Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » March 28th, 2008, 5:32 pm

Hi

Please see original post (took too long to reply):
viewtopic.php?f=11&t=28045

I'm trying to get rid of CELLDORADO on my dad's laptop and I am having an absolute nightmare. I didn't have access to the laptop but I now have it for the next 7 days so fingers X'd, with this forum's help, we can get this sorted.

Here's my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:34:58, on 28/03/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\aol\1169821358\ee\aolsoftware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\ntvdm.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Google\Google_BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169821358\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SetPoint] C:\Program Files\Logitech\SetPoint\SetPoint.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SmpcSys] C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resour ... cctrl2.cab
O18 - Protocol: bw+0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {B224B726-5F34-4619-ACB2-A9E4ACB25FEC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 22279 bytes

Thanks
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am
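A log this long (well over a hundred O-entries, nearly eighty of them the Logitech bw* protocol handlers) is read by ranking, not line by line. The script below is an added example, not part of the original post and not a HijackThis feature: it parses HJT-style lines and attaches a reason to each entry that deserves a second look. The rules (orphaned service binary, service with no recognised publisher, autorun from a user-writable directory, Winlogon Notify DLL) are the editor's own triage heuristics, not a definition of malicious. The sample is seven lines copied from the posted log plus one constructed HKCU Run entry for kbbwypt.exe, which the posted log does not contain; it is there only so the user-writable-path rule has something to fire on. Note the caveat this thread itself illustrates: every entry in the posted log belongs to a known vendor, and the actual infection surfaced only in the Catchme hidden-file scan further down, so a clean-looking HJT triage is a starting point, not a verdict.

```python
import re

# Constructed sample: seven lines copied from the HijackThis log posted
# above, plus one constructed line (the [kbbwypt] HKCU Run entry) that the
# posted log does NOT contain, so the user-writable-path rule can fire.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [SmpcSys] C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
O4 - HKCU\..\Run: [kbbwypt] C:\Users\ANDREW\AppData\Local\kbbwypt.exe
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+)\s+-\s+(?P<body>.+)$")
# Directories a standard user can write to; an autorun living there is
# far more often dropped by malware than installed by a vendor.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Local Settings|Temp|ProgramData)\\", re.I)

# (section, predicate on the body, reason). Editor's heuristics, not a
# definition of "malicious": each one is a cheap reason to read that line
# before the other hundred-odd entries.
RULES = [
    ("O23", lambda b: "(file missing)" in b,
     "service points at a binary that no longer exists (orphan or deleted payload)"),
    ("O23", lambda b: "Unknown owner" in b,
     "service binary carries no recognised publisher"),
    ("O4", lambda b: bool(USER_WRITABLE_RE.search(b)),
     "autorun launches from a user-writable directory"),
    ("O20", lambda b: True,
     "Winlogon Notify DLL loads into winlogon.exe; confirm the publisher"),
]


def triage(log_text):
    """Parse HijackThis-style lines; attach the reasons each deserves a look."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # blank lines, the process list, the header
        kind, body = m.group("kind"), m.group("body")
        reasons = [why for section, test, why in RULES
                   if kind == section and test(body)]
        entries.append({"kind": kind, "body": body, "reasons": reasons})
    return entries


def flagged(log_text):
    """Only the entries with at least one reason, most reasons first."""
    return sorted((e for e in triage(log_text) if e["reasons"]),
                  key=lambda e: -len(e["reasons"]))


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e["kind"], "-", e["body"])
        for r in e["reasons"]:
            print("   ->", r)
```

Run it against the whole posted log and only the two Symantec services and the AVG Winlogon Notify DLL come out, all of which this thread's helper correctly leaves alone; the constructed kbbwypt line shows what a Navipromo-style autorun would have looked like had it been present.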

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by chryssi2001 » April 2nd, 2008, 3:48 pm

Hello weegieq,

I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log and I will post back recommendations for repairs.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or get stuck, please let me know. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it as a reference.
IMPORTANT NOTE:
If you are using Windows Vista you must right-click on the desktop icon and choose Run as Administrator for all tools.

PLEASE DO NOT POST REPORTS AS ATTACHMENTS
----------------------------------------------
I need you to run Navilog1.
I am reposting the instructions to install the program in case you uninstalled it. If you still have the program skip the installation instructions and run Option #1.
----------------------------------------------
Navilog1 for Vista

Installation:

Disable UAC-User Account Control (Please remember to re-enable it afterwards when disinfection is complete):
  • Go to Start > Control Panel
  • Double click on the User Account icon
  • Then click Disable and validate.
  • Now download Navilog1 from the following link:
  • http://pagesperso-orange.fr/il.mafioso/Navifix/Navilog1.exe
  • Right click on the above link and choose Save target as and save it to your Desktop.
  • Right-click on navilog1.exe and choose "Run as Administrator" to install it.
  • Wait for the end of installation.
----------------------------------------------
Navilog1 for Vista

Option #1:

Make sure the UAC-User Account Control is turned off.
  • Right-click Navilog1 shortcut on Desktop and choose "Run as Administrator".
  • On main menu, choose 1
  • Follow the instructions and wait.
  • Wait for the *** Search completed *** message (It may take a reasonable amount of time)
  • Press any key as requested.
  • A new notepad document will be produced: fixnavi.txt.
  • Please copy/paste the contents of this report in your next reply.
The report fixnavi.txt is also saved in %systemdrive%. (usually C:\)
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » April 3rd, 2008, 5:11 am

Hi

First of all I'd like to say thanks for your help.

I seem to have a problem with Navilog1. I've turned UAC off and when I run Navilog1 as administrator, it takes an excessive amount of time without completing. I was wondering if I was just being impatient or if I was doing something wrong. I ran it the other day (under the same conditions) and it ran for 2 hrs without completing. It has now been running for an hour and it is yet to complete. When I first downloaded and ran it (from my original post) it took approx 20-25 mins to complete. I don't use the PC for anything else when it is running.

Thanks again
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by chryssi2001 » April 3rd, 2008, 5:29 am

Hello weegieq,

Let's see if I understand what you are saying.

After your old thread closed as inactive, you still had Navilog1 installed and didn't uninstall it. So you did run Option 1 again yourself, and it didn't complete.

Do you still have the old report?
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » April 3rd, 2008, 6:07 am

Yes, that's right - it was already installed but I have since uninstalled and reinstalled it.

Here's the original log

Search Navipromo version 3.4.8 began on 02/03/2008 at 9:28:42.07

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Updated on 25.02.2008 at 20h00 by IL-MAFIOSO

Microsoft Windows Vista 6.0.6000
Version Internet Explorer : 7.0.6000.16609
Filesystem type : NTFS

Done in normal mode

*** Searching for installed Software ***




*** Search folders in C:\Windows ***



*** Search folders in C:\Program Files ***


*** Search folders in C:\ProgramData ***


*** Search folders in C:\ProgramData\Microsoft\Windows\Start Menu\Programs ***


*** Search folders in C:\Users\ANDREW\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs ***


*** Search folders in C:\Users\ANDREW\AppData\Local\virtualstore\Program Files ***

...\InternetGameBox found !


*** Search folders in C:\Users\ANDREW\AppData\Roaming ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

Hidden file(s) :

C:\Users\ANDREW\AppData\Local\kbbwypt.dat
C:\Users\ANDREW\AppData\Local\kbbwypt.exe
C:\Users\ANDREW\AppData\Local\kbbwypt_nav.dat
C:\Users\ANDREW\AppData\Local\kbbwypt_navps.dat



*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\Windows\system32 *



Thanks
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by chryssi2001 » April 3rd, 2008, 7:51 am

Hello weegieq,

You posted for help also at Bleeping Computer. Please post back and tell them you are being helped here so they can close the thread. If you prefer to get help at Bleeping Computers, please let me know.
----------------------------------------------
Remove/Disable one of your Anti Virus programs.
You are operating your computer with multiple Anti Virus programs running in memory at once:

Symantec
AVG free


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove one of them.
----------------------------------------------
Not sure what's wrong with Navilog1 and why it can't run on your PC now. The fact that you re-ran Option #1 might have something to do with it.

Can you please try to run Option #2 as per my instructions below and let me know what happens?
If it runs properly and creates a report, please post it here.
----------------------------------------------
Navilog1 for Vista

Option #2:

Make sure the UAC-User Account Control is turned off.

Right-click on Navilog1 shortcut on your Desktop and choose "Run as Administrator".
  • On main menu, choose 2
  • Follow the instructions and wait.
  • The tool will then advise you that it will restart your computer.
  • Save your open documents, if any, and close all windows.
  • Press any key as requested.
  • If your computer doesn't restart automatically, restart it manually.
  • Choose your usual session if necessary.
  • Wait for the *** Cleaning stage complete! *** message (Please be patient. It may take a reasonable amount of time).
  • A new notepad document will be produced.
  • Please save the document and copy/paste the contents of this report in your next reply.
  • Your desktop will now appear.
Re-enable UAC-User Account Control.

Note : In the event you lose your desktop, press CTRL+ALT+Delete to bring up the Task Manager. Then, click on "Process" tab. Click on File and choose "Run" Explorer.
----------------------------------------------
Post back:
Navilog1 report if it runs, or post any problems if the tool wasn't able to run.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » April 3rd, 2008, 5:14 pm

Hi chryssi2001

The post on Bleeping Computer should already be closed.

First thing tomorrow morning I'll give your instructions a go.

Thanks
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by chryssi2001 » April 4th, 2008, 1:06 am

Ok, please do not try to run Navilog Option #2 twice.
Just once!
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » April 4th, 2008, 5:07 am

I think its been all my fault. Although I had been running ith UAC off, I hadn't been using "run as administrator".

As you requested I ran option 2 (without running it as an administrator) and the following message appeared

"To run a cleaning with choice 2 you must do before a search with choice 1 and post the report for the helper
Fix will be stopped
press ay key to continue"

When you hit a key Navilog1 closes. It was then I realised my mistake re administrator and I ran the programme; instead of having the language options and then the other options it started doing something and gave me the following results



*** Search files ***


C:\Windows\system32\nvs2.inf found !


*** Search specific Registry keys ***


*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :


2)Heuristic Search :

* In C:\Windows\system32 :


* In C:\Users\ANDREW\AppData\Local\Microsoft :


* In C:\Users\ANDREW\AppData\Local :


3)Certificates Search :

Egroup certificate found !
Electronic-Group certificate found !
OOO-Favorit certificate found !
Sunny-Day-Design-Ltd certificate not found !

4)Search known files :



*** Search completed on 04/04/2008 at 10:00:43.00 ***


Would this be my new search result file from option 1?

sorry about my stupidity earlier with navilog1
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Unread postby weegieq » April 4th, 2008, 5:10 am

hi

Whilst looking on the C: drive I noticed that next to the fixnavi txt file there was one called cleannavi.

Here is the info from the cleannavi txt, hope this is useful

*** Creating backups for files found by Catchme

Copy to "C:\Program Files\navilog1\Backupnavi"

Copy C:\Users\ANDREW\AppData\Local\qjocawhseg.dat done !
Copy C:\Users\ANDREW\AppData\Local\qjocawhseg.exe done !
Copy C:\Users\ANDREW\AppData\Local\qjocawhseg_nav.dat done !
Copy C:\Users\ANDREW\AppData\Local\qjocawhseg_navps.dat done !

*** Deleting files found with Catchme ***

C:\Users\ANDREW\AppData\Local\qjocawhseg.dat deleted !
C:\Users\ANDREW\AppData\Local\qjocawhseg.exe !!DELETING FAILED!!
C:\Users\ANDREW\AppData\Local\qjocawhseg_nav.dat deleted !
C:\Users\ANDREW\AppData\Local\qjocawhseg_navps.dat deleted !

** Second pass with Catchme results **

* In C:\Windows\system32 *


* In C:\Users\ANDREW\AppData\Local\Microsoft *


* In C:\Users\ANDREW\AppData\Local *


qjocawhseg.exe found !
Copy qjocawhseg.exe done !
qjocawhseg.exe !!DELETING FAILED!!

*** Deleting with Backups GenericNaviSearch results ***

* Deletion in C:\Windows\System32 *


* Deletion in C:\Users\ANDREW\AppData\Local\Microsoft *


* Deletion in C:\Users\ANDREW\AppData\Local *
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am
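Added example, not from the thread or from Navilog1's author: a small Python parser for the cleannavi report format quoted above. It pulls out what was backed up, deleted or found, flags entries marked !!DELETING FAILED!! so a helper can see what still needs attention after the reboot, and checks that every failed deletion at least has a backup copy. The sample report is constructed from lines of the same shape as the posted one.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the shape of the Navilog1 "cleannavi" report quoted above.
SAMPLE_REPORT = r"""
*** Creating backups for files found by Catchme
Copy to "C:\Program Files\navilog1\Backupnavi"
Copy C:\Users\ANDREW\AppData\Local\qjocawhseg.dat done !
Copy C:\Users\ANDREW\AppData\Local\qjocawhseg.exe done !
*** Deleting files found with Catchme ***
C:\Users\ANDREW\AppData\Local\qjocawhseg.dat deleted !
C:\Users\ANDREW\AppData\Local\qjocawhseg.exe !!DELETING FAILED!!
** Second pass with Catchme results **
qjocawhseg.exe found !
Copy qjocawhseg.exe done !
qjocawhseg.exe !!DELETING FAILED!!
"""

# One result line: optional "Copy " prefix, a path or bare file name, then a status marker.
LINE_RE = re.compile(
    r"^(?:Copy )?(?P<path>.+?) (?P<status>done !|deleted !|found !|!!DELETING FAILED!!)$"
)


def parse_cleannavi(text):
    """Map each status marker to the paths reported with it, in report order."""
    results = defaultdict(list)
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            results[match.group("status")].append(match.group("path"))
    return results


def deletion_failures(text):
    """Unique file names Navilog1 could not delete (full paths and bare names merged)."""
    seen = []
    for path in parse_cleannavi(text)["!!DELETING FAILED!!"]:
        name = ntpath.basename(path)  # handles Windows paths on any host OS
        if name not in seen:
            seen.append(name)
    return seen


def failed_without_backup(text):
    """Failed deletions with no 'Copy ... done !' entry, i.e. nothing in Backupnavi to fall back on."""
    backed_up = {ntpath.basename(p) for p in parse_cleannavi(text)["done !"]}
    return [name for name in deletion_failures(text) if name not in backed_up]
```

On the sample, deletion_failures reports qjocawhseg.exe as still present after both passes, matching what the posted report shows, while failed_without_backup is empty because the tool copied it to Backupnavi first.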

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Unread postby chryssi2001 » April 4th, 2008, 7:39 am

Hello weegieq,

Do you still get pop-ups or get redirected to CELLDORADO?
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Post back:
Malwarebytes' Anti-Malware report.
A new Hijackthis log.
Tell me how the pc is running now.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Unread postby weegieq » April 4th, 2008, 7:52 am

Hi

Yeah, I still get pop-ups and redirections to celldorado. I have downloaded that program and will post back once it's completed.

Thanks
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Unread postby chryssi2001 » April 4th, 2008, 8:09 am

Ok, I'll wait for the report.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Unread postby weegieq » April 4th, 2008, 8:46 am

Hi

Here's the log file

Malwarebytes' Anti-Malware 1.10
Database version: 589

Scan type: Full Scan (C:\|)
Objects scanned: 138073
Time elapsed: 49 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Unread postby weegieq » April 4th, 2008, 8:54 am

Just had another pop up
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am