After Malware Attack, Cannot Edit Registry

Thanks John for the info on Webshots. I hadn't heard of this program before, however I know that malware can be transmitted through screen-savers, so when I came across the .scr file in the HJT log I assumed that it could be malware. Obviously in this case it isn't, but care should still be exercised with this type of file.
Dwarf
 

System One

  • Manufacturer/Model
    Dwarf Dwf/11/2012 r09/2013
    CPU
    Intel Core-i5-3570K 4-core @ 3.4GHz (Ivy Bridge) (OC 4.2GHz)
    Motherboard
    ASRock Z77 Extreme4-M
    Memory
    4 x 4GB DDR3-1600 Corsair Vengeance CMZ8GX3M2A1600C9B (16GB)
    Graphics Card(s)
    MSI GeForce GTX770 Gaming OC 2GB
    Sound Card
    Realtek High Definition on board solution (ALC 898)
    Monitor(s) Displays
    ViewSonic VA1912w Widescreen
    Screen Resolution
    1440x900
    Hard Drives
    OCZ Agility 3 120GB SATA III x2 (RAID 0)
    Samsung HD501LJ 500GB SATA II x2
    Hitachi HDS721010CLA332 1TB SATA II
    Iomega 1.5TB Ext USB 2.0
    WD 2.0TB Ext USB 3.0
    PSU
    XFX Pro Series 850W Semi-Modular
    Case
    Gigabyte IF233
    Cooling
    1 x 120mm Front Inlet 1 x 120mm Rear Exhaust
    Keyboard
    Microsoft Comfort Curve Keyboard 3000 (USB)
    Mouse
    Microsoft Comfort Mouse 3000 for Business (USB)
    Internet Speed
    NetGear DG834Gv3 ADSL Modem/Router (Ethernet) ~4.0 Mb/s (O2)
    Other Info
    Optical Drive: HL-DT-ST BD-RE BH10LS30 SATA Bluray
    Lexmark S305 Printer/Scanner/Copier (USB)
    WEI Score: 8.1/8.1/8.5/8.5/8.25
    Asus Eee PC 1011PX Netbook (Windows 7 x86 Starter)
Sidney,
First off, you're the best! I cannot express my gratitude for your taking your time to diagnose my situation.

Before I remove the Intel software, is it not necessary for my video card? I'll remove it just as soon as you reassure me that it won't affect any of my display or video features.

I read the READ ME file for the Intel hardware, and it is used with my RAID external hard drive. I have a dual drive system, so I am scared to uninstall it. That would probably disable the RAID function! Please advise.

2) My homepage is no longer blocked. I fixed this through Webroot's SPYSWEEPER. There is no question that the home page was hijacked during one of my malware attacks.

3) I AM able to export from HKCU. I don't know about importing, since I don't want to import unless I know exactly what I'm doing.

My experience with HijackThis is that when I click to delete something like:
O2 - BHO: (no name) - {1C98ED08-32BF-4B69-BC80-625CDA74D9EF} - C:\Windows\system32\vTlkIBTn.dll (file missing)

...that it returns when I run it again. Oddly, this file is missing, I do not see it in my system 32 folder, yet it continues to show up on HijackThis. Why is that I wonder??



Steve
 

Attachment: Readme.txt (44.4 KB)


Hello, Dwarf,
Thanks for your post.
This file, which you correctly spotted on HijackThis:
O2 - BHO: (no name) - {1C98ED08-32BF-4B69-BC80-625CDA74D9EF} - C:\Windows\system32\vTlkIBTn.dll (file missing)

is indeed suspicious. But the file is no longer in my system 32 folder, so I'm optimistic that it can't do its mischief. But I cannot eradicate it from HiJackThis. Sid is doing a wonderful job sniffing out the problem.

I agree with you about BitComet. I believe that either the program itself or one of the files I was downloading is the prime suspect in the attack. I believe that the portal is where it comes in, through BitComet.

I have been using Free Download Manager for years. It is pretty clean, I believe. I hate to get rid of it, because it is very fast and can download tons of files simultaneously.

Yes, I am dogged and will pursue this issue. But I'm optimistic that Sid will be able to get rid of whatever plagues my system.

All the best, Steve
 


Hi Stephen,

Open the registry editor and search for '1C98ED08-32BF-4B69-BC80-625CDA74D9EF'. Please post back with what you find, and if you have submitted a HJT report to one of the forums as suggested in my earlier reply, please send a copy to them as well. The fact that it keeps returning indicates that you may have some remnant of malware on your system. What you find in the registry might give a clue as to why this is happening.
Dwarf
 

Yes, I found what you asked me to search for, Dwarf. The default value data is empty.
It's in HKCU/Software/Microsoft Windows/Current Version/Ext/Stats. There is a subfolder called iExplorer.
There are many files under it: Default, Count, Flags, Count, Type. I could provide a screenshot of anything, if you wish it.

I have not submitted my HiJackThis log to any other forums except to this thread in this forum. I will submit other places if you and Sid are unsuccessful in extirpating the remnants of the Vulvo. I believe it's Vulvo, but it may be remnants of something else.

Anyway, I can't thank you enough. You guys are terrific!

Steve
 


>> Before I remove the Intel software, is it not necessary for my video card? I'll remove it just as soon as you reassure me that it won't affect any of my display or video features.

Hey, I am talking about the media server part of the Intel programs ;)
If you cannot uninstall just the media server (if you don't use it), it is not a problem, but the strange user will stay (it does not really matter).

OK, as everything is running smoothly, you can do the following.
Close all open windows.
Run HijackThis (no log this time) and tick these lines:

O2 - BHO: (no name) - {1C98ED08-32BF-4B69-BC80-625CDA74D9EF} - C:\Windows\system32\vTlkIBTn.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)

Then, click on "Fix Checked".
Reboot.
With regard to this service:
O23 - Service: SupportSoft Repair Service (chatsupport.palm.com) (tgsrvc_chatsupport.palm.com) - SupportSoft, Inc. - C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
Check that you installed it on purpose; if you do not need it anymore, you may uninstall it.
Then, you can delete
C:\Users\Stephen C. Galleher\Desktop\Fix Vundo\FixVundo15.exe
Run HijackThis and this time attach a log file to your next post.

Hope it helps.
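As an added example (not code from this thread, from HijackThis or from any of the posters), the PowerShell below does in one pass what Dwarf's registry search and Sid's list of "(file missing)" lines are about: it walks the registry keys behind the O2 (Browser Helper Object) and O9 (IE Extensions) entries, reports any registration whose target file no longer exists, and then lists which keys still carry the two CLSIDs quoted above. It only reads the registry; it is assumed to run on a Windows machine with the standard IE/COM key layout named in the comments.

```powershell
# Read-only audit of the registry entries behind HijackThis O2/O9 lines.
# "(file missing)" means the registration is still present but the DLL or EXE
# it points at is gone; HJT lists the entry for as long as the key exists.
# Assumed layout: standard BHO, IE Extensions and CLSID\InProcServer32 keys.

# Keys where an IE add-on CLSID typically leaves traces (constructed list).
# Ext\Stats is IE's add-on manager bookkeeping, so a CLSID can still appear
# there after the DLL itself has been deleted.
$script:ClsidTraceKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{0}',
    'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\{0}',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0}',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{0}',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0}',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0}'
)

function Get-TargetStatus {
    param([string]$Path)
    # Classify the file a registration points at, the way HJT annotates it.
    if (-not $Path)                                  { return 'NoTarget' }
    if ($Path -match '^(file|res)://')               { return 'UrlTarget' }  # e.g. RoboForm O9 entries
    if (Test-Path -LiteralPath $Path -PathType Leaf) { return 'OK' }
    return 'FileMissing'
}

function Resolve-ClsidServerPath {
    param([Parameter(Mandatory)][string]$Clsid)
    # A BHO is a COM in-process server: its DLL is the (default) value of
    # CLSID\{...}\InProcServer32, in either the machine or the user hive.
    foreach ($hive in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CURRENT_USER\Software\Classes\CLSID') {
        $key = "Registry::$hive\$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-Item -LiteralPath $key).GetValue('')   # '' = the (default) value
            if ($raw) { return [Environment]::ExpandEnvironmentVariables([string]$raw).Trim('"') }
        }
    }
    return $null
}

function Get-IEAddinAudit {
    # One object per registered BHO (O2) or IE extension (O9): id, target, status.
    $bhoRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $extRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions'
    $out = New-Object System.Collections.Generic.List[object]

    if (Test-Path -LiteralPath $bhoRoot) {
        foreach ($key in Get-ChildItem -LiteralPath $bhoRoot) {
            $clsid = $key.PSChildName                 # BHO subkeys are named by CLSID
            $path  = Resolve-ClsidServerPath -Clsid $clsid
            $out.Add([pscustomobject]@{ Kind = 'BHO'; Id = $clsid; Target = $path; Status = (Get-TargetStatus $path) })
        }
    }
    if (Test-Path -LiteralPath $extRoot) {
        foreach ($key in Get-ChildItem -LiteralPath $extRoot) {
            # Extension buttons / Tools menu items launch an Exec or Script target
            # rather than a COM server, so that is the path HJT shows.
            $target = $key.GetValue('Exec')
            if (-not $target) { $target = $key.GetValue('Script') }
            if ($target) { $target = [Environment]::ExpandEnvironmentVariables([string]$target).Trim('"') }
            $out.Add([pscustomobject]@{ Kind = 'Extension'; Id = $key.PSChildName; Target = $target; Status = (Get-TargetStatus $target) })
        }
    }
    return $out
}

function Find-ClsidTraces {
    param([Parameter(Mandatory)][string]$Clsid)
    # The registry search Dwarf suggested, limited to the keys that matter for an
    # IE add-on. Emits every key that still exists for this CLSID.
    foreach ($template in $script:ClsidTraceKeys) {
        $key = $template -f $Clsid
        if (Test-Path -LiteralPath $key) { $key }
    }
}

# Report every dangling registration, then the traces left by the two CLSIDs
# from the O2/O9 lines Sid asked to have fixed.
Get-IEAddinAudit | Where-Object { $_.Status -eq 'FileMissing' } | Format-Table -AutoSize
foreach ($id in '{1C98ED08-32BF-4B69-BC80-625CDA74D9EF}', '{85d1f590-48f4-11d9-9669-0800200c9a66}') {
    "Traces of $id :"
    Find-ClsidTraces -Clsid $id
}
```

Because it only reads, it is safe to run before and after a "Fix Checked" to confirm which keys the fix actually removed.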
 


Hi Sid,

Thanks for checking over the HJT file. I had picked up on the first 2 items, but didn't see the 3rd. Hopefully, we should be well on the way in helping Stephen with his problem.
Dwarf
 

Sid,

>>O2 - BHO: (no name) - {1C98ED08-32BF-4B69-BC80-625CDA74D9EF} - C:\Windows\system32\vTlkIBTn.dll (file missing)

This file no longer appears in HiJackThis. But it was appearing in the log file. That is strange, I think!

As for the Palm Chat program, it was installed remotely by a technician one day when I had a Palm issue.

And I could not delete the file tgsrvc.exe!!:cry:
I ended Explorer.exe from the Windows Task Manager, then I checked the items you asked me to (noting that the BHO with vTlkLVBRN did not appear) and I pushed the PC button without shutting down.

I ran HiJackThis again. I have a feeling the computer has burgeoned some more crap! More strange garbage appears in HijackThis, and that file tgsrvc related to the Palm Chat seems to have gone away.

When I got my to my desktop, I am now running HijackThis again. Here is the log file:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:54 PM, on 6/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\FeedReader30\feedreader.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Users\Stephen C. Galleher\Desktop\Fix Vundo\FixVundo15.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\palmOne\Palm.exe
C:\PROGRA~1\palmOne\AlarmApp.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMJB.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {1C98ED08-32BF-4B69-BC80-625CDA74D9EF} - C:\Windows\system32\vTlkIBTn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [CCUTRAYICON] "C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [WeatherWatcher] "C:\Program Files\Weather Watcher\ww.exe"
O4 - HKCU\..\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{74ACBBE0-91DF-4D44-9C5B-3560F9E5FF87}
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4007085414-3141258670-3358870935-1006\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /detectMem (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-4007085414-3141258670-3358870935-1006\..\Run: [WeatherWatcher] "C:\Program Files\Weather Watcher\ww.exe" (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-4007085414-3141258670-3358870935-1006\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-4007085414-3141258670-3358870935-1006\..\Run: [Radio365Agent] (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-4007085414-3141258670-3358870935-1006\..\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe" (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-4007085414-3141258670-3358870935-1006\..\Run: [Aim6] (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-4007085414-3141258670-3358870935-1006\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-4007085414-3141258670-3358870935-1006\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'IUSR_NMPR')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://*.mcafee.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) DHTrace Controller (DHTRACE) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Desktop Manager 5.7.805.16405 (GoogleDesktopManager-051608-133132) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Intel(R) NMSCore (NMSCore) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Intel(R) Quality Manager (QualityManager) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SupportSoft Repair Service (chatsupport.palm.com) (tgsrvc_chatsupport.palm.com) - SupportSoft, Inc. - C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
--
End of file - 15663 bytes
 

Hi Stephen,

The HJT log you submitted is an old one that you have already submitted to this thread.

"Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:54 PM, on 6/25/2008"

Please scan again and send a fresh log. Check the date. You might need to delete the old log first.
Dwarf
 


>> As for the Palm Chat program, it was installed remotely by a technician one day when I had a Palm issue.

>> And I could not delete the file tgsrvc.exe!!:cry:
>> I ended Explorer.exe from the Windows Task Manager, then I checked the items you asked me to (noting that the BHO with vTlkLVBRN did not appear) and I pushed the PC button without shutting down.

>> I ran HiJackThis again. I have a feeling the computer has burgeoned some more crap! More strange garbage appears in HijackThis, and that file tgsrvc related to the Palm Chat seems to have gone away.

Yep, you always copied the same log file :)
Please Attach (do not copy/paste) the new one.
 


Wow, gentlemen, I cannot believe this about the log file!
I went into the HijackThis folder and deleted the log file, and guess what?
I continue to get a log file with the same date and time!!

What is this about?

I am attaching the log file from a HiJackThis that I just performed.

When I analyzed it on one of the website HiJackThis analysis sites, I get results different from the one I did earlier. YET...the same date appears. I am confused!

One thing to note: I went to the HijackThis folder and deleted the backup folder with tons and tons of files! In the course of my first attempt to do this, McAfee gave me the alarm that it had detected the Vundo malware!!!!! I was successful in deleting the folder on my second try.

The log I am submitting was generated by the last usage (2:25 am, 6/28/08), but it has the old time on it. I cannot figure this out!!

You guys are longsuffering!

Steve
 

Attachment: hijackthis.log (15.3 KB)


OK, boot Windows in safe mode, then run HijackThis and tick the lines we were talking about earlier (the 3 lines with "file missing"), click Fix Checked, boot Windows in normal mode, clean your cache, temp files etc. (with Crap Cleaner, for example) and repost a new log file.
 


Good Afternoon, Sid and Dwarf,

I have done as Sid directed. I could tick only the second of the three items. The first did not show up!

I rebooted, did a clean with CCleaner. Attached is the log file.

A couple of things to note:
1. I ran Spysweeper, Malware Bytes' Anti-Malware, and SUPERAntiSpyware--all three came up clean with no infections.
2. This morning I definitely had an attack on my IE home page! Spysweeper alerted me to the threat and I was able to abort the hijack.
3. I have uninstalled the program BitComet.

Hope this will present some progress.

Steve
 

Attachment: hijackthis.log 1-14 PM EST.txt (13.7 KB)


Yep, clean!
Just the 2 lines regarding the BitDefender online scan; I do not know why they still appear if you fixed them in safe mode.
bdoscandel.exe is the uninstaller of this program, but no problem.
Anyway, go a bit deeper into your configuration to be sure that no ActiveX or things like that can be installed without your consent, and maybe register some sites in the blacklist....
 


Hello, Sid,

I am delighted that you don't see too much trouble with my PC, but I do not know what you mean when you write:

>> go a bit deeper into your configuration to be sure that no ActiveX or things like that can be installed without your consent, and maybe register some sites in the blacklist.

WHERE WOULD I DO THIS?

I cannot thank you enough for all your help. I truly, truly appreciate it! :D

Steve
 
