I have Avast Home edition 4.7 and Ad-aware 6 running on my computer. My computer is operating on Windows XP
I keep getting a pop-up telling me the I have a Trojan Horse: Win32:Zlob-BN(Trj) to be exact. I move it to the chest, even delete it and it keeps coming back, each time in a different location but always in C:/windows/system32
What should I do to remove it??
I have tried putting my computer into safe mode and running a scan that way but it still comes back. :(
PLEASE HELP!!
Hi, EmilyW. Welcome to LzD.
Please download HijackThis© from: http://www.thespykiller.co.uk/files/HJTsetup.exe .
Note: This is a complete installer that installs HijackThis to your computer to at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.
At the download prompt, choose "Save". After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it. When the installation is complete, double-click the HijackThis icon on your desktop. Select "Do a system scan and save logfile". Select a name for this first logfile. and a text file will be produced. Copy the text file and paste it here as a reply.
Logfile of HijackThis v1.99.1
Scan saved at 8:43:21 AM, on 21/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.ex
e
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar =
http://www.dyvkrgmnmswu.com/Ez/RkmUXyNks34VxtGyiKZ
Ffblfl8OEdNy/fSinLswWR_FylvqroX2asR1s_AOa7.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page =
O2 - BHO: AcroIEHlprObj Class -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class -
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
- C:\Program Files\MSN
Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) -
{A9DE46B0-E749-428F-9BC7-12C2B98F9C9C} -
C:\WINDOWS\System32\kauthz.dll (file missing)
O2 - BHO: MSNToolBandBHO -
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\MSN
Toolbar\01.02.5000.1021\en-ca\msntb.dll
O2 - BHO: (no name) -
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program
Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN -
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\MSN
Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.ex
e
O4 - HKLM\..\Run: [HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray]
C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk =
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com -
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide -
{E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program
Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C}
(Checkers Class) -
http://messenger.zone.msn.com/binary/msgrchkr.cab31267.
cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC}
(MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary/MessengerStatsPAC
lient.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache/funwebproducts/ei/S
mileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B}
(Minesweeper Flags Class) -
http://messenger.zone.msn.com/binary/MineSweeper.cab31
267.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.a
pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537}
(MSN Photo Upload Tool) -
http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
(MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClie
nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592}
(ZoneIntro Class) -
http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab3424
6.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
(PopCapLoader Object) -
http://zone.msn.com/bingame/dim2/default/popcaploader_v6
.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D}
(Hotmail Attachments Control) -
http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.o
cx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF}
(Solitaire Showdown Class) -
http://messenger.zone.msn.com/binary/SolitaireShowdown.
cab31267.cab
O18 - Protocol: msnim -
{828030A1-22C1-4009-854F-8E305202313F} -
"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui -
C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) -
Unknown owner - C:\Program Files\Alwil
Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner -
C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner -
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe"
/service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner -
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe"
/service (file missing)
O23 - Service: PACSPTISVR - Sony Corporation -
C:\Program Files\Common Files\Sony
Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony
Corporation - C:\Program Files\Common Files\Sony
Shared\AVLib\Sptisrv.exe
:D Hi Emily :
I see you took my advise on the Avast Forums to come here; a wise decision.
The Helpers here are very good . Since Emily has not mentioned it, she was
advised on the Avast forums to download the Smitfraudfix program, which she
did; however, she reported on the Avast forums that she was unable to open
the program ( "but it wont let me open SmitfraudFix. It tells me that the
publisher could not be verified " ) .
Hi, Emily. For your next log, please turn ON word wrap in Notepad. I copy/pasted and edited your log for readability since it would delay response.
Logfile of HijackThis v1.99.1
Scan saved at 8:43:21 AM, on 21/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dyvkrgmnmswu.com/Ez/RkmUXyNks34VxtGyiKZFfblfl8OEdNy/fSinLswWR_FylvqroX2asR1s_AOa7.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A9DE46B0-E749-428F-9BC7-12C2B98F9C9C} - C:\WINDOWS\System32\kauthz.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
scan with HijackThis and place a checkmark next to each of the following items and click FIX CHECKED:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dyvkrgmnmswu.com/Ez/RkmUXyNks34VxtGyiKZFfblfl8OEdNy/fSinLswWR_FylvqroX2asR1s_AOa7.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {A9DE46B0-E749-428F-9BC7-12C2B98F9C9C} - C:\WINDOWS\System32\kauthz.dll (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
Close HijackThis. Shutdown/restart, do a bit of what you use your computer for, including another shutdown/restart Then post a fresh HijackThis log. Be sure to turn ON word wrap in Notepad though.
Let us know how you're doing.
Thank you!!
I will try that when I get home from work and post the log for you!!
Avast! On-Scanner is still detecting Win32:Zlob-BM [Trj], and Win32:Zlob-BN [Trj]
Here is the new log, after taking the actions you told me to do.
Logfile of HijackThis v1.99.1
Scan saved at 8:50:58 AM, on 23/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
Does Avast tell you a filepath? Is it always the same, or different each time?
It tells me where it is...which is C:/windows/system32, but it always changes where in that file it is. Sometimes its C:/windows/system32/1024, always different.
Is that what you meant
Well, before we download a bunch of other tools, let's try something simple ...
There are a number of good online a-v scanners. Pick one from this list and see if it detects/deletes what Avast is seeing.
[Note that most require Internet Explorer and ActiveX turned on]
Online virus scanners:
http://housecall.trendmicro.com/ (http://housecall.trendmicro.com/) - Trend Micro
http://www.ravantivirus.com/scan/ (http://www.ravantivirus.com/scan/) - RAV
http://www.pandasoftware.com/activescan/ (http://www.pandasoftware.com/activescan/) - Panda
http://us.mcafee.com/root/mfs/default.asp (http://us.mcafee.com/root/mfs/default.asp) - McAfee
http://www.kaspersky.com/scanforvirus.html (http://www.kaspersky.com/scanforvirus.html) - Kaspersky (single file scan)
http://online.drweb.com/ (http://online.drweb.com/) - Dr. Web
http://www.commandondemand.com/eval/index.cfm (http://www.commandondemand.com/eval/index.cfm) - Command
http://www.bitdefender.com/scan/licence.php (http://www.bitdefender.com/scan/licence.php) - BitDefender
http://security.symantec.com/sscv6/default...id=ie&venid=sym (http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym) - Symantec
BTW, I don't see anything running in your HJT log that would cause a problem.
im trying to d/l one of the online scanners now
Here is an example of the Filename, it jsut popped up 5 mins ago
C:\WINDOWS\system32\1024\ld1EFA.tmp\[Upack]
Now it is in C:\WINDOWS\system32\hp100.tmp
But this time it wont let me "Move to Chest" and I cant delete it b/c its in Windows, dont know if its an important file.
I used the MCAfee scanner and it was working well, I walked away for a minute and when I came back my internet browser had closed. So ill try another scanner, dont know what happened there.
emilyw,
I recommend that you try again to do an on-line scan but if you find that it fails again you could always Download TrojanHunter (http://www.misec.net/) can be used for a 30 day trial .
GR@PH;<'S :breakkie:
I used Symantec scanner, here is what they gave me
C:\WINDOWS\NDNuninstall4_50.exe is infected with Adware.NDotNet
C:\WINDOWS\NDNuninstall4_80.exe is infected with Adware.NDotNet
C:\WINDOWS\SYSTEM32\ld100.tmp is infected with Trojan.Emcodec
C:\WINDOWS\SYSTEM32\regperf.exe is infected with Trojan.Zlob
Hi, Emily.
C:\WINDOWS\system32\hp100.tmp
That definitely means the SmitRem infection. Emily, can you recall exactly what program wouldn't let you open S!Ri's SmitfraudFix? We will need to find a way around that to get your system clean.
I'll get the instructions together for you and be right back :)
Ok, Emily, here goes. Please be sure to ask questions or let us know if you are having a problem. If Avast or another security program asks if you shoudl run the SmitfraudFix, tell it YES:
process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. (See ttp://www.beyondlogic.org/consulting/processutil/processutil.htm )
PRINT or SAVE these instructions to text where you can access them in safe mode.
Please follow the instructions in the order given.INSTRUCTIONS:A. Download and/or update the following programs. Install them but do
NOT run them yet.
- Download SmitfraudFix (© S!Ri) to your Desktop from http://siri.urz.free.fr/Fix/SmitfraudFix.zip . Extract all the files to your Desktop and a folder named SmitfraudFix will be created on your Desktop.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsiri.urz.free.fr%2FFix%2FBitmaps%2FFolder.png&hash=17b5ae1fffedcc9de5634bbb6c6964768b7ac2f9)
- Download CCleaner from Download CCleaner from this direct link: http://www.ccleaner.com/downloadbin.asp?f=2 .
- Download ewido AntiMalware (http://www.ewido.net/en/download/). It is a free version of the program.
- Install ewido AntiMalware[list=a]
- Launch ewido, there will be a large yellow [size=18]e[/size] icon on your desktop, double-click it.
- The program will prompt you to update. Click the OK button.
- The program will now open to the main screen
- On the left-hand side of the main screen, click on Update
- Click on Start. The update will start and a progress bar will show the updates being installed.
- When complete, the status bar at the bottom will display "Update successful".
- Do not scan yet.
- If you have problems with the updater, you can use this link to manually update Ewido -- Ewido manual updates (http://www.ewido.net/en/download/updates/)
[/list]
B. Restart your computer in
Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe Mode.
- Login on your usual account.
If you need further assistance with Safe Mode, see Symantec (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
C. Open the
SmitfraudFix folder
- Double-click smitfraudfix.cmd file to start the tool.
- Select option #2 - Clean by typing 2 and press Enter.
Warning : running option #2 on a uninfected computer will remove your Desktop background.
- Wait for the tool to complete and disk cleanup to finish.
- You will be prompted : "Registry cleaning - Do you want to clean the registry?"
- Answer Yes by typing Y
- Hit Enter.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsiri.urz.free.fr%2FFix%2FBitmaps%2FFix02b.jpg&hash=1ab5a6f4691a5ee5e17959d6a36a299876c5c485)
- The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
- Answer Yes to the question "Replace infected file?" by typing Y
- Hit Enter.
- A reboot may be needed to finish the cleaning process. If your computer does not restart automatically please do it yourself manually.
- Restart in Safe Mode as instructed above.
- The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
D. Clean
Temporary Internet files with CCleaner as follows:
- Close all open programs, including Internet Explorer, Fire Fox and any instances of Windows Explorer.
- Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
- A pop up box will appear advising this process will permanently delete files from your system.
- To protect logon cookies that you wish to retain, under Options > Cookies. Select and using the arrow move those cookies to the "Cookies to keep" column.
- Then select the items you wish to clean up.
- In the Windows Tab:
- Clean all entries in the "Internet Explorer" section.
- Clean all the entries in the "Windows Explorer" section.
- Clean all entries in the "System" section except Windows Log Files.
- In the Applications Tab:
- Clean all in the Firefox/Mozilla section if you use it.
- Clean all in the Opera section if you use it.
- Clean Sun Java in the Internet Section.
- Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)
- Click the "Run Cleaner" button and it will scan and clean your system.
- Click exit.
E. Run
ewido:
- Open ewido and click on scanner
- Click on Complete System Scan and the scan will begin.
- While the scan is in progress, you will be prompted to clean files, click OK
- When prompted to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
- Checkmark the box: *Create encrypted backup in the quarantine* (recommended). Click OK.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fgladiator-antivirus.com%2Fforum%2Fupload%2Fpost-103-1142724932.gif&hash=3ec45fed650a5ac5dfbcd0473cf075665d3da3e1)
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop, or any other easily accessible location.
Now close ewido.
F.Restart in Normal Mode
G. Optional: To restore IE Trusted & Restricted Zone, open the
SmitfraudFix folder
- Double-click smitfraudfix.cmd
- Select option #3 - Delete Trusted zone by typing 3 and press Enter
- Answer Yes to the question "Restore Trusted Zone ?" by typing Y
- Hit Enter.
Note: If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
H. Double-click the
HijackThis icon on your desktop. Choose "Do a system scan and save logfile". Include the logfile with your post.
I. Create a topic of your own (or a reply if you have an existing topic) and post the following logs:
- C:\rapport.txt
- ewido log
- HijackThis log
Please let us know if any problems persist.
Thank you so much
I am going to give this a try!! Wish me luck!!
You can do it, Emily!!! :rose:
You'll be fine. We are scattered around the globe, so someone should be here to answer any questions within a reasonable amount of time.
Corrine's instructions should eliminate the rascal.
I don't have ewido AntiMalware
How do I d/l this?? and what is it?
Sorry, Emily. I must have removed the download link line when I was converting the instructions from Freedomlist to post here. For some reason, the formatting gets messed up when going from phpBB software to SMF forum software.
I edited my post above to put it in the instructions in order.
Oh, and ewido is an excellent antimalware software, includes trojans and more.
Thanks ill do that now, Had to take a break from this comp. and while I was gone no pop ups saying I have trojan horse :D
so far so good
Great, we're making progress! You'll get rid of it, don't worry.
Thank you very much!! So far nothing has popped up in almost a day :)
Okay here are the logs!!
Take your time and let me know how it appears!!
SmitFraudFix v2.62
Scan done at 19:21:37.92, 23/06/2006
Run from C:\Documents and Settings\Emily\My Documents\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{05a91164-3c96-47d6-aa74-2c855791b2d0}"="incaged"
[HKEY_CLASSES_ROOT\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]
@="C:\WINDOWS\system32\ofcukiz.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]
@="C:\WINDOWS\system32\ofcukiz.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\Emily\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\MalwareWipe\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
C:\WINDOWS\system32\ofcukiz.dll -> Missing File
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:39:16 PM 23/06/2006
+ Scan result:
HKLM\SOFTWARE\Altnet -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\ADM -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\Dashboard -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\Dashboard\Setup -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\Dashboard\Temp Internet Shares -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\DownloadManager -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\LocalFiles -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\TopSearch -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaLoads Enhanced -> Adware.Downloadware : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbToolbar.HbHtmlMenuUI -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbToolbar.HbHtmlMenuUI.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbToolbar.HbHtmlMenuUI\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HbToolbar.HbHtmlMenuUI\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Hotbar.HbTravelCompareBar -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Hotbar.HbTravelCompareBar.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Hotbar.HbTravelCompareBar\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Hotbar.HbTravelCompareBar\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1538417202-3207847200-972506294-1006\Software\Updater -> Adware.KeenValue : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\MP.MediaPops -> Adware.NetworkEssentials : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\MP.MediaPops.1 -> Adware.NetworkEssentials : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\MP.MediaPops\CLSID -> Adware.NetworkEssentials : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\MP.MediaPops\CurVer -> Adware.NetworkEssentials : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall4_50.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall4_80.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer.1 -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer\CLSID -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer\CurVer -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1166\A0059913.exe -> Downloader.Zlob.th : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Ignored.
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 11:42:31 PM, on 23/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4790/mcfscan.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
Fantastic, Emily!!! Great job. Now to clean up the remnant:
Scan with HijackThis, select the following and click "fix checked"
O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp (file missing)
See this thread about updating Sun Java: http://www.landzdown.com/index.php?topic=7887.0 . For additional information on protecting your PC, please see Tony Klein's "So how did I get infected in the first place?" (http://www.landzdown.com/index.php?topic=2783.0) for important tips on how to prevent future infections. There is also a lot of helpful information in "Mitch's Good Stuff" linked from here (http://www.landzdown.com/index.php?topic=192.0).
Install and update both SpywareBlaster & SpyGuard to prevent the installation of spyware and other potentially unwanted software:
SpywareBlaster -- http://www.javacoolsoftware.com/spywareblaster.html
SpywareGuard -- http://www.javacoolsoftware.com/spywareguard.html
If you use Internet Explorer, IE-Spyad will add thousands of sites into your IE restricted zone: http://www.spywarewarrior.com/uiuc/resource.htm .
Another useful program is StartupMonitor, which will warn you when somethings tries to sneak in: http://www.mlin.net/StartupMonitor.shtml
Regards,
Corrine :rose:
Thank you very much!!
You were very helpful and now my computer is free from that stupid trojan!!
:thumbsup:
You're very welcome. I'm glad we were able to assist.
Now that you're a member here, feel free to stick around, check the Lounge, see the jokes forum, subscribe to an update thread. :)
Hi !
I have the same problem with the Zlob-BN(trj) i have downloded the HijackThis ande here is the report i have become !
Pleace hallp me to remove this Zlob-BN.
Logfile of HijackThis v1.99.1
Scan saved at 10:33:47, on 09.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\pupxpman.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\CursorXP\CursorXP.exe
C:\Programme\NoAds\NoAds.exe
C:\WINDOWS\system32\LVComS.exe
C:\Programme\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
C:\Programme\Second Nature\Snsicon.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\Programme\Avant Browser\avant.exe
C:\Programme\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gayromeo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von chello broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\pupxpman.exe
O4 - HKLM\..\Run: [PwrUpTweakMe] C:\WINDOWS\system32\PUPXPTWK.EXE /TWEAK
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Programme\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [NoAds] "C:\Programme\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programme\eMule.de\emule.exe -AutoStart
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programme\Octoshape Streaming Services\Zoran\OctoshapeClient.exe" -inv:bootrun
O4 - Global Startup: Internet Keyboard.lnk = ?
O4 - Global Startup: Snsicon.lnk = C:\Programme\Second Nature\Snsicon.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programme\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Alle Bilder von gleichem Server filtern - C:\Programme\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Blokiraj sve slike sa istog servera - C:\Programme\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Dodaj na AD Crnu Listu - C:\Programme\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Hervorheben - C:\Programme\Avant Browser\Highlight.htm
O8 - Extra context menu item: In neuem Avant Browser öffnen - C:\Programme\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Najtraženiji - C:\Programme\Avant Browser\Highlight.htm
O8 - Extra context menu item: Otvori sve linkove na ovoj stranici... - C:\Programme\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Suchen - C:\Programme\Avant Browser\Search.htm
O8 - Extra context menu item: Traži - C:\Programme\Avant Browser\Search.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programme\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programme\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programme\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Zur Werbebanner-Filterliste hinzufügen - C:\Programme\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Öffne alle Links auf dieser Seite... - C:\Programme\Avant Browser\OpenAllLinks.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .m3u: C:\Programme\Internet Explorer\PLUGINS\npqtplugin7.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.chello.at/
O16 - DPF: ConferenceRoom Java Client - http://chat.rainbow.or.at/java/cr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/de/win/QuickTimeFullInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126213112562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Protocol: bw+0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {104F9980-4F70-4364-A43B-F1D93AE60AB7} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVP-SE - Unknown owner - C:\WINDOWS\System32\avp-32.exe" -service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Hi there and welcome to the forum!
Could you please follow the same instructions Corrine gave emilyw, here (http://www.landzdown.com/index.php?topic=8506.msg28807#msg28807) please?
Let us know how you get on.
OK i will do than first the online scening and i will send you the´results .
THX very much for you´r hellp !
Did you get the problem solved I assume?