persistent hijacking

Welcome to Majorgeeks!

You need to attach your HijackThis log! Not the executable program for HijackThis.

Also that is not the correct Bitdefender log. Follow step 6 exactly as written or you will not get the correct log. What you posted is a summary which does not help us.

 

Yes and that is exactly what it says in step 6:

No please follow the directions in step 7 to install HijackThis properly. You are running it from:
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

This means you are running it directly from the ZIP file which we specifically ask that you not do. You must fix this now before we can continue.

Also answer a question! When you obtained the HijackThis log did you have any program installations in progress that you had not completed? Or did you not reboot your PC after installing a few applications that may have needed a reboot?

Now run the procedure in the below and attach the requested vundofix log:

Virtumonde aka Trojan Vundo Removal


Now make sure HJT is installed correctly per step 7. And then fix all of the O18 lines like the below from Logitech Desktop Messenger:
O18 - Protocol: bw+0 - {C57B3772-8114-470E-BCA7-E5FCED77E898} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

Now attach a new HJT log.

 

No Logitech is not malware! They just have some bugs in there program causing it to make these entries into your registry over and over again. Also, in reality most people do not really even want this program to run. You could/should disable it but that is your decision.

I'm looking at your log now (I see you online).

 

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wowt.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] \Program\
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\asdf.exe
C:\Documents and Settings\Owner\My Documents\NNuninstall.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

First a question! Why are you using msconfig?
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

You must not use this while we are fixing problems (unless we ask for it to be used during a fix). Select Normal Startup.

That O4 line is probably coming back due to the below unnecessary process loading:
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

Read about it here: http://www.bleepingcomputer.com/startups/ldmconf.exe-2605.html
You can probably uninstall Logitech Desktop Messenger from Add/Remove programs to get rid of these two lines. (as long as you don't care about aut updates & personally I rather get updates myself)

You can also have HJT fix the below left over line from Spy Sweeper:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

 

But HJT logs are to be from normal boot mode and at that time MSconfig should not be used.

Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

Re: persistent hijacking IT"S FIXED THANKS!

You're welcome. Surf safely!