cyberlog-x, coolweb search, trojandownloader.xs and more

Discussion in 'Malware Help (A Specialist Will Reply)' started by hartj87, Jun 30, 2008.

  1. hartj87

    hartj87 Private E-2

    Hello,
On 6/28/08 I was browsing different websites (myspace, youtube, etc.) as usual and I noticed that after clicking on a bulletin and watching 15 seconds of a video that my computer started bogging down in a big bad way and I started getting alerts about "cyberlog-x" and coolwebsearch and trojandownloader.xs infecting my computer. I've gone to many sites to look up this problem, deleted certain things that they said were the problem off my registry, and ran all my anti-spyware programs, and the problem is still occurring. I have reason to believe that this is a myspace related problem because a lot of my friends have the same problems that I am encountering. I would run hijack this but I cannot install it to my computer due to the virus. Is there a quick fix that I can do to at least ward it off so I can install it and post a log? Any suggestions would be greatly appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. hartj87

    hartj87 Private E-2

Well, I managed to get superAntiSpyware to open and work, and I followed the instructions on that, and it said that it successfully removed and quarantined all bad files, but when I run a scan again, all the same things keep on popping up. With that being said, my browser is still hijacked and redirecting me to every other site but this one (I'm on another computer). I can't get to the task manager because every time I ctrl+alt+delete it says that the admin disabled the function, and I'm fairly sure that due to this infestation, it won't let me open any of the .exe files (combofix, spybotsd install, etc.)... any suggestions?
     
  4. hartj87

    hartj87 Private E-2

    Update: out of all the files, I was able to get mgtools.exe to work, I put it in the C:/ drive and got the log that came out after running it.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I need the log as requested in the READ & RUN ME. Did you attempt to run Malwarebytes Anti-Malware?

    See if you can run them in safe boot mode.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You do not have your PC in Normal Startup mode as requested in step 1 of the READ & RUN ME. You must use MSconfig and select Normal Startup mode now and remain in that mode. You have even disabled your antivirus program from what you are doing. No wonder you have infections.

    You also skipped other instructions in step 1! Like these:

    • you did not uninstall old Sun Java versions and then update to the current version.
    • you did not uninstall the Viewpoint Media software as requested
You also did not install the current version of Spybot. You are using version 1.2, which is 4 years out of date. You also have a very outdated version of Ad-Aware installed. You also have a 4 year old version of SpywareBlaster installed. Not keeping your protection software updated is a very, very bad practice.

    What version of Spy Sweeper do you have installed and is it a paid version that actually removes malware?

    Let's try to fix a few of the above issues and then try to make a dent in some of your malware. Make sure you do all of the below steps and do them in the order written; however if any particular step does not work, just note it to explain to me later what happened, but do not stop. Continue on with all steps.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Plug and Play (RPC)
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe which is really HijackThis, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste PlugPlayRPC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Uninstall the below software:
    Ad-aware 6 Personal
    Java 2 Runtime Environment, SE v1.4.2
    Java 2 Runtime Environment, SE v1.4.2_05
    Spybot - Search & Destroy 1.2
    SpyHunter
    SpywareBlaster v3.2
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
    O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
    O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
    O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
    O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
    O2 - BHO: (no name) - {36A48FD6-2145-4985-A328-90D729F80AD7} - C:\WINDOWS\system32\rqRIyXPj.dll
    O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
    O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
    O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
    O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\SYSTEM32\TwcToolbarBho.dll
    O2 - BHO: (no name) - {AF31B019-70AF-292A-FB4D-70A2E0EC42B1} - C:\WINDOWS\system32\ofpmdham.dll (file missing)
    O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
    O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
    O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
    O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
    O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\actxprxyz.exe
    O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\actxprxyz.exe
    O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\actxprxyz.exe
    O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\actxprxyz.exe
    O4 - HKUS\S-1-5-18\..\Run: [IEUpdate] C:\WINDOWS\system32\actxprxyz.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunServices: [IEUpdate] C:\WINDOWS\system32\actxprxyz.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunServices: [IEUpdate] C:\WINDOWS\system32\actxprxyz.exe (User 'Default user')
    O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {68E53982-CCCE-48C2-89B9-C3C97638F9B4} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
    O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOActiveXInstallerProj1.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50183/QDow_AS2.cab
    O18 - Protocol: bw+0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {B59AFF32-A28C-4B46-A9EE-0642CFE129F3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    After clicking Fix, exit HJT.

    Now reboot into Safe Boot mode and delete the below files if found. If you do not find certain files or they will not delete, just continue on.
    C:\Documents and Settings\All Users\Desktop\SpyHunter.lnk
    C:\WINDOWS\444.470
    C:\WINDOWS\444.471
    C:\WINDOWS\astctl32.ocx
    C:\WINDOWS\IIS6.LOG
    C:\WINDOWS\mainms.vpi
    C:\WINDOWS\megavid.cdt
    C:\WINDOWS\MSGSOCM.LOG
    C:\WINDOWS\muotr.so
    C:\WINDOWS\OCGEN.LOG
    C:\WINDOWS\OCMSN.LOG
    C:\WINDOWS\portsv.exe
    C:\WINDOWS\rundll32.vbe
    C:\WINDOWS\TSOC.LOG
    C:\WINDOWS\xxxvideo.hta
    C:\WINDOWS\SYSTEM32\000050.exe
    C:\WINDOWS\SYSTEM32\000060.exe
    C:\WINDOWS\SYSTEM32\actxprxyz.exe
    C:\WINDOWS\SYSTEM32\{830f350a-07d3-fd02-536c-c3c086d2c9b4}.dll-uninst.exe
    C:\WINDOWS\SYSTEM32\rqRIyXPj.dll
    C:\WINDOWS\SYSTEM32\winpfz33.sys
    C:\WINDOWS\SYSTEM32\jPXyIRqr.ini
    C:\WINDOWS\SYSTEM32\jPXyIRqr.ini2

    Now delete the below folders if found. If you do not find certain folders or they will not delete, just continue on.
    C:\Documents and Settings\EIIZ WAY.DFSBH741\Application Data\SMANTE~1
    C:\Documents and Settings\All Users\Application Data\ZangoSA
    C:\Program Files\Enigma Software Group
    C:\WINDOWS\ICROSO~1.NET
    C:\WINDOWS\RUlJWiBXQVk
    C:\WINDOWS\SYSTEM32\1049a
    C:\WINDOWS\SYSTEM32\4396
    C:\WINDOWS\SYSTEM32\axc
    C:\WINDOWS\SYSTEM32\bgi
    C:\WINDOWS\SYSTEM32\eb10
    C:\WINDOWS\SYSTEM32\netrax06

    Now reboot into Normal Boot mode!



    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\EIIZ WAY.DFSBH741\Local Settings\Temp

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below log:
    • C:\MGlogs.zip
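    The HijackThis lines chaslang selects above follow a few recognisable patterns: a UserInit value that loads a second program after userinit.exe, BHO and toolbar entries whose DLL is gone ("(no file)" / "(file missing)"), one executable registered under several Run/RunServices keys at once, and ActiveX downloads (O16). The script below is an added example, not part of the thread and not HijackThis or MajorGeeks code; it encodes those patterns as simple review heuristics and runs them over a handful of lines copied from the log above. The rule thresholds (three or more autostart locations, any RunServices key) are this example's own assumptions, chosen to reproduce the expert's selections, not a published signature set.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {36A48FD6-2145-4985-A328-90D729F80AD7} - C:\WINDOWS\system32\rqRIyXPj.dll
O2 - BHO: (no name) - {AF31B019-70AF-292A-FB4D-70A2E0EC42B1} - C:\WINDOWS\system32\ofpmdham.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\actxprxyz.exe
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\actxprxyz.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\actxprxyz.exe
O4 - HKUS\S-1-5-18\..\Run: [IEUpdate] C:\WINDOWS\system32\actxprxyz.exe (User 'SYSTEM')
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50183/QDow_AS2.cab
"""

# Every HijackThis line starts with a section code (R1, F2, O2, ...) then " - ".
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# O4 bodies look like: <hive>: [<name>] <command> [ (User '<name>')]
O4_RE = re.compile(r"(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<target>.*)")


def parse(log_text):
    """Split a HijackThis log into (section code, body, raw line) tuples."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
    return entries


def analyse(log_text):
    """Return a list of (section code, reason, evidence) findings for review."""
    findings = []
    run_targets = defaultdict(set)  # command -> set of autostart hives it appears in
    for kind, body, raw in parse(log_text):
        if kind == "F2" and body.startswith("REG:system.ini: UserInit="):
            # UserInit normally lists only userinit.exe; anything after it runs at every logon.
            values = [v for v in body.split("=", 1)[1].split(",") if v]
            extra = [v for v in values if not v.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("F2", "UserInit loads extra program(s): " + ", ".join(extra), raw))
        elif kind in ("O2", "O9") and ("(no file)" in body or "(file missing)" in body):
            findings.append((kind, "orphaned entry, target file missing", raw))
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("O2", "unnamed BHO with a DLL on disk, verify its publisher", raw))
        elif kind == "O4":
            m = O4_RE.match(body)
            if m:
                # Strip the trailing " (User '...')" so the same command groups across hives.
                target = m.group("target").split(" (User ")[0]
                run_targets[target].add(m.group("hive"))
        elif kind == "O16":
            findings.append(("O16", "ActiveX download (DPF) entry, review the source URL", raw))

    # Assumed heuristic: legitimate software rarely registers itself in several
    # Run keys at once, and almost never in the legacy RunServices key.
    for target, hives in run_targets.items():
        if len(hives) >= 3 or any("RunServices" in h for h in hives):
            findings.append(("O4", f"same program in {len(hives)} autostart locations", target))
    return findings


def summarize(log_text):
    """Count findings per HijackThis section code."""
    return Counter(kind for kind, _, _ in analyse(log_text))


if __name__ == "__main__":
    for kind, reason, evidence in analyse(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n      {evidence}")
```

Run it as a script to print one line per flagged entry; the R1 home-page entry and the single RealPlayer Run entry pass through unflagged, which matches how the heuristics are meant to behave: they narrow a long log down to entries worth a second look, they do not decide what to remove.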
     
  7. hartj87

    hartj87 Private E-2

    Okay, here's the log after all the steps have been completed. I couldn't install the Java file, it's doing the same thing that all the other .exe files are doing... but it did kill off the error messages, but I can't browse to any other websites for some reason, the browser is still "hijacked" and redirects me to other search engines..


    Also, I had to do some extra steps to disable the PlugPlayRPC part too, I couldn't just run the file and disable it from the properties.
     

    Last edited: Jul 4, 2008
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you find and delete those files and folders I listed?

    Why did you delete other items from your Startup list using HijackThis? Many things you previously had loading no longer show up. You must not remove things we do not ask you to remove. I suggest you restore all items you removed on your own. And again I emphasize that you MUST put your PC into normal startup mode with MSconfig and leave it this way. If you don't do this, I cannot help you.

    Your MGlogs.zip file does not contain all new logs. I suggest that you delete it and then run C:\MGtools\GetLogs.bat again and make sure you allow it to finish running.

    Then attach the new MGlogs.zip file.
     
    Last edited: Jul 4, 2008
  9. hartj87

    hartj87 Private E-2

    That's the thing though, I do put it in normal startup, it keeps changing I think, and as far as the HJT I didn't click anything for it to fix anything that I'm aware of. Things are horribly screwed up on this comp.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try again and make sure that you run MSconfig and select the Normal Startup button. Make sure it is not on Selective Startup.

    But I gave you a whole list of things to fix. It looks to me like you selected things that were not on the list. I know my list was large, but all of those needed to be fixed and not the other items.

    Run C:\MGtools\analyse.exe by double clicking on it but this time click the Open Misc Tools section button. Then click the Backups button at the top of the next form. Now select all items in this list that were not requested for you to remove. Once you find all of these, click the Restore button.

    Then reboot your PC.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below log:
    • C:\MGlogs.zip
     
