SHERIFF! someone find me a gun

Discussion in 'Malware Help (A Specialist Will Reply)' started by fightthefad, Nov 30, 2005.

  1. fightthefad

    fightthefad Private E-2

    Hello,

    Forgive me if I fail to comply by any policies. It's late and this thing has got me frazzled. Here is the log. I found a post resolving a similar problem but none of the files needing to be corrected could be found. I'm going to stop pretending I know what I'm talking about and hopefully someone can help me get some sound sleep.

    Regards,

    Jas
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Logitech Desktop Messenger

    Download L2MeFix Tool and save it where you will be able to find it.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log. Save this log. You will need to post this log back here later when you come back.
    Next DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.

    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your next message.

    Now open your browser and come back here and post the above two logs as attachments to your message. Also indicate your current status.


    NOTE: Please do not run any other options or files in the l2mfix Folder!
     
  3. fightthefad

    fightthefad Private E-2

    Thanks so much, sorry for the slow reply. I attached the two logs from L2MeFix although one doesn't seem to have created much information. It seems as though a majority of the random created Icons have stopped and IE doesn't launch as frequently but it still does load to secure32. My active desktop is gone and windows explorer keeps closing down. Plus there's those damn security centre Xs and "Your computer is infected!" bubbles.

    Jared :rolleyes:
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Spy Sweeper
    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT log.
     
  5. fightthefad

    fightthefad Private E-2

Sorry for the lag, I had to go out of town. My computer "seems" to be running as it were before this all happened. It's slower and my active desktop is messed up but those pop-ups and the balloons are gone. For some reason I can't get my Spy Sweeper log to attach...? Here's my new HJT though.

    cheers.
     

    Attached Files:

    • log.txt
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I need the spysweeper log, if you have to zip it and attach it.
     
  7. fightthefad

    fightthefad Private E-2

    Hopefully this works. Thanks.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    48.3 MB?? Why is this log so large?

    Open Spy Sweeper and click on Results. Now click on the Session Log tab and click Clear Session History. Now click on Quarantine and select all and delete.

    Now go back to post #16 and run one more full sweep and attach the new log from SS along with a fresh HJT log.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The log may still be the same size. It is that large because of all the messages like the below two:

    1:22 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    1:23 AM: Warning: Failed to get log from SSI driver. Insufficient system resources exist to complete the requested service

    There are hundreds of them. Also note that it is running out of memory while trying to scan.
     
  10. fightthefad

    fightthefad Private E-2

    It took over 8 hours to run...if that's of any note. So...rerun SS, attach, and add another HJT log?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since BJ is not around, I'll try to keep you moving along.
    No! Do not run SpySweeper again. Hang on while I work up something for you to do.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You really need to run the SpySheriff (aka SpywareNo) Removal sticky procedure to clean up some of your problems, but let's do the manual steps below first to improve your status. Note that some items may already be gone due to running SpySweeper. So if you do not see them, just note which ones and continue with all steps.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    c:\windows\system32\mdms.exe
    C:\WINDOWS\system32\paytime.exe
    C:\winstall.exe
    C:\WINDOWS\system32\paytime.exe
    C:\PROGRA~1\COMMON~1\ikrr\ikrrm.exe
    C:\WINDOWS\tool2.exe
    C:\WINDOWS\tool2.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
    O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
    O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
    O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKCU\..\Run: [ikrr] C:\PROGRA~1\COMMON~1\ikrr\ikrrm.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O18 - Protocol: bw+0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: offline-8876480 - {BF590967-6EA8-417F-BED1-F7BD20932619} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\fp4q03h5e.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\ikrr <--- the whole folder
    C:\Program Files\WildTangent <--- the whole folder
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    c:\windows\system32\mdms.exe
    C:\WINDOWS\system32\paytime.exe
    C:\winstall.exe
    C:\WINDOWS\tool2.exe
    C:\WINDOWS\bxproxy.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
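The fix list above was built by reading a HijackThis log line by line and deciding, per entry, whether the target is a known indicator, an orphaned entry, or something that only needs a look. The script below is an added example (mine, not part of this thread and not HijackThis code) that automates that first pass over a constructed sample log built from the entries quoted in this thread. The indicator paths are exactly the ones chaslang listed; the section meanings are the standard HJT ones; the sample log header is constructed. It also reproduces the ordering the post insists on: kill the running executables before fixing the entries, because an autostarted process can rewrite the Run keys and the IE start page as fast as HJT removes them.

```python
"""Triage HijackThis (HJT) log lines the way the fix list in this thread was built.
Added example; not part of the original post and not HijackThis code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator paths: exactly the files chaslang told the poster to kill/fix/delete.
# Lower-cased so matching is case-insensitive, like the Windows filesystem.
BAD_PATHS = (
    r"c:\secure32.html",
    r"c:\windows\system32\mdms.exe",
    r"c:\windows\system32\paytime.exe",
    r"c:\winstall.exe",
    r"c:\progra~1\common~1\ikrr\ikrrm.exe",
    r"c:\windows\tool2.exe",
    r"c:\windows\bxproxy.exe",
    r"c:\program files\common files\microsoft shared\web folders\ibm00001.exe",
    r"c:\windows\system32\fp4q03h5e.dll",
)

# Standard HJT section codes and what part of the system each one describes.
SECTION = {
    "R0": "IE start page / search page",
    "R1": "IE default URL / search bar / proxy override",
    "F2": "system.ini Shell= (mapped into the registry on NT-family Windows)",
    "O3": "IE toolbar",
    "O4": "autostart: Run key or Startup folder",
    "O9": "IE extra button / Tools menu item",
    "O18": "registered protocol handler",
    "O20": "Winlogon Notify DLL (loaded into winlogon.exe)",
}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious HJT entry, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # log header, blank lines, running-process list
        code, body = m.group("code"), m.group("body")
        low = body.lower()
        hit = next((p for p in BAD_PATHS if p in low), None)
        if hit:
            findings.append(Finding(code, f"known indicator {hit}", line))
        elif code == "F2" and "shell=" in low and low.split("shell=", 1)[1].strip() != "explorer.exe":
            # Anything appended to Shell= runs every logon alongside Explorer.
            findings.append(Finding(code, "Shell= runs more than explorer.exe", line))
        elif code == "O20":
            findings.append(Finding(code, "Winlogon Notify DLL; verify before keeping", line))
        elif "(file missing)" in low or "(no file)" in low:
            findings.append(Finding(code, "orphaned entry, target no longer on disk", line))
    return findings


def plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings into the thread's three actions: fix in HJT, kill then delete, review."""
    fix, kill_delete, review = [], [], []
    for f in findings:
        fix.append(f.line)
        if f.reason.startswith("known indicator ") and f.reason.endswith(".exe"):
            kill_delete.append(f.reason[len("known indicator "):])  # running binary: kill first
        elif not f.reason.startswith("known indicator "):
            review.append(f.line)  # orphan or structural oddity: judgment call
    return {
        "fix_in_hjt": fix,
        "kill_then_delete": list(dict.fromkeys(kill_delete)),  # de-duplicate, keep order
        "review": review,
    }


# Constructed sample log, assembled from entries quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\fp4q03h5e.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4}{SECTION.get(f.code, '?')}: {f.reason}")
    for action, items in plan(triage(SAMPLE_LOG)).items():
        print(f"\n{action}:")
        for item in items:
            print("  " + item)
```

The heuristics only encode what is mechanical: a path on the indicator list, a Shell= value that is not plain explorer.exe, any Winlogon Notify DLL, and entries whose target is gone. Judgment calls from the post, such as the ProxyOverride line or the WildTangent Run entry, are deliberately not flagged; those need a human. Note also what the poster saw later in the thread: an R1 entry that came back after a fix. An HJT fix edits the registry once, so if the value persists, something is still running and rewriting it, which is why the kill step comes first.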
     
  13. fightthefad

    fightthefad Private E-2

    Thanks for picking up! Here's the new log. My computer seems to be running at about the same speed as it was before it all happened. I still cannot change my active desktop and whenever I shut down it has difficulty closing something called "sock caption".

    Jare
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp

    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    (This is remnants from a DirectX upgrade, its an unnecessary entry)

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.


    After you complete the above, to clean any leftovers please download this trial version of Ewido Security Suite

    • Install ewido security suite
    • When installing the program, under "Additional Options" uncheck..
      • Install background guard
      • Install scan via context menu
    • Launch ewido, there should now be an icon on your desktop, double-click it.
    • You will need to update ewido to the latest definition files:
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    If you are having problems with the updater, you can use this link to manually update ewido. Ewido Manual Updates

    • Once the updates are installed, exit Ewido.
    • Now print the below instructions or save them locally because I want you to have all browsers closed and also have no connection to the internet (unplug your cable) while doing the below:
    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    • Reboot into normal mode and reconnect to the internet.
    Once your machine reboots please attach the report from Ewido along with a fresh HJT log from normal mode.
     
  15. fightthefad

    fightthefad Private E-2

    Sweet cherry something or other! My desktop is back. The only thing I've found is that even though I fixed:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp

    it still shows up on my latest HJT log.

    Here are the two logs.

    THANK YOU (not sure if all issues are resolved but up until this point anyways)
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, are you having any further problems?
     
  17. fightthefad

    fightthefad Private E-2

    Nothing so far. It actually seems like my computer is running faster than ever. I imagine there were issues unrelated to Spy Sheriff that I hadn't resolved but needed to be and now are. I know you guys hear it all the time and the word's lost all value, but thanks.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You actually had a lot more problems than SpySheriff. But it's nice to see you are clean now.
     
  20. fightthefad

    fightthefad Private E-2

    Sorry, one more thing. Ever since Spy Sheriff I've lost control of my wallpaper settings in my display properties. I can't select any background, I can only set a background by right clicking files, but then I've lost the option to center, stretch, surround colour. Thoughts?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run step 8 of the below thread? If not, please run that step.

    SpySheriff (aka SpywareNo) Removal

    If that does not help, try the below.

    Fixing Locked Desktop
    Also you should right click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.
     
