please check my log

Started by Ed S, Jul 05 2006 01:24 AM

You cannot reply to this topic

24 replies to this topic

#1 OFFLINE Ed S

Member

Members
13 posts

Posted 05 July 2006 - 01:24 AM

I have been battling a few things (look2me,zlob and a couple others. I think I have it pretty well cleaned up.
Please check my log and see what else I may need to do.
Thankyou
Ed

Logfile of HijackThis v1.99.1
Scan saved at 6:14:31 PM, on 7/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ProDsl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1129758907\ee\AOLSoftware.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Owner\Desktop\My Program Setup Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129758907\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdc_4.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: spamsubtract.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151983670906
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave...bugs/axhost.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.22/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfr...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp...her/MotUtil.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?315
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19....ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDC2E1B3-6CAC-49A9-B367-ADF1BE529CFD}: NameServer = 205.171.3.65 205.171.2.65
O18 - Protocol: bw+0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\ktl4l73q1.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#2 OFFLINE AndyManchesta

Power Member

Spyware Moderators
1,821 posts

Gender:Male
Location:Manchester. UK
Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 July 2006 - 09:05 PM

Hi Ed, Welcome to the forum

Can you let us know what you have used to remove infections such as look2me or zlob , was that by Anti-Spyware scanners, Anti-Virus scanners or by using fixtools ?

You have Windows Defender and Microsoft AntiSpyware installed which isnt needed, Windows Defender is the beta 2 release and Microsoft AntiSpyware is beta 1 so you can remove Microsoft AntiSpyware from the PC using the Add/Remove screen (Start menu > Control Panel > Add or Remove Programs)

Please disable the Real Time protection on Windows Defender (and Microsoft Antispyware if you leave it on the system) so it doesnt interfere with the HijackThis fixes

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Run Hijack This and choose Do A System Scan then place a check next to these entries

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [keyboard] C:\\kybrdc_4.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - h*tp://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\ktl4l73q1.dll (file missing)
O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe

Close all open browser and other windows except for Hijack This and press the Fix Checked button

After making these fixes please Reboot the PC

Next visit VirusTotal and have this file scanned:

C:\WINDOWS\poolsv.exe

Open the scan site and press Browse, locate the file and double click it to load the path into the Virus scan window then press Send, Please copy and paste the Virus scan report back, let us know if you have any problems finding the file.

Repeat the Virus scan steps for this file

C:\\kybrdc_4.exe

Please also copy and paste the results back, It looks like a DollarRevenue malware file but Id like to see the scan results for both files first

Then post back the VirusTotal Results for both files and a new HijackThis log

Cheers

Andy

#3 OFFLINE Ed S

Member

Members
13 posts

Posted 05 July 2006 - 10:36 PM

AndyManchesta, on Jul 5 2006, 04:05 PM, said:

Hi Ed, Welcome to the forum

Can you let us know what you have used to remove infections such as look2me or zlob , was that by Anti-Spyware scanners, Anti-Virus scanners or by using fixtools ?

You have Windows Defender and Microsoft AntiSpyware installed which isnt needed, Windows Defender is the beta 2 release and Microsoft AntiSpyware is beta 1 so you can remove Microsoft AntiSpyware from the PC using the Add/Remove screen (Start menu > Control Panel > Add or Remove Programs)

Please disable the Real Time protection on Windows Defender (and Microsoft Antispyware if you leave it on the system) so it doesnt interfere with the HijackThis fixes

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again.
Run Hijack This and choose Do A System Scan then place a check next to these entries

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [keyboard] C:\\kybrdc_4.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - h*tp://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\ktl4l73q1.dll (file missing)
O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe

Close all open browser and other windows except for Hijack This and press the Fix Checked button

After making these fixes please Reboot the PC

Next visit VirusTotal and have this file scanned:

C:\WINDOWS\poolsv.exe

Open the scan site and press Browse, locate the file and double click it to load the path into the Virus scan window then press Send, Please copy and paste the Virus scan report back, let us know if you have any problems finding the file.

Repeat the Virus scan steps for this file

C:\\kybrdc_4.exe

Please also copy and paste the results back, It looks like a DollarRevenue malware file but Id like to see the scan results for both files first

Then post back the VirusTotal Results for both files and a new HijackThis log

Cheers

Andy

#4 OFFLINE AndyManchesta

Power Member

Spyware Moderators
1,821 posts

Gender:Male
Location:Manchester. UK
Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 July 2006 - 10:38 PM

Please use the Posted Image

button at the bottom of the page when you reply as that doesn't quote my response back

#5 OFFLINE Ed S

Member

Members
13 posts

Posted 05 July 2006 - 10:42 PM

Andy, I use Avg, Spybot, and Adaware these three were flagging the problems but not removing them.
So i tryed Webroot Spy Sweeper and that seemed to do the most. Following are my results from today.

VirusTotalVirusTotal is a free file analisys service that works using several antivirus engines.

Select file : DistributeSSL

Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.Menu:
News Hot news in the virus/antivirus sector.
Estadisticas Statistics of VirusTotal procesing.
Virustotal More info about Virustotal.

STATUS: FINISHEDComplete scanning result of "kybrdc_4.exe", received in VirusTotal at 07.06.2006, 00:10:33 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.20 07.05.2006 HEUR/VB.Downloader
Authentium 4.93.8 07.05.2006 no virus found
Avast 4.7.844.0 07.05.2006 no virus found
AVG 386 07.04.2006 no virus found
BitDefender 7.2 07.05.2006 Trojan.Downloader.VB.TC
CAT-QuickHeal 8.00 07.05.2006 TrojanDownloader.VB.agi
ClamAV devel-20060426 07.05.2006 no virus found
DrWeb 4.33 07.05.2006 Trojan.DownLoader.10308
eTrust-InoculateIT 23.72.59 07.04.2006 no virus found
eTrust-Vet 12.6.2287 07.05.2006 no virus found
Ewido 3.5 07.05.2006 Downloader.VB.agi
Fortinet 2.77.0.0 07.05.2006 W32/VB.AGI!tr.dldr
F-Prot 3.16f 07.05.2006 no virus found
F-Prot4 4.2.1.29 07.05.2006 no virus found
Ikarus 0.2.65.0 07.05.2006 no virus found
Kaspersky 4.0.2.24 07.05.2006 Trojan-Downloader.Win32.VB.agi
McAfee 4800 07.05.2006 no virus found
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1645 07.05.2006 a variant of Win32/TrojanDownloader.Adload.AY
Norman 5.90.23 07.05.2006 no virus found
Panda 9.0.0.4 07.05.2006 no virus found
Sophos 4.07.0 07.05.2006 no virus found
Symantec 8.0 07.05.2006 Downloader
TheHacker 5.9.8.169 07.04.2006 no virus found
UNA 1.83 07.05.2006 no virus found
VBA32 3.11.0 07.04.2006 Trojan-Downloader.Win32.VB.agi
VirusBuster 4.3.7:9 07.05.2006 no virus found

Aditional Information
File size: 28672 bytes
MD5: 54986441aa8300f210a3bc27000828a2
SHA1: 58d69a987780e7fa5fe523b5bcba2c14f50c859c

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
> Go to: Home Contactar En Español
--------------------------------------------------------------------------------
http://www.virustotal.com/ :: ©Hispasec Sistemas 2004-06:: e-mail info@virustotal.com

VirusTotalVirusTotal is a free file analisys service that works using several antivirus engines.

Select file : DistributeSSL

Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.Menu:
News Hot news in the virus/antivirus sector.
Estadisticas Statistics of VirusTotal procesing.
Virustotal More info about Virustotal.

STATUS: FINISHEDComplete scanning result of "poolsv.exe", received in VirusTotal at 07.06.2006, 00:06:33 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.20 07.05.2006 Worm/Sdbot.70144.33
Authentium 4.93.8 07.05.2006 no virus found
Avast 4.7.844.0 07.05.2006 no virus found
AVG 386 07.04.2006 no virus found
BitDefender 7.2 07.05.2006 Backdoor.SDBot.BED1623B
CAT-QuickHeal 8.00 07.05.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.05.2006 no virus found
DrWeb 4.33 07.05.2006 Win32.HLLW.MyBot.based
eTrust-InoculateIT 23.72.59 07.04.2006 no virus found
eTrust-Vet 12.6.2287 07.05.2006 no virus found
Ewido 3.5 07.05.2006 Backdoor.SdBot.aad
Fortinet 2.77.0.0 07.05.2006 W32/SDBot.AAD!tr.bdr
F-Prot 3.16f 07.05.2006 no virus found
F-Prot4 4.2.1.29 07.05.2006 no virus found
Ikarus 0.2.65.0 07.05.2006 no virus found
Kaspersky 4.0.2.24 07.05.2006 Backdoor.Win32.SdBot.aad
McAfee 4800 07.05.2006 no virus found
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1645 07.05.2006 a variant of IRC/SdBot
Norman 5.90.23 07.05.2006 no virus found
Panda 9.0.0.4 07.05.2006 W32/Sdbot.HRG.worm
Sophos 4.07.0 07.05.2006 no virus found
Symantec 8.0 07.05.2006 W32.Spybot.Worm
TheHacker 5.9.8.169 07.04.2006 no virus found
UNA 1.83 07.05.2006 no virus found
VBA32 3.11.0 07.04.2006 Backdoor.Win32.SdBot.aad
VirusBuster 4.3.7:9 07.05.2006 no virus found

Aditional Information
File size: 70144 bytes
MD5: 06c7f373b3e10e83c5b8b1f71f374727
SHA1: 840209c872da116023a325619071734324bbb848
packers: PecBundle, PECompact

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
> Go to: Home Contactar En Español
--------------------------------------------------------------------------------
http://www.virustotal.com/ :: ©Hispasec Sistemas 2004-06:: e-mail info@virustotal.com

Logfile of HijackThis v1.99.1
Scan saved at 5:21:37 PM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ProDsl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1129758907\ee\AOLSoftware.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\My Program Setup Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129758907\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: spamsubtract.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151983670906
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave...bugs/axhost.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.22/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfr...outLauncher.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp...her/MotUtil.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?315
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19....ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: bw+0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Thankyou for your help,
Ed

#6 OFFLINE AndyManchesta

Power Member

Spyware Moderators
1,821 posts

Gender:Male
Location:Manchester. UK
Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 July 2006 - 11:00 PM

Hi Ed

That second file poolsv.exe is a serious infection as it could of caused damage in other area's and also allow someone to access your PC,

copy this to notepad and save it to your desktop as the steps will require a reboot.

Its still in the log so please goto Start Menu > Run > and type (or copy and paste)

sc delete POOLSVR

Press OK and you will just notice the cmd screen open and then close, then the service is marked for deletion, please then reboot the PC again and the 023 entry should not show in the log, let me know if it does

Can you send me the file so I can check what it does when it runs on the PC (it will need to be password protected so it doesnt get blocked in the email)

Goto Start Menu > My Computer > C:\Drive > Windows

Locate the poolsv.exe file then right click the file and choose Send To then Compressed Zipped Folder. This will create a copy of the file and add it to another location inside the Windows Folder named poolsv.zip, you can then right click the poolsv.exe file and choose Delete.

Find the poolsv.zip folder which has just been created and right click that zipped folder and choose Explore then goto file on the top bar and choose Add a Password , make the password malware (all lowercase) and send it to

AndyManchesta(AT) hotmail.com (replace (AT) with @)

You can then delete the poolsv.zip folder

Next delete the kybrdc_4.exe file on C:\Drive, also check for any files named drsmartload.exe or drsmartload.dat and also delete them if found.

I will post again in a few minutes regarding the rest of the cleanup but its best we get that backdoor infection removed as quickly as possible

Andy

#7 OFFLINE AndyManchesta

Power Member

Spyware Moderators
1,821 posts

Gender:Male
Location:Manchester. UK
Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 July 2006 - 11:17 PM

If you have any problems with sending the file then please just delete it so its not on your system, I just want to know what this does but it's clear that it allows someone to access your system which is a serious threat. If you do any banking on line or use any confidential sites such as ebay , paypal etc.. or have recently paid for goods using Credit card info then you need to change all passwords where applicable either from a known clean PC or once we get this clean and it would also be wise to contact the bank to notify them of your situation so they can monitor the account. Same goes for email account passwords etc..

After the above steps are complete Download smitfraudFix and Ewido

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Next download, install, and update Ewido Anti-Spyware

Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner tab at the top and then click on Complete System Scan
Ewido will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will then display "All actions have been applied" on the right.
Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back

Then copy and paste the SmitfraudFix report and the Ewido log back, If that 023 poolsv.exe doesnt go after running the sc delete command and rebooting then please let me know

Cheers

Andy

#8 OFFLINE Ed S

Member

Members
13 posts

Posted 06 July 2006 - 02:50 AM

Andy, I have done my best to follow your directions to a T. You should have recieved the zip file. Here is my log file from the first half of your directions.
Logfile of HijackThis v1.99.1
Scan saved at 7:45:30 PM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ProDsl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1129758907\ee\AOLSoftware.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\My Program Setup Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129758907\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: spamsubtract.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151983670906
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave...bugs/axhost.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.22/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfr...outLauncher.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp...her/MotUtil.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?315
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19....ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: bw+0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {037DAE56-7A92-4DBB-8D66-A862B8751BDC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

And here is the Smit and Ewido files.
SmitFraudFix v2.67

Scan done at 20:18:37.01, Wed 07/05/2006
Run from C:\Documents and Settings\Owner\Desktop\My Program Setup Files\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\dfndr?_?.exe FOUND !
C:\nwnm?_?.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\keyboard1.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.mtv.com/shared/media/news/images/f/Finding_Nemo/sq-dory-marlin-moonfish-pix.jpg"
"SubscribedURL"="http://www.mtv.com/shared/media/news/images/f/Finding_Nemo/sq-dory-marlin-moonfish-pix.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://wizardofclaws.com/lab5.jpg"
"SubscribedURL"="http://wizardofclaws.com/lab5.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://forum.ccleaner.com/style_images/4/v2/back.gif"
"SubscribedURL"="http://forum.ccleaner.com/style_images/4/v2/back.gif"
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:38:54 PM 7/5/2006

+ Scan result:

C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\WINDOWS\system32\SHAgentNew.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gtdownlr_118.ocx -> Adware.Gdown : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\09540F1C-0E49-480A-A010-E96E0F\225EA091-1A90-41B9-8457-34E307 -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\09540F1C-0E49-480A-A010-E96E0F\E4294E91-267A-4006-B7D9-F0E41D -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\09540F1C-0E49-480A-A010-E96E0F\FB341CB6-16FB-40EA-9AE6-194539 -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Sandlot Shared\slghex.dll -> Adware.SpywareStorm : Cleaned with backup (quarantined).
HKU\S-1-5-21-995463913-320296254-2443455896-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA356D79-679B-4B4C-8E49-5AF97014F4C1} -> Adware.Starware : Cleaned with backup (quarantined).
HKU\S-1-5-21-995463913-320296254-2443455896-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D49E9D35-254C-4C6A-9D17-95018D228FF5} -> Adware.Starware : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{B9FC2096-9B8F-4193-81C6-C9D5C266D2F0} -> Adware.Tickle : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\My Documents\Brandi's Folder\Yahtzee-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\LemonadeTycoonSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\Yahtzee-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\kybrdc_4[1].exe -> Downloader.VB.agi : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ONS2RIO8\nwnmc_4[1].exe -> Downloader.VB.agp : Cleaned with backup (quarantined).
C:\nwnmc_4.exe -> Downloader.VB.agp : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\dfndrc_4[1].exe -> Hijacker.VB.nh : Cleaned with backup (quarantined).
C:\dfndrc_4.exe -> Hijacker.VB.nh : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\My Program Setup Files\hijackthis\backups\backup-20060705-165427-735.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Ignored.
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Dad 1\dzwyijjo.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Dad 1\dzwyijjo.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Dad 1\dzwyijjo.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Dad 1\dzwyijjo.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Dad 1\dzwyijjo.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.91:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.61:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.62:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.68:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.100:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.99:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.106:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Chris\e4os6iry.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.103:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.104:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.105:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\dagbf5pg.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned.

::Report end

#9 OFFLINE AndyManchesta

Power Member

Spyware Moderators
1,821 posts

Gender:Male
Location:Manchester. UK
Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 06 July 2006 - 03:32 AM

Hi Ed

Sorry for the delay, I was away from the PC. Thanks for the logs.

You can fix these with HijackThis

Run Hijack This and choose Do A System Scan then place a check next to these entries

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - ht*p://install.wildtangent.com/ActiveLaunc...iveLauncher.cab

Close all open browser and other windows except for Hijack This and press the Fix Checked button

The WildTangent entry isnt anything to be concerned about, its open to debate really but it can be fixed because if its needed again when you visit their site it will just prompt you to re-install it.

http://research.sunbelt-software.com/threa...;threatid=14225

Delete this file if its still present

C:\WINDOWS\keyboard1.dat

SmitfraudFix detected a couple more but Ewido removed them. SmitfraudFix can be removed if you didnt want to keep it as we do not need to use it again.

I will download that file you sent now and see what I can find out about it.

Cheers

Andy

#10 OFFLINE Ed S

Member

Members
13 posts

Posted 06 July 2006 - 03:37 AM

Andy, I just wanted to show you these total virus scans that I did on my own as when I was looking in my C drive they just stuck out to me and they had the same time stamp on them as most of the other files that we already got rid of.
Once again thank you so much for your help,
Ed

STATUS: FINISHEDComplete scanning result of "dfndrc_4a.exe", received in VirusTotal at 07.06.2006, 05:09:15 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.20 07.05.2006 no virus found
Authentium 4.93.8 07.05.2006 no virus found
Avast 4.7.844.0 07.05.2006 no virus found
AVG 386 07.04.2006 no virus found
BitDefender 7.2 07.06.2006 no virus found
CAT-QuickHeal 8.00 07.05.2006 no virus found
ClamAV devel-20060426 07.05.2006 no virus found
DrWeb 4.33 07.06.2006 Trojan.Click.1274
eTrust-InoculateIT 23.72.60 07.06.2006 no virus found
eTrust-Vet 12.6.2287 07.05.2006 no virus found
Ewido 3.5 07.05.2006 no virus found
Fortinet 2.77.0.0 07.05.2006 DollarRevenue!tr
F-Prot 3.16f 07.05.2006 no virus found
F-Prot4 4.2.1.29 07.05.2006 no virus found
Ikarus 0.2.65.0 07.05.2006 no virus found
Kaspersky 4.0.2.24 07.06.2006 Trojan-Clicker.Win32.VB.nh
McAfee 4800 07.05.2006 DollarRevenue.gen
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1645 07.05.2006 probably a variant of Win32/TrojanClicker.VB.LI
Norman 5.90.23 07.05.2006 no virus found
Panda 9.0.0.4 07.05.2006 no virus found
Sophos 4.07.0 07.06.2006 no virus found
Symantec 8.0 07.06.2006 no virus found
TheHacker 5.9.8.169 07.04.2006 no virus found
UNA 1.83 07.05.2006 no virus found
VBA32 3.11.0 07.06.2006 no virus found
VirusBuster 4.3.7:9 07.05.2006 no virus found

VirusTotalVirusTotal is a free file analisys service that works using several antivirus engines.

Select file : DistributeSSL

Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.Menu:
News Hot news in the virus/antivirus sector.
Estadisticas Statistics of VirusTotal procesing.
Virustotal More info about Virustotal.

STATUS: FINISHEDComplete scanning result of "warebundle2.exe", received in VirusTotal at 07.06.2006, 05:15:05 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.20 07.05.2006 TR/Dldr.Smartl.A.2
Authentium 4.93.8 07.05.2006 could be a corrupted executable file
Avast 4.7.844.0 07.05.2006 no virus found
AVG 386 07.04.2006 no virus found
BitDefender 7.2 07.06.2006 Adware.Look2me.C
CAT-QuickHeal 8.00 07.05.2006 no virus found
ClamAV devel-20060426 07.05.2006 no virus found
DrWeb 4.33 07.06.2006 Adware.Look2me
eTrust-InoculateIT 23.72.60 07.06.2006 no virus found
eTrust-Vet 12.6.2287 07.05.2006 no virus found
Ewido 3.5 07.05.2006 no virus found
Fortinet 2.77.0.0 07.05.2006 suspicious
F-Prot 3.16f 07.05.2006 no virus found
F-Prot4 4.2.1.29 07.05.2006 no virus found
Ikarus 0.2.65.0 07.05.2006 no virus found
Kaspersky 4.0.2.24 07.06.2006 no virus found
McAfee 4800 07.05.2006 no virus found
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1645 07.05.2006 no virus found
Norman 5.90.23 07.05.2006 W32/SmartLoad.C
Panda 9.0.0.4 07.05.2006 no virus found
Sophos 4.07.0 07.06.2006 no virus found
Symantec 8.0 07.06.2006 no virus found
TheHacker 5.9.8.169 07.04.2006 no virus found
UNA 1.83 07.05.2006 no virus found
VBA32 3.11.0 07.06.2006 Adware.Look2me
VirusBuster 4.3.7:9 07.05.2006 no virus found

Aditional Information
File size: 481368 bytes
MD5: 849590288a2d52d71a1fd95421435d8b
SHA1: 5c6c40cff058611a83d0543903d04206580fbacd

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
> Go to: Home Contactar En Español
--------------------------------------------------------------------------------
www.virustotal.com :: ©Hispasec Sistemas 2004-06:: e-mail info@virustotal.com

VirusTotalVirusTotal is a free file analisys service that works using several antivirus engines.

Select file : DistributeSSL

Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.Menu:
News Hot news in the virus/antivirus sector.
Estadisticas Statistics of VirusTotal procesing.
Virustotal More info about Virustotal.

STATUS: FINISHEDComplete scanning result of "setup.exe", received in VirusTotal at 07.06.2006, 05:19:23 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.20 07.05.2006 no virus found
Authentium 4.93.8 07.05.2006 no virus found
Avast 4.7.844.0 07.05.2006 no virus found
AVG 386 07.04.2006 no virus found
BitDefender 7.2 07.06.2006 no virus found
CAT-QuickHeal 8.00 07.05.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.05.2006 no virus found
DrWeb 4.33 07.06.2006 Adware.DollarRevenue
eTrust-InoculateIT 23.72.60 07.06.2006 no virus found
eTrust-Vet 12.6.2287 07.05.2006 no virus found
Ewido 3.5 07.05.2006 no virus found
Fortinet 2.77.0.0 07.05.2006 no virus found
F-Prot 3.16f 07.05.2006 no virus found
F-Prot4 4.2.1.29 07.05.2006 no virus found
Ikarus 0.2.65.0 07.05.2006 no virus found
Kaspersky 4.0.2.24 07.06.2006 no virus found
McAfee 4800 07.05.2006 no virus found
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1645 07.05.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 07.05.2006 no virus found
Panda 9.0.0.4 07.05.2006 no virus found
Sophos 4.07.0 07.06.2006 no virus found
Symantec 8.0 07.06.2006 no virus found
TheHacker 5.9.8.169 07.04.2006 no virus found
UNA 1.83 07.05.2006 no virus found
VBA32 3.11.0 07.06.2006 no virus found
VirusBuster 4.3.7:9 07.05.2006 no virus found

Aditional Information
File size: 12288 bytes
MD5: b9df5d33175950d64786e1fc7dbd4723
SHA1: cc197ddefd7b6bc8e27fcee6e960077c8f0a5414
packers: PECompact, PecBundle

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
> Go to: Home Contactar En Español
--------------------------------------------------------------------------------
www.virustotal.com :: ©Hispasec Sistemas 2004-06:: e-mail info@virustotal.com

VirusTotalVirusTotal is a free file analisys service that works using several antivirus engines.

Select file : DistributeSSL

Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.Menu:
News Hot news in the virus/antivirus sector.
Estadisticas Statistics of VirusTotal procesing.
Virustotal More info about Virustotal.

STATUS: FINISHEDComplete scanning result of "setup32.exe", received in VirusTotal at 07.06.2006, 05:22:39 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.20 07.05.2006 no virus found
Authentium 4.93.8 07.05.2006 no virus found
Avast 4.7.844.0 07.05.2006 no virus found
AVG 386 07.04.2006 no virus found
BitDefender 7.2 07.06.2006 no virus found
CAT-QuickHeal 8.00 07.05.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.05.2006 no virus found
DrWeb 4.33 07.06.2006 Adware.DollarRevenue
eTrust-InoculateIT 23.72.60 07.06.2006 no virus found
eTrust-Vet 12.6.2287 07.05.2006 no virus found
Ewido 3.5 07.05.2006 no virus found
Fortinet 2.77.0.0 07.05.2006 no virus found
F-Prot 3.16f 07.05.2006 no virus found
F-Prot4 4.2.1.29 07.05.2006 no virus found
Ikarus 0.2.65.0 07.05.2006 no virus found
Kaspersky 4.0.2.24 07.06.2006 no virus found
McAfee 4800 07.05.2006 no virus found
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1645 07.05.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 07.05.2006 no virus found
Panda 9.0.0.4 07.05.2006 no virus found
Sophos 4.07.0 07.06.2006 no virus found
Symantec 8.0 07.06.2006 no virus found
TheHacker 5.9.8.169 07.04.2006 no virus found
UNA 1.83 07.05.2006 no virus found
VBA32 3.11.0 07.06.2006 no virus found
VirusBuster 4.3.7:9 07.05.2006 no virus found

Aditional Information
File size: 12288 bytes
MD5: b9df5d33175950d64786e1fc7dbd4723
SHA1: cc197ddefd7b6bc8e27fcee6e960077c8f0a5414
packers: PECompact, PecBundle

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
> Go to: Home Contactar En Español
--------------------------------------------------------------------------------
www.virustotal.com :: ©Hispasec Sistemas 2004-06:: e-mail info@virustotal.com

#11 OFFLINE Ed S

Member

Members
13 posts

Posted 06 July 2006 - 03:56 AM

Andy the last 3 files have been deleted as requested in your last post. The first 2 are no longer in the new log file.

Ed

#12 OFFLINE AndyManchesta

Power Member

Spyware Moderators
1,821 posts

Gender:Male
Location:Manchester. UK
Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 06 July 2006 - 04:08 AM

Well spotted Ed

They are all baddies and should be deleted, Im suprised Ewido didnt detect them but they are all malware. The warebundle2.exe is a look2me installer and is installed without consent with the DollarRevenue junk that you are finding,

We can run a couple more scans abit later but remove those files if they are still on the system,

I still havent run the SDBot file yet Im just getting my test PC setup so it monitors the changes and I wanted to submit the entry to an online database at Castlecops with a link to this thread so that it will make it easier for people to know what it is if it starts showing up in other HijackThis logs.

I'll reply again abit later

Andy

#13 OFFLINE AndyManchesta

Power Member

Spyware Moderators
1,821 posts

Gender:Male
Location:Manchester. UK
Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 06 July 2006 - 06:12 AM

Hi Ed

This is going to take me a while to test, it's certainly a nasty infection and someone does have access to the PC via Internet Relay Chat channels, the IP appears to be in Korea although that may not indicate where the attacker is but they have downloaded alot of junk to the machine like SurfSideKick, Look2me, Target Saver, DollarRevenue and other Trojan files (maybe some sort of affiliate scheme where they get payed for the installs), there is also some damage being caused such as Windows Services being stopped and disabled. Now you have removed the backdoor it will stop any additional junk being installed on your machine but there might be still some things we need to look at once I get everything in some sort of order, there was over 4000 packets sent and received from the PC after I run the file so I will check through them and see if it was commands being sent from the attacker to run the Adware downloaders or if there was anything else being sent.

I will update you later on how it goes.

Andy

#14 OFFLINE AndyManchesta

Power Member

Spyware Moderators
1,821 posts

Gender:Male
Location:Manchester. UK
Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 06 July 2006 - 03:44 PM

Hi Ed

Sorry for the delay, I had a few things I needed to sort out so had to put this on hold for awhile, I've still got abit more testing to do when I get the time but there isnt any rootkit infections being dropped which is always good news. This is quite a clever infection in that there is files being put on the system which do not get detected by any scanner at VirusTotal, the files are being run, renamed, moved and then deleted and then they come back again abit later so it may be a way for the attacker to have some control on the PC. All Ive seen up to now is the bundled Adware installs and no signs of keylogging or info' stealing trojans but as its clear someone does have access I do recommend you change all passwords where applicable and contact the bank if you have recently done any banking online or paid for services.

Here is some Packet Information which shows its connecting to a IRC channel and then waiting for commands

PacketData

Can you download this batch script:

Find.zip

extract it and double click Find.bat, it checks for everything that has been put on my system by this infection and also checks the registry keys that are being changed to disable services and make the system less secure. Can you post back the log after it runs (it will take afew minutes to complete the scan) Can you also let me know what you use for a firewall as we may have to do some repairs.

I need to go back out for a few hours but will check back on here later for any replies

Cheers

Andy

#15 OFFLINE Ed S

Member

Members
13 posts

Posted 06 July 2006 - 09:40 PM

Andy, I use the windows firewall which seems to have been disabled. It is marked to the off position and I am unable to turn it back on.

Here is the Find log.
--Look2Me check--

----------------------File Check-----------------------

-----------------------------------------
C:\
-----------------------------------------

-----------------------------------------
C:\Windows
-----------------------------------------

-----------------------------------------
C:\Windows\System32
-----------------------------------------

-----------------------------------------
C:\Windows\Temp
-----------------------------------------

C:\WINDOWS\Temp\$oddi$.__
C:\WINDOWS\Temp\alcupd.exe
C:\WINDOWS\Temp\Alcxmntr.exe
C:\WINDOWS\Temp\alcxwdm.cat
C:\WINDOWS\Temp\alcxwdm.inf
C:\WINDOWS\Temp\alcxwdm.sys
C:\WINDOWS\Temp\alcxwdm0.inf
C:\WINDOWS\Temp\alcxwdm1.inf
C:\WINDOWS\Temp\alsndmgr.cpl
C:\WINDOWS\Temp\alsndmgr.wav
C:\WINDOWS\Temp\AutoIt
C:\WINDOWS\Temp\CamServr.log
C:\WINDOWS\Temp\CamWizrd.log
C:\WINDOWS\Temp\ChCfg.exe
C:\WINDOWS\Temp\cov11B0.tmp
C:\WINDOWS\Temp\cov1431.tmp
C:\WINDOWS\Temp\cov167B.tmp
C:\WINDOWS\Temp\cov2BAF.tmp
C:\WINDOWS\Temp\cov2BB7.tmp
C:\WINDOWS\Temp\cov2BC8.tmp
C:\WINDOWS\Temp\cov37E.tmp
C:\WINDOWS\Temp\cov3AFB.tmp
C:\WINDOWS\Temp\covA04.tmp
C:\WINDOWS\Temp\covAB7.tmp
C:\WINDOWS\Temp\covACB.tmp
C:\WINDOWS\Temp\covB5D.tmp
C:\WINDOWS\Temp\covD4.tmp
C:\WINDOWS\Temp\covDA.tmp
C:\WINDOWS\Temp\covE4B.tmp
C:\WINDOWS\Temp\devcon.exe
C:\WINDOWS\Temp\dialup.ini
C:\WINDOWS\Temp\dialup.tmp
C:\WINDOWS\Temp\dialupstatus.out
C:\WINDOWS\Temp\flash.log
C:\WINDOWS\Temp\g3.dat
C:\WINDOWS\Temp\hpdbglog.txt
C:\WINDOWS\Temp\id.id
C:\WINDOWS\Temp\IMT9.xml
C:\WINDOWS\Temp\IMTA.xml
C:\WINDOWS\Temp\IMTB.xml
C:\WINDOWS\Temp\Instmed.log
C:\WINDOWS\Temp\InstVid.log
C:\WINDOWS\Temp\IntelGFX.log
C:\WINDOWS\Temp\jre_install.txt
C:\WINDOWS\Temp\ModemTest.exe
C:\WINDOWS\Temp\mpasbase.vdm
C:\WINDOWS\Temp\mpasdlta.vdm
C:\WINDOWS\Temp\MpCmdRun.log
C:\WINDOWS\Temp\MpEngine.dll
C:\WINDOWS\Temp\MpSigStub.log
C:\WINDOWS\Temp\NAV.log
C:\WINDOWS\Temp\netfxsl.log
C:\WINDOWS\Temp\netfxupdate.log
C:\WINDOWS\Temp\newdev.dll
C:\WINDOWS\Temp\NIS.log
C:\WINDOWS\Temp\nsd9.tmp
C:\WINDOWS\Temp\nsqB.tmp
C:\WINDOWS\Temp\oempage.log
C:\WINDOWS\Temp\payload.xml
C:\WINDOWS\Temp\RebootXP.exe
C:\WINDOWS\Temp\regincd.exe
C:\WINDOWS\Temp\regincd2.exe
C:\WINDOWS\Temp\RtlCPAPI.dll
C:\WINDOWS\Temp\RTLCPL.exe
C:\WINDOWS\Temp\SetgMgrt.txt
C:\WINDOWS\Temp\SNDSetup54.log
C:\WINDOWS\Temp\SNDUpdater54I.log
C:\WINDOWS\Temp\soundman.exe
C:\WINDOWS\Temp\SPL1E36.tmp
C:\WINDOWS\Temp\TempFolder.aaa
C:\WINDOWS\Temp\TMP00000179E75143261F73C1A8
C:\WINDOWS\Temp\unpack.log
C:\WINDOWS\Temp\WERb024.dir00
C:\WINDOWS\Temp\WGAErrLog.txt
C:\WINDOWS\Temp\WGANotify.settings
C:\WINDOWS\Temp\_ISTMP0.DIR
C:\WINDOWS\Temp\_ISTMP1.DIR
C:\WINDOWS\Temp\_ISTMP2.DIR
C:\WINDOWS\Temp\_ISTMP3.DIR
C:\WINDOWS\Temp\~INS0363.~MP
C:\WINDOWS\Temp\AutoIt\AutoIt3.exe
C:\WINDOWS\Temp\AutoIt\psapi.dll
C:\WINDOWS\Temp\Cookies\index.dat
C:\WINDOWS\Temp\History\History.IE5\index.dat
C:\WINDOWS\Temp\nsd9.tmp\nsProcess.dll
C:\WINDOWS\Temp\nsqB.tmp\nsProcess.dll
C:\WINDOWS\Temp\TempFolder.aaa\dirapi.dll
C:\WINDOWS\Temp\TempFolder.aaa\iml32.dll
C:\WINDOWS\Temp\TempFolder.aaa\xtras
C:\WINDOWS\Temp\TempFolder.aaa\xtras\budapi.x32
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\075MHFEV\clear[1].gif
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\075MHFEV\coUAprint[1].css
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\075MHFEV\plusCold[1].gif
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\075MHFEV\search_arrow_blue[1].bmp
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\075MHFEV\shared[1].css
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\075MHFEV\Statistics[1].htc
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\075MHFEV\vendorprefs[1].xml
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\32SNI3C8\coUA[1].css
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\32SNI3C8\firstpage[1].htm
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\32SNI3C8\Lang[1].js
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\32SNI3C8\note[1].gif
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\32SNI3C8\PCHSettings[1].htc
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\32SNI3C8\Statistics[1].htc
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\32SNI3C8\topbluebar[1].gif
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3IHCGQOV\Context[1].htm
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3IHCGQOV\HHWRAPPER[1].htm
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3IHCGQOV\hplogo[1].gif
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3IHCGQOV\NavBar[1].htm
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3IHCGQOV\plusHot[1].gif
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3IHCGQOV\shared[1].css
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3IHCGQOV\shared[1].js
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7CTZXL5H\Behaviors[1].css
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7CTZXL5H\blank[1].htm
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7CTZXL5H\Common[1].js
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7CTZXL5H\Common[2].js
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7CTZXL5H\minusCold[1].gif
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7CTZXL5H\NavBar[1].xml
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7CTZXL5H\PCHSettings[1].htc
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7CTZXL5H\shared[1].css
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7CTZXL5H\shared[2].css
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7CTZXL5H\shared[3].css
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7CTZXL5H\UAbrand[1].gif
C:\WINDOWS\Temp\WERb024.dir00\appcompat.txt
C:\WINDOWS\Temp\WERb024.dir00\manifest.txt
C:\WINDOWS\Temp\WERb024.dir00\rundll32.exe.hdmp
C:\WINDOWS\Temp\WERb024.dir00\rundll32.exe.mdmp
C:\WINDOWS\Temp\_ISTMP0.DIR\13ddef34.DLL
C:\WINDOWS\Temp\_ISTMP0.DIR\corecomp.ini
C:\WINDOWS\Temp\_ISTMP0.DIR\IsUninst.Exe
C:\WINDOWS\Temp\_ISTMP0.DIR\value.shl
C:\WINDOWS\Temp\_ISTMP1.DIR\15589c6.DLL
C:\WINDOWS\Temp\_ISTMP1.DIR\corecomp.ini
C:\WINDOWS\Temp\_ISTMP1.DIR\IsUninst.Exe
C:\WINDOWS\Temp\_ISTMP1.DIR\value.shl
C:\WINDOWS\Temp\_ISTMP2.DIR\7a657f.DLL
C:\WINDOWS\Temp\_ISTMP3.DIR\3976b1.DLL
C:\WINDOWS\Temp\_ISTMP3.DIR\Corecomp.ini
C:\WINDOWS\Temp\_ISTMP3.DIR\Ctl3d32.dll
C:\WINDOWS\Temp\_ISTMP3.DIR\IsUninst.Exe
C:\WINDOWS\Temp\_ISTMP3.DIR\value.shl
C:\WINDOWS\Temp\_ISTMP3.DIR\vssver.scc

-----------------------------------------
C:\Documents and Settings\Owner\Application Data
-----------------------------------------

-----------------------------------------
C:\Program Files
-----------------------------------------

-----------------------------------------
C:\Program Files\Common Files
-----------------------------------------

--------------------Registry Check---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"DisplayName"="STX from Hewlett-Packard Desktops (remove only)"
"DisplayName"="3D Groove Playback Engine"
"DisplayName"="Slyder from Hewlett-Packard Desktops (remove only)"
"DisplayName"="Orbital from Hewlett-Packard Desktops (remove only)"
"DisplayName"="Ad-Aware SE Personal"
"DisplayName"="Adobe Download Manager 2.0 (Remove Only)"
"DisplayName"="AIM Toolbar"
"DisplayName"="AOL Instant Messenger"
"DisplayName"="AOL Uninstaller"
"DisplayName"="AVG Free Edition"
"DisplayName"="Updates from HP"
"DisplayName"="Otto from Hewlett-Packard Desktops (remove only)"
"DisplayName"="Bubble Puzzle '97"
"DisplayName"="Canon Setup Utility 2.0"
"DisplayName"="Canon iP4200"
"DisplayName"="CCleaner (remove only)"
"DisplayName"="Click'N Design 3D"
"DisplayName"="Crossword Weaver 8.0"
"DisplayName"="Excavation from Hewlett-Packard Desktops (remove only)"
"DisplayName"="Canon Utilities Easy-PhotoPrint"
"DisplayName"="Easy-WebPrint"
"DisplayName"="ewido anti-spyware 4.0"
"DisplayName"="Microsoft Excel 97"
"DisplayName"="WildCards from WildGames (remove only)"
"DisplayName"="FPAdjust"
"DisplayName"="WildTangent GameChannel (remove only)"
"DisplayName"="HijackThis 1.99.1"
"DisplayName"="HP Instant Support"
"DisplayName"="HP Photo & Imaging 3.0"
"DisplayName"="iTunes"
"DisplayName"="LimeWire"
"DisplayName"="QuickTime"
"DisplayName"="Multimedia Card Reader"
"DisplayName"="Java Web Start"
"DisplayName"="Windows XP Hotfix - KB834707"
"DisplayName"="Windows XP Hotfix - KB867282"
"DisplayName"="Microsoft Data Access Components KB870669"
"DisplayName"="Windows XP Hotfix - KB873333"
"DisplayName"="Windows XP Hotfix - KB873339"
"DisplayName"="Security Update for Windows XP (KB883939)"
"DisplayName"="Windows XP Hotfix - KB885250"
"DisplayName"="Windows XP Hotfix - KB885835"
"DisplayName"="Windows XP Hotfix - KB885836"
"DisplayName"="Windows XP Hotfix - KB886185"
"DisplayName"="Windows XP Hotfix - KB887472"
"DisplayName"="Windows XP Hotfix - KB887742"
"DisplayName"="Windows XP Hotfix - KB888113"
"DisplayName"="Windows XP Hotfix - KB888302"
"DisplayName"="Security Update for Windows XP (KB890046)"
"DisplayName"="Windows XP Hotfix - KB890047"
"DisplayName"="Windows XP Hotfix - KB890175"
"DisplayName"="Windows XP Hotfix - KB890859"
"DisplayName"="Windows XP Hotfix - KB890923"
"DisplayName"="Windows XP Hotfix - KB891781"
"DisplayName"="Windows XP Hotfix - KB893066"
"DisplayName"="Windows XP Hotfix - KB893086"
"DisplayName"="Security Update for Windows XP (KB893756)"
"DisplayName"="Windows Installer 3.1 (KB893803)"
"DisplayName"="Windows Installer 3.1 (KB893803)"
"DisplayName"="Update for Windows XP (KB894391)"
"DisplayName"="Security Update for Windows XP (KB896358)"
"DisplayName"="Security Update for Windows XP (KB896422)"
"DisplayName"="Security Update for Windows XP (KB896423)"
"DisplayName"="Security Update for Windows XP (KB896424)"
"DisplayName"="Security Update for Windows XP (KB896428)"
"DisplayName"="Security Update for Windows XP (KB896688)"
"DisplayName"="Update for Windows XP (KB896727)"
"DisplayName"="Security Update for Step By Step Interactive Training (KB898458)"
"DisplayName"="Update for Windows XP (KB898461)"
"DisplayName"="Security Update for Windows XP (KB899587)"
"DisplayName"="Security Update for Windows XP (KB899588)"
"DisplayName"="Security Update for Windows XP (KB899591)"
"DisplayName"="Update for Windows XP (KB900485)"
"DisplayName"="Security Update for Windows XP (KB900725)"
"DisplayName"="Security Update for Windows XP (KB901017)"
"DisplayName"="Security Update for Windows XP (KB901214)"
"DisplayName"="Security Update for Windows XP (KB902400)"
"DisplayName"="Security Update for Windows XP (KB903235)"
"DisplayName"="Security Update for Windows XP (KB904706)"
"DisplayName"="Security Update for Windows XP (KB905414)"
"DisplayName"="Security Update for Windows XP (KB905749)"
"DisplayName"="Security Update for Windows XP (KB905915)"
"DisplayName"="Security Update for Windows XP (KB908519)"
"DisplayName"="Security Update for Windows XP (KB908531)"
"DisplayName"="Update for Windows XP (KB910437)"
"DisplayName"="Security Update for Windows XP (KB911280)"
"DisplayName"="Security Update for Windows XP (KB911562)"
"DisplayName"="Security Update for Windows Media Player (KB911564)"
"DisplayName"="Security Update for Windows Media Player 10 (KB911565)"
"DisplayName"="Security Update for Windows XP (KB911567)"
"DisplayName"="Security Update for Windows XP (KB911927)"
"DisplayName"="Security Update for Windows XP (KB912812)"
"DisplayName"="Security Update for Windows XP (KB912919)"
"DisplayName"="Security Update for Windows XP (KB913446)"
"DisplayName"="Security Update for Windows XP (KB913580)"
"DisplayName"="Security Update for Windows XP (KB914389)"
"DisplayName"="Security Update for Windows XP (KB916281)"
"DisplayName"="Security Update for Windows XP (KB917344)"
"DisplayName"="Security Update for Windows Media Player 10 (KB917734)"
"DisplayName"="Security Update for Windows XP (KB917953)"
"DisplayName"="Security Update for Windows XP (KB918439)"
"DisplayName"="KBD"
"DisplayName"="LimeWire 4.12.3"
"DisplayName"="LiveReg (Symantec Corporation)"
"DisplayName"="LiveUpdate 2.6 (Symantec Corporation)"
"DisplayName"="Logitech Print Service"
"DisplayName"="Microsoft .NET Framework 1.1 Hotfix (KB886903)"
"DisplayName"="Macromedia Shockwave Player"
"DisplayName"="Microsoft .NET Framework 1.1"
"DisplayName"="iRiver Updater"
"DisplayName"="MSN Money Investment Toolbox"
"DisplayName"="MSN Music Assistant"
"DisplayName"="MSN Toolbar"
"#DisplayName"="Nero OEM"
"ShowDisplayName"=dword:00000000
"DisplayName"="Nero Suite"
"#DisplayName"="Nero Digital"
"ShowDisplayName"=dword:00000000
"DisplayName"="Netscape (7.1)"
"DisplayName"="Netscape (7.2)"
"DisplayName"="NVIDIA Windows 2000/XP Display Drivers"
"DisplayName"="NVIDIA Gart Driver"
"DisplayName"="Sierra Print Artist 6.0"
"DisplayName"="PrintMaster Gold 4.00"
"DisplayName"="PS2"
"DisplayName"="Logitechr Camera Driver"
"DisplayName"="RealPlayer"
"DisplayName"="Regal Solitaire"
"DisplayName"="S3Display"
"DisplayName"="S3Gamma2"
"DisplayName"="S3Info2"
"DisplayName"="S3Overlay"
"DisplayName"="Sandlot Games Client Services"
"DisplayName"="Shockwave"
"DisplayName"="Macromedia Flash Player 8"
"DisplayName"="SimSynth™ 2.x DEMO"
"DisplayName"="Slingo Deluxe"
"DisplayName"="SpamSubtract"
"DisplayName"="Spybot - Search & Destroy 1.4"
"DisplayName"=""
"DisplayName"="Viewpoint Media Player"
"DisplayName"="VX2 Cleaner plug-in for Ad-Aware SE"
"DisplayName"="Windows Genuine Advantage Notifications (KB905474)"
"DisplayName"="Windows Media Encoder 9 Series"
"DisplayName"="Windows Media Format Runtime"
"DisplayName"="Windows Media Player 10"
"DisplayName"="Windows XP Service Pack 2"
"DisplayName"="Yahoo! Toolbar"
"DisplayName"="Yahoo! Browser Services"
"DisplayName"="Yahoo! Internet Mail"
"DisplayName"="Yahoo! Messenger"
"DisplayName"="Yahoo! Toolbar"
"DisplayName"="Microsoft Office 2000 SR-1 Small Business"
"DisplayName"="Microsoft IntelliPoint 4.0"
"DisplayName"="Microsoft Money 2003"
"DisplayName"="Microsoft Money 2003 System Pack"
"DisplayName"="iriver Music Manager"
"DisplayName"="SkinsHP2"
"DisplayName"="Sonic Update Manager"
"DisplayName"="Space Rocks"
"DisplayName"="IntelliMover Data Transfer Demo"
"DisplayName"="HP Software Update"
"DisplayName"="Microsoft Visual J# .NET Redistributable Package 1.1"
"DisplayName"="PC-Doctor for Windows"
"DisplayName"="HpSdpAppCoreApp"
"DisplayName"="Memories Disc Creator 2.0"
"DisplayName"="Unload"
"DisplayName"="J2SE Runtime Environment 5.0 Update 3"
"DisplayName"="J2SE Runtime Environment 5.0 Update 6"
"DisplayName"="LightScribe 1.4.44.1"
"DisplayName"="BLS2005 Companion Clipart"
"DisplayName"="HPImageZone"
"DisplayName"="HPIZ Fix2"
"DisplayName"="Microsoft Windows Journal Viewer"
"DisplayName"="Photosmart 140,240,7200,7600,7700,7900 Series"
"DisplayName"="Virtual Warfare"
"DisplayName"="WordPerfect Office 11"
"DisplayName"="iTunes"
"DisplayName"="TrayApp"
"DisplayName"="HP Photo and Imaging 2.0 - Photosmart Cameras"
"DisplayName"="Pig Pen"
"DisplayName"="PhotoGallery"
"DisplayName"="QuickProjects"
"DisplayName"="Microsoft IntelliType Pro 2.1"
"DisplayName"="InstantShare"
"DisplayName"="Microsoft Works 7.0"
"DisplayName"="PSShortcutsP"
"DisplayName"="BLS-2006"
"DisplayName"="SkinsHP1"
"DisplayName"="Musicmatchr Jukebox"
"DisplayName"="Intel® Extreme Graphics Driver"
"DisplayName"="Logitech Desktop Messenger"
"DisplayName"="Microsoft Office PowerPoint Viewer 2003"
"DisplayName"="RecordNow!"
"DisplayName"="CreativeProjects"
"DisplayName"="Windows Defender Signatures"
"DisplayName"="MSN Messenger 7.0"
"DisplayName"="Adobe Reader 7.0.8"
"DisplayName"="BLS2006Clipart"
"DisplayName"="hpmdtab"
"DisplayName"="QuickTime"
"DisplayName"="HPSystemDiagnostics"
"DisplayName"="Logitech QuickCam Software"
"DisplayName"="Microsoft Plus! Digital Media Edition"
"DisplayName"="Microsoft .NET Framework 1.1"
"DisplayName"="Director"
"DisplayName"="PrintScreen"
"DisplayName"="HP Organize"
"DisplayName"="Nikon Message Center"
"DisplayName"="BLS2006 Manual"
"DisplayName"="Multimedia Card Reader"
"DisplayName"="Windows Media Encoder 9 Series"
"DisplayName"="ArcSoft Software Suite"
"DisplayName"="Java 2 Runtime Environment, SE v1.4.1_02"
"DisplayName"="HP Deskjet Preloaded Printer Drivers"
"DisplayName"="OmniPass"
"DisplayName"="Realtek AC'97 Audio"
"DisplayName"="HighMAT Extension to Microsoft Windows XP CD Writing Wizard"
"DisplayName"="PictureProject"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

#16 OFFLINE AndyManchesta

Power Member

Spyware Moderators
1,821 posts

Gender:Male
Location:Manchester. UK
Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 06 July 2006 - 10:32 PM

Hi Ed

Open Notepad (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box into Notepad making REGEDIT4 the top line.


REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Fix.reg then save it to your desktop

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes and the malicious reg entries will be removed and the other's restored to the default settings.

After running the Reg file goto Start > Run > and type (or copy and paste)

NETSH FIREWALL RESET

Press OK, then when the cmd screen closes Reboot the PC

Then check your firewall settings again

Let us know if you have any problems

Cheers

#17 OFFLINE Ed S

Member

Members
13 posts

Posted 06 July 2006 - 11:02 PM

Ok Andy went smooth as silk, the firewall is turned back on.
Ed

#18 OFFLINE AndyManchesta

Power Member

Spyware Moderators
1,821 posts

Gender:Male
Location:Manchester. UK
Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 06 July 2006 - 11:24 PM

Great News

Can you run a couple more scans now just to make sure nothing is remaining. I only based my script on what they installed on mine but if they can add those files then they could add more easily enough.

A couple of items are showing on the Add/Remove screen that can be removed and a one optional program.

The versions of Java can be removed as there is a newer version available, it's common for them to leave older versions in place when they upgrade so its easier to remove these

Java 2 Runtime Environment, SE v1.4.1_02
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6

Then get the latest version (5.0 Update 7) from Sun's website Here

Optional

Viewpoint Media Player is showing on the Add/Remove which is classed as Foistware and a Potentially unwanted program as its sometimes installed without the users consent, you can read Here for more information and there maybe some indications that they will move into tracking and displaying Adverts at some stage which you can read more about Here. If you value the service they provide then it can be left on the system but if not then it can be removed using the Add/Remove screen

Download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file. (I don't expect this to find any hidden files but it only takes a minute or two to run so its worth checking)

Next run the Kaspersky WebScanner

Please go HERE and click Kaspersky Online Scanner
Read and Accept the Agreement
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
If you see a Windows dialog asking if you want to install this software, click the Install button.
The program will launch and then begin downloading the latest definition files,
When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

Please then post the Blacklight log if it finds any hidden files and the Kaspersky log, if they look ok then your good to go

Regards

Andy

#19 OFFLINE Ed S

Member

Members
13 posts

Posted 07 July 2006 - 12:23 AM

Andy, I seemed to have hit a snag with Blacklight. When I try to run it I get the error. Blacklight could not aquire the necssary privilages.(SeDebug Privilage)
Your computer settings may prevent aquring them. A malicious program may have diabled them.

What now?

#20 OFFLINE AndyManchesta

Power Member

Spyware Moderators
1,821 posts

Gender:Male
Location:Manchester. UK
Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 07 July 2006 - 03:12 AM

Hi Ed

Sorry I didnt even consider that would still be a problem, the Look2me infection removed the privilege but with SpySweeper being able to remove it from the system Id assumed it would of also repaired the damage :rolleyes:

We may as well run the Look2me fix incase there is any parts remaining as the batch script I asked you to use only looked for .dll files in the system32 folder, Ive not tried running this when there isnt a active infection so hopefully it will go ok and restore the SeDebugPrivilege.

If you have any problems with this program not opening after you select run as a task then just move it to C:\drive and attempt to run it again. It doesnt happen often though.

Please download Look2Me-Destroyer.exe to your desktop.

Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt into this topic.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX

After its finished and rebooted then try Blacklight again

Andy

Back to Spyware Hell