Hijacked Browser - Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by Fred Klerks, Feb 13, 2007.

  1. Fred Klerks

    Fred Klerks Private E-2

    Hi,
    I sincerely hope that you guys can help me, please. I believe, but I am not really sure, that my Browser(s) have been hijacked.
    Symptoms:
    1. My laptop PC is very slow in opening Explorer windows.
    2. With Windows Update it keeps on loading and updating the
    Windows Malicious Software Removal Tool. Last known good update was in September 2006. Since then the tool states that it has updated, but the log (mrt.log) states September 2006 was the last update.
    3. When I look into Windows Task Manager I have noticed that there are 7 svchost processes running (5 associated with SYSTEM, 1 associated with LOCAL SERVICE and 1 associated with NETWORK SERVICE), but one of the SYSTEM svchosts is using 66,856K and always increasing.
    4. Also in Task Manager, ServiceLayer.exe is always high and increasing, 59,316K.
    5. I have run all of the tasks as per your READ and RUN First. However I have found that certain things I can do and certain things the computer will not allow me to do.
    • Steps 0 to 3 done. I have installed AVG 7.5 Professional antivirus and AVG Anti-Spyware and am using the Microsoft XP firewall.
    • In step 4 downloaded ccsetup, GetRunKey, ShowNew without problems. Downloading Spybot and installing it, somehow the update to the web site was being blocked. However I was able to download Spybot with the update, which installed OK.
    • Downloaded HijackThis and put the zip in c:\download, created c:\program\HJT as recommended. As soon as I went into the directory c:\download and tried to unzip it, the program was somehow closed. I also noticed this if I went into a previously installed directory of HijackThis, c:\mydocuments\downloads2006\hijack: it automatically closed the Explorer window and any other Explorer windows that were open. I finally tried moving the zip to c:\programs\HJT and successfully unzipped it into that directory and renamed it. Even if I click on the URL for HijackThis on the majorgeeks.com READ and RUN page, it immediately closes all open Explorer windows.
    • In Step 5, in Safe Mode, CCleaner worked and Spybot ran and found nothing. CounterSpy V2 again found nothing.
    • In Step 6a, uninstalled, downloaded and installed the latest version of Java as recommended. In Safe Mode with Networking, BitDefender could not be downloaded as only half the page was shown on bitdefender.com, and when I tried bitdefender.co.uk I got the full page but on installation I received the message that the ActiveX was not authorised for that web site. (I sent an e-mail to them about it.) However Panda ActiveScan did work. I have attached the log. I was impressed by Panda ActiveScan, so I signed up for ActiveScan Pro, thinking this could be the answer for a quick fix, but alas it was not. I attach the log.
    • The Panda ActiveScan identified that I had a virus in CISCONETWORK.EXE and that the virus was also located in the Windows system. CISCONETWORK was loaded in Task Manager even in Safe Mode. I renamed it to FREDNETWORK.EXE. I reloaded Windows in Normal mode and followed the instructions to run HijackThis. To my surprise, (Analyse.exe) ran, as CISCONETWORK was not loaded in Task Manager.
    I will send newfiles.txt in the next thread
    However the problem still exists. Please can you help me.

    Thanks for your help in advance
    Fred Klerks
     


  2. Fred Klerks

    Fred Klerks Private E-2

    Hijacked Browser - Help!!!!

    Hi,
    I sincerely hope that you guys can help me, please. I believe, but I am not really sure, that my Browser(s) have been hijacked.
    Symptoms:
    1. My laptop PC is very slow in opening Explorer windows.
    2. With Windows Update it keeps on loading and updating the Windows Malicious Software Removal Tool. Last known good update was in September 2006. Since then the tool states that it has updated, but the log (mrt.log) states September 2006 was the last update.
    3. When I look into Windows Task Manager I have noticed that there are 7 svchost processes running (5 associated with SYSTEM, 1 associated with LOCAL SERVICE and 1 associated with NETWORK SERVICE), but one of the SYSTEM svchosts is using 66,856K and always increasing.
    4. Also in Task Manager, ServiceLayer.exe is always high and increasing, 59,316K.
    5. I have run all of the tasks as per your READ and RUN First. However I have found that certain things I can do and certain things the computer will not allow me to do.
    • Steps 0 to 3 done. I have installed AVG 7.5 Professional antivirus and AVG Anti-Spyware and am using the Microsoft XP firewall.
    • In step 4 downloaded ccsetup, GetRunKey, ShowNew without problems. Downloading Spybot and installing it, somehow the update to the web site was being blocked. However I was able to download Spybot with the update, which installed OK.
    • Downloaded HijackThis and put the zip in c:\download, created c:\program\HJT as recommended. As soon as I went into the directory c:\download and tried to unzip it, the program was somehow closed. I also noticed this if I went into a previously installed directory of HijackThis, c:\mydocuments\downloads2006\hijack: it automatically closed the Explorer window and any other Explorer windows that were open. I finally tried moving the zip to c:\programs\HJT and successfully unzipped it into that directory and renamed it. Even if I click on the URL for HijackThis on the majorgeeks.com READ and RUN page, it immediately closes all open Explorer windows.
    • In Step 5, in Safe Mode, CCleaner worked and Spybot ran and found nothing. CounterSpy V2 again found nothing.
    • In Step 6a, uninstalled, downloaded and installed the latest version of Java as recommended. In Safe Mode with Networking, BitDefender could not be downloaded as only half the page was shown on bitdefender.com, and when I tried bitdefender.co.uk I got the full page but on installation I received the message that the ActiveX was not authorised for that web site. (I sent an e-mail to them about it.) However Panda ActiveScan did work. I have attached the log. I was impressed by Panda ActiveScan, so I signed up for ActiveScan Pro, thinking this could be the answer for a quick fix, but alas it was not. I attach the log.
    • I noticed in the ActiveScan log that CISCONETWORK.EXE had a virus which also affected the operating system, as it was loaded in Task Manager. I renamed it Frednetwork.exe.
    • I rebooted in Normal mode and was finally able to run Analyse.exe (HijackThis). Please find attached the log.

    Please can you help me as I still am having problems? I thank you in advance.
    Kind Regards
    Fred Klerks
     


  3. Fred Klerks

    Fred Klerks Private E-2

    Attached is the newfiles.txt.

    Thank you for any help you can give.

    Kind Regards

    Fred Klerks
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Hijacked Browser - Help!!!!

    Welcome to Majorgeeks!

    Please don't start multiple threads! You must keep all posts in the same thread to avoid confusion and unnecessary posting on our part. I merged your messages into one thread.


    Note that according to your ShowNew log you are running Java 2 Runtime Environment, SE v1.4.2_05 which is a very OLD and outdated version. You did not uninstall this and install the new version as you stated. This could be the reason for your problems with Bitdefender. Uninstall the old version and install the new version of Sun Java. Or did you do the steps in the READ ME in the wrong order!


    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Now to the heart of your problems!

    Please run this Gromozon Rootkit Removal Tool and attach a log.


    Now let's remove a service from Symantec that was never uninstalled!

    First look in Add/Remove programs for Norton WMI Update and uninstall it if found.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SymWMI Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SymWSC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O18 - Protocol: bw+0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {9490AF70-E254-4DD2-A753-D9A2FA7C8899} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\CiscoNetwork.exe
    C:\WINDOWS\fredNetwork.exe
    C:\WINDOWS\hfbmm1.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Gromozon Rootkit Removal
    2. GetRunKey
    3. ShowNew
    4. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
    Last edited: Feb 14, 2007
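The service-removal and "Delete on Reboot" steps above, done from an elevated PowerShell prompt instead of services.msc, HijackThis and Pocket Killbox. This is an added example, not code from the thread or from any of those tools; the service name (SymWSC, display name "SymWMI Service") and the three file paths are the ones given in the post, and everything else is an assumption for illustration.

```powershell
# Added example (not from the thread): stop, disable and delete the leftover
# Symantec service, then remove the files, queuing any that are locked for
# deletion at the next boot. Run in an elevated PowerShell on the machine itself.

$serviceName   = 'SymWSC'               # service (registry) name; display name is "SymWMI Service"
$filesToRemove = @(                     # paths from the post
    'C:\WINDOWS\CiscoNetwork.exe',
    'C:\WINDOWS\fredNetwork.exe',
    'C:\WINDOWS\hfbmm1.dll'
)

# 1. Stop and disable the service if it is still registered.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $serviceName -Force }
    Set-Service -Name $serviceName -StartupType Disabled
    # Note the binary before the registration is gone, so it can be checked afterwards.
    $binPath = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName").ImagePath
    Write-Output "Service $serviceName ran from: $binPath"
    # 2. Delete the service registration (same effect as HJT's "Delete an NT Service").
    sc.exe delete $serviceName | Out-String | Write-Output
} else {
    Write-Output "Service $serviceName not found in the registry (nothing to delete)"
}

# 3. Delete the files. A file that is in use cannot be deleted now; MoveFileEx with
#    MOVEFILE_DELAY_UNTIL_REBOOT records it under
#    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
#    and the kernel removes it early in the next boot. That value is what Killbox's
#    "Delete on Reboot" writes and why it prompts when the value already exists.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'Kernel32MoveFile' -Namespace 'Win32' -PassThru
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

foreach ($f in $filesToRemove) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Output "not present: $f"; continue }
    try {
        # Immediate delete first; this succeeds for files nothing has open.
        Remove-Item -LiteralPath $f -Force -ErrorAction Stop
        Write-Output "deleted now: $f"
    } catch {
        # Locked: a null destination means "delete" rather than "rename".
        if ($k32::MoveFileEx($f, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            Write-Output "queued for deletion at reboot: $f"
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Output "failed to queue $f : Win32 error $err"
        }
    }
}

# 4. Show what is queued before rebooting. Entries come in pairs (source, destination);
#    an empty destination means delete. Anything here you did not add deserves a look,
#    since malware can use the same mechanism to replace files at boot.
$smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
if ($pending) {
    Write-Output 'PendingFileRenameOperations:'
    $pending.PendingFileRenameOperations | Where-Object { $_ }
} else {
    Write-Output 'PendingFileRenameOperations is not set'
}
```

Reboot after running it; the queued files are gone before any user-mode process starts, which is the point of the delete-on-reboot approach for a file that re-launches or protects itself while Windows is up. If a file was renamed (as CiscoNetwork.exe was in this thread), list the renamed name too, exactly as the post does, because the queue matches on path, not on content.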
  5. Fred Klerks

    Fred Klerks Private E-2

    Dear Chaslang,
    Thank you so much for your help.
    The results are as follows:
    I forgot to uninstall Java 2 Runtime 1.4 (which I have now uninstalled) but had installed Java 6 Runtime.

    Ran Gromozon and during the running of it, a message that Trojan.Gromozon had been deleted. However when I looked for the log, I made a mistake in finding it (I searched for removal.log instead of gromozon_removal.log).
    Needless to say I re-ran Gromozon and the log was clean, which I have attached. Sorry.

    Uninstalled Norton WMI Update via Add/Remove Programs. Double checked via services.msc, which showed no instance of it.

    As to running HJT, I had to type in SymWSC and it came up with a message that it could not find it. I pressed OK.

    Clicked all the items you marked, pressed Fix and exited HJT without any problems.

    Did the fixME.reg and the system informed me that the merge was successful.

    Ran Pocket Killbox as per your instructions. All went well except for the following:
    CiscoNetwork.exe could not be found as I had renamed it to frednetwork.exe. Also on the Yes Reboot prompt, AVG Resident Shield popped up to identify the virus in the .dll. I closed the AVG window without taking any action and Killbox shut down and rebooted the system.

    I did NOT get the PendingFileRenameOperations prompt.

    I ran CCleaner, then re-ran GetRunKey and ShowNew.

    As to the PC, it appears to be running OK. Once Gromozon got rid of the trojan, Windows Update was able to download and install about 10 XP-related security updates which had failed to install yesterday. The problem associated with the constant loading of the Windows Malicious Software Removal Tool also appears to be fixed, as the mrt.log now reflects that the February tool has been installed and no infections found.

    I have attached the files you requested. Fingers crossed that you have fixed my problems. I will switch RESTORE back on.

    Kind Regards and so far a million and one thank you's

    Fred Klerks
     
  6. Fred Klerks

    Fred Klerks Private E-2

    Files did not attach. Try again.
     


  7. Fred Klerks

    Fred Klerks Private E-2

    Here is the Gromozon file.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It appears you did not run the steps as requested with HJT. Shutdown all antivirus and antispyware programs and please fix all those items and attach a new HJT log. All those lines are still in your log.

    By the way you should not need both of the below:
    Browser Hijack Retaliator 4.5
    BHOZapper

    In fact if you have a good antispyware program with realtime protection, you really should not need either of them.
     
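The O4 and O18 lines in a HijackThis log come from the Run keys and from the IE protocol handler registrations under HKCR\PROTOCOLS\Handler. The script below re-reads those locations directly, so the result reflects the machine's current state rather than a log saved before Fix was clicked (the mistake in this thread). It is an added example, not part of the thread or of HijackThis; the registry paths are the standard Windows ones, and the output format only loosely imitates HJT's.

```powershell
# Added example (not from the thread): list O4 (Run keys) and O18 (IE protocol
# handlers) from the live registry, resolve each handler CLSID to its DLL, and
# flag targets that are missing or unsigned. Run in an elevated PowerShell.

function Get-TargetPath {
    # Expand %windir%-style variables and strip quotes and arguments to get the file path.
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Raw)
    $m = [regex]::Match($expanded, '(?i)^"?([^"]+?\.(?:exe|dll))')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Get-FileState {
    # Same condition HJT reports as "(no file)" / "file missing", plus a signature check.
    param([string]$Path)
    if (-not $Path) { return 'unparsed' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return 'signed by ' + $sig.SignerCertificate.Subject }
    return 'UNSIGNED (or catalog-signed, see note)'
}

# O4: machine-wide and per-user Run keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # provider metadata, not a Run value
        $target = Get-TargetPath $p.Value
        'O4  {0}\{1} = {2}  [{3}]' -f $key, $p.Name, $p.Value, (Get-FileState $target)
    }
}

# O18: every registered protocol handler. The handler key holds a CLSID value;
# the DLL that implements it is the default value of HKCR\CLSID\{clsid}\InprocServer32.
$handlerRoot = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler'
foreach ($h in Get-ChildItem -Path $handlerRoot) {
    $clsid = (Get-ItemProperty -Path $h.PSPath).CLSID
    $dll = $null
    if ($clsid) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path $server) {
            $dll = Get-TargetPath ((Get-ItemProperty -Path $server).'(default)')
        }
    }
    $state = if ($dll) { Get-FileState $dll } else { 'no InprocServer32 DLL registered' }
    'O18 {0} - {1} - {2}  [{3}]' -f $h.PSChildName, $clsid, $dll, $state
}
```

After an HJT fix, the bw* and offline-8876480 handlers from this thread should simply no longer appear in the O18 output; an entry that is still there with "FILE MISSING" is a dangling registration that a browser can never load but that HJT will keep reporting. Treat "UNSIGNED" as a prompt to look, not a verdict: Get-AuthenticodeSignature only verifies embedded signatures on older Windows versions, so catalog-signed system DLLs such as the built-in http/https handlers can show as unsigned there.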
  9. Fred Klerks

    Fred Klerks Private E-2

    Dear Chaslang,
    Just need some clarification here please:
    Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    At the lower right, click on the Config button
    Then click the Misc tools button
    Select Delete an NT Service
    These steps are all OK
    THEN
    Copy/paste SymWSC (where do I copy and paste from, notepad?)
    Error message: SymWSC not found in registry
    I OK'd the message
    NOW HOW DO I EXIT HJT, as pressing the red/white X (close) does not cause the machine to reboot!!

    Fred
     
  10. Fred Klerks

    Fred Klerks Private E-2

    Just discovered what I did wrong. When I ran Fix I immediately exited and did not save the log. Hence I sent you the log from the start of the scan.

    Here is the correct one and I believe all entries to be removed are removed.

    Look forward to hearing from you.

    Again Thank you for your time and effort.

    Kind Regards

    Fred Klerks
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that's better! ;)

    How is everything working now?

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  12. Fred Klerks

    Fred Klerks Private E-2

    Dear Chaslang,
    I can not express my thanks to you and all at MajorGeeks.com enough.

    The PC laptop is like having a new machine. Fast, smooth and no more waiting around for 15 minutes.

    I have followed all your instructions to the letter in your last e-mail.

    I have also followed your advice and uninstalled Browser Hijack Retaliator 4.5 and BHOZapper.

    I have also stopped using Internet Explorer and now only use Mozilla Firefox which is very good.

    Again, Thank you so much for your help and support. Great job.

    Kind Regards

    Fred Klerks
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
