlayer.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: mssms - {554A0D4D-FE36-4A33-8526-172CDC545691} - C:\WINDOWS\mssms.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

This post has been edited by Angelfire777: Jul 13 2007, 07:03 PM
jessliv82
post Jul 12 2007, 04:34 PM
Post #4

Member
Posts: 21
OS: xp

I also just removed Logitech® Desktop Messenger (LDM) as you instructed me to do.
Angelfire777
post Jul 13 2007, 03:08 AM
Post #5

Visiting Staff
Posts: 313
From: BC, Canada
OS: Xp


I'll get back to you tomorrow if it's ok. I'm going out tonight.
Angelfire777
post Jul 13 2007, 06:52 PM
Post #6

Visiting Staff
Posts: 313
From: BC, Canada
OS: Xp


Hi,

Are you using McAfee Antivirus?

I see that you have a setup for LimeWire. So before you install it, I will warn you that p2p programs such as LimeWire can serve as vectors for malware to enter your system through the files downloaded there. Almost half of the available files for download are infected with malware, so I recommend that you do not use it.

Is this a desktop component that you use?

C:\ZBWallpaper_5.bmp

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

SpyHunter
The application above was previously on the list of Rogue Antispyware programs. It was once part of the group that tricks users into buying their software. I recommend that you uninstall it.

Spywareslayer
This program is listed in the rogue antispyware application list and up until now it has used dastardly ways to promote its product. Please uninstall it.
__________

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\Program Files\Common Files\ISPCOMP\bak\InstallService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
C:\Program Files\Java\jre1.5.0_01\bin\bak\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATI9FA.EXE


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

If by any chance you lose the report produced, click Start>Run, type %temp%\findawf\awf.txt. It will open the report again.
___________

Combofix Deletions
  • Right click on your desktop, select "new" then choose "New text Document"
  • Name it as "CFScript"
  • Copy and paste the text inside the code box below to CFScript.txt
QUOTE
File::
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\bstdin.bin
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\Program Files\LimeWireWin.exe (include this line only if you decide to not use limewire)

Folder::
C:\WINDOWS\system32\pmcubosf
C:\WINDOWS\Spyware Slayer Settings
C:\Program Files\Logitech\Desktop Messenger
C:\Program Files\Spyware Slayer
C:\Program Files\Enigma Software Group (include this line only if you uninstalled Spyhunter)

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13BAA56A-9570-AC65-EA8E-EDE19CE7FD52}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{143B9440-CA24-BED6-D9CD-08CC6A984764}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15FEC491-F0D8-A206-B818-8D1D3FEDF979}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AB80E5C-C6A3-016D-788D-E1F289A65E42}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AD27B78-A144-13BF-3CFD-8C2B118FCB77}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C0087A1-5D6B-3765-B30B-8A302FBA4596}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AE414DC-B2A7-0DAD-989F-AC39ADF529E6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E7061C4-43FC-71F4-46DC-05A0D8524F6C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B1C5C48-BA9D-4905-65D8-B9E278BF991D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CD05B77-C677-4D01-5562-25BA68012376}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{563AC50A-6D00-C342-5EC7-D1C5C40E2122}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DAA3B7C-6DEC-B6D5-9597-81AFF0B315AA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AEC6B0-2656-D7C1-9D55-6B66F78A3D1A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69B41F32-4AC6-1E89-433B-C41C1477D07C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83241F15-A38D-4603-9874-0E32E3A2D544}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A8EABA7-19AA-BB2B-F288-8E8741D4A2E0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F69ADF9-A5DE-30DA-0B84-99655E5A16A4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96316EB2-0E4E-6A7E-7A88-DD575904EDB4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FBCDEFF-A6FC-C42E-2DA5-84537095BAA5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1A0A8B0-1426-AEE6-1AF3-A0AEC3BAA6FA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3D347B5-8D22-1E55-4D3E-C94C91F76762}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5C17366-4766-30CF-5AD1-138CC5B3E64A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8A40086-20B8-C1F2-809A-00534310B657}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C054F454-DB2C-0434-31BF-C3C717973C71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c29ffbe7-9286-40b8-8121-cf9475315eba}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC492B23-D765-1168-B1BB-2E0624A5E876}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DCB7AA47-29E8-5669-EB30-7BCD8254F742}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DECD8E91-E600-DF80-A5DB-061BB58F74D4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBA74261-7CAA-F270-26F4-4E2A669761D1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F05E944D-A6BE-48F3-A206-5BFEB880123F}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{554A0D4D-FE36-4A33-8526-172CDC545691}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""
[-HKEY_CLASSES_ROOT\PROTOCOLS\Protocol\bwfile-8876480]

Filelook::
C:\WINDOWS\system32\ZBScreenSaver.scr
C:\Documents and Settings\Owner\Desktop\aff_test_morton.exe

Dirlook::
C:\Program Files\Common Files\Scanner
  • Save it.
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure how to do it.
  • Combofix will restart your machine, then it will produce a log afterwards.
  • Please post the contents of that log along with a fresh HijackThis log.
_____________

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

This post has been edited by Angelfire777: Jul 13 2007, 06:57 PM
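The restore list for FindAWF option 2 and the Registry:: block of the CFScript above were both worked out by hand from the two logs the poster supplied. The script below is an added example (editor's code, not FindAWF, ComboFix or HijackThis code) that reproduces that reasoning on constructed samples copied from the logs in this thread: for every file sitting in a bak folder it checks whether the parent folder still holds a same-size copy (the reading of the listing this example assumes, following the post's description that FindAWF deletes the rogue in the parent folder and copies the original back), and for every O2 line whose DLL is reported "(file missing)" or "(no file)" it emits the CFScript deletion line. The function names, the verdict labels and the Example\helper.exe pair are this example's own inventions. Note that the helper's actual restore list additionally left out the LDM and Spyware Slayer bak entries by judgement (LDM was uninstalled and Spyware Slayer is rogue), which no script can decide for you.

```python
"""Re-derive two parts of the cleanup script from the posted logs.

Added example, not code from FindAWF, ComboFix or HijackThis.  Function
names and verdict labels are this example's own.  Sample lines are copied
from the listings in this thread, plus one constructed pair
(Example\\helper.exe) showing the rogue still present in the parent folder.
"""
import re
import ntpath  # handles Windows paths correctly even when run on Linux/macOS

# Constructed sample: six lines from the FindAWF "Duplicate files of bak
# directory contents" listing above, plus the hypothetical Example pair.
FINDAWF_SAMPLE = r"""
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\DELL\drivers\R60084\Graphics\Win2000\hkcmd.exe"
36975 Dec 7 2004 "C:\Program Files\Java\jre1.5.0_01\bin\bak\jusched.exe"
50000 Jan 1 2007 "C:\Program Files\Example\bak\helper.exe"
12345 Jul 1 2007 "C:\Program Files\Example\helper.exe"
"""

# Constructed sample: four O2 lines from the HijackThis log above.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13BAA56A-9570-AC65-EA8E-EDE19CE7FD52} - (no file)
O2 - BHO: Class - {143B9440-CA24-BED6-D9CD-08CC6A984764} - C:\WINDOWS\system32\ieys32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
"""

# FindAWF listing line: <size> <Mon> <day> <year> "<path>"
LISTING_RE = re.compile(r'^(\d+)\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+"(.+)"$')
GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(r"^O2 - BHO: .* - (" + GUID + r") - (.*)$")


def parse_findawf(text):
    """Map every quoted path in the listing to its size in bytes."""
    files = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            files[m.group(2)] = int(m.group(1))
    return files


def classify_bak_files(text):
    """Compare each file inside a 'bak' folder with the copy that should
    live one level up (the autostart location the infection hijacked).
      parent-intact  : same-size copy already in place, nothing to restore
      parent-missing : parent copy gone (e.g. the rogue was deleted by AV)
      parent-differs : a file of another size sits there, i.e. the rogue
    """
    files = parse_findawf(text)
    by_lower = {p.lower(): s for p, s in files.items()}  # NTFS ignores case
    verdicts = {}
    for path, size in files.items():
        folder, name = ntpath.split(path)
        if ntpath.basename(folder).lower() != "bak":
            continue
        parent_copy = ntpath.join(ntpath.dirname(folder), name)
        parent_size = by_lower.get(parent_copy.lower())
        if parent_size is None:
            verdicts[path] = "parent-missing"
        elif parent_size == size:
            verdicts[path] = "parent-intact"
        else:
            verdicts[path] = "parent-differs"
    return verdicts


def restore_list(text):
    """bak files to hand to FindAWF option 2: every entry except those whose
    parent copy is already present and the same size."""
    return sorted(p for p, v in classify_bak_files(text).items()
                  if v != "parent-intact")


def dead_bho_clsids(hjt_text):
    """CLSIDs of O2 (BHO) entries whose DLL no longer exists on disk."""
    clsids = []
    for line in hjt_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        target = m.group(2)
        if target == "(no file)" or target.endswith("(file missing)"):
            clsids.append(m.group(1))
    return clsids


def cfscript_registry_lines(hjt_text):
    """Emit the dead BHOs in the CFScript 'Registry::' deletion syntax."""
    return ["[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\%s]" % c
            for c in dead_bho_clsids(hjt_text)]


if __name__ == "__main__":
    for path, verdict in classify_bak_files(FINDAWF_SAMPLE).items():
        print(verdict.ljust(15), path)
    print("\nRegistry::")
    print("\n".join(cfscript_registry_lines(HJT_SAMPLE)))
```

Run against the full listings, the script would flag iTunesHelper.exe as already intact (its parent copy is present at the same size) and everything else in a bak folder as a restore candidate; the dead-BHO pass yields exactly the thirty CLSIDs that appear in the Registry:: section of the CFScript, since every O2 entry in the log other than Acrobat and Spybot is marked "(file missing)" or "(no file)".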
jessliv82
post Jul 13 2007, 08:44 PM
Post