Hijackthis log [RESOLVED]


This topic is locked

#91 Sk0rch (Member, Topic Starter, 335 posts)
Oh I actually deleted findfile.bat.

#92 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
I thought you might have; that's why I told you the instructions were in Post #51... lol

here they are again:

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\n?tdde.exe /a h > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.

#93 Sk0rch (Member, Topic Starter, 335 posts)
Oh lol whoops.

#94 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
I think I have the solution to it; reply back if you still need help.

Thanks,

Excal

#95 Sk0rch (Member, Topic Starter, 335 posts)
Yes, the popups are still annoyingly coming like crazy. If you have something that'll fix it, that is great. I still haven't done what you said in posts 86 and 90 though; I've been kinda busy lately.

#96 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
OK, that's fine. I will still need you to run that .bat from post #92 as soon as we are done with this, to verify it's gone.



Please download Killbox.

Open Killbox and check "Replace on Reboot". Make sure "Use Dummy" is also checked.

Copy this:

C:\WINDOWS\System32\n?tdde.exe

Paste it in "Full Path of File to Delete".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.

After the reboot, please run that .bat.

Thanks,

Excal

#97 Sk0rch (Member, Topic Starter, 335 posts)
OK, I did it.

Volume in drive C is HP_PAVILION
Volume Serial Number is A8E1-CAEB

Directory of C:\WINDOWS\system32

08/04/2004 02:56 AM 111,104 netdde.exe
07/21/2005 08:55 AM 401,408 n?tdde.exe
2 File(s) 512,512 bytes

Directory of C:\Documents and Settings\Owner\Desktop


-------
Logfile of HijackThis v1.99.1
Scan saved at 3:25:13 PM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\program files\steam\steam.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {13A9C7B0-D864-487D-B0AE-FCE0876F55EF} - C:\WINDOWS\system32\mfgdgdg.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PD - {EC3DAB87-C8C9-49A4-BEEB-B631A4B5EFF3} - C:\Program Files\Pop up Blocker\pd.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096169702640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124393047008
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.c.../ymmapi_416.dll
O18 - Protocol: bw+0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: IW - {F4CB1DC2-BF71-42F5-81AB-4606998A6B56} - C:\Program Files\Walker\ImageWalker220\ImageWalkerHtml.DLL
O18 - Protocol: offline-8876480 - {852BE522-37CC-4BE8-9261-CDD53D3D4C6E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

-----

#98 Sk0rch (Member, Topic Starter, 335 posts)
Ok, I looked at the thing from findfile.bat, you are trying to get rid of the netdde.exe that was created on 7/21/2005? You had me search for it in windows/system32 and I couldn't find it. I had everything listed in alphabetical order and I only saw one netdde. But then I tried searching it by date created. I went to 7/21/05 and I saw netdde.exe. It has no icon, so I think it was hidden. I'm not sure but I am going to try to delete it with Killbox.
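The file hunted in the posts above is a lookalike of the legitimate netdde.exe: the console rendered one character of its name as "?", it carried the hidden attribute, and its size (401,408 bytes) did not match the real binary (111,104 bytes), which is why an alphabetical Explorer view showed only one netdde and the copy only turned up when sorted by creation date. As an added example that is not part of the thread, the following Python script performs the same triage on a directory listing: it matches a dir-style wildcard the way findfile.bat did, reduces each filename to an ASCII skeleton so confusable or non-ASCII characters stand out, and checks exact-name system binaries against an expected size range and the hidden attribute. The listing, the baseline size ranges, and the choice of Cyrillic U+0435 as the lookalike character are constructed assumptions; the thread only ever shows that character as "?".

```python
import fnmatch
import unicodedata
from dataclasses import dataclass

# Expected system32 binaries with a plausible size range in bytes.
# Constructed baseline for this example; not taken from the thread.
BASELINE = {
    "netdde.exe": (100_000, 120_000),
    "svchost.exe": (10_000, 20_000),
}


@dataclass
class Entry:
    """One row of a directory listing: name, size in bytes, hidden attribute."""
    name: str
    size: int
    hidden: bool


# Constructed listing. The lookalike uses Cyrillic U+0435 in place of the
# Latin 'e' (an assumption); the thread's console only showed that character as '?'.
SAMPLE_LISTING = [
    Entry("netdde.exe", 111_104, hidden=False),
    Entry("n\u0435tdde.exe", 401_408, hidden=True),
    Entry("svchost.exe", 14_336, hidden=False),
    Entry("notepad.exe", 69_120, hidden=False),
]


def wildcard_hits(entries, pattern):
    """Names matching a dir-style wildcard (? = any single character),
    which is how findfile.bat caught both spellings with n?tdde.exe."""
    return [e.name for e in entries if fnmatch.fnmatchcase(e.name, pattern)]


def skeleton(name):
    """Reduce a filename to an ASCII skeleton: decompose accents, drop
    combining marks, replace every remaining non-ASCII character with '?',
    lowercase. A lookalike collapses onto the legitimate name's pattern."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue
        out.append(ch if ch.isascii() else "?")
    return "".join(out).lower()


def looks_like(skel, legit):
    """True when skel equals legit except at positions holding '?'."""
    return len(skel) == len(legit) and all(
        a == b or a == "?" for a, b in zip(skel, legit)
    )


def triage(entries, baseline=BASELINE):
    """Return (name, reason) findings: hidden or oddly sized system
    binaries, and lookalikes that differ only by confusable characters."""
    findings = []
    for e in entries:
        skel = skeleton(e.name)
        for legit, (lo, hi) in baseline.items():
            if skel == legit:
                if e.hidden:
                    findings.append((e.name, "system binary carries the hidden attribute"))
                if not lo <= e.size <= hi:
                    findings.append((e.name, f"size {e.size} outside expected {lo}-{hi}"))
            elif looks_like(skel, legit):
                findings.append((e.name, f"lookalike of {legit}: non-ASCII character in name"))
    return findings


if __name__ == "__main__":
    print(wildcard_hits(SAMPLE_LISTING, "n?tdde.exe"))
    for name, reason in triage(SAMPLE_LISTING):
        print(f"{name!r}: {reason}")
```

On a live machine the entries would come from os.scandir with the hidden bit read from the file attributes; the skeleton step is what an alphabetical directory view lacks, since a non-ASCII code point sorts wherever its code point falls rather than beside the name it imitates.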

#99 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Please uninstall Logitech Desktop Messenger. It's an unneeded program and seems to be having a conflict with your system.

Please redo post #96.


Thanks,


Excal

#100 Sk0rch (Member, Topic Starter, 335 posts)
OK, well, I couldn't find it with Killbox; I went to Browse and I didn't see it. So I just right-clicked and sent it to the Recycle Bin with Explorer. Then I clicked findfile.bat again.

Volume in drive C is HP_PAVILION
Volume Serial Number is A8E1-CAEB

Directory of C:\WINDOWS\system32

08/04/2004 02:56 AM 111,104 netdde.exe
1 File(s) 111,104 bytes

Directory of C:\Documents and Settings\Owner\Desktop

The hijackthis log still has the about:blanks.

#101 Sk0rch (Member, Topic Starter, 335 posts)
OK, well, I just got a new mouse and that Logitech thing is to customize it. I'll try to reinstall it.

#102 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
OK, when you are done please post a HijackThis log.


Thanks,


Excal

#103 Sk0rch (Member, Topic Starter, 335 posts)
It's been a while and I haven't had a popup. But it is still too early to tell.
Plus STOPzilla blocks some of the popups. But after a while it stops for some reason. And I've only got like 10 days left on the trial.
Logfile of HijackThis v1.99.1
Scan saved at 6:39:37 PM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\program files\steam\steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Winamp\Winamp.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {13A9C7B0-D864-487D-B0AE-FCE0876F55EF} - C:\WINDOWS\system32\mfgdgdg.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PD - {EC3DAB87-C8C9-49A4-BEEB-B631A4B5EFF3} - C:\Program Files\Pop up Blocker\pd.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096169702640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124393047008
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.c.../ymmapi_416.dll
O18 - Protocol: bw+0 - (no CLSID) - (no file)
O18 - Protocol: bw+0s - (no CLSID) - (no file)
O18 - Protocol: bw-0 - (no CLSID) - (no file)
O18 - Protocol: bw-0s - (no CLSID) - (no file)
O18 - Protocol: bw00 - (no CLSID) - (no file)
O18 - Protocol: bw00s - (no CLSID) - (no file)
O18 - Protocol: bw10 - (no CLSID) - (no file)
O18 - Protocol: bw10s - (no CLSID) - (no file)
O18 - Protocol: bw20 - (no CLSID) - (no file)
O18 - Protocol: bw20s - (no CLSID) - (no file)
O18 - Protocol: bw30 - (no CLSID) - (no file)
O18 - Protocol: bw30s - (no CLSID) - (no file)
O18 - Protocol: bw40 - (no CLSID) - (no file)
O18 - Protocol: bw40s - (no CLSID) - (no file)
O18 - Protocol: bw50 - (no CLSID) - (no file)
O18 - Protocol: bw50s - (no CLSID) - (no file)
O18 - Protocol: bw60 - (no CLSID) - (no file)
O18 - Protocol: bw60s - (no CLSID) - (no file)
O18 - Protocol: bw70 - (no CLSID) - (no file)
O18 - Protocol: bw70s - (no CLSID) - (no file)
O18 - Protocol: bw80 - (no CLSID) - (no file)
O18 - Protocol: bw80s - (no CLSID) - (no file)
O18 - Protocol: bw90 - (no CLSID) - (no file)
O18 - Protocol: bw90s - (no CLSID) - (no file)
O18 - Protocol: bwa0 - (no CLSID) - (no file)
O18 - Protocol: bwa0s - (no CLSID) - (no file)
O18 - Protocol: bwb0 - (no CLSID) - (no file)
O18 - Protocol: bwb0s - (no CLSID) - (no file)
O18 - Protocol: bwc0 - (no CLSID) - (no file)
O18 - Protocol: bwc0s - (no CLSID) - (no file)
O18 - Protocol: bwd0 - (no CLSID) - (no file)
O18 - Protocol: bwd0s - (no CLSID) - (no file)
O18 - Protocol: bwe0 - (no CLSID) - (no file)
O18 - Protocol: bwe0s - (no CLSID) - (no file)
O18 - Protocol: bwf0 - (no CLSID) - (no file)
O18 - Protocol: bwf0s - (no CLSID) - (no file)
O18 - Protocol: bwg0 - (no CLSID) - (no file)
O18 - Protocol: bwg0s - (no CLSID) - (no file)
O18 - Protocol: bwh0 - (no CLSID) - (no file)
O18 - Protocol: bwh0s - (no CLSID) - (no file)
O18 - Protocol: bwi0 - (no CLSID) - (no file)
O18 - Protocol: bwi0s - (no CLSID) - (no file)
O18 - Protocol: bwj0 - (no CLSID) - (no file)
O18 - Protocol: bwj0s - (no CLSID) - (no file)
O18 - Protocol: bwk0 - (no CLSID) - (no file)
O18 - Protocol: bwk0s - (no CLSID) - (no file)
O18 - Protocol: bwl0 - (no CLSID) - (no file)
O18 - Protocol: bwl0s - (no CLSID) - (no file)
O18 - Protocol: bwm0 - (no CLSID) - (no file)
O18 - Protocol: bwm0s - (no CLSID) - (no file)
O18 - Protocol: bwn0 - (no CLSID) - (no file)
O18 - Protocol: bwn0s - (no CLSID) - (no file)
O18 - Protocol: bwo0 - (no CLSID) - (no file)
O18 - Protocol: bwo0s - (no CLSID) - (no file)
O18 - Protocol: bwp0 - (no CLSID) - (no file)
O18 - Protocol: bwp0s - (no CLSID) - (no file)
O18 - Protocol: bwq0 - (no CLSID) - (no file)
O18 - Protocol: bwq0s - (no CLSID) - (no file)
O18 - Protocol: bwr0 - (no CLSID) - (no file)
O18 - Protocol: bwr0s - (no CLSID) - (no file)
O18 - Protocol: bws0 - (no CLSID) - (no file)
O18 - Protocol: bws0s - (no CLSID) - (no file)
O18 - Protocol: bwt0 - (no CLSID) - (no file)
O18 - Protocol: bwt0s - (no CLSID) - (no file)
O18 - Protocol: bwu0 - (no CLSID) - (no file)
O18 - Protocol: bwu0s - (no CLSID) - (no file)
O18 - Protocol: bwv0 - (no CLSID) - (no file)
O18 - Protocol: bwv0s - (no CLSID) - (no file)
O18 - Protocol: bww0 - (no CLSID) - (no file)
O18 - Protocol: bww0s - (no CLSID) - (no file)
O18 - Protocol: bwx0 - (no CLSID) - (no file)
O18 - Protocol: bwx0s - (no CLSID) - (no file)
O18 - Protocol: bwy0 - (no CLSID) - (no file)
O18 - Protocol: bwy0s - (no CLSID) - (no file)
O18 - Protocol: bwz0 - (no CLSID) - (no file)
O18 - Protocol: bwz0s - (no CLSID) - (no file)
O18 - Protocol: IW - {F4CB1DC2-BF71-42F5-81AB-4606998A6B56} - C:\Program Files\Walker\ImageWalker220\ImageWalkerHtml.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

Edited by Sk0rch, 22 August 2005 - 05:40 PM.
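The log just above is what the helper will work from next: IE search and start-page keys pointing at about:blank, a nameless BHO whose DLL is already gone, and a long run of O18 protocol handlers left behind as "(no CLSID) - (no file)" after Logitech Desktop Messenger was uninstalled. As an added example that is not part of the thread, here is a small Python triage of a HijackThis log that pulls out exactly those three classes of entry so the list of items to tick can be built mechanically and the repeated O18 orphans can be counted rather than read one by one. The embedded log excerpt is constructed from lines posted in this thread and is not a complete log; the rule names are this example's own.

```python
import re

# Constructed excerpt: a handful of lines taken from the logs posted in this
# thread, enough to exercise each rule. Not a complete HijackThis log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {13A9C7B0-D864-487D-B0AE-FCE0876F55EF} - C:\WINDOWS\system32\mfgdgdg.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O18 - Protocol: bw+0 - (no CLSID) - (no file)
O18 - Protocol: bw+0s - (no CLSID) - (no file)
O18 - Protocol: IW - {F4CB1DC2-BF71-42F5-81AB-4606998A6B56} - C:\Program Files\Walker\ImageWalker220\ImageWalkerHtml.DLL
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis item starts with a section code (R0, R1, O2, O18, ...)
# followed by " - " and the item body.
ITEM = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (section, body) for each HijackThis item line; other lines
    (header, process list, blanks) are ignored."""
    items = []
    for raw in text.splitlines():
        m = ITEM.match(raw.strip())
        if m:
            items.append((m.group("sec"), m.group("body")))
    return items


def triage_hjt(text):
    """Return (section, reason, body) for the entry classes the helper
    ticked in this thread. Rules are deliberately narrow: they flag what
    the thread treats as fixable, not everything unusual."""
    findings = []
    for sec, body in parse_hjt(text):
        if sec in ("R0", "R1") and body.endswith("= about:blank"):
            findings.append((sec, "IE search/start key hijacked to about:blank", body))
        elif sec == "O2" and (body.startswith("BHO: (no name)") or "(file missing)" in body):
            findings.append((sec, "BHO with no name or missing DLL", body))
        elif sec == "O18" and ("(no CLSID)" in body or "(no file)" in body):
            findings.append((sec, "orphaned protocol handler", body))
    return findings


def summarise(findings):
    """Count findings per (section, reason) so dozens of identical O18
    orphans read as one line rather than a wall of text."""
    counts = {}
    for sec, reason, _ in findings:
        counts[(sec, reason)] = counts.get((sec, reason), 0) + 1
    return counts


def fix_list(findings):
    """Reconstruct the exact HijackThis lines to tick in the Fix dialog."""
    return [f"{sec} - {body}" for sec, _, body in findings]


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_LOG)
    for (sec, reason), n in summarise(found).items():
        print(f"{sec}: {n} x {reason}")
    print("\n".join(fix_list(found)))
```

One caveat the thread itself illustrates: the O18 orphans were not malware. The earlier log shows the same handlers pointing at a valid CLSID and the Logitech BWPlugProtocol DLL; they only became "(no CLSID) - (no file)" once Desktop Messenger was removed. Dangling handlers are safe to clear with HijackThis, but a reviewer should compare against the previous log before treating an orphan as evidence of infection.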


#104 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Can you tell me anything about this program? Walker\ImageWalker220\ImageWalkerHtml.DLL


DOWNLOAD PROGRAMS


Just in case you deleted them... lol

Download CWShredder here to its own folder.

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
We will be using this program later.

Download and install CleanUp! Here
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

We will use this program later.

Download about:buster by RubbeRDuckY Here.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster

THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Now run CWShredder. Click I Agree, then Fix, then Next, and let it fix everything it asks about.

5. Close all browsers, windows and unneeded programs.

6. Open HijackThis and do a scan.

7. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {13A9C7B0-D864-487D-B0AE-FCE0876F55EF} - C:\WINDOWS\system32\mfgdgdg.dll (file missing)
O18 - Protocol: bw+0 - (no CLSID) - (no file)
O18 - Protocol: bw+0s - (no CLSID) - (no file)
O18 - Protocol: bw-0 - (no CLSID) - (no file)
O18 - Protocol: bw-0s - (no CLSID) - (no file)
O18 - Protocol: bw00 - (no CLSID) - (no file)
O18 - Protocol: bw00s - (no CLSID) - (no file)
O18 - Protocol: bw10 - (no CLSID) - (no file)
O18 - Protocol: bw10s - (no CLSID) - (no file)
O18 - Protocol: bw20 - (no CLSID) - (no file)
O18 - Protocol: bw20s - (no CLSID) - (no file)
O18 - Protocol: bw30 - (no CLSID) - (no file)
O18 - Protocol: bw30s - (no CLSID) - (no file)
O18 - Protocol: bw40 - (no CLSID) - (no file)
O18 - Protocol: bw40s - (no CLSID) - (no file)
O18 - Protocol: bw50 - (no CLSID) - (no file)
O18 - Protocol: bw50s - (no CLSID) - (no file)
O18 - Protocol: bw60 - (no CLSID) - (no file)
O18 - Protocol: bw60s - (no CLSID) - (no file)
O18 - Protocol: bw70 - (no CLSID) - (no file)
O18 - Protocol: bw70s - (no CLSID) - (no file)
O18 - Protocol: bw80 - (no CLSID) - (no file)
O18 - Protocol: bw80s - (no CLSID) - (no file)
O18 - Protocol: bw90 - (no CLSID) - (no file)
O18 - Protocol: bw90s - (no CLSID) - (no file)
O18 - Protocol: bwa0 - (no CLSID) - (no file)
O18 - Protocol: bwa0s - (no CLSID) - (no file)
O18 - Protocol: bwb0 - (no CLSID) - (no file)
O18 - Protocol: bwb0s - (no CLSID) - (no file)
O18 - Protocol: bwc0 - (no CLSID) - (no file)
O18 - Protocol: bwc0s - (no CLSID) - (no file)
O18 - Protocol: bwd0 - (no CLSID) - (no file)
O18 - Protocol: bwd0s - (no CLSID) - (no file)
O18 - Protocol: bwe0 - (no CLSID) - (no file)
O18 - Protocol: bwe0s - (no CLSID) - (no file)
O18 - Protocol: bwf0 - (no CLSID) - (no file)
O18 - Protocol: bwf0s - (no CLSID) - (no file)
O18 - Protocol: bwg0 - (no CLSID) - (no file)
O18 - Protocol: bwg0s - (no CLSID) - (no file)
O18 - Protocol: bwh0 - (no CLSID) - (no file)
O18 - Protocol: bwh0s - (no CLSID) - (no file)
O18 - Protocol: bwi0 - (no CLSID) - (no file)
O18 - Protocol: bwi0s - (no CLSID) - (no file)
O18 - Protocol: bwj0 - (no CLSID) - (no file)
O18 - Protocol: bwj0s - (no CLSID) - (no file)
O18 - Protocol: bwk0 - (no CLSID) - (no file)
O18 - Protocol: bwk0s - (no CLSID) - (no file)
O18 - Protocol: bwl0 - (no CLSID) - (no file)
O18 - Protocol: bwl0s - (no CLSID) - (no file)
O18 - Protocol: bwm0 - (no CLSID) - (no file)
O18 - Protocol: bwm0s - (no CLSID) - (no file)
O18 - Protocol: bwn0 - (no CLSID) - (no file)
O18 - Protocol: bwn0s - (no CLSID) - (no file)
O18 - Protocol: bwo0 - (no CLSID) - (no file)
O18 - Protocol: bwo0s - (no CLSID) - (no file)
O18 - Protocol: bwp0 - (no CLSID) - (no file)
O18 - Protocol: bwp0s - (no CLSID) - (no file)
O18 - Protocol: bwq0 - (no CLSID) - (no file)
O18 - Protocol: bwq0s - (no CLSID) - (no file)
O18 - Protocol: bwr0 - (no CLSID) - (no file)
O18 - Protocol: bwr0s - (no CLSID) - (no file)
O18 - Protocol: bws0 - (no CLSID) - (no file)
O18 - Protocol: bws0s - (no CLSID) - (no file)
O18 - Protocol: bwt0 - (no CLSID) - (no file)
O18 - Protocol: bwt0s - (no CLSID) - (no file)
O18 - Protocol: bwu0 - (no CLSID) - (no file)
O18 - Protocol: bwu0s - (no CLSID) - (no file)
O18 - Protocol: bwv0 - (no CLSID) - (no file)
O18 - Protocol: bwv0s - (no CLSID) - (no file)
O18 - Protocol: bww0 - (no CLSID) - (no file)
O18 - Protocol: bww0s - (no CLSID) - (no file)
O18 - Protocol: bwx0 - (no CLSID) - (no file)
O18 - Protocol: bwx0s - (no CLSID) - (no file)
O18 - Protocol: bwy0 - (no CLSID) - (no file)
O18 - Protocol: bwy0s - (no CLSID) - (no file)
O18 - Protocol: bwz0 - (no CLSID) - (no file)
O18 - Protocol: bwz0s - (no CLSID) - (no file)
8. Click the Fix Checked box.

9. Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • It will begin to check your computer for malicious files.
  • AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
  • Shut down AboutBuster. A log should have been created. Please save this log and copy it in your next post.

10. Run the program CleanUp!

11. Reboot into normal mode

12. Please post a fresh HiJackThis log. Let me know how your computer is running.
  • 0
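As an added example (not part of this thread, and not HijackThis's own code), a small Python helper that reads HijackThis log lines and picks out the three kinds of entries the fix above tells the user to tick: R0/R1 search or start pages set to about:blank, an O2 BHO whose DLL is missing, and O18 protocol handlers with no CLSID and no file, noting when the handler name follows the bw?0 / bw?0s naming pattern listed in step 7. The sample log, the benign lines and the all-zero CLSID in it are constructed for the demonstration.

```python
import re

# Constructed sample log: entries of the kinds listed in step 7 of the fix,
# plus three benign lines (constructed, placeholder CLSID) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {13A9C7B0-D864-487D-B0AE-FCE0876F55EF} - C:\WINDOWS\system32\mfgdgdg.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O18 - Protocol: bw+0 - (no CLSID) - (no file)
O18 - Protocol: bwz0s - (no CLSID) - (no file)
O18 - Protocol: example - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")   # "R1 - ...", "O18 - ..."
BW_PROTO_RE = re.compile(r"^bw[+\-0-9a-z]0s?$")                   # bw+0, bw-0s, bwa0 ... bwz0s

def parse_entry(line):
    # Split one log line into (kind, body); None for headers, blanks, etc.
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None

def protocol_name(body):
    # "Protocol: bw+0 - (no CLSID) - (no file)" -> "bw+0"
    m = re.match(r"Protocol: (\S+) - ", body)
    return m.group(1) if m else None

def classify(kind, body):
    # Return a reason string if the entry matches one of the fix criteria, else None.
    if kind in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
        return "IE search/start page hijacked to about:blank"
    if kind == "O2" and body.rstrip().endswith("(file missing)"):
        return "BHO registered but its DLL is gone"
    if kind == "O18" and "(no CLSID)" in body and "(no file)" in body:
        name = protocol_name(body) or ""
        family = " (bw?0/bw?0s naming pattern)" if BW_PROTO_RE.match(name) else ""
        return "orphaned protocol handler, no CLSID and no file" + family
    return None

def entries_to_fix(log_text):
    # Return [(line, reason)] for every entry that should be ticked in HijackThis.
    flagged = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        reason = classify(*parsed)
        if reason:
            flagged.append((line.strip(), reason))
    return flagged
```

Run `entries_to_fix(SAMPLE_LOG)` on the constructed sample and it returns the five entries the fix asks about, while leaving the three benign lines alone.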

#105
Sk0rch

Sk0rch

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 335 posts
Imagewalker is a program I downloaded. I downloaded it because someone emailed me attached pcx images and I could not open them with Paint. I think that program might be deleted though, because I do not see it under Program Files. I haven't used it for a while though. I do not remember deleting it though, so it might be somewhere else. Why, what's wrong with it?

And I'm about to do that safemode stuff you said.
  • 0
