dan12

Honorary Members
  • Posts: 119

Posts posted by dan12

  1. Let's have a look at your hosts file.

    Go to Start > Run and highlight the contents of the box below, then use CTRL+C to copy them and CTRL+V to paste them into the Run dialogue box.

    cmd /c copy C:\WINDOWS\system32\drivers\etc\hosts "%userprofile%\desktop\hosts.txt" & notepad "%userprofile%\desktop\hosts.txt"

    Click OK; Notepad will then open with your hosts file. Copy and paste the whole hosts file into your next reply.

  2. Please double-click GooredFix.exe on your Desktop to run it.

    • Select "2. Fix Goored" by typing 2 and pressing Enter.
    • Make sure all instances of Firefox are closed at this point.
    • Type y at the prompt and press Enter again.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

    Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

    dan

    • Please create a BOOTLOG
    • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
    • Select the "Enable Boot Logging" option and press Enter.
    • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
    • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
      If you're already running inside Windows you can enable it the following way.
    • Click on START - RUN and type in MSCONFIG, go to the BOOT.INI tab and place a check mark by /BOOTLOG
    • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
    • After Windows restarts, open the file C:\Windows\ntbtlog.txt with Notepad
    • From the Edit menu choose Select All, then Edit, COPY and post that back in your next reply.
    • Note: Vista users can type it in the Search box and it will show on the menu; then right-click and choose Run as Administrator
    • The tab is called BOOT on Vista. Then choose Boot log

    RootRepeal - Rootkit Detector

    • Please download the following tool: RootRepeal - Rootkit Detector
    • Direct download link is here: RootRepeal.rar
    • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
    • Extract the program file to a new folder such as C:\RootRepeal
    • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
    • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
    • When done, click on Save Report
    • Save it to the same location where you ran it from, such as C:\RootRepeal
    • Save it as your_name_rootrepeal.txt - where your_name is your forum name
    • This makes it easier to track who the log belongs to.
    • Then open that log and select all and copy/paste it back on your next reply please.
    • Quit the RootRepeal program.

    Post the logs

  3. Go to Start > Run and highlight the contents of the box below, then use CTRL+C to copy them and CTRL+V to paste them into the Run dialogue box.

    cmd /c copy C:\WINDOWS\system32\drivers\etc\hosts "%userprofile%\desktop\hosts.txt" & notepad "%userprofile%\desktop\hosts.txt"

    Click OK; Notepad will then open with your hosts file. Copy and paste the whole hosts file into your next reply.

    -----------------------------

    Download and run Combofix

    This tool is not a toy and not for everyday use.

    ComboFix SHOULD NOT be used unless requested by a forum helper

    Please download ComboFix from one of these locations:

    Link 1

    Link 2

    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: RcAuto1.gif]

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: whatnext.png]

    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    If you need help, see this link:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    ----------------------------------------------

    Post back:

    Combofix report.

    A new HijackThis log.

    Host file text
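The hosts-file check requested in posts 1 and 3 above asks the user to paste the whole file for a helper to read by eye. The script below is an added example, not part of dan12's posts: it parses a hosts file in the Windows layout and lists every name that is mapped somewhere other than loopback, then groups those names by target address, because a hijacked hosts file typically sends many names (update servers, search engines, security vendors) to one outside address. The sample file, hostnames and addresses are constructed for the example.

```python
"""Review a Windows hosts file for redirections.

Added example (not from the forum post).  The normal, benign use of the
hosts file is to map names to loopback (127.0.0.1 / ::1), which blocks them.
A name mapped to any other address is a redirection, and many names mapped
to one such address is the pattern a hijacked hosts file usually shows.
"""
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of C:\WINDOWS\system32\drivers\etc\hosts;
# the hostnames and addresses are made up for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.tracker.example        # blocking entry: benign
203.0.113.5     www.update-vendor.example
203.0.113.5     download.update-vendor.example
203.0.113.5     www.search-engine.example
10.0.0.20       intranet.corp.example
"""


def parse_hosts(text):
    """Yield (address, hostname, line_no) for each mapping; comments are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                             # blank, comment-only or malformed line
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # first field is not an IP address
        for host in parts[1:]:                   # one address may carry several names
            yield addr, host.lower(), line_no


def triage_hosts(text, mass_threshold=3):
    """Return non-loopback mappings and addresses that collect many names.

    'redirects' is a list of (line_no, address, hostname) for every mapping
    that does not point at loopback.  'mass' maps each address that has at
    least mass_threshold hostnames to the list of those hostnames.
    """
    redirects = []
    names_by_addr = defaultdict(list)
    for addr, host, line_no in parse_hosts(text):
        if addr.is_loopback:
            continue                             # blocking entries are the expected use
        redirects.append((line_no, str(addr), host))
        names_by_addr[str(addr)].append(host)
    mass = {a: hs for a, hs in names_by_addr.items() if len(hs) >= mass_threshold}
    return {"redirects": redirects, "mass": mass}


if __name__ == "__main__":
    report = triage_hosts(SAMPLE_HOSTS)
    for line_no, addr, host in report["redirects"]:
        print(f"line {line_no}: {host} -> {addr}")
    for addr, hosts in report["mass"].items():
        print(f"{addr} collects {len(hosts)} names: {', '.join(hosts)}")
```

To run it against a real machine, pass the contents of the copied hosts.txt to `triage_hosts`. The output is a review list rather than a verdict: an entry such as the intranet name above, pointing at a private address, is often legitimate, while several unrelated public names sharing one outside address is what the helper in the thread would want to see first.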

  4. Please download GooredFix from one of the locations below and save it to your Desktop

    Download Mirror #1

    Download Mirror #2

    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

    Note: Do not run Option #2 yet.

    • Please create a BOOTLOG
    • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
    • Select the "Enable Boot Logging" option and press Enter.
    • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
    • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
      If you're already running inside Windows you can enable it the following way.
    • Click on START - RUN and type in MSCONFIG, go to the BOOT.INI tab and place a check mark by /BOOTLOG
    • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
    • After Windows restarts, open the file C:\Windows\ntbtlog.txt with Notepad
    • From the Edit menu choose Select All, then Edit, COPY and post that back in your next reply.
    • Note: Vista users can type it in the Search box and it will show on the menu; then right-click and choose Run as Administrator
    • The tab is called BOOT on Vista. Then choose Boot log

    RootRepeal - Rootkit Detector

    • Please download the following tool: RootRepeal - Rootkit Detector
    • Direct download link is here: RootRepeal.rar
    • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
    • Extract the program file to a new folder such as C:\RootRepeal
    • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
    • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
    • When done, click on Save Report
    • Save it to the same location where you ran it from, such as C:\RootRepeal
    • Save it as your_name_rootrepeal.txt - where your_name is your forum name
    • This makes it easier to track who the log belongs to.
    • Then open that log and select all and copy/paste it back on your next reply please.
    • Quit the RootRepeal program.

    Post:

    Goored txt

    bootlog report

    rootrepeal report.

    That should keep you busy. Remember: not sure, ask!

    Good night

    dan

  5. Whilst I'm going through your report, can you address the two antivirus programs you have on the machine, as I mentioned at the beginning.

    Depending on which one you remove these tools may help

    Please note, these tools will remove all applications belonging to the relevant company.

    Remove McAfee

    Please click HERE and follow the instructions to download and run the McAfee removal tool

    Remove Norton

    Please click HERE and follow the instructions to download and run the Norton removal tool

    ---------------------------

    Please update malwarebytes now and do a full scan and remember to click > fix items.

  6. Let's try another way

    Please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1

    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      :reg
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig /s

    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

    Note: The log can also be found on your Desktop entitled SystemLook.txt

  7. Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

    R3 - URLSearchHook: (no name) - - (no file)

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

    O15 - Trusted Zone: http://ilearning.oracle.com

    O15 - Trusted Zone: http://www.solutionbeacon.com

    O15 - Trusted Zone: http://sbllc3.solutionbeacon.net

    O15 - Trusted Zone: http://vis11510.solutionbeacon.net

    O24 - Desktop Component 1: Desktop Uninstall - C:\WINDOWS\warnhp.html

    WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit

    • Please create a BOOTLOG
    • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
    • Select the "Enable Boot Logging" option and press Enter.
    • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
    • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
      If you're already running inside Windows you can enable it the following way.
    • Click on START - RUN and type in MSCONFIG, go to the BOOT.INI tab and place a check mark by /BOOTLOG
    • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
    • After Windows restarts, open the file C:\Windows\ntbtlog.txt with Notepad
    • From the Edit menu choose Select All, then Edit, COPY and post that back in your next reply.
    • Note: Vista users can type it in the Search box and it will show on the menu; then right-click and choose Run as Administrator
    • The tab is called BOOT on Vista. Then choose Boot log

    RootRepeal - Rootkit Detector

    • Please download the following tool: RootRepeal - Rootkit Detector
    • Direct download link is here: RootRepeal.rar
    • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
    • Extract the program file to a new folder such as C:\RootRepeal
    • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
    • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
    • When done, click on Save Report
    • Save it to the same location where you ran it from, such as C:\RootRepeal
    • Save it as your_name_rootrepeal.txt - where your_name is your forum name
    • This makes it easier to track who the log belongs to.
    • Then open that log and select all and copy/paste it back on your next reply please.
    • Quit the RootRepeal program.

    Post the logs
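Posts 2, 4 and 7 above all ask for the contents of C:\Windows\ntbtlog.txt. The script below is an added example, not part of dan12's posts, showing what a helper looks for in that file: the log grows by one section per logged boot, so only the last section describes the current state, and within it the lines of interest are drivers Windows tried but failed to load and drivers that loaded from somewhere other than the system32 tree. The sample log is constructed; its header format and paths imitate a 32-bit Windows XP boot log, but the entries are made up.

```python
"""Triage the Windows boot log (ntbtlog.txt).

Added example (not from the forum post).  Each logged boot appends a new
section to the file, so the most recent boot is the last section.  The
interesting lines are drivers that loaded from somewhere other than the
system32 tree and drivers Windows tried to load but could not.
"""

LOADED = "Loaded driver "
NOT_LOADED = "Did not load driver "

# Constructed sample with two logged boots; the header and path forms
# imitate a Windows XP boot log, but the entries themselves are made up.
SAMPLE_BOOTLOG = r"""Service Pack 3  7 18 2009 10:33:22.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Service Pack 3  7 19 2009 08:02:11.125
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \??\C:\WINDOWS\Temp\tmp1234.sys
Loaded driver \??\C:\Program Files\Vendor\vendordrv.sys
"""


def split_boots(text):
    """Split the log into per-boot lists of (loaded: bool, path: str).

    Any non-empty line that is neither a 'Loaded driver' nor a
    'Did not load driver' line is treated as the header of a new boot.
    """
    boots = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LOADED) or line.startswith(NOT_LOADED):
            if not boots:
                boots.append([])          # log with no header line at all
            loaded = line.startswith(LOADED)
            path = line[len(LOADED) if loaded else len(NOT_LOADED):]
            boots[-1].append((loaded, path))
        else:
            boots.append([])              # header line: a new boot begins
    return boots


def is_usual_location(path):
    """True for drivers under a system32 tree or given by bare file name."""
    p = path.lower()
    return "\\system32\\" in p or "\\" not in p


def triage_bootlog(text):
    """Summarise the most recent boot in the log.

    Returns the number of boots in the file, the loaded-driver count for
    the last boot, the drivers that failed to load, and the drivers that
    loaded from outside the usual system32 location.
    """
    boots = split_boots(text)
    last = boots[-1] if boots else []
    return {
        "boots": len(boots),
        "loaded": sum(1 for ok, _ in last if ok),
        "not_loaded": [p for ok, p in last if not ok],
        "unusual_paths": [p for ok, p in last if ok and not is_usual_location(p)],
    }


if __name__ == "__main__":
    summary = triage_bootlog(SAMPLE_BOOTLOG)
    print(f"{summary['boots']} boots logged; last boot loaded {summary['loaded']} drivers")
    for p in summary["not_loaded"]:
        print("did not load:", p)
    for p in summary["unusual_paths"]:
        print("loaded from unusual location:", p)
```

A driver under Program Files is usually a vendor's own (hardware utilities and security products install there), whereas a driver loading from a Temp directory or a user profile has no ordinary reason to be there; the script lists both so the person reading the log can decide, and a "did not load" line for a driver that should exist is the usual sign that something removed or replaced it.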

  8. I assume the msconfig report you wanted was the program list.

    No! That's the programs installed list.

    Run the batch file again and take note of the text highlighted in green.

    Go to the menu at the top of the Notepad File and Save as

    Save it to your Desktop as "mslook.bat" (you MUST include the quotes)

    Locate mslook.bat on your Desktop and double-click it. When Notepad opens, copy/paste the content into your reply. When you close Notepad the CMD window will close automatically and the text file will be deleted.

    post

    Msconfig report

  9. Welcome to the Malwarebytes forum.

    My name is Dan, and I will be helping you to remove any infection(s) that you may have.

    Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

    Please observe these rules while we work:

    • Perform all actions in the order given.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Stick with it till you're given the all clear.
    • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.

    If you can do these things, everything should go smoothly.

    • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
    • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

    Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.

    It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

    Installed Programs

    Please could you give me a list of the programs that are installed.

    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list with the programs installed in your computer.

    Click on the Save List button and specify where you would like to save this file.

    When you press the Save button, Notepad will open with the contents of that file.

    Simply copy and paste the contents of that notepad into your next post.

    I'm presently looking over your log and hope not to be too long.

    Will be back with you as soon as I can.

    Thanks, dan

  10. AntiVirus

    You have a couple of AVs running, Norton and McAfee; you're actually doing more harm than good by running more than one antivirus program.

    When you do this the programs compete for resources, and the end result is that none does its best, and it can cause system instability.

    I recommend that you choose one that you want to keep.

    The other(s) I would either uninstall, or disable from startup and use "on demand" for an occasional scan.

    Please note that almost all "free" security software is only free for home/private users

    Please note, these tools will remove all applications belonging to the relevant company.

    Remove McAfee

    Please click http://*.mcafee.com

    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

    O18 - Protocol: bw+0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw+0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw-0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw-0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw00 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw00s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw10 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw10s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw20 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw20s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw30 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw30s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw40 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw40s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw50 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw50s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw60 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw60s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw70 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw70s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw80 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw80s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw90 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bw90s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwa0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwa0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwb0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwb0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwc0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwc0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwd0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwd0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwe0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwe0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwf0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwf0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

    O18 - Protocol: bwg0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwg0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwh0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwh0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwi0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwi0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwj0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwj0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwk0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwk0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwl0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwl0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwm0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwm0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwn0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwn0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwo0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwo0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwp0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwp0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwq0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwq0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwr0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwr0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bws0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bws0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwt0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwt0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwu0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwu0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwv0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwv0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bww0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bww0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwx0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwx0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwy0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwy0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwz0 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: bwz0s - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O18 - Protocol: offline-8876480 - {35B8BD53-9FFB-44F8-93F0-0A2A7A074DCA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit

    Post a further HJT log

    Msconfig report
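Posts 7 and 10 above hand the user a list of HijackThis entries to tick and fix. The script below is an added example, not part of dan12's posts and not HijackThis's own code: it parses the Rnn/Onn line format and pulls out the classes of entry those posts deal with, namely registrations whose file is gone ("(no file)"), sites added to the Internet Explorer Trusted Zone (O15), protocol handlers grouped by the DLL they point at (O18, so a DLL registered under dozens of names shows up as one line with a count), autostart entries (O4) whose program lives in a user-writable directory, and Active Desktop components (O24). The sample log is constructed; the CLSIDs, paths and hostnames in it are placeholders.

```python
"""Triage a HijackThis log.

Added example (not from the forum post).  HijackThis lists browser and
autostart registrations as 'Rnn' / 'Onn' lines; this script pulls out the
kinds of entries the posts ask to be fixed so they can be reviewed at a
glance rather than read line by line.
"""
import re
from collections import Counter

# Constructed sample in HijackThis log format; CLSIDs, paths and hostnames
# are placeholders made up for the example.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.test/ie
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: PDF Link Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Reader\ActiveX\Helper.dll
O4 - HKLM\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O4 - HKLM\..\Run: [SoundTray] C:\WINDOWS\system32\soundtray.exe
O15 - Trusted Zone: http://intranet.corp.example
O18 - Protocol: bw+0 - {00000000-0000-0000-0000-000000000003} - C:\Program Files\Vendor\Messenger\Plug.dll
O18 - Protocol: bw+0s - {00000000-0000-0000-0000-000000000003} - C:\Program Files\Vendor\Messenger\Plug.dll
O24 - Desktop Component 1: Desktop Uninstall - C:\WINDOWS\warnhp.html
"""

ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")

# Autostart commands under these directories run from user-writable
# locations, which legitimately installed software rarely needs.
USER_PATH_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\users\\", "\\appdata\\")


def parse_hjt(text):
    """Return a list of (kind, body) pairs, e.g. ('O2', 'BHO: ... - (no file)')."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_hjt(text):
    """Group the entries a helper would review first."""
    findings = {
        "orphaned": [],                  # registration whose file no longer exists
        "trusted_zones": [],             # O15: sites given relaxed IE security
        "protocol_handlers": Counter(),  # O18: handler DLL -> number of protocols
        "autostart_user_paths": [],      # O4: autostart from a user-writable directory
        "desktop_components": [],        # O24: Active Desktop items
    }
    for kind, body in parse_hjt(text):
        if "(no file)" in body:
            findings["orphaned"].append(f"{kind} - {body}")
        if kind == "O15" and body.startswith("Trusted Zone: "):
            findings["trusted_zones"].append(body[len("Trusted Zone: "):])
        elif kind == "O18" and body.startswith("Protocol: "):
            dll = body.rsplit(" - ", 1)[-1]
            findings["protocol_handlers"][dll] += 1
        elif kind == "O4":
            cmd = body.split("]", 1)[-1].strip()   # text after the [name] tag
            if any(marker in cmd.lower() for marker in USER_PATH_MARKERS):
                findings["autostart_user_paths"].append(cmd)
        elif kind == "O24":
            findings["desktop_components"].append(body.rsplit(" - ", 1)[-1])
    return findings


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_HJT)
    for key, value in result.items():
        print(f"{key}:")
        items = value.items() if isinstance(value, Counter) else value
        for item in items:
            print("   ", item)
```

An orphaned entry does nothing on its own (the DLL it names is gone) but is the usual leftover of a half-finished removal, which is why the posts have them ticked for cleanup. The Trusted Zone and Active Desktop lists are printed without judgement: an intranet name in the Trusted Zone may be an administrator's choice, whereas a local .html file wired into the desktop, like the one in the sample, is the classic rogue "your PC is infected" warning page.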

  11. Welcome to the Malwarebytes forum.

    My name is Dan, and I will be helping you to remove any infection(s) that you may have.

    Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

    Please observe these rules while we work:

    • Perform all actions in the order given.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Stick with it till you're given the all clear.
    • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.

    If you can do these things, everything should go smoothly.

    • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
    • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

    Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.

    It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

    Installed Programs

    Please could you give me a list of the programs that are installed.

    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list with the programs installed in your computer.

    Click on the Save List button and specify where you would like to save this file.

    When you press the Save button, Notepad will open with the contents of that file.

    Simply copy and paste the contents of that notepad into your next post.

    I'm presently looking over your log and hope not to be too long.

    Will be back with you as soon as I can.

    Thanks, dan

  12. Download and run Combofix

    This tool is not a toy and not for everyday use.

    ComboFix SHOULD NOT be used unless requested by a forum helper

    Please download ComboFix from one of these locations:

    Link 1

    Link 2

    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: RcAuto1.gif]

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: whatnext.png]

    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    If you need help, see this link:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    ----------------------------------------------

    Download and Update Java Runtime

    The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.

    • Go to http://java.sun.com/javase/downloads/index.jsp
    • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
    • In Platform box choose Windows.
    • Check the box to Accept License Agreement and click Continue.
    • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
    • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
    • Uncheck the Toolbar button (unless you want the toolbar)
    • Reboot your computer

    Post back:

    Combofix report.

    A new HijackThis log.

  13. IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    BitTorrent

    I'd like you to read the MRU policy for P2P Programs.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

    ------------------------

    Remove Poker programs

    From your log I can see you've installed poker programs. A lot of poker programs are infected/can infect you with malware.

    I would advise you to go to Add/Remove programs and uninstall your poker programs.

    Full Tilt Poker

    Here are links to some poker sites regarded as safe for your reference.

    * http://www.pokerstars.net/ - This is a simple play money version.

    * http://www.pokerstars.com/ - This is a bigger play money and real money version.

    Optional Fix

    I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player

  14. AntiVirus

    It would seem you have a couple of AVs running, McAfee and Norton. You're actually doing more harm than good by running more than one Anti Virus program.

    When you do this the programs compete for resources, and the end result is none does its best and it can cause system instability.

    I recommend that you choose one that you want to keep.

    The other/s I would either uninstall, or disable from startup and use as "on demand" for an occasional scan.

    Please note that almost all "free" security software is only free for home/private users

    -----------------

    Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

    Then run this tool to help cleanup any left over Java

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Please download JavaRa and unzip it to your desktop.

    ***Please close any instances of Internet Explorer (or other web browser) before continuing!***

    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location and post it back when you reply
      Then look for the following Java folders and if found delete them.
      C:\Program Files\Java
      C:\Program Files\Common Files\Java
      C:\Documents and Settings\All Users\Application Data\Java
      C:\Documents and Settings\All Users\Application Data\Sun\Java
      C:\Documents and Settings\username\Application Data\Java
      C:\Documents and Settings\username\Application Data\Sun\Java

    Set ccleaner up as below:

    Set Options in CCleaner and run Cleaning Scan.

    Open CCleaner if it's not already running.

    ( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).

    • Select Cleaner Settings.
      Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
    • Click on the Options block on the left. Select Advanced.
      Uncheck Only delete files in Windows Temp folders older than 48 hours.
    • Set Cookie Retention.
      Click on the Options block on the left, then choose Cookies.
      Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
    • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
      Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

    ----------------------

    Create a bootlog file:

    A bootlog is a file where Windows writes down which drivers are loaded and which are not during startup.

    Using Windows explorer, see if you find c:\windows\ntbtlog.txt - If it exists, delete the file.

    • Click Start then Run and type in msconfig in the edit box and hit Enter or click Ok
    • Click on the boot.ini tab and check the box that says /BOOTLOG
    • Click Apply & Ok and reboot the PC (may take a bit longer to boot)
    • After it reboots, you will get a message that msconfig has been used to change your start settings.
    • In msconfig, Check Normal Startup on the GENERAL tab, and on the BOOT.INI tab, Uncheck /BOOTLOG. Click Apply, OK.
    • When a message asks if you want to Reboot now, Click Exit Without Reboot. You don't need to.
    • Using Windows Explorer, locate c:\windows\ntbtlog.txt and post the content of the file.

    RootRepeal - Rootkit Detector

    • Please download the following tool: RootRepeal - Rootkit Detector
    • Direct download link is here: RootRepeal.rar
    • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
    • Extract the program file to a new folder such as C:\RootRepeal
    • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
    • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
    • When done, click on Save Report
    • Save it to the same location where you ran it from, such as C:\RootRepeal
    • Save it as your_name_rootrepeal.txt - where your_name is your forum name
    • This makes it easier to track who the log belongs to.
    • Then open that log and select all and copy/paste it back on your next reply please.
    • Quit the RootRepeal program.

    Post the logs
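    As an added illustration of what a helper looks for in the bootlog described above (this is example code, not dan12's or any forum tool), the script below parses the "Loaded driver" / "Did not load driver" lines that Windows writes to C:\Windows\ntbtlog.txt and reports drivers loaded from outside the normal system directories, plus drivers that appear more than once (which is why the old ntbtlog.txt is deleted first: Windows appends to it on every logged boot). The sample log is constructed, the line format is assumed from those two prefixes, and the placeholder driver name is not a real file.

```python
"""Summarize a Windows boot log (ntbtlog.txt) for review.

Example code added here; the input below is a constructed sample and the
line format is an assumption based on the "Loaded driver" and
"Did not load driver" prefixes Windows XP writes to C:\\Windows\\ntbtlog.txt.
"""
import re
import sys
from collections import Counter

# Constructed sample; "example_unknown.sys" is a placeholder, not a real driver.
SAMPLE_BOOTLOG = r"""Service Pack 3 3 14 2009 10:15:42.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \SystemRoot\System32\DRIVERS\ftdisk.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \??\C:\DOCUME~1\ALLUSE~1\APPLIC~1\TMP\example_unknown.sys
Did not load driver \SystemRoot\System32\DRIVERS\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\DRIVERS\ftdisk.sys
"""

# Directories from which boot-time drivers are normally loaded (assumed list;
# compared case-insensitively because the log mixes cases).
EXPECTED_PREFIXES = ("\\systemroot\\system32\\", "\\windows\\system32\\")

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")


def parse_bootlog(text):
    """Return a list of (status, path) tuples; status is 'loaded' or 'not_loaded'."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # header/date lines and anything unrecognised are skipped
        status = "loaded" if match.group(1) == "Loaded driver" else "not_loaded"
        entries.append((status, match.group(2)))
    return entries


def summarize(text):
    """Count loaded/not-loaded drivers and flag unusual paths and repeats."""
    entries = parse_bootlog(text)
    loaded = [path for status, path in entries if status == "loaded"]
    not_loaded = [path for status, path in entries if status == "not_loaded"]
    # Any driver loaded from outside the expected system directories deserves a look.
    unusual = sorted({p for p in loaded if not p.lower().startswith(EXPECTED_PREFIXES)})
    # A driver listed twice usually means the log spans more than one boot.
    repeated = sorted(p for p, count in Counter(loaded).items() if count > 1)
    return {
        "loaded": len(loaded),
        "not_loaded": len(not_loaded),
        "unusual_paths": unusual,
        "repeated": repeated,
    }


if __name__ == "__main__":
    # Usage: python bootlog_summary.py [path-to-ntbtlog.txt]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_BOOTLOG
    report = summarize(source)
    print(f"loaded: {report['loaded']}, not loaded: {report['not_loaded']}")
    for path in report["unusual_paths"]:
        print("UNUSUAL PATH:", path)
    for path in report["repeated"]:
        print("REPEATED   :", path)
```

    A driver that fails to load is not by itself a sign of infection (NDProxy and Fips routinely show up as "Did not load" on a clean machine); the entries worth attention are the ones loaded from temp or profile directories.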

  15. Congratulations you are clean! :(

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

    Create a new System Restore Point

    This is a good time to clear your existing system restore points and establish a new clean restore point:

    Turn off System Restore-Vista

    • Click the Vista/Start icon.
    • Right Click >> Computer
    • Click Properties.
    • Click the System Protection tab.
    • Uncheck All drives
    • Click "Turn Off System Restore" at the prompt then click "Apply".
    • Restart your computer.

    Turn ON System Restore-Vista

    • Click the Vista/Start icon
    • Right Click >> Computer
    • Click Properties.
    • Click the System Protection tab.
    • Checkmark All drives that were selected previously then click "Apply".

    Here are some free programs I recommend that could help you improve your computer's security.

    (Vista users must ensure that any programs are Vista compatible BEFORE installing)

    Spybot Search and Destroy 1.5.2

    Download it from here. Just choose a mirror and off you go.

    Find the tutorial on how to use Spybot properly here

    Find the changes from the older version 1.4 here

    Install Spyware Guard

    Download it from here

    Find the tutorial on how to use Spyware Guard here

    Install SpyWare Blaster

    Download it from here

    Find the tutorial on how to use Spyware Blaster here

    Install WinPatrol

    Download it from here

    You can find information about how WinPatrol works here

    Install FireTrust SiteHound

    You can find information and download it from here

    Install MVPS Hosts File from here

    The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

    Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

    You can use one of these sites to check if any updates are needed for your pc.

    Secunia Software Inspector

    F-secure Health Check

    Visit Microsoft often to get the latest updates for your computer.

    http://www.update.microsoft.com

    Please check out Tony Klein's article "How did I get infected in the first place?"

    Read some information here on how to prevent malware.

    Happy safe surfing!

    Dan

  16. Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

    O24 - Desktop Component 0: (no name) - http://www.netvibes.com/#Home

    WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit

    Please download GooredFix from one of the locations below and save it to your Desktop

    Download Mirror #1

    Download Mirror #2

    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

    Note: Do not run Option #2 yet.

    Go to Start>Run and highlight the contents of the box below then use CTRL+C to copy them and CTRL+V to paste them into the run dialogue box.

    cmd /c copy C:\WINDOWS\system32\drivers\etc\hosts "%userprofile%\desktop\hosts.txt"

    Click OK, notepad will then open with your host file. Copy and paste the whole Hosts file in your next reply.

    Post goored fix log

    Host file text

    fresh HJT log
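    The hosts file copied out by the command above gets read by eye on the forum; as an added example (not dan12's or any forum tool, and not part of the original post) here is the same check done in Python. It treats 127.0.0.1 / 0.0.0.0 entries as ordinary MVPS-style blocks, flags any hostname sent to a non-local address, and separately flags overrides of vendor update and security domains, since pointing those at 127.0.0.1 is just as much a hijack as pointing them elsewhere. The hosts file content and the list of protected domains are constructed assumptions for the example.

```python
"""Flag suspicious entries in a Windows hosts file.

Example code added here. SAMPLE_HOSTS is a constructed sample in the layout of
C:\\WINDOWS\\system32\\drivers\\etc\\hosts; PROTECTED_SUFFIXES is an assumed list.
"""
import ipaddress
import sys

# Constructed sample: two normal block entries and two hijack-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net          # MVPS-style block entry
0.0.0.0         www.example-adserver.test   # blocks may also use 0.0.0.0
10.20.30.40     www.update.microsoft.com    # vendor site sent to another host
127.0.0.1       liveupdate.symantec.com     # AV update site silently blocked
"""

# Domains a defender never expects to see overridden in a hosts file (assumed list).
PROTECTED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "symantec.com",
    "mcafee.com",
    "malwarebytes.org",
)

# Addresses that mean "block this name" rather than "send it somewhere".
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, dropping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first token is not an IP address; ignore the line
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def is_protected(host):
    """True when host is one of the protected domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_suspicious(text):
    """Classify entries into redirects, protected-domain overrides and plain blocks."""
    redirects, overrides, blocks = [], [], []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the one entry every hosts file is expected to have
        if ip not in LOOPBACK_OR_NULL:
            redirects.append((ip, host))  # name sent to a real address: always review
        if is_protected(host):
            overrides.append((ip, host))  # vendor/security domain touched at all
        elif ip in LOOPBACK_OR_NULL:
            blocks.append((ip, host))  # ordinary ad/tracker block
    return {"redirects": redirects, "overrides": overrides, "blocks": blocks}


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts-file]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_HOSTS
    result = find_suspicious(source)
    for ip, host in result["redirects"]:
        print(f"REDIRECT : {host} -> {ip}")
    for ip, host in result["overrides"]:
        print(f"OVERRIDE : {host} -> {ip}")
    print(f"{len(result['blocks'])} ordinary block entries")
```

    On a machine with the MVPS file installed the "blocks" list will run to thousands of entries and is not interesting; the two short lists are what a helper reads before deciding whether to replace the file.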
