Solved

Nasty pop-ups - Someone read the Hijack this please

Posted on 2006-05-23
Last Modified: 2010-04-11
I have come to my wit's end on my in-laws' computer....they have really bad pop-ups coming very frequently on their computer...after a lot of work I was able to clean the system mostly (running SAV 11 on it, Spybot, Ad-aware, Panda-on-line, Zone-Alarm).  However, although the pop-ups are blank white now, they still keep coming.  Does someone mind looking at the hijack-this log & telling me what I may be missing for clean-up.

Thanks:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:50 AM, on 5/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Graham\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O1 - Hosts: www.morpheus.com C:\windows\no.html
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpF6E4.tmp (file missing)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O18 - Protocol: bw+0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbjt32 - C:\WINDOWS\SYSTEM32\winbjt32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

Question by:rustyrpage
23 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 2000 total points
ID: 16744472
You should post this up on www.hijackthis.de for analysis, and post questions up regarding anything specific.  There are a few things in the log that need clearing up, esp Viewpoint, but then the www.hijackthis.de site will tell you all this anyway...  :)

I recommend downloading the eval copy of www.ewido.com to clear out the rubbish.  The apps you've listed are OK, but not exhaustive enough for your requirements.  They're good to PREVENT infection, but not to REMOVE infection, if you know what I mean... ;)
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 16744610
I did that & it didn't find anything bad...not sure what it is.

Just an FYI, the two pop-ups are ULWindowsURL & ULWindowSeek...hopefully that helps
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 16744742
Did you try out ewido?
Are there any System Restore points you could use?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 16744756
I am a little concerned about loading yet another spyware program...it is only those two pop-ups I am getting, so it should be a simple solution (instead of needing an evaluation of another spyware app)
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 16744773
Okay, I will try their on-line scan & see if it finds anything (doubtful...but, worth a shot)
0
 
LVL 32

Expert Comment

by:r-k
ID: 16744846
Your saved analyzed HJT log is at: http://www.hijackthis.de/logfiles/6e1463065c7d3b64fc5ac86eee8cf9f0.html

I would definitely use HJT itself to clean up those items marked as "Nasty". Reboot and run HJT again and see if those entries are gone, and if so, whether the problem is any better.

Also review the items marked "possibly nasty" just in case.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 16744887
I did HJT & removed all Nasty & "possibly nasty" (along with "unknown")...rebooting, still there.

I am running the on-line scan & it found a few things...we'll see.
0
 
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 16744894
fyi...
spyware removal often takes an army of applications/tools to remove.  there is no one tool that will catch it all.  most spyware tools are easy to install / uninstall ... so you could install, clean and then uninstall the programs if you don't want to keep them around.

other helpful things:  delete all IE cache files.  delete all TEMP files.  and remember that spyware (and viruses) can reside in your restore points... so you might consider deleting your restore points as well.

finally, i do see signs of spyware infection in your hijackthis log.  delete those items (one of them is a search bar, which may take care of the popups you're having)

AND ... you have a TON of stuff in your hijackthis log listed as Logitech\Desktop Messenger.  no program should have that many entries in hijackthis.  i would get rid of it (the O18 entries)
get rid of winbjt32.dll (O20)
get rid of CXTSearch.html (O8), which is part of Viewpoint Toolbar
get rid of yt.dll (O3) and hpF6E4.tmp
i personally would not trust the morpheus entry for no.html (O1)
and the default URLSearchHook at R3 can be removed.

link to your saved analysis: http://www.hijackthis.de/logfiles/90feb393f2d29872b64f87f86290caa0.html
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 16744907
The Logitech ones are for a camera that they use (with messaging software).  The winbjt32.dll I believe is bad...I got rid of all those. =)
0
 
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 16744915
if items are still there after removing with HJT, then first try running HJT in safe mode.  if that doesn't remove the baddies, it's time to start with good spyware removal applications.  always run them in safe mode.
ewido
spybot
xcleaner
spyware blaster
adaware

do *not* use Trend Micro's spyware removal tool.  it sometimes works, but sometimes has weird side-effects, like removing all programs from your start menu.
0
 
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 16744927
then logitech has some serious issues... no application should ever look like that in HJT.  that's usually what spyware looks like... it tries to install itself everywhere.

i would double check and make sure it is indeed valid Logitech software.  don't forget that spyware and viruses can install in any directory.... and from my experience, those "logitech" entries do not look valid.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16745616
zephyr, I think that is more of a bug in Logitech software. I have seen that before, where it creates multiple virtual devices to talk with the camera. Probably a good idea to remove them anyway, but that is probably not malware.

I think this entry is definitely one of the main problems:

 O20 - Winlogon Notify: winbjt32 - C:\WINDOWS\SYSTEM32\winbjt32.dll

as pointed out by zephyr_hex above.
0
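As an added example (not code from the thread or from HijackThis), here is a small Python triage script for HijackThis v1.99 logs that pulls out the three things the replies above keep coming back to: entries marked (file missing), O20 Winlogon Notify DLLs that are not on a reviewer-supplied list of already-vetted names, and any single DLL registering a flood of O18 protocol handlers. The sample input is a short excerpt of the log posted in the question; the vetted-name list is an assumption made for the demonstration.

```python
import re
from collections import Counter

# Constructed sample input: a short excerpt of the HijackThis v1.99.1 log posted
# in the question (not the full log), enough to exercise each check below.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpF6E4.tmp (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O18 - Protocol: bw+0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {89B50155-B9AC-47C5-8CFB-B948E0B7F5D9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbjt32 - C:\WINDOWS\SYSTEM32\winbjt32.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# HJT entry lines look like "O20 - <body>" or "R1 - <body>"; everything else
# (header, running-process paths, blank lines) is ignored.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
FILE_MISSING = "(file missing)"
WINLOGON_PREFIX = "Winlogon Notify: "


def parse_entries(log_text):
    """Return (section, body) pairs for every HJT entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def find_file_missing(entries):
    """Entries HJT could not find on disk. The thread notes HJT is reliable
    about this for O2/O3; other sections deserve a manual look in Explorer."""
    return [(s, b) for s, b in entries if b.endswith(FILE_MISSING)]


def winlogon_notify(entries):
    """(name, dll path) for every O20 Winlogon Notify entry."""
    out = []
    for s, b in entries:
        if s == "O20" and b.startswith(WINLOGON_PREFIX):
            name, _, path = b[len(WINLOGON_PREFIX):].partition(" - ")
            out.append((name, path))
    return out


def o18_protocol_floods(entries, threshold=5):
    """Count O18 protocol handlers per DLL. One DLL registering a flood of
    handlers is the pattern the thread argues over (Logitech bug vs. spyware);
    either way it is worth surfacing so a reviewer can check the DLL itself."""
    counts = Counter()
    for s, b in entries:
        if s == "O18":
            counts[b.rsplit(" - ", 1)[-1]] += 1
    return {path: n for path, n in counts.items() if n >= threshold}


def triage(log_text, known_winlogon=frozenset()):
    """Build the review list. known_winlogon is a set of lower-cased Winlogon
    Notify names the reviewer has already vetted (an assumption of this
    example, not a built-in allowlist)."""
    entries = parse_entries(log_text)
    return {
        "file_missing": find_file_missing(entries),
        "winlogon_notify_unknown": [
            (n, p) for n, p in winlogon_notify(entries)
            if n.lower() not in known_winlogon
        ],
        "o18_floods": o18_protocol_floods(entries),
    }


if __name__ == "__main__":
    # Constructed vetted list for the demo: the two O20 names nobody in the
    # thread questioned. winbjt32 is then the only O20 left for review.
    for key, items in triage(SAMPLE_LOG, {"navlogon", "wgalogon"}).items():
        print(key, items)
```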
 
LVL 6

Author Comment

by:rustyrpage
ID: 16745673
I am running a scan.  I have removed that winbjt32.

Last I checked it was still doing it, but I will keep you posted
0
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16746539
does HJT say (file missing) next to it ?
run a scan and look at it pls.
0
 

Expert Comment

by:Captain_Spyware
ID: 16746605
Where (File Missing) is displayed, HijackThis can only be trusted where 02 & 03 entries are concerned. It's a bug in the program where it sometimes cannot see the file in question.

Configure Windows Explorer to reveal hidden files and folders:
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/50/

Reboot into Safe Mode and use Windows Explorer to locate that file and delete if it exists.
0
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16746796
winbjt32 is the onset of a Smitfraud infection. Killbox it with delete on reboot.

http://www.downloads.subratam.org/KillBox.zip 

copy this ----> C:\WINDOWS\SYSTEM32\winbjt32.dll

Next in Killbox go to File > Paste from clipboard
"Click on the All Files button."
Next click on the button that has the red circle with the white X in the middle.
It will ask for confirmation to delete the files on next reboot and ask you if you want to reboot now.
Click Yes and let the computer reboot.

Goto Safe Mode & run SmitfraudFix & Ewido.

http://siri.urz.free.fr/Fix/SmitfraudFix.zip


0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16747058
r-k hit the nail on the head; this one is your problem. It is not smitfraud; running smitfraud when you're not infected with smitfraud will remove your desktop background.

Fix this entry as r-k suggested and killbox the file or manually delete it --> C:\WINDOWS\SYSTEM32\winbjt32.dll

O20 - Winlogon Notify: winbjt32 - C:\WINDOWS\SYSTEM32\winbjt32.dll
0
 
LVL 32

Expert Comment

by:r-k
ID: 16747191
Thanks, rpggamergirl. To be fair, that file was first brought to our attention by zephyr_hex.

Hoping rustyrpage will have an update soon....

0
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16747307
cpt spyware you can trust hjt reporting file missing for 20 winlogon entries. Double checking is always good.

no matter who suggested, winbjt should be dead now. Please give us a new HJT log.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16747461
Oops!! r-k,
my apologies zephyr_hex, I didn't read the whole thread to be honest, I'm sorry.
Purple_Sky is right, it doesn't matter who suggested it as long as it solves the problem, :)

About the hijackthis bug, it's the 09 and 023 where it plays. 09 doesn't really matter, but when it's the 023 entries with file missing, that's where you have to be extremely careful.

rustyrpage,
If you don't really use Logitech desktop messenger you can uninstall it via Add/remove programs and it should get rid of those 018 entries (though they are harmless clutter).
0
 

Expert Comment

by:Captain_Spyware
ID: 16747729
Purple_Sky,

A good job this Expert paid no attention to HJT's reliability where 020's are concerned:

http://www.dslreports.com/forum/remark,15746415?hilite=airplus

But granted, generally it's a safe bet.


0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16747957
>>A good job this Expert paid no attention to HJT's reliability where 020's are concerned:<<

All those 020 entries with file missing belong to look2me infection.
With regards to 020 entries "file missing" I think there's a little difference to whether the file missing is from a legit program or if it's a file missing malware entries.
You can not trust when the 020 file missing is a malware entry because malware can do that, a lot of malware can even hide from hijackthis scan and not show up in the log.

But if the 020 "file missing" is of a legit program it's mostly correct, I haven't seen any legit entry "file missing" on this line where the program is still present, I'd be interested if someone has a link to one.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 16751802
It seems like the problem was fixed by running ewido... I will award the points
0
