
PC Problem

  • 23-11-2008 5:44pm
    #1
    Registered Users, Registered Users 2 Posts: 221 ✭✭


    Last night I noticed strange things happening while browsing (IE). If I google anything and click the link I get redirected to a site called prefspot.
    If I type in an address of a site I have never been to I will get "Internet Explorer cannot display this page". Any site that I have in my history will open fine.
    My AVG Free has been unable to update for over 24 hours now, so I uninstalled and reinstalled, but still it will not update and I get an error when I try to scan.
    I downloaded (from my laptop to USB stick) ESET NOD32 and that's unable to update too.
    So I went to the "I think I have a virus" sticky and downloaded all the programs listed (again from the laptop to USB stick as I cannot open the links on the PC). None of them will install except ATF Cleaner.

    Any ideas guys? I use my PC primarily for poker but I'm afraid to open any of the clients in case I have a security problem.


Comments

  • Registered Users, Registered Users 2 Posts: 86,729 ✭✭✭✭Overheal


    Have you tried performing a system restore?


  • Registered Users, Registered Users 2 Posts: 2,318 ✭✭✭deceit


    Pull the drive out, connect it to another PC that already has the stuff on it. Run the software like that and treat it like an external drive?


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    Yes, I tried restore. I'm just after updating AVG from my USB stick. The update was successful but I cannot run a scan.


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    I don't have easy access to another PC to scan the hard drive.
    I downloaded Spybot Search & Destroy but it is unable to download the files it needs to install.
    I could really do without this! Can I just throw out the hard drive and get a new one?! I can't work without a secure internet connection.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    No, don't throw out your hard drive and get a new one. It is needless and will cost you too much money.

    You have a piece of malicious software on your computer which is causing problems with your internet. You say you need a secure internet connection to work? My advice: do not use your PC for work until you have found a solution, as you could compromise your company's security with this.

    Any new sites you go to, you get forwarded to perfspot.com? It sounds like a DNS poisoning attack to me. When you go to a site, your computer resolves the IP address of the site and remembers it. However, it is possible to fool a computer into going to the wrong site.

    To test this theory, open your browser and type in this number:

    134.226.1.30

    It should resolve to TCD.ie, and open up.

    Try and open the following file and post up the contents:

    c:\windows\system32\drivers\etc\hosts

    This is one of the places where your DNS could be poisoned.

    Which part of the country are you in?
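
    The hosts-file check described in the post above, as an added example that is not part of the original thread: a Python script that parses a Windows hosts file the way the resolver does (comments after '#' ignored, several names per line allowed) and reports every mapping that either pins a name to loopback, which is how malware blocks antivirus update sites, or overrides DNS for a name. The sample file is constructed: it mirrors the layout of the file posted later in the thread, and the www.avg.com and www.google.com lines are hypothetical, not from the poster's machine.

```python
"""Audit a Windows hosts file for tampering (added example, not from the thread).

Two things are checked:
  * names pinned to a loopback or unspecified address (the site is blocked,
    the classic way malware stops antivirus updates), and
  * names mapped to some other address (DNS is overridden for that name),
    compared against addresses the caller trusts.
"""
import ipaddress

# Constructed sample: the layout of the hosts file posted in the thread, the
# guru.avg.com line added on advice in the thread, plus two HYPOTHETICAL
# lines of the kind a hijacker writes (not taken from the poster's machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server
# 38.25.63.10      x.acme.com              # x client host

127.0.0.1       localhost
193.86.3.36     guru.avg.com
127.0.0.1       www.avg.com             # hypothetical: update site blocked
10.20.30.40     www.google.com          # hypothetical: search redirected
"""

# Names a stock Windows hosts file legitimately maps to loopback.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return [(line_no, ip_address, hostname)] for every active mapping.

    Comments (anything after '#') and blank lines are ignored, as the
    resolver does; one line may list several names for one address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: the resolver skips it too
        for name in fields[1:]:
            entries.append((line_no, addr, name.lower()))
    return entries


def audit_hosts(text, trusted=None):
    """Return [(line_no, hostname, ip, reason)] for every suspicious mapping.

    trusted: {hostname: ip} the caller has verified out of band (e.g. from a
    clean machine). A mapping that matches it is accepted silently.
    """
    trusted = {h.lower(): ipaddress.ip_address(a) for h, a in (trusted or {}).items()}
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if name in LEGIT_LOOPBACK and addr.is_loopback:
            continue
        if name in trusted:
            if addr != trusted[name]:
                findings.append((line_no, name, str(addr),
                                 f"overrides DNS; trusted address is {trusted[name]}"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((line_no, name, str(addr),
                             "pinned to loopback: this site is being blocked"))
        else:
            findings.append((line_no, name, str(addr),
                             "overrides DNS for this name: verify it is intentional"))
    return findings


if __name__ == "__main__":
    for line_no, name, addr, reason in audit_hosts(
            SAMPLE_HOSTS, trusted={"guru.avg.com": "193.86.3.36"}):
        print(f"line {line_no}: {addr:<15} {name:<20} {reason}")
```

    On a real machine, feed it the contents of C:\Windows\System32\drivers\etc\hosts and pass as `trusted` only addresses verified from a clean machine. A clean hosts file rules out only this one mechanism: the resolver cache, the DNS servers the adapter is configured with, and browser-level hooks can all produce the same redirect symptom, so an empty result here is not a clean bill of health.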


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    Yeah, I made it to TCD OK. Also I downloaded a spyware program (on the laptop) and it had no problem connecting me to its webpage, but AVG cannot connect me to AVG.com.
    I'm in Kildare using IBB.


    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    When I say I can't work without a secure connection I mean I can't play poker. I play fairly high stakes and have a lot of money in my accounts. I'm gonna log onto them using the laptop and change all the passwords.
    Poker players are often targeted with keyloggers and remote desktop type threats.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    And a lot of keyloggers disable or sabotage your AV to stop it from killing the keylogger.

    OK, we are going to bypass DNS for now. Try and update your AVG and post the exact address it is trying to connect to.


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    AVG tries to connect to http://guru.avg.com/softw/80free/update/avginfowin.ctf0/2

    I can't even get to www.avg.com from IE or Firefox


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    OK,

    Open the hosts file you posted earlier.

    Beneath 127.0.0.1 enter:

    193.86.3.36

    And then type one space, and type:

    guru.avg.com


    Save the file, and restart the computer and then update again.

    Let me know what happens.


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    No change.

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    193.86.3.36 guru.avg.com


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Hmmm, are you on IBB Breeze or Ripwave?


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    Breeze I think, as in I have an aerial on my roof!
    Tried running a scan again there and got the usual "AVG has encountered a problem and needs to close". Strange thing is I clicked OK but the scan is actually going ahead. It will take forever but hopefully it might find something as it is up to date. It already found AntispywareBot which I installed and removed about 2 hours ago after I realised it was dodgy.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    OK, I might have an idea.

    Type 66.35.255.33 into your browser. You will get the Trend Micro website. In the search box type in housecall.

    The first or second hit should say Trend Micro HouseCall - free online virus and spyware scanner. Click on that link. Then click "Click here for free scan".

    Agree to the terms and conditions and run the scan. Let me know the results. That should do the trick.


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    This is real strange.
    When I type in 66.35.255.33 I'm directed to 2 pages of Google results. They all mention Trend Micro but none actually are Trend Micro.
    If I click on the 1st result www.robtex.com/ip/66.35.255.33.html I end up at prefspot.com, but before it gets to prefspot I go to www.abcjmp/affiliate....... so obviously someone is getting paid to send me to prefspot.
    I can get onto some of the results but not the actual site.


  • Registered Users, Registered Users 2 Posts: 10,534 ✭✭✭✭guil


    If I was you I'd cancel any CC or bank details you have entered on the PC.


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    guil07 wrote: »
    If I was you I'd cancel any CC or bank details you have entered on the PC.

    A couple of days ago one of my poker accounts was put on hold due to suspicious activity. I had to send all sorts of id and documents to get it reopened. They would not tell me what had happened.
    I changed my passwords tonight on the laptop and cancelled credit card.


  • Registered Users, Registered Users 2 Posts: 10,534 ✭✭✭✭guil


    Can you run HijackThis? Maybe try that and post it in the virus removal forum or malwareremoval.com.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    He can't get HijackThis as he can't go to any new sites.

    OP, did you type the IP in just like you did with the previous IP I gave you? Type it into the address bar, not into Google.


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    syklops wrote: »
    He can't get HijackThis as he can't go to any new sites.

    OP, did you type the IP in just like you did with the previous IP I gave you? Type it into the address bar, not into Google.

    I typed it into the IE address bar. If I try it with Firefox I get "failed to connect".


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    I got a self-extracting download of HijackThis onto my USB stick via the laptop and it installed fine; I will post the results in a second.
    Malwarebytes won't install from the USB stick, is there a specific way to do this?


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:51:34 PM, on 11/23/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\ehome\RMSvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TVersity\Media Server\MediaServer.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
    C:\Program Files\Belkin\Belkin keyboard driver\KbdAp32A.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\drivers\svchost.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\ehome\RMSysTry.exe
    C:\Program Files\MMTaskbar\MultiMon.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Last.fm\LastFM.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 193.86.3.36 guru.avg.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
    O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Belkin\Belkin keyboard driver\KbdAp32A.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AntispywareBot] C:\Program Files\AntispywareBot\AntispywareBot.exe -boot
    O4 - HKUS\S-1-5-21-3211948818-2674045574-3015397422-1009\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'johnweldon')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Paddy Power Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\PADDYP~1\client.exe
    O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
    O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
    O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} (InstallControl Class) - http://activex.casinosupportservice.com/Version3.0/InstallHelper.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (PIXACO Drag and Drop upload plugin) - http://ie.pixaco.com/static/download/pixacodndupload.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashpoker.ladbrokes.com/ladbrokes/FlashAX.cab
    O16 - DPF: {EAEFAD15-8753-45EF-94B0-1BAA7970CC21} (pmpeg4cam Class) - http://193.138.213.169/MpegInst.cab
    O18 - Protocol: bw+0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: offline-8876480 - {F89A58CD-522A-46A5-AF11-6F980726AA39} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
    O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 22292 bytes


  • Registered Users, Registered Users 2 Posts: 198 ✭✭spannerotoole


    Back up all your important data and reinstall.
    BEFORE you install anything else, run Windows Update.

    Then install an antivirus; I recommend the one on www.clamwin.org. It's good and free (really free, as in free speech, not as in free beer).

    It knows about its own updates and stays current. When I say updates, I mean when new features and bugfixes are added. (Let's face it, the big AVs have had bugfix editions also; remember the Symantec Corporate bug problem with LiveUpdate.) Then install a firewall, and remember to allow your AV through; I find ZoneAlarm to be quite good. I know it's used by a lot of big business. When you have this done, then install all your other programs, and ffs stay clear of Limewire and Gnutella clients in general; that network is loaded with viruses put there by unscrupulous types.

    Have fun


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    You mean reinstall Windows? I don't think I have the disk, I'll have a look.
    How do I go about clearing the hard drive properly?
    I was using AVG and ZoneAlarm.


  • Registered Users, Registered Users 2 Posts: 198 ✭✭spannerotoole


    Yes, you will need to do a complete reinstall. A lot of these viruses are tricky little creatures. To clear the hard drive do a full format (as opposed to a quick format). The Windows XP installer gives you this opportunity.

    Good Luck


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    Thanks Spanner,
    I think this is my best option, I need to get back up and running and don't mind losing a few things. Can I presume that the virus would not be attached to any media files, as that is all I will be backing up? I also have a PostgreSQL database I need.
    Also, if I can't find the boot disk, is there a generic one I can download for a Dell Dimension? Ah sure, I'll cross that bridge when I come to it.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    OP, PM sent.

    A full reinstall will need to be done, but considering you have limited internet access at the moment, you need to be sure you have everything you need before you start the reinstall. For example, make sure you have your driver disks for things like your network card, etc.

    Also make sure you have antivirus and firewall on disk and install them before you install the network adapter, as an unprotected machine with a fresh install of Windows connected to the internet does not stand a chance.
    Can I presume that the virus would not be attached to any media files?

    Unfortunately no, you cannot presume that. That's why viruses are called viruses, because they attach themselves to files to propagate themselves. Where did you get these media files? If you got them from any file-sharing sites, it's possible this is where you picked up the virus in the first place. I suggest you burn them all onto CD, and scan them with a working and up-to-date antivirus system. Or a bootable Linux disk with AV on it.


  • Registered Users, Registered Users 2 Posts: 757 ✭✭✭rockal


    Make sure your DNS servers are set to 'Get Automatically From ISP' in your router.


  • Registered Users, Registered Users 2 Posts: 198 ✭✭spannerotoole


    rockal wrote: »
    Make sure your DNS servers are set to 'Get Automatically From ISP' in your router.

    These can be overridden with a firmware patch that allows an attacker to change the DNS settings; in effect, ticking the box does nothing.

    And I'm sure that a lot of techies steer clear of the standard routers that are provided by the ISPs. I wouldn't use a Netopia if you paid me, for example; I use Linksys or Netgear. Stay the hell away from Belkin, if you know what's good for you; they tend to get a bit hot, and they burn out, due to ultra-thin chips on the board and nothing to take the heat away.


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    Thanks for the help guys. I have AVG on my memory stick and have put my photos and a few documents on a DVD. Gonna back up iTunes, then see what driver disks I can find.
    I have internet access on my laptop.


  • Registered Users, Registered Users 2 Posts: 198 ✭✭spannerotoole


    jonnner wrote: »
    Thanks Spanner,
    I think this is my best option, I need to get back up and running and don't mind losing a few things. Can I presume that the virus would not be attached to any media files, as that is all I will be backing up? I also have a PostgreSQL database I need.
    Also, if I can't find the boot disk, is there a generic one I can download for a Dell Dimension? Ah sure, I'll cross that bridge when I come to it.

    It depends where you got them from; provided they have no executable properties you should be fine (this means MP3, OGG and the other non-DRM solutions). .wma files, if downloaded from Limewire, will likely have a virus on them, as .wma and .wmv allow for executable parts. I would scan them anyway. And scan that SQL database you have too.

    There is a disk floating around that is for use in schools and colleges. Windows XP is Windows XP; the drivers do not come on the Windows disk, unless you have very generic parts in use. If needed, post me a copy of your hardware and I can put the drivers up on my site, which is located at www.boardsireland.net (note this is not a rip-off of Boards.ie; we will be offering services to students like Browser OS and a helpdesk and things. Of course, the helpdesk will have to be paid for per question, but solutions will be posted for the public to view).

    Send me the specs and I'll send you a link for drivers; I will put them in a big .ZIP file and send you a link.


  • Registered Users, Registered Users 2 Posts: 757 ✭✭✭rockal


    I had one of these trojans recently and a combination of 'Malwarebytes' & 'system restore' resolved my issues. A good insight can be found here: http://www.digitaldrake.com/how-to-remove-the-trojandnschanger-virus/


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    rockal wrote: »
    Make sure your DNS servers are set to 'Get Automatically From ISP' in your router.

    He is on Irish broadband Breeze so needs to use their DNS servers and has to specify them in the router.
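A small triage script for HijackThis-format log lines, serving both the log posted earlier in the thread and the DNS-server discussion just above. This is an added example, not HijackThis itself or any poster's tool. It assumes the O18/O20/O23 line layouts visible in the posted log and the HijackThis O17 "NameServer =" layout (no O17 line appears in the posted log, so that sample line is constructed). The expected-resolver set, the trusted directory roots, the GUID placeholder and the last two sample lines are constructed for the demo; the first five sample lines are copied from the log in the thread.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis and not
any forum poster's tool).  It flags:
  * O17 entries whose NameServer values are not in the expected resolver list
    (the DNS-hijack pattern discussed in the thread)
  * O23 services with "Unknown owner" or a binary outside the usual install roots
  * O18/O20 entries pointing at files outside the usual install roots
"""
import re
from dataclasses import dataclass

# Constructed allow-list: the resolvers the machine's owner expects (e.g. the
# ISP's).  RFC 5737 documentation addresses stand in for real ISP resolvers.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}

# Directory roots under which legitimately installed software normally lives
# (constructed list; extend it for the machine being examined).
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\program files",
    r"c:\progra~1",
)

# Line layouts as HijackThis prints them (O17 layout assumed; none in the log).
O17_RE = re.compile(r"^O17 - .*?NameServer = (?P<servers>[\d.,\s]+)$")
O18_RE = re.compile(r"^O18 - Protocol: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O23"
    reason: str    # why the line was flagged
    line: str      # the original log line


def in_trusted_root(path: str) -> bool:
    """True if the path starts with one of the trusted install roots."""
    p = path.strip().lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def triage(lines):
    """Return a list of Findings for the suspicious lines in a log."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O17_RE.match(line):
            servers = {s.strip() for s in m["servers"].split(",") if s.strip()}
            rogue = servers - EXPECTED_DNS
            if rogue:
                findings.append(Finding("O17", "unexpected DNS server(s): " + ", ".join(sorted(rogue)), line))
        elif m := O18_RE.match(line):
            if not in_trusted_root(m["path"]):
                findings.append(Finding("O18", "protocol handler outside trusted roots", line))
        elif m := O20_RE.match(line):
            # AppInit_DLLs are loaded into every process that links user32.dll.
            # A bare file name resolves from system32, so only explicit paths
            # outside the trusted roots are flagged here.
            for dll in m["dlls"].split(","):
                dll = dll.strip()
                if "\\" in dll and not in_trusted_root(dll):
                    findings.append(Finding("O20", "AppInit DLL outside trusted roots", line))
        elif m := O23_RE.match(line):
            # "Unknown owner" only means the binary carries no company name in
            # its version info; it is a prompt to look closer, not a verdict.
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", "service with unknown owner", line))
            elif not in_trusted_root(m["path"]):
                findings.append(Finding("O23", "service binary outside trusted roots", line))
    return findings


# Sample log: the first five lines are copied from the log posted in the
# thread; the last two are constructed to show what a hit looks like.
SAMPLE_LOG = [
    r"O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll",
    r"O20 - AppInit_DLLs: avgrsstx.dll",
    r"O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
    r"O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe",
    r"O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.0.2.53,198.51.100.9",
    r"O23 - Service: Example Service (examplesvc) - Unknown owner - C:\Documents and Settings\All Users\Application Data\examplesvc.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script flags the two "Unknown owner" services from the posted log (both legitimately installed, which is exactly why an unknown owner is a prompt to verify the binary rather than a verdict), the constructed O17 line whose second resolver is not in the expected set, and the constructed service under Application Data. For a Breeze customer who must hard-code the ISP's resolvers, as syklops notes, those addresses belong in EXPECTED_DNS so that only a change away from them is reported.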


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    Have you tried starting up in safe mode? That should allow you to run an AVG scan and the other AV software. Should save you having to format/reinstall.


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    stevenmu wrote: »
    Have you tried starting up in safe mode? That should allow you to run an AVG scan and the other AV software. Should save you having to format/reinstall.

    Of course I haven't, I'm useless! I'm doing it now though and it's scanning away, thank you.
    I tried system restore again a few minutes ago in normal mode and it wouldn't work; I could get as far as picking a date but when I would click Next nothing happened.
    Maybe I will try a restore in safe mode next.

    Just looking at the scan window now and I notice there are a few files not being tested. Is this ok?
    e.g. c:\b5bca91be7e3dad815cd433e3d21\legitcheckcontrol.dll Locked file. Not tested.


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    That file in particular is to do with Windows Genuine Advantage, so it could be that Windows protects it to prevent people tampering and pirating Windows. That's an unusual location for it though; it should be in c:\windows\system32. Unless you have a good reason to suspect it should be there (like if you have an ...erm... "improvised" version of Windows) I'd be very suspicious of it.

    edit: you should be able to use HijackThis in safe mode as well. Check each process and remove any dodgy ones; you should then be able to scan the dll and if needed you can move it to the vault. If anything goes wrong after that you should be able to restore it from the vault again.


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    AVG found no infections and I cannot do a system restore from safe mode as it says there are no restore points available.


  • Registered Users, Registered Users 2 Posts: 1,186 ✭✭✭Nichololas


    You mentioned you have a Dell. Dell usually saves executables of the drivers installed into C:\dell; have a look in there and see if there's a drivers folder with R###### folders in it. This will save time searching for the proper drivers if you reinstall (although you should really get the newest drivers for your machine from Dell's website).


  • Registered Users, Registered Users 2 Posts: 86,729 ✭✭✭✭Overheal


    OP if you've spent more than 2 days on this - you could have been done by now, by backing up your data, reformatting and reinstalling windows.


  • Registered Users, Registered Users 2 Posts: 10,534 ✭✭✭✭guil


    But whatever he backs up might have a virus in it.


  • Registered Users, Registered Users 2 Posts: 86,729 ✭✭✭✭Overheal


    guil07 wrote: »
    But whatever he backs up might have a virus in it.
    True, but once the machine is up and running with antivirus, it'll be easy enough to scan it before putting it back on.


  • Registered Users, Registered Users 2 Posts: 221 ✭✭jonnner


    Overheal wrote: »
    OP if you've spent more than 2 days on this - you could have been done by now, by backing up your data, reformatting and reinstalling windows.

    I haven't spent the last 2 days at this :rolleyes: I've been using my laptop.

    I've reformatted now so hopefully all is well.
    Thanks everyone for the help.


  • Registered Users, Registered Users 2 Posts: 198 ✭✭spannerotoole


    stevenmu wrote: »
    That file in particular is to do with Windows Genuine Advantage, so it could be that Windows protects it to prevent people tampering and pirating Windows. That's an unusual location for it though; it should be in c:\windows\system32. Unless you have a good reason to suspect it should be there (like if you have an ...erm... "improvised" version of Windows) I'd be very suspicious of it.

    edit: you should be able to use HijackThis in safe mode as well. Check each process and remove any dodgy ones; you should then be able to scan the dll and if needed you can move it to the vault. If anything goes wrong after that you should be able to restore it from the vault again.


    That long directory name is a System Restore folder; they are write-protected and cannot be tampered with. Fortunately, System Restore also backs up any malware that was present at the time of the restore.

    Happy Hunting.

