Trojan - Hijacked four surf.exe + soft date lies .exe
puzzled
HI

I'm a newbie on this forum. For about a week I've had pop ups coming up even though they were supposed to be blocked, and the homepage on my browsers (Firefox + IE) had somehow changed to a dubious site that couldn't be found.

With the help of a friend we have changed these back to my usual homepage.
But it appears that we have caught a trojan. We googled for a few hours today and found a few posts that seemed to describe similar behaviours to that of my PC.

We ran Lavasoft Ad-aware SE Professional 1.06r1 with latest updates
Did find some critical objects which we removed but that didn't fix the pop ups.

Googled more and found HiJackThis, Process Explorer, VirtualMondeRemover and ran all 3 of them.

Now after long checking and cross checking we've come across some files in

c:\WINNT\Prefetch that look very suspicious

FOUR SURF.EXE-174B94CB.pf
FOURSU~1.EXE-1152AE1C.pf

SOFT DATE LIES.EXE-1C7A47B0.pf
SOFTDA~1.EXE-19550787.pf

Mainly because in Process Explorer we had 2 instances of Internet Explorer running even though we hadn't opened them.
When trying to kill them, the above files with the ~ in their filename flashed up briefly and then the Internet Explorer instance was back running.

I have attached logs of

HiJackThis

Logfile of HijackThis v1.99.1
Scan saved at 15:59:08, on 29-May-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINNT\system32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\LVComS.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.soscijayskt.net/UOUuxCWXz6thbpt...aLezlO9ywGj.jpg
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {89CF44A1-50DE-EF96-6BDF-0E28BFB0604B} - C:\DOCUME~1\RICHAR~1\APPLIC~1\COALCI~1\Way Curb.exe (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Wipelieswarnthat] C:\Documents and Settings\All Users\Application Data\PINGCITYWIPELIES\four surf.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Itch Mode] C:\DOCUME~1\RICHAR~1\APPLIC~1\AMENTR~1\soft date lies.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119849917218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: bw+0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

ProcessExplorer NT

Process PID CPU Description Company Name
System Idle Process 0 100.00
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 572 Windows NT Session Manager Microsoft Corporation
csrss.exe 780 Client Server Runtime Process Microsoft Corporation
winlogon.exe 804 Windows NT Logon Application Microsoft Corporation
services.exe 848 Services and Controller app Microsoft Corporation
svchost.exe 1016 Generic Host Process for Win32 Services Microsoft Corporation
LVComS.exe 3052 LVCom Server Logitech Inc.
msmsgs.exe 3420 Windows Messenger Microsoft Corporation
svchost.exe 1072 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1216 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1260 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1416 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1676 Spooler SubSystem App Microsoft Corporation
CCEVTMGR.EXE 1708 Event Manager Service Symantec Corporation
incdsrv.exe 492 incdsrv AHEAD Software
MDM.EXE 520 Machine Debug Manager Microsoft Corporation
NAVAPSVC.EXE 536 Norton AntiVirus Auto-Protect Service Symantec Corporation
svchost.exe 1196 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 1288 Windows User Mode Driver Manager Microsoft Corporation
vsmon.exe 1388 TrueVector Service Zone Labs, LLC
CALMAIN.exe 1516 Canon Camera Access Library 8 Canon Inc.
SymWSC.exe 1560 Norton Security Center Service Symantec Corporation
alg.exe 892 Application Layer Gateway Service Microsoft Corporation
iPodService.exe 2864 iPodService Module Apple Computer, Inc.
lsass.exe 860 LSA Shell (Export Version) Microsoft Corporation
WgaTray.exe 2112 Windows Genuine Advantage Notification Microsoft Corporation
explorer.exe 664 Windows Explorer Microsoft Corporation
jusched.exe 2104 Java™ 2 Platform Standard Edition binary Sun Microsystems, Inc.
ccApp.exe 2124 Common Client CC App Symantec Corporation
bpcable.exe 2148 BigPond Broadband Cable Login Telstra
LogiTray.exe 2188 ImageStudio Tray Application Logitech Inc.
InCD.exe 2204 InCD Ahead Software AG
iTunesHelper.exe 2220 iTunesHelper Module Apple Computer, Inc.
zlclient.exe 2244 Zone Labs Client Zone Labs, LLC
ctfmon.exe 2260 CTF Loader Microsoft Corporation
LogitechDesktopMessenger.exe 2272 Logitech Desktop Messenger Logitech
procexp.exe 2172 Sysinternals Process Explorer Sysinternals
iexplore.exe 2644 Internet Explorer Microsoft Corporation
iexplore.exe 2668 Internet Explorer Microsoft Corporation

Lavasoft VirtualMonde Remover came up empty-handed.


Has anyone got an idea how to get rid of this trojan?

Any help would be very much appreciated.
LS CalamityJane
You've gotten a LOP parasite infection that Adaware doesn't detect yet. Hold on while I write up some steps for you to follow - we can manually get rid of it.
LS CalamityJane
I need for you to go here:
Go here: http://www.thespykiller.co.uk/forum/index.php?board=1.0
to upload some files as an attachment so I can submit them for future detection.

Just press new topic (Make the subject: For CalamityJane from puzzled at LS ),
fill in a short message & then scroll down to the section that says "Attach", press the browse button and then navigate to & select these files on your computer. If there is more than 1 file then press the more attachments button for each extra file and browse and select etc, and then when all the files are listed in the window press Post to upload the files

Files to upload in the named folders below in bold:

C:\Documents and Settings\All Users\Application Data\PINGCITYWIPELIES (upload all files in this folder)

C:\DOCUMENTS AND SETTINGS\RICHAR~1\APPLICATION DATA\AMENTR (upload all files in this folder) Note: The folder name is longer than that and may contain spaces...such as: Amen Tr...

C:\DOCUMENTS AND SETTINGS\RICHAR~1\APPLICATION DATA\COALCI (upload all files in this folder if any - it might be empty) Again, the folder name is longer than that and may contain spaces, for example: Coal Ci...

Press the *Post* button to upload the files

Note: You DO NOT need to be a member to upload, anybody can upload the files

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect it from there and will reply back to you here in your topic once I have a moment to examine the file.
LS CalamityJane
Thanks, got the first 10 files. If there are more please upload those as well. I'll be submitting these for detection.

The files received so far are:
* Bash Bags Dash.exe (10.25 KB - downloaded 1 times.)
* chic ford.exe (354.61 KB - downloaded 1 times.)
* cnwotgcb.exe (357.38 KB - downloaded 1 times.)
* comp cast.exe (356.32 KB - downloaded 1 times.)
* copy name.exe (312.31 KB - downloaded 1 times.)
* DoesPoll.exe (357.38 KB - downloaded 1 times.)
* Eggs License.exe (354.61 KB - downloaded 1 times.)
* film cdrom.exe (356.26 KB - downloaded 1 times.)
* four surf.exe (359.95 KB - downloaded 1 times.)
* Gpl less.exe (357.38 KB - downloaded 1 times.)
.............................................
After you have done that, let's start the steps to remove this infection.

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

2. Reboot into Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


3. Once in Safe mode, Open HijackThis and do a *scan only*. When it finishes, place a checkmark next to these entries in the list, then press the *fix checked* button

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.soscijayskt.net/UOUuxCWXz6thbpt...aLezlO9ywGj.jpg

O2 - BHO: (no name) - {89CF44A1-50DE-EF96-6BDF-0E28BFB0604B} - C:\DOCUME~1\RICHAR~1\APPLIC~1\COALCI~1\Way Curb.exe (file missing)

O4 - HKLM\..\Run: [Wipelieswarnthat] C:\Documents and Settings\All Users\Application Data\PINGCITYWIPELIES\four surf.exe

O4 - HKCU\..\Run: [Itch Mode] C:\DOCUME~1\RICHAR~1\APPLIC~1\AMENTR~1\soft date lies.exe


4. Stay in Safe Mode, and delete these folders and their contents:

C:\DOCUMENTS AND SETTINGS\RICHAR~1\APPLICATION DATA\COALCI (Delete entire folder)

C:\Documents and Settings\All Users\Application Data\PINGCITYWIPELIES (Delete entire folder)

C:\Documents and Settings\All Users\Application Data\PINGCITYWIPELIES (Delete entire folder)

5. Reboot back into normal mode.

6. Scan once more with Hijackthis to make a log. Post the new log back here please.
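A triage script for HijackThis logs of the kind posted in this thread, added here as an example (it is not HijackThis code and not part of CalamityJane's instructions): it parses R1/O2/O4 lines, flags the same four entries listed in step 3 using defender-side heuristics (autorun executables under Application Data, an unnamed or file-missing BHO, an IE search bar pointing at an image URL), and derives the folders that step 4 tells the user to inspect. The sample log is a constructed subset of the first log in the thread; the heuristics, the trusted-path prefixes and all function names are my assumptions.

```python
"""Triage helper for HijackThis 1.99-style logs (added example, not HijackThis code)."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a subset of the first log posted in the thread, plus
# entries that are clearly legitimate (Java updater, ctfmon, Acrobat BHO).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.soscijayskt.net/UOUuxCWXz6thbpt...aLezlO9ywGj.jpg
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {89CF44A1-50DE-EF96-6BDF-0E28BFB0604B} - C:\DOCUME~1\RICHAR~1\APPLIC~1\COALCI~1\Way Curb.exe (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Wipelieswarnthat] C:\Documents and Settings\All Users\Application Data\PINGCITYWIPELIES\four surf.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Itch Mode] C:\DOCUME~1\RICHAR~1\APPLIC~1\AMENTR~1\soft date lies.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
O2_RE = re.compile(r"^BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
R1_RE = re.compile(r"^(.*?) = (.*)$")

# Assumed heuristics: per-user/all-users data folders are unusual autorun
# homes; Program Files and the Windows folder are treated as trusted roots.
APPDATA_MARKERS = ("\\application data\\", "\\applic~1\\")
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\winnt\\", "c:\\windows\\")
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png")


@dataclass
class Entry:
    section: str                 # HijackThis section code: R1, O2, O4, ...
    text: str                    # rest of the line after "Oxx - "
    path: str = ""               # executable/DLL the entry points at, if any
    reasons: List[str] = field(default_factory=list)


def strip_status(path: str) -> str:
    """Remove HijackThis' trailing '(file missing)' annotation."""
    return re.sub(r"\s*\(file missing\)\s*$", "", path)


def command_path(cmd: str) -> str:
    """Return the executable part of a Run-key command (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.exe)(?:\s.*)?$", cmd, re.I)  # drop switches after the .exe
    return m.group(1) if m else cmd


def path_reasons(path: str) -> List[str]:
    """Indicators derived from where an autorun/BHO file lives and how it is named."""
    low = path.lower()
    reasons = []
    if any(marker in low for marker in APPDATA_MARKERS):
        reasons.append("executable launched from an Application Data folder")
    if " " in ntpath.basename(path) and not low.startswith(TRUSTED_PREFIXES):
        reasons.append("executable name contains spaces outside Program Files/WINNT")
    return reasons


def classify(entry: Entry) -> Entry:
    """Attach suspicion reasons to one parsed entry (only R1/O2/O4 are examined)."""
    if entry.section == "O4":
        m = O4_RE.match(entry.text)
        if m:
            entry.path = command_path(m.group(3))
            entry.reasons += path_reasons(entry.path)
    elif entry.section == "O2":
        m = O2_RE.match(entry.text)
        if m:
            name, raw = m.group(1), m.group(2)
            entry.path = strip_status(raw)
            if name == "(no name)":
                entry.reasons.append("BHO registered without a name")
            if "(file missing)" in raw:
                entry.reasons.append("BHO points at a file that no longer exists")
            entry.reasons += path_reasons(entry.path)
    elif entry.section == "R1":
        m = R1_RE.match(entry.text)
        if m and m.group(2).lower().endswith(IMAGE_EXTS):
            entry.reasons.append("non-default IE setting pointing at an image URL")
    return entry


def parse_entries(log_text: str) -> List[Entry]:
    """Parse the 'Rn - ...' / 'Onn - ...' lines of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(log_text: str) -> List[Entry]:
    """Return the entries that carry at least one suspicious indicator."""
    return [e for e in map(classify, parse_entries(log_text)) if e.reasons]


def fix_lines(flagged: List[Entry]) -> List[str]:
    """The exact log lines to tick in HijackThis' 'fix checked' list (step 3)."""
    return [f"{e.section} - {e.text}" for e in flagged]


def folders_to_review(flagged: List[Entry]) -> List[str]:
    """Application Data folders hosting flagged files, to inspect in Safe Mode (step 4)."""
    folders = {ntpath.dirname(e.path) for e in flagged
               if e.path and any(k in e.path.lower() for k in APPDATA_MARKERS)}
    return sorted(folders)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for line, e in zip(fix_lines(hits), hits):
        print(line)
        for r in e.reasons:
            print("    ->", r)
    print("\nFolders to inspect in Safe Mode:")
    for folder in folders_to_review(hits):
        print("   ", folder)
```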
puzzled
Hi Calamity Jane

We've done what you've suggested - actually you had asked to cancel these files/folders

C:\DOCUMENTS AND SETTINGS\RICHAR~1\APPLICATION DATA\COALCI (Delete entire folder)

C:\Documents and Settings\All Users\Application Data\PINGCITYWIPELIES (Delete entire folder)

C:\Documents and Settings\All Users\Application Data\PINGCITYWIPELIES (Delete entire folder)


Noticed pingcitywipelies was duplicated... and assumed you meant to wipe
C:\DOCUMENTS AND SETTINGS\RICHAR~1\APPLICATION DATA\AMENTR

So we did delete that folder and files as well.


Below is the logfile of the Hijack scan immediately after rebooting in normal mode.


Hopefully that has fixed it.

In any event, many, many thanks for your help.




Logfile of HijackThis v1.99.1
Scan saved at 15:23:45, on 01-June-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\WgaTray.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\RDSHOST.exe
C:\WINNT\system32\sessmgr.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\PCHealth\HelpCtr\Binaries\HelpCtr.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119849917218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: bw+0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {14766AC5-73B9-48C7-8E6A-505ABDFA2717} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
LS CalamityJane
QUOTE(puzzled @ Jun 1 2006, 01:32 AM)
Noticed pingcitywipelies was duplicated... and assumed you meant to wipe
C:\DOCUMENTS AND SETTINGS\RICHAR~1\APPLICATION DATA\AMENTR

So we did delete that folder and files as well.
Below is the logfile of the Hijack scan immediately after rebooting in normal mode.
Hopefully that has fixed it.

Ooops, yes. Glad you caught that.

Your Hijackthis log looks good. How is your computer acting now?

And many thanks for submitting all those files. Holy Moly! I'll get them submitted for detection!