
Help removing "TrojanSPM/LX"



#1 demian42 (New Member, 8 posts)
I'm getting plenty of pop-ups (Windows message boxes, not IE pop-ups). There are several different ones, with this message being the most popular:

There is a security vulnerability from the TrojanSPM/LX. We recommend you DOWNLOAD one of the security software programs to prevent malware infections.


I've run VirtumundoBeGone, ewido anti-spyware, VundoFix, RegCure, XoftSpySE, and I have McAfee always running. Any help would be appreciated.

My HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:58:50 PM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Avalio\AVALIO~1\COMPON~1\AVALIO~1.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperManagerExe.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Mike.DCCQ3S51\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Harmony Monitor.lnk = C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...asp/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157671600796
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O18 - Protocol: bw+0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AvalioTaskScheduler - Unknown owner - C:\PROGRA~1\Avalio\AVALIO~1\COMPON~1\AVALIO~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


My VBG (VirtumundoBeGone) files:

[09/23/2006, 13:26:49] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mike.DCCQ3S51\Local Settings\Temporary Internet Files\Content.IE5\HEAT8R5X\VirtumundoBeGone[1].exe" )
[09/23/2006, 13:28:48] - Detected System Information:
[09/23/2006, 13:28:48] - Windows Version: 5.1.2600, Service Pack 2
[09/23/2006, 13:28:48] - Current Username: Mike (Admin)
[09/23/2006, 13:28:48] - Windows is in NORMAL mode.
[09/23/2006, 13:28:48] - Searching for Browser Helper Objects:
[09/23/2006, 13:28:48] - BHO 1: {48ABBAF3-27BD-4EDE-9A0C-7138E2C28371} ()
[09/23/2006, 13:28:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 13:28:48] - Checking for HKLM\...\Winlogon\Notify\LOADGDI
[09/23/2006, 13:28:48] - Found: HKLM\...\Winlogon\Notify\LOADGDI - This is probably Virtumundo.
[09/23/2006, 13:28:48] - Assigning {48ABBAF3-27BD-4EDE-9A0C-7138E2C28371} MSEvents Object
[09/23/2006, 13:28:48] - BHO list has been changed! Starting over...
[09/23/2006, 13:28:48] - BHO 1: {48ABBAF3-27BD-4EDE-9A0C-7138E2C28371} (MSEvents Object)
[09/23/2006, 13:28:48] - ALERT: Found MSEvents Object!
[09/23/2006, 13:28:48] - Finished Searching Browser Helper Objects
[09/23/2006, 13:28:48] - *** Detected MSEvents Object
[09/23/2006, 13:28:48] - Trying to remove MSEvents Object...
[09/23/2006, 13:28:49] - Terminating Process: IEXPLORE.EXE
[09/23/2006, 13:28:49] - Terminating Process: RUNDLL32.EXE
[09/23/2006, 13:28:49] - Disabling Automatic Shell Restart
[09/23/2006, 13:28:49] - Terminating Process: EXPLORER.EXE
[09/23/2006, 13:28:49] - Suspending the NT Session Manager System Service
[09/23/2006, 13:28:49] - Terminating Windows NT Logon/Logoff Manager
[09/23/2006, 13:28:49] - Re-enabling Automatic Shell Restart
[09/23/2006, 13:28:49] - File to disable: C:\WINDOWS\system32\LOADGDI.dll
[09/23/2006, 13:28:49] - Renaming C:\WINDOWS\system32\LOADGDI.dll -> C:\WINDOWS\system32\LOADGDI.dll.vir
[09/23/2006, 13:28:49] - ! File rename was unsucessful.
[09/23/2006, 13:28:49] - Attempting to Deny Access to C:\WINDOWS\system32\LOADGDI.dll
[09/23/2006, 13:28:49] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[09/23/2006, 13:28:49] - processed file: C:\WINDOWS\system32\LOADGDI.dll

[09/23/2006, 13:28:49] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[09/23/2006, 13:28:49] - Removing HKLM\...\Browser Helper Objects\{48ABBAF3-27BD-4EDE-9A0C-7138E2C28371}
[09/23/2006, 13:28:49] - Removing HKCR\CLSID\{48ABBAF3-27BD-4EDE-9A0C-7138E2C28371}
[09/23/2006, 13:28:49] - Adding Kill Bit for ActiveX for GUID: {48ABBAF3-27BD-4EDE-9A0C-7138E2C28371}
[09/23/2006, 13:28:49] - Deleting ATLEvents/MSEvents Registry entries
[09/23/2006, 13:28:49] - Removing HKLM\...\Winlogon\Notify\LOADGDI
[09/23/2006, 13:28:49] - Searching for Browser Helper Objects:
[09/23/2006, 13:28:49] - Finished Searching Browser Helper Objects
[09/23/2006, 13:28:49] - Finishing up...
[09/23/2006, 13:28:49] - A restart is needed.
[09/23/2006, 13:28:49] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[09/23/2006, 13:29:06] - Attempting to Restart via STOP error (Blue Screen!)

[09/23/2006, 13:37:44] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mike.DCCQ3S51\Desktop\VirtumundoBeGone.exe" )
[09/23/2006, 13:37:45] - Detected System Information:
[09/23/2006, 13:37:45] - Windows Version: 5.1.2600, Service Pack 2
[09/23/2006, 13:37:45] - Current Username: Mike (Admin)
[09/23/2006, 13:37:45] - Windows is in NORMAL mode.
[09/23/2006, 13:37:45] - Searching for Browser Helper Objects:
[09/23/2006, 13:37:45] - BHO 1: {48ABBAF3-27BD-4EDE-9A0C-7138E2C28371} ()
[09/23/2006, 13:37:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 13:37:45] - Checking for HKLM\...\Winlogon\Notify\LOADGDI
[09/23/2006, 13:37:45] - Found: HKLM\...\Winlogon\Notify\LOADGDI - This is probably Virtumundo.
[09/23/2006, 13:37:45] - Assigning {48ABBAF3-27BD-4EDE-9A0C-7138E2C28371} MSEvents Object
[09/23/2006, 13:37:45] - BHO list has been changed! Starting over...
[09/23/2006, 13:37:46] - BHO 1: {48ABBAF3-27BD-4EDE-9A0C-7138E2C28371} (MSEvents Object)
[09/23/2006, 13:37:46] - ALERT: Found MSEvents Object!
[09/23/2006, 13:37:46] - Finished Searching Browser Helper Objects
[09/23/2006, 13:37:46] - *** Detected MSEvents Object
[09/23/2006, 13:37:46] - Trying to remove MSEvents Object...
[09/23/2006, 13:37:47] - Terminating Process: IEXPLORE.EXE
[09/23/2006, 13:37:47] - Terminating Process: RUNDLL32.EXE
[09/23/2006, 13:37:47] - Disabling Automatic Shell Restart
[09/23/2006, 13:37:47] - Terminating Process: EXPLORER.EXE
[09/23/2006, 13:37:47] - Suspending the NT Session Manager System Service
[09/23/2006, 13:37:47] - Terminating Windows NT Logon/Logoff Manager
[09/23/2006, 13:37:47] - Re-enabling Automatic Shell Restart
[09/23/2006, 13:37:47] - File to disable: C:\WINDOWS\system32\LOADGDI.dll
[09/23/2006, 13:37:47] - Renaming C:\WINDOWS\system32\LOADGDI.dll -> C:\WINDOWS\system32\LOADGDI.dll.vir
[09/23/2006, 13:37:47] - ! File rename was unsucessful.
[09/23/2006, 13:37:47] - Attempting to Deny Access to C:\WINDOWS\system32\LOADGDI.dll
[09/23/2006, 13:37:47] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[09/23/2006, 13:37:47] - Access denied: C:\WINDOWS\system32\LOADGDI.dll

[09/23/2006, 13:37:47] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[09/23/2006, 13:37:47] - Removing HKLM\...\Browser Helper Objects\{48ABBAF3-27BD-4EDE-9A0C-7138E2C28371}
[09/23/2006, 13:37:47] - Removing HKCR\CLSID\{48ABBAF3-27BD-4EDE-9A0C-7138E2C28371}
[09/23/2006, 13:37:47] - Adding Kill Bit for ActiveX for GUID: {48ABBAF3-27BD-4EDE-9A0C-7138E2C28371}
[09/23/2006, 13:37:47] - Deleting ATLEvents/MSEvents Registry entries
[09/23/2006, 13:37:47] - Removing HKLM\...\Winlogon\Notify\LOADGDI
[09/23/2006, 13:37:47] - Searching for Browser Helper Objects:
[09/23/2006, 13:37:47] - Finished Searching Browser Helper Objects
[09/23/2006, 13:37:47] - Finishing up...
[09/23/2006, 13:37:47] - A restart is needed.
[09/23/2006, 13:37:47] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[09/23/2006, 13:37:49] - Attempting to Restart via STOP error (Blue Screen!)


  • 0



#2 Wizard (Retired Staff, 5,661 posts)
Hi demian42, and welcome to Geeks to Go!


If you will, please go to the HijackThis folder and right-click on HijackThis.exe.

Select Rename and rename it to foo.exe.

Double-click foo.exe to launch HijackThis.

Do a System Scan and Save a Logfile.


Download combofix.exe:
http://download.blee...Bs/combofix.exe

Restart in Safe Mode.

Double-click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Restart in Normal Mode and post the log from ComboFix and the new HijackThis log.
  • 0
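
Added example, not from the thread or from any of the tools named in it: the check the VirtumundoBeGone log in post #1 walks through (an unnamed BHO whose server DLL is also registered under Winlogon\Notify), plus a cross-check of a registry snapshot against the O20 lines of a HijackThis log, which is the discrepancy visible here: VBG found Winlogon\Notify\LOADGDI while the HijackThis log in post #1 lists only WgaLogon under O20, the gap that the rename-and-rescan step in post #2 is meant to resolve. The in-memory registry snapshot, the benign second BHO and the known-good Notify list are constructed assumptions; the CLSID and the LOADGDI path are taken from the VBG log.

```python
import re
from dataclasses import dataclass

# Assumption: the Winlogon\Notify packages that ship with Windows XP SP2. A
# helper reading these logs keeps a list like this; anything else gets a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

# HijackThis prints Winlogon Notify packages as "O20 - Winlogon Notify: <key> - <dll>".
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")


@dataclass
class RegistrySnapshot:
    """Constructed stand-in for the three registry locations the VBG log reads."""
    bhos: dict             # HKLM\...\Browser Helper Objects: CLSID -> default name ("" if none)
    inproc_servers: dict   # HKCR\CLSID\{...}\InprocServer32: CLSID -> DLL path
    winlogon_notify: dict  # HKLM\...\Winlogon\Notify: subkey -> DLLName value


def dll_stem(path: str) -> str:
    """Base name without extension: C:\\WINDOWS\\system32\\LOADGDI.dll -> LOADGDI."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def suspect_bhos(snap: RegistrySnapshot) -> list:
    """The VBG heuristic: a BHO with no default name whose server DLL is also
    registered as a Winlogon Notify package. Returns (clsid, dll, notify_key)."""
    findings = []
    for clsid, name in snap.bhos.items():
        if name:                      # the log only escalates unnamed BHOs
            continue
        dll = snap.inproc_servers.get(clsid, "")
        stem = dll_stem(dll).lower()
        match = [k for k in snap.winlogon_notify if k.lower() == stem]
        if match:
            findings.append((clsid, dll, match[0]))
    return findings


def unknown_notify_packages(snap: RegistrySnapshot) -> list:
    """Winlogon Notify subkeys outside the known-good set, as (subkey, dll)."""
    known = {n.lower() for n in KNOWN_NOTIFY}
    return sorted((k, v) for k, v in snap.winlogon_notify.items()
                  if k.lower() not in known)


def hijackthis_o20(log_text: str) -> dict:
    """Parse the O20 (Winlogon Notify) lines of a HijackThis log."""
    found = {}
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found


def hidden_from_scanner(snap: RegistrySnapshot, log_text: str) -> list:
    """Non-default Notify packages present in the registry snapshot but absent
    from the HijackThis text: what one tool saw and the other did not."""
    listed = {k.lower() for k in hijackthis_o20(log_text)}
    return sorted(k for k, _ in unknown_notify_packages(snap)
                  if k.lower() not in listed)


# --- constructed sample data ------------------------------------------------
VUNDO_CLSID = "{48ABBAF3-27BD-4EDE-9A0C-7138E2C28371}"   # from the VBG log
BENIGN_CLSID = "{00000000-0000-0000-0000-0000C0FFEE00}"  # constructed, benign

SNAPSHOT = RegistrySnapshot(
    bhos={VUNDO_CLSID: "", BENIGN_CLSID: "Example Toolbar Helper"},
    inproc_servers={VUNDO_CLSID: r"C:\WINDOWS\system32\LOADGDI.dll",
                    BENIGN_CLSID: r"C:\Program Files\Example\helper.dll"},
    winlogon_notify={"crypt32chain": "crypt32.dll",
                     "WgaLogon": r"C:\WINDOWS\SYSTEM32\WgaLogon.dll",
                     "LOADGDI": r"C:\WINDOWS\system32\LOADGDI.dll"},
)

# The only O20 line in the HijackThis log above, plus an unrelated O23 line.
HJT_EXCERPT = "\n".join([
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe",
])


def report(snap: RegistrySnapshot, log_text: str) -> dict:
    """Everything a helper would want to see at a glance."""
    return {"suspect_bhos": suspect_bhos(snap),
            "unknown_notify": unknown_notify_packages(snap),
            "hidden_from_hijackthis": hidden_from_scanner(snap, log_text)}


if __name__ == "__main__":
    for key, value in report(SNAPSHOT, HJT_EXCERPT).items():
        print(f"{key}: {value}")
```

On the sample data the BHO is flagged because its DLL and the LOADGDI Notify package are the same file, and LOADGDI is the one package the HijackThis excerpt does not show.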

#3 demian42 (Topic Starter, New Member, 8 posts)
Thanks for the response!! I followed your instructions and have attached the logs. I did a HijackThis scan in Safe Mode and in Normal Mode because I didn't know which would help you help me.

My first HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 08:31, on 06-09-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Avalio\AVALIO~1\COMPON~1\AVALIO~1.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperManagerExe.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike.DCCQ3S51\Desktop\hoo.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Harmony Monitor.lnk = C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...asp/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157671600796
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O18 - Protocol: bw+0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {0ECFD6F1-F95B-4FAB-85B8-ED8DD46EA43A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AvalioTaskScheduler - Unknown owner - C:\PROGRA~1\Avalio\AVALIO~1\COMPON~1\AVALIO~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


My combofix .... (attached: ComboFix.txt)

hijack in safe mode .... (attached: hijackthis_after__safe.txt)

hijack in normal mode .... (attached: hijackthis_after__normal.txt)
  • 0
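As an added example (not code from this thread, from HijackThis or from any of the tools named here), a small Python triage helper for the log format posted above: it parses HijackThis 1.99 lines into records and flags the entries a helper looks at first, namely the O20 Winlogon Notify hooks (the location the VirtumundoBeGone log above shows being cleaned), dead references marked "(no file)" or "(file missing)", and O23 services HijackThis could not attribute to a publisher. The sample lines are constructed from entries in the log; the record layout and flag names are this example's own.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(r"^(R\d|O\d+) - (.+)$")   # "O23 - Service: ..." -> kind, rest
DEAD_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    kind: str                  # HijackThis line type, e.g. "O4", "O20", "O23"
    name: str                  # the item's label: toolbar name, Run value, service name
    target: str                # file path, command line or URL as HijackThis printed it
    company: str = ""          # O23 only: publisher HijackThis resolved, or "Unknown owner"
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry; lines that are not HJT items give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind == "O23":
        # O23 - Service: Display name (Short) - Company - path [args] [(file missing)]
        m23 = re.match(r"Service: (.*?) - (.*?) - (.*)$", rest)
        if not m23:
            return None
        return Entry(kind, m23.group(1), m23.group(3), company=m23.group(2))
    m4 = re.match(r"(.*?): \[(.*?)\] ?(.*)$", rest)   # O4 Run values: [Name] command
    if m4:
        return Entry(kind, m4.group(2), m4.group(3))
    if " = " in rest:                                   # R0/R1 URLs, O4 Global Startup .lnk
        name, target = rest.split(" = ", 1)
        return Entry(kind, name.split(": ", 1)[-1], target)
    # Generic "Label: name - {CLSID} - target" or "Label: name - target"
    parts = rest.split(" - ")
    name = parts[0].split(": ", 1)[-1]
    return Entry(kind, name, parts[-1] if len(parts) > 1 else "")


def flag(entry: Entry) -> Entry:
    """Attach review flags; an entry with no flags is not judged clean, just lower priority."""
    if entry.kind == "O20":
        # Winlogon Notify DLLs are loaded by winlogon.exe at logon; Vundo-family
        # infections register here (the LOADGDI entry removed earlier in the thread).
        entry.flags.append("winlogon-notify")
    if any(marker in entry.target for marker in DEAD_MARKERS):
        entry.flags.append("dead-reference")    # orphaned registration, safe to clean up
    if entry.kind == "O23" and entry.company == "Unknown owner":
        entry.flags.append("unknown-owner")     # no publisher: verify the binary by hand
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse and flag every HJT item line in the log text."""
    return [flag(e) for e in map(parse_line, log_text.splitlines()) if e is not None]


def flagged(log_text: str):
    """Compact (kind, name, flags) view of the entries worth a second look."""
    return [(e.kind, e.name, tuple(e.flags)) for e in triage(log_text) if e.flags]


# Constructed sample: six lines in the shape of the thread's log.
SAMPLE_LOG = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for kind, name, flags in flagged(SAMPLE_LOG):
        print(f"{kind:<4} {name:<20} {', '.join(flags)}")
```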

#4
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Download this program:

Submit Files Packer
http://www.safer-net...g/files/sfp.zip

Highlight the entries listed below in bold and right-click, then select Copy.


C:\WINDOWS\SYSTEM32\jkklj.exe
C:\WINDOWS\SYSTEM32\LOADGDI.dll
C:\WINDOWS\SYSTEM32\awtqoll.dll



Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example Monster.cab).

Then go to:
http://www.uploadmalware.com/
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.



Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click blbeta.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".
  • 0

#5
demian42

demian42

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I submitted the files as requested. Ran the Blacklight scan with no files found.

I haven't got popups the last day or so, but have no confidence that I'm clean - what do you think?
  • 0

#6
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Go to Safe Mode and Run the Submit Files Packer again.

Add this file please, it didn't get loaded the last time.

C:\WINDOWS\SYSTEM32\LOADGDI.dll

I see it was already renamed once by something, probably ewido or an online scanner.


You said you have VundoFix?

What version is it?

Updated version was released late last week.
  • 0

#7
demian42

demian42

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I just got version 6.1.0.6 of VundoFix as instructed by the standard instructions for removing a trojan.

I have uploaded a new cab file "demian42" with that file as requested.

Thanks for your help :whistling:
  • 0

#8
Atribune

Atribune

    HijackThis Expert

  • Visiting Consultant
  • 956 posts
  • MVP
The file requested wasn't in the cab.
Run VundoFix and right-click the white list box, then select "add more files?".

In add more files type this in exactly:

C:\WINDOWS\SYSTEM32\LOADGDI.dll

Then click add files, then click close window.

Next click remove vundo. Once your machine has rebooted, you will find LOADGDI.dll.bad in the C:\Vundofix Backups folder; please send it in via upload malware.

Edited by Atribune, 25 September 2006 - 12:38 PM.

  • 0

#9
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
The ghost of Atribune speaks! :whistling:

Load all 3 files for deletion and follow his instructions please.

C:\WINDOWS\SYSTEM32\jkklj.exe
C:\WINDOWS\SYSTEM32\LOADGDI.dll
C:\WINDOWS\SYSTEM32\awtqoll.dll

  • 0

#10
demian42

demian42

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
OK, the reason that LOADGDI.dll was not in the cab file was because its name had been changed. When I browsed in the SYSTEM32 folder the file was

LOADGDI.dll.vir

I don't know what program changed the name or when this change occurred.

So, I ran VundoFix on THESE files ....
C:\WINDOWS\SYSTEM32\jkklj.exe
C:\WINDOWS\SYSTEM32\LOADGDI.dll.vir
C:\WINDOWS\SYSTEM32\awtqoll.dll

and have uploaded demian42.cab with these files ...

C:\VundoFix Backups\awtqoll.dll.bad
C:\VundoFix Backups\jkklj.exe.bad
C:\VundoFix Backups\LOADGDI.dll.vir.bad
  • 0



#11
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Let's see the log from VundoFix please.

The reason I had you add that file is because it regenerated.

Your ComboFix log:

Mike - 06-09-24 8:37:09.29 Service Pack 2
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\Mike.DCCQ3S51\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-08-23 to 2006-09-23 ))))))))))))))))))))))))))))))))))


2006-09-23 13:37 0 --a------ C:\WINDOWS\SYSTEM32\LOADGDI.dll.vir
2006-09-22 14:31 23,434 --a------ C:\WINDOWS\SYSTEM32\jkklj.exe
2006-09-22 14:31 16,934 --a------ C:\WINDOWS\SYSTEM32\LOADGDI.dll
2006-09-22 07:42 8,976 --a------ C:\WINDOWS\SYSTEM32\awtqoll.dll
2006-09-08 05:04 127,208 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2006-09-04 08:46 278,528 C:\WINDOWS\Comcast PhotoShow.scr


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-24 05:57 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-23 13:14 -------- d-------- C:\Program Files\Windows Defender
2006-09-23 10:12 -------- d-------- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\McAfee.com Personal Firewall
2006-09-20 09:29 -------- d-------- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\Comcast
2006-09-18 16:18 -------- d-------- C:\Program Files\iWin.com
2006-09-08 13:08 29696 --a------ C:\WINDOWS\mickey32.dll
2006-09-08 13:08 232784 --a------ C:\WINDOWS\Matrix Code.scr
2006-09-08 13:08 2285222 --a------ C:\WINDOWS\Matrix Code.exe
2006-09-08 13:08 -------- d-------- C:\Program Files\Screensavers.com
2006-09-08 08:13 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-03 08:43 -------- d-------- C:\Program Files\Common Files\Simple Star Shared
2006-09-03 08:43 -------- d-------- C:\Program Files\Common Files
2006-09-03 08:43 -------- d-------- C:\Program Files\Comcast
2006-09-03 08:41 -------- d---s---- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\Microsoft
2006-08-25 17:17 -------- d-------- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\Adobe
2006-08-22 09:09 -------- dr-h----- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\yahoo!
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-12 22:56 -------- d-------- C:\Program Files\Internet Explorer
2006-08-10 15:21 -------- d-------- C:\Program Files\Common Files\Oberon Media
2006-08-10 15:21 -------- d-------- C:\Program Files\Comcast Play Games
2006-08-01 20:04 -------- d-------- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\LimeWire
2006-08-01 20:03 -------- d-------- C:\Program Files\LimeWire
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-23 02:59 -------- d-------- C:\Program Files\PokerStars
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Sonic RecordNow!"=""
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Comcast\\COMCAS~1\\data\\Xtras\\mssysmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Logitech Utility"="Logi_MwX.Exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Application Accelerator\\iaanotif.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"EPSON Stylus CX4600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P26 \"EPSON Stylus CX4600 Series\" /O6 \"USB002\" /M \"Stylus CX4600\""
"VF0060 STISvc"="RunDLL32.exe V0060Pin.dll,RunDLL32EP 513"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"CTHelper"="CTHELPER.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,62,00,00,00,00,00,00,00,9e,04,00,00,da,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,62,00,00,00,00,00,00,00,9e,04,00,00,da,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"item"="Logitech Desktop Messenger"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LDMConf.exe /start"
"location"="Common Startup"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LDM]
"item"="LDM"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\mmtask]
"item"="mmtask"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"item"="MSMSGS"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCMService]
"item"="PCMService"
"command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"item"="QuickTime Task"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Sonic RecordNow!]
"item"="Sonic RecordNow!"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"hkey"="HKEY"
"key"="Run"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: Sun 09/24/2006 8:42:33.21
ComboFix.txt



So open VundoFix again and add that file please

C:\WINDOWS\SYSTEM32\LOADGDI.dll

Let VundoFix remove the file; it may take a reboot again.

Then see if you can locate this folder---> C:\Vundofix Backups



Post the results from VundoFix and let me know if you locate that folder.

#12 demian42 (New Member, Topic Starter, 8 posts)
When I run VundoFix and attempt to add C:\WINDOWS\SYSTEM32\LOADGDI.dll, I hit the Add Files button and nothing is added to the main VundoFix window. Is that because it's not there? I looked in system32 and it is not there. I don't know where the VundoFix log is. The contents of the VundoFix Backups folder:

addmorefiles.txt 0 KB
awtqoll.dll.bad 9 KB
jkklj.exe.bad 23 KB
LOADGDI.dll.vir.bad 0 KB

How rampant are these "trojans"?

#13 Wizard (Retired Staff, 5,661 posts)
Run ComboFix again and let's have a look at that report please.

#14 demian42 (New Member, Topic Starter, 8 posts)

Mike - 06-09-28 7:11:13.39 Service Pack 2
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\Mike.DCCQ3S51\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-08-28 to 2006-09-28 ))))))))))))))))))))))))))))))))))


2006-09-26 16:31 94,263 --a------ C:\WINDOWS\DLA.EXE
2006-09-26 16:31 61,500 --a------ C:\WINDOWS\SYSTEM32\DLAAPI_W.DLL
2006-09-26 15:29 7,882 --a------ C:\WINDOWS\SYSTEM32\GTKCMOS.sys
2006-09-26 15:29 7,626 --a------ C:\WINDOWS\SYSTEM32\GPCIEnum.sys
2006-09-26 15:29 7,168 --a------ C:\WINDOWS\SYSTEM32\DLPT64.sys
2006-09-26 15:29 6,977 --a------ C:\WINDOWS\SYSTEM32\DDMI2.sys
2006-09-26 15:29 6,656 --a------ C:\WINDOWS\SYSTEM32\DLPT2.sys
2006-09-26 15:29 5,632 --a------ C:\WINDOWS\SYSTEM32\GPCIEn64.sys
2006-09-26 15:29 5,120 --a------ C:\WINDOWS\SYSTEM32\GTKCMO64.sys
2006-09-26 15:29 4,608 --a------ C:\WINDOWS\SYSTEM32\DDMI64.sys
2006-09-25 09:19 184,320 --a------ C:\PlayerHost.dll
2006-09-08 05:04 127,208 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2006-09-04 08:46 278,528 C:\WINDOWSComcast PhotoShow.scr


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-28 05:06 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-26 16:39 -------- d-------- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\Roxio
2006-09-26 16:31 -------- d-------- C:\Program Files\Roxio
2006-09-26 16:31 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-09-26 16:31 -------- d-------- C:\Program Files\Common Files\Roxio Shared
2006-09-26 16:30 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-26 16:29 -------- d-------- C:\Program Files\Common Files
2006-09-26 16:26 -------- d-------- C:\Program Files\Sonic
2006-09-26 15:29 -------- d--h----- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\Gtek
2006-09-26 15:17 -------- d-------- C:\Program Files\Common Files\Sonic
2006-09-25 14:31 -------- d---s---- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\Microsoft
2006-09-25 13:57 -------- d-------- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\Adobe
2006-09-25 11:58 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-25 11:58 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-25 11:55 -------- d-------- C:\Program Files\msaccrt
2006-09-23 13:14 -------- d-------- C:\Program Files\Windows Defender
2006-09-23 10:12 -------- d-------- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\McAfee.com Personal Firewall
2006-09-20 09:29 -------- d-------- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\Comcast
2006-09-18 16:18 -------- d-------- C:\Program Files\iWin.com
2006-09-08 13:08 29696 --a------ C:\WINDOWS\mickey32.dll
2006-09-08 13:08 232784 --a------ C:\WINDOWS\Matrix Code.scr
2006-09-08 13:08 2285222 --a------ C:\WINDOWS\Matrix Code.exe
2006-09-08 13:08 -------- d-------- C:\Program Files\Screensavers.com
2006-09-03 08:43 -------- d-------- C:\Program Files\Common Files\Simple Star Shared
2006-09-03 08:43 -------- d-------- C:\Program Files\Comcast
2006-08-22 09:09 -------- dr-h----- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\yahoo!
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-12 22:56 -------- d-------- C:\Program Files\Internet Explorer
2006-08-10 15:21 -------- d-------- C:\Program Files\Common Files\Oberon Media
2006-08-10 15:21 -------- d-------- C:\Program Files\Comcast Play Games
2006-08-01 20:04 -------- d-------- C:\Documents and Settings\Mike.DCCQ3S51\Application Data\LimeWire
2006-08-01 20:03 -------- d-------- C:\Program Files\LimeWire
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Sonic RecordNow!"=""
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Comcast\\COMCAS~1\\data\\Xtras\\mssysmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Logitech Utility"="Logi_MwX.Exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Application Accelerator\\iaanotif.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"EPSON Stylus CX4600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P26 \"EPSON Stylus CX4600 Series\" /O6 \"USB002\" /M \"Stylus CX4600\""
"VF0060 STISvc"="RunDLL32.exe V0060Pin.dll,RunDLL32EP 513"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"CTHelper"="CTHELPER.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
@=""
"RoxWatchTray"="\"C:\\Program Files\\Common Files\\Roxio Shared\\SharedCOM8\\RoxWatchTray.exe\""
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,3e,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,62,00,00,00,00,00,00,00,9e,04,00,00,da,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,62,00,00,00,00,00,00,00,9e,04,00,00,da,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"item"="Logitech Desktop Messenger"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LDMConf.exe /start"
"location"="Common Startup"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LDM]
"item"="LDM"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\mmtask]
"item"="mmtask"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"item"="MSMSGS"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCMService]
"item"="PCMService"
"command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"item"="QuickTime Task"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Sonic RecordNow!]
"item"="Sonic RecordNow!"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"hkey"="HKEY"
"key"="Run"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: Thu 09/28/2006 7:16:47.70
ComboFix.txt
ComboFix2.txt



#15 Wizard (Retired Staff, 5,661 posts)
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a fresh HijackThis log.
