What a Mess...


13 replies to this topic

#1 bobapunk

bobapunk

    New Member

  • Authentic Member
  • 11 posts

Posted 14 April 2006 - 01:15 AM

I thought that my cocktail of CWShredder, Trend Micro's on-line scan, Ad-Aware, Spybot S&D, and SpywareBlaster was just about foolproof; well, I may have been wrong.

Somehow I got into some nasty stuff: "BetterInternet.nail" seems to be the recurring source (Ad-Aware finds it every time, but it's always there again). The TeaTimer part of SBS&D is non-stop blocking vgyjg and ajgigj. Anyway, I read that "BetterInternet.Nail" was a VX2 "file", so I DL'd the VX2 Cleaner V2.0 from Lavasoft, but it never found the malware. It kept saying "system clean". Then I would do an Ad-Aware scan and the .Nail would be there.

I figured it was time I got HijackThis and got some "professional" help.

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 2:09:31 AM, on 4/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\hidserv.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINNT\system32\ZoneLabs\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\Explorer.EXE
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\svchost.exe
F:\Spy Bot\Spybot - Search & Destroy\TeaTimer.exe
F:\ZoneLabs\ZoneAlarm\zapro.exe
F:\Hijack This\HijackThis.exe
F:\FIREFOX\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
F2 - REG:system.ini: Shell=Explorer.exe, E:\WINNT\system32\qcfug.exe
F2 - REG:system.ini: UserInit=E:\WINNT\system32\userinit.exe,cwmxqqm.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "F:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spy Bot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = F:\ZoneLabs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} -
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.reds...rsinstaller.cab
O18 - Protocol: bw+0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINNT\system32\ZoneLabs\vsmon.exe

That is a lot of carp**; I would like to know what I can do to get rid of this .Nail garbage and also what else, if anything, can be cleaned up.

Thanks in Advance!

bobapunk



#2 bobapunk

bobapunk

    New Member

  • Authentic Member
  • 11 posts

Posted 21 April 2006 - 04:27 PM

Bump to the top.

I poked around a few other threads and DLed ewido, which I ran in safe mode.

Here is my current HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:18:14 PM, on 4/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
F:\ewido anti-malware\ewidoctrl.exe
F:\ewido anti-malware\ewidoguard.exe
E:\WINNT\system32\hidserv.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINNT\system32\ZoneLabs\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\Explorer.EXE
F:\Spy Bot\Spybot - Search & Destroy\TeaTimer.exe
F:\ZoneLabs\ZoneAlarm\zapro.exe
F:\Firefox\firefox.exe
E:\WINNT\System32\svchost.exe
F:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
F2 - REG:system.ini: UserInit=E:\WINNT\system32\userinit.exe,cwmxqqm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MSConfig] E:\WINNT\msconfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spy Bot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = F:\ZoneLabs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145128298996
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} -
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -
O18 - Protocol: bw+0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - F:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINNT\system32\ZoneLabs\vsmon.exe

#3 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 22 April 2006 - 05:26 AM

Welcome to the forum.

Download FindQoologic.zip and save it to your E:\.
http://downloads.sub...on/FindQool.zip

Extract (unzip) the files inside into their own folder called FindQool.
Read here how to unzip/extract properly:
http://metallica.gee...xplanation.html

This folder should be present on your E:\
In case it's not present there, move the FindQool folder to E:\ otherwise it won't work.
Then open the FindQool folder.
Locate and double-click the Qlocate.bat file to run it.

This will scan your system.
Wait until a text opens.
Post this in your next reply.

MrC


#4 bobapunk

bobapunk

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 22 April 2006 - 08:51 AM

MrC, Thanks for the advice! Here is the Report.txt that FindQool generated:

Sat 04/22/2006
Running from: E:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Known file names MD5 Check....
Files found with locate com.
Re-check using dir /a:-d
E:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
...
HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}
...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...
Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ E:\WINNT\system32\userinit.exe,cwmxqqm.exe
...
SWReg utility Written by Bobbi Flekman © 2005
Findqool edited 4/05/2006

:scratch: That is all greek to me, but I know you will help me decipher it. Thanks!

#5 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 22 April 2006 - 09:52 AM

Please do this for me:

Download and unzip the KillBox to a folder - we'll use it later.


Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

F2 - REG:system.ini: UserInit=E:\WINNT\system32\userinit.exe,cwmxqqm.exe
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -

Click on Fix Checked when finished and exit HijackThis.

Now open up the KillBox.
Select the Delete on Reboot option.
In the field labeled Full Path of File to Delete copy and paste this in.

E:\WINNT\system32\cwmxqqm.exe

Hit the delete button
OK
Reboot the computer
If you receive an error message and your computer doesn't restart, please restart it manually.


Reboot and post back a fresh HijackThis log and we will take another look, MrC


#6 bobapunk

bobapunk

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 22 April 2006 - 11:13 AM

Ok, I followed your steps exactly. After rebooting, the BHOs have reappeared in the HJT log. I "fixed" them, and rebooted again, and they came back again.

The cwmxqqm seems to be gone though.

Current Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:04:40 PM, on 4/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
F:\ewido anti-malware\ewidoctrl.exe
F:\ewido anti-malware\ewidoguard.exe
E:\WINNT\system32\hidserv.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\Explorer.EXE
F:\Spy Bot\Spybot - Search & Destroy\TeaTimer.exe
F:\ZoneLabs\ZoneAlarm\zapro.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
F:\Hijack This\HijackThis.exe
E:\WINNT\system32\ZoneLabs\vsmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spy Bot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = F:\ZoneLabs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145128298996
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.2_01) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} -
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -
O18 - Protocol: bw+0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - F:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINNT\system32\ZoneLabs\vsmon.exe

#7 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 22 April 2006 - 11:33 AM

Those are harmless - just clutter - but it's my mistake - I forgot to tell you to...

Please disable TeaTimer by opening Spybot SD and on the left menu choose Tools and then Resident. In the right hand pane you will see a check box for TeaTimer and for SDHelper. Please uncheck both boxes and then close Spybot. You can reinstate it later but we don't want it interfering with what we need to do. Reboot when done.

-----------------

Then........


Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items:

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.2_01) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} -
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -

Click on Fix Checked and exit HijackThis.

Reboot and post a fresh HijackThis log and we'll take another look. MrC
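
The two fixes MrC asked for in posts #5 and #7 are the kind of thing a helper reads straight off a HijackThis log: an F2 UserInit value with a second executable chained after userinit.exe (the cwmxqqm.exe entry), and O2/O16 entries that point at nothing ("(no file)", or a DPF line with no download URL), which MrC calls harmless clutter. The script below is an added example, not part of this thread and not code from HijackThis, FindQool or any of the tools mentioned: it parses log lines in the HijackThis 1.99.1 format shown above and triages them into a high-severity finding for the UserInit chain and low-severity findings for the orphaned entries. The sample lines are constructed to mirror the ones posted here; the download URL in them is a placeholder, and the `Finding` class, regexes and severity labels are this example's own choices, not a HijackThis convention.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99.1 format, modelled on the entries
# posted in this thread. The .cab URL is a placeholder, not a real address.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=E:\WINNT\system32\userinit.exe,cwmxqqm.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://example.invalid/placeholder.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
"""

# Line shapes as HijackThis prints them (section tag, dash, payload).
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.+)$", re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-F-]+)\} - (.*)$", re.IGNORECASE)
DPF_RE = re.compile(r"^O16 - DPF: \{([0-9A-F-]+)\}(?: \((.*?)\))? - ?(.*)$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high" or "low" (this example's own scale)
    line: str      # the log line that triggered the finding
    reason: str


def userinit_extras(value: str) -> list[str]:
    """Return every program chained onto UserInit other than userinit.exe itself.

    Winlogon runs each comma-separated entry at logon, so anything extra here
    is a persistence point that survives ordinary startup-folder cleanup.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().split("\\")[-1] != "userinit.exe"]


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis-format lines and return findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = USERINIT_RE.match(line)
        if m:
            for exe in userinit_extras(m.group(1)):
                findings.append(Finding("high", line,
                                        f"extra program chained onto UserInit: {exe}"))
            continue

        m = BHO_RE.match(line)
        if m and m.group(3).strip().lower() == "(no file)":
            # Registry entry left behind after the DLL is gone: clutter, not a threat.
            findings.append(Finding("low", line,
                                    "BHO registration with no backing file (orphaned clutter)"))
            continue

        m = DPF_RE.match(line)
        if m and not m.group(3).strip():
            # Downloaded Program Files entry with no source URL: same orphaned clutter.
            findings.append(Finding("low", line,
                                    "ActiveX download entry with no source URL (orphaned clutter)"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a helper sees at a glance what matters."""
    counts = {"high": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def main() -> None:
    findings = triage(SAMPLE_LOG)
    for f in findings:
        print(f"[{f.severity.upper()}] {f.reason}\n    {f.line}")
    print(summarize(findings))


if __name__ == "__main__":
    main()
```

Run it as-is and the one HIGH finding is the cwmxqqm.exe chained onto UserInit, the same line MrC singled out for KillBox; the two LOW findings are the empty BHO and DPF entries, which HijackThis can remove but which a resident shield like TeaTimer may put straight back, hence the instruction to disable it first. The O4 and healthy O2/O16 lines produce nothing, which is the point: triage should draw the eye to the persistence entry, not to clutter.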


#8 bobapunk

bobapunk

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 22 April 2006 - 01:55 PM

Ok, disabled Tea Timer. Also set that Ulead process to "manual" (it was something from my DVD burning prog; I don't need it auto starting).

Here is my current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:46:18 PM, on 4/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
F:\ewido anti-malware\ewidoctrl.exe
F:\ewido anti-malware\ewidoguard.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\system32\ZoneLabs\vsmon.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\Explorer.EXE
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
F:\ZoneLabs\ZoneAlarm\zapro.exe
F:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: ZoneAlarm Pro.lnk = F:\ZoneLabs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145128298996
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O18 - Protocol: bw+0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - F:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - F:\Nero\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINNT\system32\ZoneLabs\vsmon.exe

Thanks for your help so far. I am looking for anything else I can get rid of or keep from auto starting. I am running an 866 MHz chip here, so anything that will use less CPU time or help start-up faster would be great.

Here is my "startuplist.txt" from HJT:

StartupList report, 4/22/2006, 2:50:31 PM
StartupList version: 1.52.2
Started from : F:\Hijack This\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
F:\ewido anti-malware\ewidoctrl.exe
F:\ewido anti-malware\ewidoguard.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\system32\ZoneLabs\vsmon.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\Explorer.EXE
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
F:\ZoneLabs\ZoneAlarm\zapro.exe
F:\Hijack This\HijackThis.exe
F:\Firefox\firefox.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[E:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup]
ZoneAlarm Pro.lnk = F:\ZoneLabs\ZoneAlarm\zapro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINNT\SYSTEM32\Userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon

--------------------------------------------------

Shell & screensaver key from E:\WINNT\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=E:\WINNT\system32\FORDGT~1.SCR
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=E:\WINNT\system32\FORDGT~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

QIC Autoupdate.job
QIC Messenger Bkup.job
QIC Messenger Periodic.job

--------------------------------------------------

Enumerating Download Program Files:

[MUWebControl Class]
InProcServer32 = E:\WINNT\system32\muweb.dll
CODEBASE = http://update.micros...b?1145128298996

[{B1826A9F-4AA0-4510-BA77-9013E74E4B9B}]
CODEBASE = http://www.trendmicr...scan/as4web.cab

[Shockwave Flash Object]
InProcServer32 = E:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: E:\WINNT\system32\NETSHELL.dll
WebCheck: E:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 4,115 bytes
Report generated in 0.030 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Thanks again!

#9 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 22 April 2006 - 02:44 PM

I want to check one more thing.

Download: Registry Search Tool from this link (it's about 2/3 down the page)
http://billsway.com/vbspage/

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in blue then hit OK
cwmxqqm.exe
Let it run, then copy and paste the results back here.

--------------------------

You have Logitech Desktop Messenger running on the system:

Logitech® Desktop Messenger (LDM) is a free service designed to deliver software support, news and information you can use. LDM ensures that you have simple, speedy, and effortless access to product upgrades, technology tips, and technology news and offers that are relevant to you. LDM delivers information right to your desktop, allowing you to take advantage of all of the advanced features of the Logitech products you own, while staying abreast of new computer-related product and service developments (Logitech and otherwise) that are applicable to your life.


How can I disable it?
To disable this service, simply go to "Start," "Programs," "Logitech," and click on "Desktop Messenger." There are two check boxes which are self descriptive. You can choose to disable either or both check boxes.
This link HERE explains it.

If you do disable it - have HJT fix all of these 018 entries:

Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items:

O18 - Protocol: bw00 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
all of these

Click on Fix Checked and exit HijackThis.

-----------------------------

You can also have HJT fix this one:
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
Check the link below for info on it:
http://www.greatis.c...mobsync.exe.htm
-------------------------------

You can also download and run CCleaner from the link below; it removes all temp files. You can use the default settings, just uncheck "cookies".
http://www.ccleaner.com/

Let me know, MrC
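
The pattern MrC is checking above (dozens of O18 protocol handlers that all resolve to one Logitech DLL, a service with "Unknown owner", a BHO whose file is missing, the Run-key autorun) is easy to pull out of a pasted log automatically. The following is an added example, not part of this thread or of HijackThis itself; it parses lines in the 1.99.1 log format and summarises those four things, using a constructed sample built from the entry shapes seen above:

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the exact format HijackThis 1.99.1
# prints, modelled on the entry shapes seen in the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O18 - Protocol: bw00 - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {440A0D91-41CD-4B33-AEBF-AAFD83314F02} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINNT\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(?P<sect>[OR]\d+) - (?P<rest>.+)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
MISSING = " (file missing)"


def parse_hjt_line(line):
    """Return (section, fields) for one HijackThis line, or None for non-entry text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sect, rest = m.group("sect"), m.group("rest")
    # O18 and O2 share the shape "<label>: <name> - {CLSID} - <path>"; O23 is
    # "<name> - <owner> - <path>". rsplit keeps any " - " inside the name intact.
    if sect == "O18" and rest.startswith("Protocol: "):
        name, clsid, path = rest[len("Protocol: "):].rsplit(" - ", 2)
        return sect, {"name": name, "clsid": clsid, "path": path}
    if sect == "O2" and rest.startswith("BHO: "):
        name, clsid, path = rest[len("BHO: "):].rsplit(" - ", 2)
        return sect, {"name": name, "clsid": clsid,
                      "path": path.replace(MISSING, ""),
                      "missing": path.endswith(MISSING)}
    if sect == "O23" and rest.startswith("Service: "):
        name, owner, path = rest[len("Service: "):].rsplit(" - ", 2)
        return sect, {"name": name, "owner": owner, "path": path}
    if sect == "O4":
        m4 = O4_RE.match(rest)
        if m4:
            return sect, m4.groupdict()
    return sect, {"raw": rest}          # recognised section, not summarised here


def triage(log_text):
    """Summarise the entries a helper would look at first in a pasted log."""
    by_dll = defaultdict(list)
    report = {"missing_files": [], "unknown_owner_services": [], "autoruns": []}
    for line in log_text.splitlines():
        parsed = parse_hjt_line(line)
        if parsed is None:
            continue
        sect, f = parsed
        if sect == "O18":
            by_dll[f["path"]].append(f["name"])     # many handler names, one DLL
        elif sect == "O2" and f.get("missing"):
            report["missing_files"].append(f["path"])
        elif sect == "O23" and f.get("owner") == "Unknown owner":
            report["unknown_owner_services"].append(f["path"])
        elif sect == "O4" and "cmd" in f:
            report["autoruns"].append((f["key"], f["name"], f["cmd"]))
    report["o18_by_dll"] = {dll: sorted(names) for dll, names in by_dll.items()}
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for dll, names in r["o18_by_dll"].items():
        print(f"{len(names):3d} protocol handler(s) -> {dll}")
    print("BHOs with missing file:", r["missing_files"])
    print("Services with unknown owner:", r["unknown_owner_services"])
    print("Run-key autoruns:", r["autoruns"])
```

Paste a full log in place of SAMPLE_LOG and the O18 grouping shows at a glance whether all those handler names belong to one installed product, as they do here, or to several DLLs worth a closer look.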


#10 bobapunk

bobapunk

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 22 April 2006 - 09:20 PM

Ok,

Reg Srch did not find cwmxqqm

I disabled "mobsync"

I looked into the Logitech Messenger. I already had it disabled so I "fixed" all of the HJT entries.

I've got "ATF Cleaner", haven't looked at the CCleaner yet.

Anyway, here is my current HJT log. It looks a lot better to me; then again, what do I know...

Logfile of HijackThis v1.99.1
Scan saved at 10:10:47 PM, on 4/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
F:\ewido anti-malware\ewidoctrl.exe
F:\ewido anti-malware\ewidoguard.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\Explorer.EXE
F:\ZoneLabs\ZoneAlarm\zapro.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\ZoneLabs\vsmon.exe
F:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - Global Startup: ZoneAlarm Pro.lnk = F:\ZoneLabs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office\Office10\EXCEL.EXE/3000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145128298996
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - F:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - F:\Nero\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINNT\system32\ZoneLabs\vsmon.exe

#11 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 23 April 2006 - 05:49 AM

Reg Srch did not find cwmxqqm

Good, I was just checking

I disabled "mobsync"

Good

I looked into the Logitech Messenger. I already had it disabled so I "fixed" all of the HJT entries.

Great and the HJT log looks OK :thumbup:

If you have any questions - please post back

I'll leave you with........

Some preventive maintenance:

------------------Must have or do:-----------------

Now that you're clean: <----Important Step!!!!
Delete your system restore files and create a new restore point:
(ME and XP users only)

XP system restore

ME system restore

Visit Windows Update and install all the latest critical updates.

Install these two free programs; they sit in the background and protect your system from spyware and adware being installed, and from your browser being hijacked.

SpywareBlaster Check for updates weekly.

SpywareGuard

IE-SPYAD
Puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
or try the new ZonedOut

Blocking Unwanted Parasites with a Hosts File

Need a free anti virus?
AVG*free
(check for updates - daily)
Avast free

How about a firewall? The front door to your computer.
ZoneAlarm*free

Other free firewalls

Keep those temp files off your system use
CCleaner
Uncheck "Cookies" under "Internet Explorer".
or
ATF Cleaner - hit "Select All" (unchecking cookies is optional; leave it checked if you want to delete all cookies), then just uncheck "Cookies", then "Empty Selected". That will clear out all the temp files on the system.


IMPORTANT!!
Keep your Sun Java up-to-date
Download page
Delete ALL old versions from add/remove programs if listed!

----------Free malware removal programs:----------

SpyBot
AD-Aware
CW-Shredder

Ewido trojan scanner<---VERY GOOD! (XP and 2K only)

Please consider using FireFox instead of Internet Explorer. A more secure browser! Easy to make the change!
FireFox Tutorial


Pop-up stoppers:
GoogleToolBar
Pop-upStopperFree

Disable Windows MessengerXP - 2K (stops pop-up ads -etc):
Disabling Messenger Service in Windows XP
How to Remove Windows Messenger on Windows XP
How to Remove Windows Messenger on Windows XP
Shoot The Messenger

Don't open e-mail attachments without first scanning them with an up-to-date
anti virus program, even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.
Watch your surfing habits, don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

Good luck and thanks for using the forum - MrC
:wavey:

#12 bobapunk

bobapunk

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 23 April 2006 - 09:07 AM

Thanks for all of your help MrC. I know you guys put a lot of time and effort into helping people just for the sake of helping; it is much appreciated!

------------------Must have or do:-----------------

Now that you're clean: <----Important Step!!!!
Delete your system restore files and create a new restore point:
(ME and XP users only)

I have 2k Pro, so I can not do this

Visit Windows Update and install all the latest critical updates.

I have auto update enabled. Every time I see the icon in my sys tray, I run the updates.

Install these two free programs; they sit in the background and protect your system from spyware and adware being installed, and from your browser being hijacked.

SpywareBlaster Check for updates weekly.

Been using Spyware Blaster since Dec of 2004! I need to get in a better habit of updating it though.

SpywareGuard

I will have to look into that. There are no conflicts with running Spyware Blaster, Tea Timer, and this at the same time?

IE-SPYAD
Puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
or try the new ZonedOut

Great! I will add those to my anti-mal-ware "cocktail"!

Blocking Unwanted Parasites with a Hosts File

Neat trick; reminds me of my old NT4 admin days...

Need a free anti virus?
AVG*free
(check for updates - daily)
Avast free

I use Trend Micro. What is your opinion on them?

How about a firewall? The front door to your computer.
ZoneAlarm*free

Been using Zone Alarm since 1999 or so!

Keep those temp files off your system use
CCleaner
Uncheck "Cookies" under "Internet Explorer".
or
ATF Cleaner - hit "Select All" (unchecking cookies is optional; leave it checked if you want to delete all cookies), then just uncheck "Cookies", then "Empty Selected". That will clear out all the temp files on the system.

Been using those since I learned about them here. I've got to remember to uncheck the URL auto complete though. Sometimes I have a hard time finding my way back.

IMPORTANT!!
Keep your Sun Java up-to-date
Download page
Delete ALL old versions from add/remove programs if listed!

----------Free malware removal programs:----------

SpyBot
AD-Aware
CW-Shredder

Ewido trojan scanner<---VERY GOOD! (XP and 2K only)

I have and use all of these!

Please consider using FireFox instead of Internet Explorer. A more secure browser! Easy to make the change!
FireFox Tutorial

Started using Opera in 1999 I think. Been using Fire Fox for over a year now.


Pop-up stoppers:
GoogleToolBar
Pop-upStopperFree

I don't have much of an issue with pop-ups, I thank Fire Fox for that!

Disable Windows MessengerXP - 2K (stops pop-up ads -etc):
Disabling Messenger Service in Windows XP
How to Remove Windows Messenger on Windows XP
How to Remove Windows Messenger on Windows XP
Shoot The Messenger

Yep, disabled that a long time ago.

Don't open e-mail attachments without first scanning them with an up-to-date
anti virus program, even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.
Watch your surfing habits, don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

Good tips, I follow those already. Heck, in the past 8 years I have only been infected by one virus!

Good luck and thanks for using the forum - MrC :wavey:

Thanks again for all of your time and help!

#13 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 23 April 2006 - 10:50 AM

SpywareGuard: I will have to look into that. There are no conflicts with running Spyware Blaster, Tea Timer, and this at the same time?


No conflicts that I know of - This is what I run.

Good Luck, MrC


#14 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 30 April 2006 - 08:58 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
