Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

help!


  • Please log in to reply
4 replies to this topic

#1 robertthred

robertthred

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 11 June 2005 - 03:10 AM

Having problems with MAJOR slowdowns and unwanted popups, ad aware and spybot have not even touched this problem. AVG antivirus found nothing.

Logfile of HijackThis v1.99.1
Scan saved at 3:08:18 AM, on 6/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avginet.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\uhinacd.exe
C:\Documents and Settings\Mr Murl\Desktop\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKLM\..\Run: [dlhoqih] c:\windows\system32\uhinacd.exe r
O4 - HKLM\..\Run: [xmr] C:\WINDOWS\System32\xmr.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/sp
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {121AC498-3F3A-4C39-9BEA-CFC4EA809FDF} (XlocatorInstall.Install) - http://www.xlocator.com/download/xlocatorlight.CAB
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_2.ocx
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: bw+0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - D:\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

BC AdBot (Login to Remove)

 


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,584 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 PM

Posted 11 June 2005 - 10:28 PM

Hi robertthred, welcome to BC.

I'll be helping you with your problems. Please give me a few minutes to look over your log and I'll be right with you.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,584 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 PM

Posted 12 June 2005 - 12:35 AM

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Reboot your computer into Safe Mode.

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Scan again with HijackThis and put a check by the following--don't be concerned if some of these entries aren't there as Ewido may already have eliminated them:

R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [dlhoqih] c:\windows\system32\uhinacd.exe r
O4 - HKLM\..\Run: [xmr] C:\WINDOWS\System32\xmr.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {121AC498-3F3A-4C39-9BEA-CFC4EA809FDF} (XlocatorInstall.Install) - http://www.xlocator.com/download/xlocatorlight.CAB
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#4 robertthred

robertthred
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 12 June 2005 - 04:19 AM

ok, did as requested. Seems that the XMR wasnt removed.
Here is the EWIDO scan report from safe mode---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:58:57 AM, 6/12/2005
+ Report-Checksum: 25042A48

+ Date of database: 6/12/2005
+ Version of scan engine: v3.0

+ Duration: 77 min
+ Scanned Files: 56339
+ Speed: 12.15 Files/Second
+ Infected files: 43
+ Removed files: 43
+ Files put in quarantine: 43
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\WINDOWS\SYSTEM32\Poller.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057050.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057090.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057472.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057483.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057492.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057496.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057500.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057503.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057525.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00055947.EXE -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056147.EXE -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056149.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056198.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056260.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056314.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056351.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056392.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056535.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056632.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056907.EXE -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056910.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056912.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056914.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056916.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056918.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056921.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056923.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00056927.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057126.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057229.EXE -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057231.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057308.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057386.DLL -> Trojan.Agent.db -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057804.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057805.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057806.DLL -> Spyware.Winsta -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057807.DLL -> Spyware.Winsta -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057808.DLL -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057809.DLL -> Not-A-Virus.PornWare.PopCap.b -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057810.OCX -> Spyware.Winsta -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057811.OCX -> Spyware.Winsta -> Cleaned with backup
C:\RECYCLED\NPROTECT\00057812.EXE -> Trojan.Nail -> Cleaned with backup


::Report End

and here is the log from HiJackThis after restart in normal mode

Logfile of HijackThis v1.99.1
Scan saved at 4:08:54 AM, on 6/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HiJackThis\HijackThis1991.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [xmr] C:\WINDOWS\System32\xmr.exe
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/sp
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_2.ocx
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: bw+0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - D:\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {606E60B9-8F8A-4EA2-B378-E55881958638} - D:\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

thank you for your help, you guys are life savers...

#5 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,584 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 PM

Posted 12 June 2005 - 12:09 PM

OK, I'd like to take a closer look at xmr.exe. Please submit it for examination by doing the following.

Download killbox from here:

KillBox

Unzip the folder to your desktop.


*Start Killbox.exe
*Select the Standard File Kill option.
*Copy the filepath below to the clipboard by highlighting it and pressing Control-C:

C:\WINDOWS\System32\xmr.exe

*Go to the File menu of Killbox, and choose "Paste from Clipboard".
*Click the "Delete File" button that is a red-and-white X. Say yes when asked if you want to delete and backup this file.
*Exit Killbox.

*Now navigate to the C:\!Submit folder that was just created and rename it to robertthred.
*Right click the robertthred folder and choose Send To>Compressed Folders. You should now see a robertthred.zip folder.
*Now go to the BC Malware Submittal page, fill in the required fields, and browse to the robertthred.zip folder. Then click on the Send File button.

If you have any problems with that just continue on with the next steps but let me know what happened.

Download the following file and save it to your desktop:
http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select Install.

Scan again with HijackThis and put a check by the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [xmr] C:\WINDOWS\System32\xmr.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYUS

Close all open windows except for HijackThis and click Fix Checked.

Reboot.

You need to decide on one anitvirus to have installed on your PC and stick with that. They tend to work against each other. It's good to double-check on Norton's effectiveness, but do that with free online scanners. In fact the next step is to run at least two from the following list, and I would strongly urge that you uninstall AVG before doing so:

http://www.kaspersky.com/beta?product=161744315 ( with this one as it's a beta product, they ask for a name & email, just put any email in and any name and company it isn't checked on and they have just used the standard beta page as a doorway to it )
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://www.freedom.net/viruscenter/...viruscheck.html
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

You should try to delete any files that these scanners are unable to clean.

Two other things you are going to need to do once we get you fairly cleaned up:

1. You are seriously behind on Windows updates. Running an unpatched system you will continually get reinfected and just be wasting our time. You need to at least be up to Service Pack 1a.

2. All those 018's in the HijackThis log are from Backweb's Desktop Messenger. This is an unnecessary drag on your system and some consider it to be adware/spyware. I recommend that you go into Add/Remove progams via Control Panel and uninstall Desktop Messenger, then use HijackThis to fix all the 018's. Create a Restore point before doing so in case of problems, but for now I would hold off on that and updates until your HJT log is clean.

Last step--start HijackThis and follow these steps:
  • Click on Config button
  • Click on the Misc Tools button
  • Check the checkbox for List minor sections (full)
  • Check the checkbox for List empty sections (complete)
  • Click on the Generate StartupList Log button
  • Click the Yes button to create the list
Post that list as a reply to this post and let me know how things went. Also if you were still experiencing problems after the first fix and please describe them.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users