15-Nov-2009, 08:27 PM
#1
REFORMAT HELP...Sent Here From Another Forum

My problem started as a suspected hi-jack and after several, several scans, log files, and other attempted fixes, this main issue remains. It began as my wife was trying to sign into our bank account and received a re-direct. She immediately called the bank and they assured her it was not them trying to harvest/phish information. Fortunately she didn't give any information up. After all the aforementioned scans and fix attempts I was finally able to sign into the bank account without the redirect page showing up, but the person helping me in the other forum strongly advised me to reformat as my system had been compromised...so here I am.

I am not very computer savvy and will need specific instruction and will most likely have lots of questions. If you are up for the challenge, then let's proceed. My computer is a Dell running Windows XP Home Edition Version 2002 SP3 with a Pentium 4.

My first and most intimidating issue is backing up all the things I need to back up. How do I do backups? Do I create a folder and drag important stuff into it and then copy it onto a CD? Will I be able to re-load it easily? What all do I need? Will I need to somehow save settings, too? See what I mean? I'm kinda freaking out here but trust that someone will be able to get me through this. I used to reformat an old Win98 machine but that was before I actually had things I NEED to save and keep....lol.

Thanks so much in advance of your assistance. Look forward to working with whoever is up to the challenge.
15-Nov-2009, 08:52 PM
#2

I don't know who advised you to do a hard drive format and fresh install of XP, but that's a pretty drastic step to take at this point.

Follow these instructions in the order listed.

Go here and click the green icon to download and save HijackThis 2.0.2.
Go here and click the green icon to download and save Malwarebytes Anti-Malware 1.41.
Go here and click the green icon to download and save SUPERAntiSpyware 4.30.0.1004.

Close all open windows, then install HijackThis in its default location: C:\Program Files\Trend Micro\HijackThis.
Run a scan with it - which will take 30 seconds or less.
Save the resulting log in Notepad.
Return here, then copy-and-paste the entire log here.

Don't do anything with MBAM and SAS yet. Just download and save them.

--------------------------------------------------------------

What's the service tag number of your Dell?

-------------------------------------------------------------
15-Nov-2009, 11:07 PM
#3
1st follow up

My Dell service tag number is 8J63H31. I already have each of the programs you listed on my pc but will uninstall them and download from your links to ensure I have the most updated versions. Be back shortly with the HJT logfile.
16-Nov-2009, 12:26 AM
#4
HJT Log and other info

Before posting my HJT log, I want to point out the one line O18, the filter hijack. This thing has been deleted three times before in working with the person in the other forum. Not sure what it is but it has been noted, but will do what you suggest here. Also I pointed out in the other forum that many times when I type in sign-in or password info, I get something that looks like "III II IIII III" without the quotation marks, which makes me think there is some kind of key logger, but I am definitely not sure. Also when I was here a few minutes ago, after reading your reply, I got the BSOD which I get occasionally with the message Driver_IRQL_NOT_LESS_OR_EQUAL and at the bottom of the page was aswTdi.SYS_Addressf868BFF6 base at F8688000, DateStamp4aaf 7265. My system also seems to be substantially slower since doing uninstalls of SAS and MBAM. Not sure if any of this helps but this is just kinda some of the things I've got going. Thanks again in advance and here is my HJT logfile....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:05 PM, on 11/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATT Internet Tools\blsloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LEX 18 Desktop Weather\liveonline_3251316.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\ATT Internet Tools\blspc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\ATT Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - Startup: LEX 18 Desktop Weather.lnk = C:\Program Files\LEX 18 Desktop Weather\liveonline_3251316.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.75\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/...fslauncher.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} (DellSystemLite.Scanner) - http://support.dell.com/systemprofil...SystemLite.CAB
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} -
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus...es/ax/stub.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01...l/MSNPUpld.cab
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/S...ller_4-2-0.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\System32\lxcgcoms.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 8019 bytes
16-Nov-2009, 01:50 PM
#6

According to the service tag number that you provided, it's listed to a Dell Dimension 2400 desktop. Here is the Dell support and software site that's specific to that service tag number. I highly suggest that you save this site in your browser favorites list for reference. If you eventually do need to do a hard drive format and fresh install of XP, you can get the needed device drivers from here. I never ever format a hard drive and do a fresh install of XP in a computer without first downloading and saving and burning off to a CD-R its device drivers.

-----------------------------------------------------------------

Uninstall Logitech Desktop Messenger and Spybot - Search & Destroy.
Restart your computer.
Go into the C:\Program Files folder and delete the entire Spybot folder - if it's still there.
Go into the C:\Program Files\Logitech folder and delete the entire Desktop Messenger folder - if it's still there.
Restart your computer again.
Start HijackThis and run a scan, then post that new log here.

----------------------------------------------------------------

Quote:

And don't get ahead of me on anything.

----------------------------------------------------------------

Last edited by flavallee; 16-Nov-2009 at 02:01 PM.
17-Nov-2009, 01:15 AM
#7
2nd HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:07 AM, on 11/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATT Internet Tools\blsloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LEX 18 Desktop Weather\liveonline_3251316.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\ATT Internet Tools\blspc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\ATT Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - Startup: LEX 18 Desktop Weather.lnk = C:\Program Files\LEX 18 Desktop Weather\liveonline_3251316.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.75\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/...fslauncher.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} (DellSystemLite.Scanner) - http://support.dell.com/systemprofil...SystemLite.CAB
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} -
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus...es/ax/stub.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01...l/MSNPUpld.cab
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/S...ller_4-2-0.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (file missing)
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\System32\lxcgcoms.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 7453 bytes
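The helper works through these HijackThis logs by eye, comparing one scan against the previous one and picking out the O18 entries. The script below is an added example written for this thread, not code from the forum or from HijackThis: it parses entries in the HijackThis log format, flags the kinds of lines acted on in this thread (the "Filter hijack" on text/html, registrations whose target file is missing, a BHO with no name, services with no vendor string) and diffs two scans so that what changed between posts is explicit rather than eyeballed. The sample log is constructed from entries that appear in this thread's logs; the flag names and the follow-up sample are the script's own.

```python
"""Triage and diff helper for HijackThis 2.0.2 logs (added example for this thread)."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# One HijackThis entry: a section code (R0, O2, O18, O23, ...), " - ", then the body.
# Header lines ("Logfile of ...", "Running processes:") and the process list do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# Constructed sample: a short log assembled from entries in the HijackThis format.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:07 AM, on 11/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.att.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (file missing)
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\System32\lxcgcoms.exe
-- End of file - 7453 bytes
"""

# Constructed follow-up scan: the same log after the filter entry has been fixed.
SAMPLE_LOG_AFTER = SAMPLE_LOG.replace(
    "O18 - Filter hijack: text/html - (no CLSID) - (no file)\n", "")


@dataclass
class Entry:
    section: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Return every 'Oxx - ...' / 'Rx - ...' entry in the log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entry: Entry) -> List[str]:
    """Reasons an entry deserves a second look; an empty list means nothing notable."""
    flags = []
    # HijackThis labels a MIME filter registered for text/html as "Filter hijack";
    # such a filter is handed every HTML page Internet Explorer loads.
    if entry.section == "O18" and entry.body.startswith("Filter hijack:"):
        flags.append("mime-filter-on-text/html")
    # The registration is still present but its target binary is gone: typically a
    # leftover from an uninstall, or a file removed by a scanner that left the key.
    if "(no file)" in entry.body or "(file missing)" in entry.body:
        flags.append("orphaned-registration")
    # A BHO with no name string can only be identified by its CLSID.
    if entry.section == "O2" and entry.body.startswith("BHO: (no name)"):
        flags.append("unnamed-bho")
    # "Unknown owner" means the service binary has no company name in its version
    # resource; many legitimate printer and device services trip this, so verify.
    if entry.section == "O23" and "Unknown owner" in entry.body:
        flags.append("no-vendor-info")
    return flags


def triage_report(text: str) -> List[Tuple[str, List[str], str]]:
    """(section, flags, body) for every entry that raised at least one flag."""
    report = []
    for entry in parse_hjt(text):
        flags = triage(entry)
        if flags:
            report.append((entry.section, flags, entry.body))
    return report


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Entries removed and added between two scans, as 'SECTION - body' strings."""
    old = {f"{e.section} - {e.body}" for e in parse_hjt(before)}
    new = {f"{e.section} - {e.body}" for e in parse_hjt(after)}
    return old - new, new - old


if __name__ == "__main__":
    for section, flags, body in triage_report(SAMPLE_LOG):
        print(f"{section:<4} {', '.join(flags):<45} {body}")
    removed, added = diff_logs(SAMPLE_LOG, SAMPLE_LOG_AFTER)
    print("removed since last scan:", *sorted(removed), sep="\n  ")
    print("added since last scan:", *sorted(added), sep="\n  ")
```

Running the script prints the four flagged entries from the sample and shows the filter entry as the only difference between the two scans. To use it on a real pair of posts, paste each log into a file, read the two files, and pass their contents to `diff_logs` and `triage_report`; the flags only mark what to look at and do not decide on their own whether an entry is malicious.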
17-Nov-2009, 10:42 AM
#8

Assuming that you followed my previous instructions for Logitech Desktop Messenger, start HijackThis and run a scan, then put a checkmark in

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (file missing)

then click Fix Checked - Yes, then close HijackThis.

--------------------------------------------------------------

Install MBAM and SAS. Make sure to update their definition files during the install process. After they're both installed and updated, restart your computer.

Start MBAM and run a "quick scan" with it. When the scan is finished, select and allow it to remove EVERYTHING it found. Restart your computer if prompted to.

Start SAS and run a "quick scan" with it. When the scan is finished, select and allow it to remove EVERYTHING it found. Restart your computer if prompted to.

Start MBAM again, then go to Logs(tab). Highlight the scan entry, then click Open. When the scan log appears in Notepad, copy-and-paste it here.

Start SAS again, then go to Preferences - Statistics/Logs(tab). Highlight the scan log entry, then click View Log. When the scan log appears in Notepad, copy-and-paste it here.

-------------------------------------------------------------
18-Nov-2009, 01:49 AM
#9
MBAM/SAS Logs

Sorry it has taken me so long to get back here this evening. Thanks again, in advance, for all your help. So you'll know, when you instruct me to do something, I will go ahead and do it unless I have questions, which I will repost before even trying anything.

I ran HJT and checked and fixed

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (file missing)

Here are my log files:

Malwarebytes' Anti-Malware 1.41
Database version: 3189
Windows 5.1.2600 Service Pack 3

11/17/2009 7:19:40 PM
mbam-log-2009-11-17 (19-19-40).txt

Scan type: Quick Scan
Objects scanned: 147324
Time elapsed: 14 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

now for SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/17/2009 at 07:34 PM

Application Version : 4.30.1004

Core Rules Database Version : 4279
Trace Rules Database Version: 2158

Scan type : Quick Scan
Total Scan Time : 00:13:35

Memory items scanned : 422
Memory threats detected : 0
Registry items scanned : 553
Registry threats detected : 0
File items scanned : 7219
File threats detected : 67

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@ad.m5prod[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.techguy[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ads.pointroll[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@a1.interclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@a1.interclick[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ad.m5prod[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ad.m5prod[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ad.m5prod[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ad.wsod[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@adecn[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@adlegend[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ads.bleepingcomputer[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ads.bleepingcomputer[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ads.bridgetrack[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ads.cnn[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ads.crakmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ads.pointroll[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ads.techguy[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ads.techguy[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ads.techguy[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@ads.undertone[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@adserver1.synapseip[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@at.atwola[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@at.atwola[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@atdmt[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@atwola[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@chitika[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@chitika[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@chitika[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@christmasinthecountry[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@classmates.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@collective-media[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@collective-media[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@counter.surfcounters[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@dmtracker[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@insightexpressai[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@interclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@invitemedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@kontera[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@kontera[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@media.causes[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@media.legacy[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@media6degrees[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@media6degrees[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@msnbc.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@overture[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@overture[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@pluckit.demandmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@pointroll[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@pointroll[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@revsci[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@revsci[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@s.clickability[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@server.iad.liveperson[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@server.iad.liveperson[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@socialmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@tacoda[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@wsclick.infospace[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\owner@www.christmasinthecountry[1].txt
18-Nov-2009, 09:01 AM
#10

The scan logs look good. Malwarebytes came up clean and SUPERAntiSpyware found several adware tracking cookies - which is normal. I suggest about every 2 weeks that you update and run a scan and remove whatever is found. That will keep malware and spyware in check.

Post a new HijackThis log here.

---------------------------------------------------------------
18-Nov-2009, 09:00 PM
#11
Newest HJT Log

So you'll know, I have had SAS and MBAM on my pc for a very long time and run them regularly. When all this first started, these were one of my first attempts at fixes before coming back to techguy.org. Neither of them showed any problems back then. I also ran Spybot (which I have removed) and Avast in the normal and Safe Mode and neither of those showed any problems. Mind you, this has been about 3 weeks ago and my pc performance is still very slowed, but better than early on, and the redirect page on my bank account has been a huge issue, as you can imagine. I don't mean to get too wordy, but I want you to know the issues I've had. After posting earlier HJT logs in the other forum, I was given quite a few (probably 10) programs to download, which I did although some of them wouldn't run. The thing which was a recurrent theme in each prior posting was O18...filter hijack, which I have deleted 3 times now but it always reappears somehow. My initial thoughts were that my router had been a point of entry (hack/hijack), a virus from a website, or P2P file sharing, which I think is now all gone from my machine. This is just a little history on where I've been prior to meeting you on here.

Now to the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:51 PM, on 11/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATT Internet Tools\blsloader.exe
C:\Program Files\LEX 18 Desktop Weather\liveonline_3251316.exe
C:\WINDOWS\System32\lxcgcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\ATT Internet Tools\blspc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\ATT Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - Startup: LEX 18 Desktop Weather.lnk = C:\Program Files\LEX 18 Desktop Weather\liveonline_3251316.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.75\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/...fslauncher.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} (DellSystemLite.Scanner) - http://support.dell.com/systemprofil...SystemLite.CAB
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader
5 Control) - http://upload.facebook.com/controls/...Uploader55.cab O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus...es/ax/stub.cab O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01...l/MSNPUpld.cab O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/S...ller_4-2-0.cab O18 - Filter hijack: text/html - (no CLSID) - (no file) O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\System32\lxcgcoms.exe O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe -- End of file - 7349 bytes |
19-Nov-2009, 10:41 AM
#12 | ||||||
| I was unaware that you've been using MBAM and SAS on a regular basis. Since your main concern is with the O18 log entry, I've reported your thread to the malware section so a malware expert can assist you. You've previously used P2P file sharing sites, so it's unknown what effect they've had on your computer. --------------------------------------------------------------- |
|
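The log posted above is HijackThis 2.x output, and post #12 singles out its O18 entry as the main concern. As an added example (editor's code, not from the thread and not Trend Micro's), here is a small parser for HJT entry lines with a few triage rules a reviewer would apply before deciding anything: O18 filter registrations, entries whose target is "(no file)" or "(no CLSID)", O23 services listed with "Unknown owner", and O16 ActiveX entries with no source URL. The sample input is a subset of the log posted in this thread; the triage rules are the editor's assumptions about what to look at first, not a HijackThis classification, and a flagged line only means "verify this", not "malicious".

```python
"""Parse HijackThis 2.x log entries and list the ones a reviewer checks first.

Added example for this thread; not HijackThis code. The triage rules below
are the editor's own heuristics (assumptions), not HJT's classification.
"""
import re
from dataclasses import dataclass

# Entry lines look like "O2 - BHO: name - {clsid} - path"; R-lines have no "Kind:".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:51 PM, on 11/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.att.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: LEX 18 Desktop Weather.lnk = C:\Program Files\LEX 18 Desktop Weather\liveonline_3251316.exe
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} -
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\System32\lxcgcoms.exe
"""


@dataclass
class Entry:
    code: str     # section code, e.g. "O2", "O18"
    kind: str     # "BHO", "Filter hijack", "Service", ...; "" for R-lines
    name: str     # display name, registry value name or MIME type
    clsid: str    # CLSID if the line carries one, else ""
    target: str   # file path, URL or registry data the entry points at
    middle: list  # fields between name and target (CLSID, vendor, "(no CLSID)")
    raw: str


def parse_entry(line: str):
    """Parse one HJT line; returns None for header, blank and process-list lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else ""
    if code.startswith("R"):                         # R0/R1: "HKxx\...\Key,Value = data"
        key, _, data = rest.partition(" =")
        return Entry(code, "", key.strip(), clsid, data.strip(), [], line)
    kind, _, detail = rest.partition(": ")
    if detail.startswith("["):                       # O4 Run entries: [value name] command
        name, _, target = detail[1:].partition("] ")
        return Entry(code, kind, name, clsid, target.strip(), [], line)
    if " - " not in detail and " = " in detail:      # O4 Startup entries: shortcut = target
        name, _, target = detail.partition(" = ")
        return Entry(code, kind, name, clsid, target.strip(), [], line)
    # General shape: name - [middle fields] - target; a bare trailing " -" means no target.
    parts = [p.strip() for p in detail.rstrip(" -").split(" - ")]
    target = parts[-1] if len(parts) > 1 else ""
    return Entry(code, kind, parts[0], clsid, target, parts[1:-1], line)


def parse_log(text: str):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def triage(entries):
    """Return (code, reason, raw) for entries worth a reviewer's attention."""
    findings = []
    for e in entries:
        if e.code == "O18":
            findings.append((e.code, f"filter registered for {e.name} ({e.target}); "
                             "an unexpected filter can rewrite page content, so trace how it got there", e.raw))
        elif e.target in ("(no file)", "(no CLSID)"):
            findings.append((e.code, "orphaned entry: registered component has no file on disk", e.raw))
        elif e.code == "O23" and "Unknown owner" in e.middle:
            findings.append((e.code, f"service without vendor information; verify {e.target}", e.raw))
        elif e.code == "O16" and not e.target:
            findings.append((e.code, "ActiveX download entry with no source URL", e.raw))
    return findings


if __name__ == "__main__":
    for code, reason, raw in triage(parse_log(SAMPLE_LOG)):
        print(f"{code:>4}: {reason}\n      {raw}")
```

Run against the full log in this thread the same four rules would also pick up the second "Unknown owner" service (NMSAccessU, the CDBurnerXP helper), which illustrates why the output is a review list rather than a verdict: both of those services belong to ordinary installed software.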
19-Nov-2009, 05:47 PM
#13 |
| Reformat
The malware forums of techguy.org were the ones who referred me to THIS forum for reformat help. They have been working with me for several weeks and said, as I mentioned, that my machine has been compromised and should be reformatted. Should I repost the problem in the malware forum or wait for someone to contact me or...? |
19-Nov-2009, 06:01 PM
#14 | ||||||
| I wasn't aware when I read post #1 that it was a malware expert in the TSG forums here that gave you that advice. You should've clarified that and posted the link to that thread when you started this thread. I was assuming it was someone else in an entirely different forum giving you "bad advice". I'm going to see if I can find your previous thread.
-----------------------------------------------------------------
Formatting a hard drive and doing a fresh install of XP is pretty straightforward because the XP CD does all the work. There's no startup floppy disk and DOS commands to deal with. There are several online pictorial tutorials to walk you through the process. Two things you need to do before you start are back up your personal data to CD-R's or some other media, and obtain and burn off to a CD-R the XP drivers for that computer - just in case the XP install process doesn't install all the drivers.
----------------------------------------------------------------
Last edited by flavallee; 19-Nov-2009 at 06:17 PM. |
19-Nov-2009, 06:14 PM
#15 | ||||||
| Update: This is your previous thread http://forums.techguy.org/malware-re...-somebody.html and it was Cybertech that assisted you and gave you that advice in post #43. --------------------------------------------------------------- |
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.