Ghost invisible IE explorer

  1. #1
    meremaiden (Newbie)

    Ghost invisible IE explorer - HJT log included

    Hi,
    I've been having a problem with a process called iexplore.exe.
    It seems to be a ghost Internet Explorer page (I don't even use IE) and opens whenever my computer starts, as found by system processes. I hear a beep often (which is the same sound that IE makes when blocking a pop-up), and this process (iexplore.exe) takes up a lot of CPU usage (34,000+).

    I have cleaned up using many different programs; none seem to be able to locate this process.
    Here's my hijackthis log.
    Thanks in advance for any help!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:44:22 AM, on 4/10/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
    C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
    C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ProcessGuard\pgaccount.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\ProcessGuard\procguard.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ProcessGuard\dcsuserprot.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
    C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Reference, Facts, News - Free and Family-friendly Resources - Refdesk.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
    O2 - BHO: D - {2B9BC7B2-9C14-397A-A1E7-81B68A00C87A} - C:\WINDOWS\system32\xwr40044.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [WD Drive Manager] "C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe"
    O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
    O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46...abblecubes.cab
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v46...amesLoader.cab
    O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://www.worldwinner.com/games/v48...t/brickout.cab
    O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://www.worldwinner.com/games/v42/shape/shape.cab
    O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v45.../bejeweled.cab
    O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v49.../blockwerx.cab
    O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinner.com/games/v44...e/wordcube.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46...o/wordmojo.cab
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
    O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
    O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://www.worldwinner.com/games/v49...ed/haunted.cab
    O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41...an/hangman.cab
    O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O18 - Protocol: bw+0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {170D72D0-6736-48E6-B230-F96C5C8FD930} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: DiamondCS ProcessGuard Service v3.500 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (Award-winning Security Software for Home and Business Computers) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

    --
    End of file - 22335 bytes
    Last edited by meremaiden; 10-04-2009 at 03:20 AM. Reason: want to include HJT log


  2. #2
    VopThis (Senior Member, Canada)
    It seems to be a ghost internet explorer page ( I dont even use IE) ...

    this process (iexplore.exe) takes up a lot of CPU usage (34,000+).

    By running the following screensaver, you cause IE to be loaded, along with the usage of the 'memory' resources noted above - that is, the memory that IE uses when loaded:
    GPhotos.scr - Can you trust this file? OASIS
    What does GPhotos.scr do?

    * IE Menu Extension - adds a Menu to Internet Explorer.
    * Process - a process that runs on your computer
    * Autorun - automatically runs every time you start your computer
    * Cache
    * RemoteCode



    ALSO,
    Currently, you have a file that yields very limited or no search results, which can often turn out to be malware. Often such files have a random-name variation:


    Submit files to VirusTotal

    Go to VirusTotal - Free Online Virus and Malware Scan
    Copy each of the following lines into the white textbox (OR navigate/browse to the file in question):
    • >[Full Path]\Suspect File<
      C:\WINDOWS\system32\xwr40044.dll

      [also right-click located file>properties - for potential relevant or suspect vendor details, etc.]
    Click ‘Send File’.
    Please post the results of each scan to this thread.



    If VirusTotal's service load is too high, you can use the following scanner instead:
    Online malware scan

    Click ‘Submit’.
    Last edited by VopThis; 10-04-2009 at 01:37 PM.

  3. #3
    meremaiden (Newbie)
    Thanks for this excellent reply. I'm trying to find and uninstall the GPhotos thing (which I wasn't even aware of), and here are the results for that file... What to make of them?

    MANY MANY thanks!

    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.04.10 -
    AhnLab-V3 5.0.0.2 2009.04.10 -
    AntiVir 7.9.0.138 2009.04.10 -
    Antiy-AVL 2.0.3.1 2009.04.10 -
    Authentium 5.1.2.4 2009.04.10 W32/Agent.CU.gen!Eldorado
    Avast 4.8.1335.0 2009.04.10 -
    AVG 8.5.0.285 2009.04.10 -
    BitDefender 7.2 2009.04.10 -
    CAT-QuickHeal 10.00 2009.04.10 -
    ClamAV 0.94.1 2009.04.10 -
    Comodo 1109 2009.04.10 -
    DrWeb 4.44.0.09170 2009.04.10 -
    eSafe 7.0.17.0 2009.04.07 -
    eTrust-Vet 31.6.6448 2009.04.10 -
    F-Prot 4.4.4.56 2009.04.10 W32/Agent.CU.gen!Eldorado
    F-Secure 8.0.14470.0 2009.04.10 -
    Fortinet 3.117.0.0 2009.04.10 -
    GData 19 2009.04.10 -
    Ikarus T3.1.1.49.0 2009.04.10 -
    K7AntiVirus 7.10.698 2009.04.09 -
    Kaspersky 7.0.0.125 2009.04.10 -
    McAfee 5580 2009.04.10 -
    McAfee+Artemis 5580 2009.04.10 -
    McAfee-GW-Edition 6.7.6 2009.04.10 -
    Microsoft 1.4502 2009.04.10 -
    NOD32 3999 2009.04.10 -
    Norman 6.00.06 2009.04.09 -
    nProtect 2009.1.8.0 2009.04.10 -
    Panda 10.0.0.14 2009.04.10 -
    PCTools 4.4.2.0 2009.04.08 -
    Prevx1 V2 2009.04.10 -
    Rising 21.24.44.00 2009.04.10 -
    Sophos 4.40.0 2009.04.10 -
    Sunbelt 3.2.1858.2 2009.04.10 -
    Symantec 1.4.4.12 2009.04.10 -
    TheHacker 6.3.4.0.305 2009.04.10 -
    TrendMicro 8.700.0.1004 2009.04.10 -
    VBA32 3.12.10.2 2009.04.10 -
    ViRobot 2009.4.10.1688 2009.04.10 -
    VirusBuster 4.6.5.0 2009.04.10 -
    Additional information
    File size: 200704 bytes
    MD5...: 590df4b527fe69bc747c18b2cb403aaf
    SHA1..: 0b2ad7496f9fa9157053fb6fdb84b8bc41af8a99
    SHA256: 38159e6a97571917bd5615535fbd318a8dbcca6fd70949400ae9a11fcfda5f9b
    SHA512: a2cf04d36dc9ee0edc8ab2191cd841b04e2ddd6d049ee09fb08dfb3b7120c984
    01a366502c6537c8380f0ebf8b66a3d2a929254a554b01fcb17b9a29d2d53bcd
    ssdeep: 6144:1RPNgyVOhFFvOR3s/8I83YiGyJKAUayJK:1RFPVODFG5sMYiJh1
    PEiD..: -
    TrID..: File type identification
    DirectShow filter (52.6%)
    Windows OCX File (32.2%)
    Win32 Executable MS Visual C++ (generic) (9.8%)
    Win32 Executable Generic (2.2%)
    Win32 Dynamic Link Library (generic) (1.9%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1831b
    timedatestamp.....: 0x49b908f3 (Thu Mar 12 13:06:59 2009)
    machinetype.......: 0x14c (I386)

    ( 5 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x1d593 0x1e000 6.32 44c6b6d7b1d5891deedc4f9e7e674615
    .rdata 0x1f000 0x8db0 0x9000 5.41 a6521bd247330caf6907add5796f6eab
    .data 0x28000 0x4966e0 0x2000 2.64 b8ee5fa1e3db7a968edcb08189375919
    .rsrc 0x4bf000 0xa60 0x1000 2.51 cf8512e2568dc01cec7b68033856801d
    .reloc 0x4c0000 0x5060 0x6000 2.50 0ff75de8cfd4182f2b7378d181874aa3

    ( 10 imports )
    > WININET.dll: InternetCheckConnectionA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle, InternetOpenA
    > urlmon.dll: URLDownloadToFileA, UrlMkSetSessionOption, CoInternetCompareUrl
    > KERNEL32.dll: InterlockedExchange, GetVersionExA, GetACP, GetLocaleInfoA, GetThreadLocale, DeleteCriticalSection, LeaveCriticalSection, InterlockedIncrement, EnterCriticalSection, InterlockedDecrement, InitializeCriticalSection, MultiByteToWideChar, GetLastError, WideCharToMultiByte, lstrlenW, FreeLibrary, SizeofResource, LoadResource, FindResourceA, LoadLibraryExA, lstrcpynA, IsDBCSLeadByte, GetModuleHandleA, lstrcatA, ExitProcess, GetTickCount, Sleep, lstrcatW, lstrcpyW, GetVolumeInformationA, CreateProcessA, CloseHandle, TerminateThread, WaitForSingleObject, CreateThread, GetProcAddress, LoadLibraryA, SetFileTime, WriteFile, GetFileTime, CreateFileA, Process32Next, Module32First, GetModuleFileNameA, CreateToolhelp32Snapshot, SetFilePointer, GetStringTypeW, GetStringTypeA, GetCPInfo, GetOEMCP, IsBadCodePtr, IsBadReadPtr, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, SetUnhandledExceptionFilter, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, TlsAlloc, lstrlenA, lstrcpyA, lstrcmpiA, DisableThreadLibraryCalls, LCMapStringA, LCMapStringW, VirtualProtect, GetSystemInfo, VirtualQuery, SetStdHandle, TlsGetValue, SetLastError, TlsFree, HeapSize, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, QueryPerformanceCounter, GetCommandLineA, TlsSetValue, GetCurrentThreadId, GetSystemTimeAsFileTime, HeapAlloc, HeapReAlloc, RaiseException, HeapFree, RtlUnwind, FlushFileBuffers, Process32First
    > USER32.dll: CharNextA, SetTimer, LoadStringA, GetMenuItemCount, DestroyMenu, GetDC, CloseWindow, GetActiveWindow, GetKeyboardLayout, GetInputState, GetLastActivePopup, wsprintfA, FlashWindow, ReplyMessage, DeleteMenu, IsZoomed, GetDoubleClickTime, OpenIcon, IsWindow, EnumWindows, GetFocus, GetKBCodePage, KillTimer, EndDialog, GetDlgCtrlID, FindWindowA, wsprintfW
    > ADVAPI32.dll: RegQueryValueExA, RegDeleteKeyA, RegOpenKeyA, RegQueryInfoKeyA, RegEnumKeyExA, RegCreateKeyExA, RegDeleteValueA, RegCreateKeyA, RegEnumKeyA, RegOpenKeyExA, RegCloseKey, RegSetValueExA
    > SHELL32.dll: SHGetSpecialFolderPathA, ShellExecuteA
    > ole32.dll: StringFromCLSID, CoCreateInstance, CoTaskMemRealloc, CoTaskMemAlloc, CoTaskMemFree, StringFromGUID2
    > OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
    > SHLWAPI.dll: PathFindExtensionA
    > COMCTL32.dll: InitCommonControlsEx

    ( 4 exports )
    DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
    RDS...: NSRL Reference Data Set

  4. #4
    VopThis (Senior Member, Canada)
    Remove the following likely non-essential item:

    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O2 - BHO: D - {2B9BC7B2-9C14-397A-A1E7-81B68A00C87A} - C:\WINDOWS\system32\xwr40044.dll

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.


    Subsequently after reboot, if there are no apparent issues (no hurry here), you can later delete the following file:
    C:\WINDOWS\system32\xwr40044.dll




    * Please download Malwarebytes' Anti-Malware from HERE or HERE

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • Run the scan in SAFEMODE (tapping the F8 key on bootup), if necessary.
    • If an update is found, it will download and install the latest version.
    • If you encounter any problems while downloading the updates, manually download them from HERE and just double-click on mbam-rules.exe to install.
    • Once the program has loaded, select "Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
    • A run log is automatically saved by MBAM and can be viewed by clicking the Logs TAB in MBAM.
    • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
    • Please post any current revised observations.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
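The reasoning in posts #2 and #4 (a BHO with a meaningless name and a random-looking file name under system32 is the item to submit and then fix) can be turned into a small triage helper. This is an added example, not HijackThis code and not something either poster wrote; the O2/O3 sample lines are copied from the log above, while the name-length rule and the letters-then-digits file-name pattern are my own heuristics.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the O2 (BHO) lines and one O3 line copied from the
# HijackThis log posted above. Only O2 lines are triaged here.
SAMPLE_LOG = r"""
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: D - {2B9BC7B2-9C14-397A-A1E7-81B68A00C87A} - C:\WINDOWS\system32\xwr40044.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
""".strip()

# HJT O2 line layout: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# Directories where a BHO with a meaningless name deserves a second look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Assumed heuristic for dropper-style names such as xwr40044.dll: a few letters
# followed by a run of digits. Legitimate add-ons usually carry a vendor or
# product name in the file stem (SnagItBHO, AcroIEHelper, jp2ssv).
RANDOM_STEM_RE = re.compile(r"^[a-z]{1,4}\d{3,}$", re.I)


@dataclass
class BhoFinding:
    line: str
    name: str
    clsid: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if "no file on disk" in self.reasons:
            # Registry leftover: worth cleaning, but not evidence of infection.
            return "orphan"
        return "investigate" if self.reasons else "ok"


def parse_bho(line: str):
    """Return a BhoFinding for an O2 line, or None for any other HJT line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return BhoFinding(line.strip(), m["name"], m["clsid"], m["path"])


def triage(finding: BhoFinding) -> BhoFinding:
    """Attach the reasons (if any) why a helper would ask for this BHO to be checked."""
    name, path = finding.name, finding.path
    if path == "(no file)":
        finding.reasons.append("no file on disk")
        return finding
    if name == "(no name)" or len(name.strip()) <= 2:
        finding.reasons.append("uninformative BHO name")
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if low.startswith(SYSTEM_DIRS) and RANDOM_STEM_RE.match(stem):
        finding.reasons.append("random-looking file name in a Windows system directory")
    return finding


def triage_log(text: str) -> list:
    """Parse and triage every O2 line in a pasted HijackThis log."""
    out = []
    for line in text.splitlines():
        f = parse_bho(line)
        if f is not None:
            out.append(triage(f))
    return out


def lines_to_fix(text: str) -> list:
    """The exact HJT lines a helper would ask the user to tick under 'Fix checked'."""
    return [f.line for f in triage_log(text) if f.verdict != "ok"]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:12} {f.clsid} {f.path}  {'; '.join(f.reasons)}")
```

A flagged entry is a prompt to submit the file to VirusTotal and look at its properties, as post #2 does, not a verdict on its own.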

  5. #5
    meremaiden (Newbie)
    Just wanted to thank you all for your help -- it's all running smoothly - you're hugely appreciated!
