Infected Desktop

Question

'Click here to scan your pc for spyware' appears on desktop and cannot be deleted. AVG detects obfuskat everyday. WHere is button to attach file (i.e. hijack this log file???

Message can't exceed 20000 characters. How to post hijack log?

O23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe

--
End of file - 22219 bytes

Any help would be appreciated.

Baltoe

Bugbatter · Answer

Welcome. Thank you for using Dell Community Forums.
I am reviewing your log.
In the meantime, you can help me by doing the following:

* Have you have posted this issue on another forum? If so, please provide a link to the topic.

* If you are using any cracked software, please remove it.
Definition of cracked software:
http://en.wikipedia.org/wiki/Software_cracking

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.
The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state.
A list of P2P's is here: http://www.castlecops.com/t204179-P2P_programs_we_ask_that_you_remove_first.html

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.

** We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case.
Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

* Please go to Add/Remove Programs and remove Logitech Desktop Messenger. Then please post a new HijackThis log below. It will be shorter. :)

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

I look forward to your reply.

The instructions in this topic are only for this Forum member.
Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance, and you will make a cleanup of your system more difficult.

baltoe · Answer

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:09:06 AM, on 13/05/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16574)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Ahead\InCD\InCDsrv.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\PMJ151LA.BINC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\MsPMSPSv.exeC:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\Explorer.EXEC:\Documents and Settings\All Users\Application Data\qbehghmb\wlofgjez.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\Java\jre1.5.0\bin\jusched.exeC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\Program Files\LogMeIn\x86\LogMeInSystray.exeC:\Program Files\Matrox Graphics Inc\PowerDesk HF\Matrox.PowerDesk.PDeskNet.exeC:\Program Files\Ahead\InCD\InCD.exeC:\WINDOWS\HCWemMON.exeC:\WINDOWS\Mixer.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\WINDOWS\system32\devldr32.exeC:\Program Files\Skype\Phone\Skype.exeC:\WINDOWS\system32\ctfmon.exec:\program files\matrox graphics inc\powerdesk hf\Matrox.PowerDesk.Communications.exeC:\DOCUME~1\IANMAC~1\LOCALS~1\Temp\bwgo00013a54.exeC:\Program Files\Google\Google Updater\GoogleUpdater.exeC:\Program Files\Microsoft AntiSpyware\gcasDtServ.exeC:\Program Files\Skype\Plugin Manager\skypePM.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\WINDOWS\system32\xxywTKdd.dll (file missing)O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO4 - HKLM\..\Run: [!AVG Anti-Spyware] 'C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe' /minimizedO4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exeO4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exeO4 - HKLM\..\Run: [RemoteControl] 'C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe'O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [Matrox PowerDesk 8] 'C:\Program Files\Matrox Graphics Inc\PowerDesk HF\matrox.powerdesk.exe' /silentO4 - HKLM\..\Run: [LogMeIn GUI] 'C:\Program Files\LogMeIn\x86\LogMeInSystray.exe'O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe'O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exeO4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exeO4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exeO4 - HKLM\..\Run: [emMON] HCWemMON.exeO4 - HKLM\..\Run: [cftmon] C:\WINDOWS\system32\cftmon.exeO4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startupO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] 'C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe'O4 - HKLM\..\Run: [gcasServ] 'C:\Program Files\Microsoft AntiSpyware\gcasServ.exe'O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [Skype] 'C:\Program Files\Skype\Phone\Skype.exe' /nosplash /minimizedO4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKLM\..\Policies\Explorer\Run: [twLHU01kfk] C:\Documents and Settings\All Users\Application Data\qbehghmb\wlofgjez.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Readereader_sl.exeO4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exeO4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exeO4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin
pjpi150.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin
pjpi150.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cabO16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100O17 - HKLM\System\CCS\Services\Tcpip\..\{192AF117-916F-46D2-BA62-D2BB714BC4BA}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\..\{31BF1BDC-AB73-4769-B5F8-2D676F0B0512}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\..\{76631661-12C5-4B26-9831-E5802236ECC4}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\..\{8A4E0A33-9189-454E-B9FB-5F4EE6501117}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\..\{DC90209E-5845-4C55-85E6-0309E6951587}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\..\{E2F80043-C094-44AA-987E-7CF322408964}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.186

baltoe · Answer

O18 - Protocol: bw+0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {DD1FAB3F-6272-461B-92D2-D835BC906E5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O20 - Winlogon Notify: xxywTKdd - xxywTKdd.dll (file missing)
O20 - Winlogon Notify: __A - C:\WINDOWS\system32\mshyta16.dll (file missing)
O21 - SSODL: mgsvflkw - {063D13E6-838B-4FFB-B1EA-FA6434332296} - C:\WINDOWS\mgsvflkw.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe

--
End of file - 22219 bytes

baltoe · Answer

I see the quote message button - very handy. Logitech messenger removed. HJT log re-posted below. No cracked software and no file sharing going on.   Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:25:22 AM, on 21/05/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16574)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Ahead\InCD\InCDsrv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\PMJ151LA.BINC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\MsPMSPSv.exeC:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exeC:\WINDOWS\Explorer.EXEC:\Documents and Settings\All Users\Application Data\qbehghmb\wlofgjez.exeC:\Program Files\Java\jre1.5.0\bin\jusched.exeC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\Program Files\LogMeIn\x86\LogMeInSystray.exeC:\Program Files\Ahead\InCD\InCD.exeC:\WINDOWS\HCWemMON.exeC:\WINDOWS\Mixer.exeC:\Program Files\Skype\Phone\Skype.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\Google Updater\GoogleUpdater.exeC:\Program Files\Matrox Graphics Inc\PowerDesk HF\Matrox.PowerDesk.PDeskNet.exeC:\DOCUME~1\IANMAC~1\LOCALS~1\Temp\bwgo0000f8a8.exec:\program files\matrox graphics inc\powerdesk hf\Matrox.PowerDesk.Communications.exeC:\Program Files\Skype\Plugin Manager\skypePM.exeC:\Program Files\Microsoft AntiSpyware\gcasDtServ.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\WINDOWS\system32\xxywTKdd.dll (file missing)O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exeO4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exeO4 - HKLM\..\Run: [RemoteControl] 'C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe'O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [Matrox PowerDesk 8] 'C:\Program Files\Matrox Graphics Inc\PowerDesk HF\matrox.powerdesk.exe' /silentO4 - HKLM\..\Run: [LogMeIn GUI] 'C:\Program Files\LogMeIn\x86\LogMeInSystray.exe'O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe'O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exeO4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exeO4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exeO4 - HKLM\..\Run: [emMON] HCWemMON.exeO4 - HKLM\..\Run: [cftmon] C:\WINDOWS\system32\cftmon.exeO4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startupO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] 'C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe'O4 - HKLM\..\Run: [gcasServ] 'C:\Program Files\Microsoft AntiSpyware\gcasServ.exe'O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [Skype] 'C:\Program Files\Skype\Phone\Skype.exe' /nosplash /minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Disk Cleaner] 'C:\Program Files\Disk Cleaner\DiskCleaner.Exe' /bootO4 - HKCU\..\Run: [Registry Helper] 'C:\Program Files\Registry Helper\RegistryHelper.Exe' /bootO4 - HKLM\..\Policies\Explorer\Run: [twLHU01kfk] C:\Documents and Settings\All Users\Application Data\qbehghmb\wlofgjez.exeO4 - HKUS\S-1-5-21-3902238223-1216078584-1609735418-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')O4 - HKUS\S-1-5-21-3902238223-1216078584-1609735418-1004\..\Run: [Skype] 'C:\Program Files\Skype\Phone\Skype.exe' /nosplash /minimized (User '?')O4 - HKUS\S-1-5-21-3902238223-1216078584-1609735418-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')O4 - HKUS\S-1-5-21-3902238223-1216078584-1609735418-1004\..\Run: [Disk Cleaner] 'C:\Program Files\Disk Cleaner\DiskCleaner.Exe' /boot (User '?')O4 - HKUS\S-1-5-21-3902238223-1216078584-1609735418-1004\..\Run: [Registry Helper] 'C:\Program Files\Registry Helper\RegistryHelper.Exe' /boot (User '?')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Readereader_sl.exeO4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exeO4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exeO4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin
pjpi150.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin
pjpi150.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cabO16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100O17 - HKLM\System\CCS\Services\Tcpip\..\{192AF117-916F-46D2-BA62-D2BB714BC4BA}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\..\{31BF1BDC-AB73-4769-B5F8-2D676F0B0512}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\..\{76631661-12C5-4B26-9831-E5802236ECC4}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\..\{8A4E0A33-9189-454E-B9FB-5F4EE6501117}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\..\{DC90209E-5845-4C55-85E6-0309E6951587}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\..\{E2F80043-C094-44AA-987E-7CF322408964}: NameServer = 85.255.113.123,85.255.112.186O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.186O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dllO20 - Winlogon Notify: xxywTKdd - xxywTKdd.dll (file missing)O20 - Winlogon Notify: __A - C:\WINDOWS\system32\mshyta16.dll (file missing)O21 - SSODL: mgsvflkw - {063D13E6-838B-4FFB-B1EA-FA6434332296} - C:\WINDOWS\mgsvflkw.dll (file missing)O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exeO23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BINO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exeO23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe --End of file - 10019 bytes THe Click here to scan your PC for SPyware has inhabited my screen and I cannot get rid of it. AVG also went sideways and they do not reply to my e-mails to re-send the program. Thanks, I am in and out of town so I cannot get back to emails on a timely basis.   Baltoe Bugbatter wrote:Welcome. Thank you for using Dell Community Forums.I am reviewing your log.In the meantime, you can help me by doing the following:* Have you have posted this issue on another forum? If so, please provide a link to the topic.* If you are using any cracked software, please remove it.Definition of cracked software:http://en.wikipedia.org/wiki/Software_cracking* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state.A list of P2P's is here: http://www.castlecops.com/t204179-P2P_programs_we_ask_that_you_remove_first.html* If this computer belongs to someone else, do you have authority to apply the fixes we will use?* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.** We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a 'RiskTool', 'Hacking tool', 'Potentially unwanted tool', or even 'malware (virus/trojan)' when that is not the case.Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between 'good' and 'malicious' use of such programs, therefore they may alert you or even automatically remove them.* Please go to Add/Remove Programs and remove Logitech Desktop Messenger. Then please post a new HijackThis log below. It will be shorter. :)* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.I look forward to your reply.The instructions in this topic are only for this Forum member.Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance, and you will make a cleanup of your system more difficult.

Bugbatter · Answer

You reply is rather long if you quote the previous message. It is really easier for us if you do not duplicate my replies. If you are in and out, please make sure no one is using the computer in your absence.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt). Close/Save that. you will need to post it in your next reply.

Please download Malwarebytes' Anti-Malware from Here or Here

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. :(see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM. Please include your report from FixWareout along with a fresh HijackThis log as well.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Message Edited by Bugbatter on 05-21-2008 05:17 PM

baltoe · Answer

Thank you for your reply. No one else uses my computer except when my daughters come home from U and use hotmail and facebook etc. I am out now for 3 days - but will invoke your prescription upon my return. Thanks again. No more quotes.

Baltoe

baltoe · Answer

I decided to start with the fix and did the first step successfully. THe malawarebytes program will not install because a message come sup saying

Unable to register the DLL/OCX: RegSvr32 with exit code 0x5, and not recommended to proceed anyway.. SHould proceed anyway?

Bugbatter · Answer

When you encounter this message: 'c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5' Click on ignore mbamext.dll

Bugbatter · Answer

Okay, thanks for letting me know. If I miss your return post, please send me a PM (click on little envelope at top) to let me know that you are back.

*If you daughters will be home, please disconnect the computer and leave them a note to let them know that they need to stay OFF the computer because you are in the process of cleaning malware.

Message Edited by Bugbatter on 05-23-2008 10:20 AM

baltoe · Answer

Username 'Ian MacLeod' - 23/05/2008  8:51:04 [Fixwareout edited 9/01/2007] ~~~~~ Prerun check Successfully flushed the DNS Resolver Cache.System was rebooted successfully. ~~~~~ Postrun checkHKLM\SOFTWARE\~\Winlogon\ 'System'='lsass.exe'........~~~~~ Misc files.....~~~~~ Checking for older varients..... ~~~~~ Current runs (hklm hkcu 'run' Keys Only)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'AAWTray'='C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe''SunJavaUpdateSched'='C:\Program Files\Java\jre1.5.0\bin\jusched.exe''RemoteControl'='\'C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe\'''QuickTime Task'='\'C:\Program Files\QuickTime\qttask.exe\' -atboottime''NeroFilterCheck'='C:\WINDOWS\system32\NeroCheck.exe''Matrox PowerDesk 8'='\'C:\Program Files\Matrox Graphics Inc\PowerDesk HF\matrox.powerdesk.exe\' /silent''LogMeIn GUI'='\'C:\Program Files\LogMeIn\x86\LogMeInSystray.exe\'''iTunesHelper'='\'C:\Program Files\iTunes\iTunesHelper.exe\'''InCD'='C:\Program Files\Ahead\InCD\InCD.exe''HP SchedIndexer'='C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe''HP AutoIndexer'='C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe''emMON'='HCWemMON.exe''cftmon'='C:\WINDOWS\system32\cftmon.exe''C-Media Mixer'='Mixer.exe /startup''ATIPTA'='C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe''Adobe Reader Speed Launcher'='\'C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe\'''gcasServ'='\'C:\Program Files\Microsoft AntiSpyware\gcasServ.exe\'' [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'swg'='C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe''Skype'='\'C:\Program Files\Skype\\Phone\Skype.exe\' /nosplash /minimized''ctfmon.exe'='C:\WINDOWS\system32\ctfmon.exe''Disk Cleaner'='\'C:\Program Files\Disk Cleaner\DiskCleaner.Exe\' /boot''Registry Helper'='\'C:\Program Files\Registry Helper\RegistryHelper.Exe\' /boot'....Hosts file was reset, If you use a custom hosts file please replace it...~~~~~ End report ~~~~~ Fixwareout report. Standing by....   Baltoe

Bugbatter · Answer

Do you have an MBAM log to post?

baltoe · Answer

Malwarebytes' Anti-Malware 1.12 Database version: 781 Scan type: Quick Scan Objects scanned: 43861 Time elapsed: 6 minute(s), 6 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

Bugbatter · Answer

Please post a fresh HijackThis log and let me know how things are running.

baltoe · Answer

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:15:40 AM, on 26/05/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16574)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Ahead\InCD\InCDsrv.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\PMJ151LA.BINC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\MsPMSPSv.exeC:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exeC:\Program Files\Java\jre1.5.0\bin\jusched.exeC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\Program Files\Matrox Graphics Inc\PowerDesk HF\Matrox.PowerDesk.PDeskNet.exeC:\Program Files\LogMeIn\x86\LogMeInSystray.exeC:\Program Files\Ahead\InCD\InCD.exeC:\WINDOWS\HCWemMON.exeC:\WINDOWS\Mixer.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Skype\Phone\Skype.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\devldr32.exec:\program files\matrox graphics inc\powerdesk hf\Matrox.PowerDesk.Communications.exeC:\Program Files\Google\Google Updater\GoogleUpdater.exeC:\Program Files\Microsoft AntiSpyware\gcasDtServ.exeC:\Program Files\Skype\Plugin Manager\skypePM.exeC:\WINDOWS\system32\hppapml0.exeC:\Program Files\Microsoft Office\Office10\OUTLOOK.EXEC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\explorer.exeC:\Program Files\AutoCAD LT 2004\aclt.exeC:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exeC:\Program Files\Microsoft Office\Office\WINWORD.EXEC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exeO4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exeO4 - HKLM\..\Run: [RemoteControl] 'C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe'O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [Matrox PowerDesk 8] 'C:\Program Files\Matrox Graphics Inc\PowerDesk HF\matrox.powerdesk.exe' /silentO4 - HKLM\..\Run: [LogMeIn GUI] 'C:\Program Files\LogMeIn\x86\LogMeInSystray.exe'O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe'O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exeO4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exeO4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exeO4 - HKLM\..\Run: [emMON] HCWemMON.exeO4 - HKLM\..\Run: [cftmon] C:\WINDOWS\system32\cftmon.exeO4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startupO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] 'C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe'O4 - HKLM\..\Run: [gcasServ] 'C:\Program Files\Microsoft AntiSpyware\gcasServ.exe'O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [Skype] 'C:\Program Files\Skype\Phone\Skype.exe' /nosplash /minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Disk Cleaner] 'C:\Program Files\Disk Cleaner\DiskCleaner.Exe' /bootO4 - HKCU\..\Run: [Registry Helper] 'C:\Program Files\Registry Helper\RegistryHelper.Exe' /bootO4 - HKUS\S-1-5-21-3902238223-1216078584-1609735418-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')O4 - HKUS\S-1-5-21-3902238223-1216078584-1609735418-1004\..\Run: [Skype] 'C:\Program Files\Skype\Phone\Skype.exe' /nosplash /minimized (User '?')O4 - HKUS\S-1-5-21-3902238223-1216078584-1609735418-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')O4 - HKUS\S-1-5-21-3902238223-1216078584-1609735418-1004\..\Run: [Disk Cleaner] 'C:\Program Files\Disk Cleaner\DiskCleaner.Exe' /boot (User '?')O4 - HKUS\S-1-5-21-3902238223-1216078584-1609735418-1004\..\Run: [Registry Helper] 'C:\Program Files\Registry Helper\RegistryHelper.Exe' /boot (User '?')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Readereader_sl.exeO4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exeO4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exeO4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin
pjpi150.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin
pjpi150.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cabO16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dllO20 - Winlogon Notify: xxywTKdd - xxywTKdd.dll (file missing)O20 - Winlogon Notify: __A - C:\WINDOWS\system32\mshyta16.dll (file missing)O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exeO23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BINO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exeO23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe --End of file - 9055 bytes Things are running a lot quicker. However, I would like to get my money's worth out of the AVG that I bought, however, I had to delete it to get the annoying pop up to stop telling me to buy it when I already had! SUggestions?

Bugbatter · Answer

So far so good.Go ahead and delete FixWareout and its report. We are finished with that.If you have an AVG question for a paid version, you could try contacting their support department or post on this forum:http://www.castlecops.com/f106-Grisoft_AVG.html If you want to install another AV, you might like to try one of the free ones. There is a list posted at the top of the Virus/Spyware Board. After reading of problems associated with AVG 8, I removed my AVG and installed Avast. So far I really like Avast.Let's continue cleaning by running Disk Cleanup in each user's profile:Click 'Start > Programs > Accessories > System Tools > Disk Cleanup'Please make sure only the following are checked:-- Downloaded Program Files-- Temporary Internet Files-- Recycle Bin-- Temporary FilesClick 'OK' and Disk Cleanup will delete those files for you.Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.Updating Java: Download the latest version of Java Runtime Environment (JRE) 6. Scroll down to where it says 'Java Runtime Environment (JRE) 6u6 allows end-users to run Java applications'. Click the 'Download' button to the right. Check the box that says: 'Accept License Agreement'. The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each of the Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version. Official JAVA Installation Instructions if needed. Following all that, please post a fresh HijackThis log for final review. If everything is running smoothly, we'll flush your System Restore. Message Edited by Bugbatter on 05-26-2008 11:53 AM

Virus & Spyware

Infected Desktop

Was this post helpful?