Welcome to MalwareRemoval.com
Winbmsv1.exe - how do I remove it for good?


Unread postby ItsTheWooo » August 2nd, 2006, 1:15 am

I had pretty much the same horrific mess this individual had on his computer:
http://www.malwareremoval.com/forum/viewtopic.php?t=11948

On my own, I cleaned things up with adaware, several look2me fixes, and a few others.

This thing is like a hydra. The other programs/cookies/popups are like heads, and cutting them off just means they'll grow back.

There's no more pop ups, no more cookies, no more malicious programs, everything is operable...

...except the beast keeps reinstalling itself.

I believe winbmsv1 is the heart of it, since it is the *last* relic of the infection. I can't seem to make it go away. No matter how many times I delete the entry in hijackthis, no matter how many times I delete the exe in system32, it just comes back again. If it's back in, and I leave my computer on, it's only a matter of time till it's loaded with all kinds of garbage.

I prevent another "outbreak" of malicious programs by having prevx1 catch winbmsv1 when it tries to load itself through smss. If it gets in, it is only a matter of time till the computer is infested with "heads" of the hydra, and it is unsafe & inoperable.

So the question is, how do I fix this for real? How do I get RID Of this winbmsv1 thing?

Thank you!
------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:26:46 AM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Laura Velli\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: winbmsv1 - C:\WINDOWS\system32\winbmsv1.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
ItsTheWooo
Active Member
Posts: 3
Joined: August 2nd, 2006, 12:27 am

Unread postby waterfalls » August 2nd, 2006, 2:54 am

Hi,

Welcome to MalwareRemoval! Please do the following.

• Open HijackThis, click Open the Misc Tools section, then click Delete a file on bootup
- a window will open
- Where it says "File Name" - copy and paste: C:\Windows\System32\winbmsv1.dll
- Click Open
- A prompt will appear advising you that the file will be deleted and asking if you want to reboot now
- Click Yes
- Your computer will now reboot.

• Please perform this online scan: Kaspersky Online Scanner
1. Read the Requirements and Privacy statement, then select Accept
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select Install to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click Allow
5. When the download is complete it will say ready, click Next
6. Click Scan Settings and check the option to use the EXTENDED DATABASE, then click OK
7. Select a target to scan: Click on My Computer
8. When the scan is complete choose to save the results as Save as Text

• Post back with the results of the Kaspersky scan and a new HijackThis log.
waterfalls
MRU Emeritus
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby ItsTheWooo » August 2nd, 2006, 1:40 pm

Infected Object Name Virus Name Last Action
C:\.quarantine\F1REFOX.EXE.Vir Infected: P2P-Worm.Win32.SpyBot.gl skipped

C:\Documents and Settings\Laura Velli\Local Settings\Temp\art51FA.tmp Infected: Trojan-Proxy.Win32.Xorpix.ag skipped

C:\Documents and Settings\Laura Velli\Local Settings\Temp\art567C.tmp Infected: Trojan-Proxy.Win32.Xorpix.ag skipped

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

C:\Program Files\MSN Gaming Zone\hosec.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{963EAD61-AA34-470E-9B92-DE1FCDCA3245}\RP655\A0314126.dll Infected: not-a-virus:AdWare.Win32.Agent.e skipped

C:\System Volume Information\_restore{963EAD61-AA34-470E-9B92-DE1FCDCA3245}\RP655\A0314137.exe Infected: Trojan-Downloader.Win32.Small.cyb skipped

C:\System Volume Information\_restore{963EAD61-AA34-470E-9B92-DE1FCDCA3245}\RP655\A0314144.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped

C:\System Volume Information\_restore{963EAD61-AA34-470E-9B92-DE1FCDCA3245}\RP655\A0314146.exe Infected: Trojan-Downloader.Win32.Tibs.gc skipped

C:\WINDOWS\mviiyik.exe Infected: Trojan-Clicker.Win32.VB.ij skipped

C:\WINDOWS\mviiyikA.exe Infected: Trojan-Downloader.Win32.VB.nw skipped

C:\WINDOWS\pdbmcr.dll Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\WINDOWS\srvdgytjqh.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped

C:\WINDOWS\srvdgytjqh.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped

C:\WINDOWS\srvdgytjqh.exe NSIS: infected - 2 skipped

C:\WINDOWS\srvktvemks.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ep skipped

C:\WINDOWS\srvktvemks.exe NSIS: infected - 1 skipped

C:\WINDOWS\system32\2236_28.dll Infected: Trojan.Win32.Agent.pk skipped

C:\WINDOWS\system32\be576c11.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\WINDOWS\system32\bez6n4r21.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped

C:\WINDOWS\system32\iqqr.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped

C:\WINDOWS\system32\maxd641.exe Infected: Trojan.Win32.Dialer.pw skipped

C:\WINDOWS\system32\mscdaux.dll Infected: Backdoor.Win32.Delf.aml skipped

C:\WINDOWS\system32\n9nyb.exe Infected: Trojan.Win32.Runner.j skipped

C:\WINDOWS\system32\redist.dll Infected: Trojan.Win32.Agent.sx skipped

C:\WINDOWS\system32\wba549d2.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped

C:\WINDOWS\system32\WinNB58.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped

C:\WINDOWS\system32bez6n4r21.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped

C:\WINDOWS\system32n9nyb.exe Infected: Trojan.Win32.Runner.j skipped

C:\WINDOWS\unin101.exe Infected: Trojan.Win32.VB.tg skipped

C:\WINDOWS\uni_eh.exe Infected: Trojan.Win32.VB.tg skipped

===============================================
Logfile of HijackThis v1.99.1
Scan saved at 1:40:07 PM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Laura Velli\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
ItsTheWooo
Active Member
Posts: 3
Joined: August 2nd, 2006, 12:27 am
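The line worth understanding in the first log is the O20 entry: a Winlogon Notify package is a DLL that winlogon.exe loads at every logon, so deleting winbmsv1.exe from system32 leaves the loader in place and the executable simply comes back. Below is an added Python example, written for this thread rather than taken from HijackThis or from the forum's own tools, that parses the entry lines of the two HijackThis logs posted above, flags Winlogon Notify packages that are not on an analyst-maintained allowlist (the allowlist is an assumption; WgaLogon is Microsoft's Windows Genuine Advantage notification DLL), reports O23 service lines whose binary path is malformed (the Prevx Agent line carries a stray quote and "(file missing)"), and diffs the two logs to show what changed between the 12:26 AM and 1:40 PM scans. The sample input is built from lines copied out of those two logs.

```python
"""Triage helpers for HijackThis v1.99 logs (added example, not a HijackThis feature)."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: lines copied from the two HijackThis logs in this thread
# (12:26 AM and 1:40 PM on 8/2/2006), trimmed to the entries that matter here.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O20 - Winlogon Notify: winbmsv1 - C:\WINDOWS\system32\winbmsv1.dll
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
"""

# Assumed allowlist of Winlogon Notify packages the analyst has already vetted.
# WgaLogon is the Windows Genuine Advantage notification DLL; extend it as you verify more.
KNOWN_NOTIFY = {"WgaLogon"}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")
SERVICE_RE = re.compile(r"^Service: .*?\(([^)]+)\) - (?:.*?) - (.*)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every HijackThis entry line (R0, O4, O20, ...)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def winlogon_notify(entries) -> Dict[str, str]:
    """Map Winlogon Notify package name -> DLL path, taken from the O20 entries."""
    found = {}
    for section, body in entries:
        if section == "O20":
            m = NOTIFY_RE.match(body)
            if m:
                found[m.group(1)] = m.group(2)
    return found


def suspicious_notify(entries, allowlist=KNOWN_NOTIFY) -> List[str]:
    """Winlogon Notify packages not on the allowlist. A DLL registered here is loaded
    by winlogon.exe at every logon, which is why deleting winbmsv1.exe alone did not
    stop the reinfection described in the thread."""
    return sorted(name for name in winlogon_notify(entries) if name not in allowlist)


def malformed_service_paths(entries) -> List[Tuple[str, str]]:
    """O23 services whose binary path looks wrong: unbalanced quotes or a missing file."""
    problems = []
    for section, body in entries:
        if section != "O23":
            continue
        m = SERVICE_RE.match(body)
        if not m:
            continue
        short_name, path = m.group(1), m.group(2)
        reasons = []
        if path.count('"') % 2:
            reasons.append("unbalanced quotes")
        if path.endswith("(file missing)"):
            reasons.append("file missing")
        if reasons:
            problems.append((short_name, "; ".join(reasons)))
    return problems


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entry lines added and removed between two logs of the same machine."""
    b = {f"{s} - {body}" for s, body in parse_hjt(before)}
    a = {f"{s} - {body}" for s, body in parse_hjt(after)}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    print("suspicious O20 before:", suspicious_notify(parse_hjt(LOG_BEFORE)))
    print("suspicious O20 after: ", suspicious_notify(parse_hjt(LOG_AFTER)))
    print("bad O23 paths:", malformed_service_paths(parse_hjt(LOG_BEFORE)))
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("added:", added)
    print("removed:", removed)
```

Run against the two full logs, the diff shows the winbmsv1 O20 entry gone after the delete-on-reboot step and only the Kaspersky scanner control (O16) and the WgaLogon notify package appearing in its place; the Prevx service line is flagged in both logs because the path is malformed, not because it changed.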

Unread postby waterfalls » August 2nd, 2006, 6:02 pm

Hi,

Please follow these directions. You will need to print or copy these instructions because you will be working in Safe Mode without an Internet connection.

• Download and install Ewido Anti-Spyware 4
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\ewido anti-spyware 4.0 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on ewido in the system tray and uncheck "Start with Windows".
7. Go to Start > Run and type: services.msc
  • Press "OK".
  • In Services, click the "Extended tab" and scroll down the list to find ewido anti-spyware 4.0 guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close the Services window.
8. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
9. Exit Ewido when done.
Do NOT perform a scan yet.

• Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

• Clean out your Temporary Internet files.
Close ALL browsers and ALL open windows.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin

Close ALL open Windows / Programs / Folders.

• Scan with Ewido as follows:
1. Launch Ewido, click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\ewido anti-spyware 4.0\Reports\
6. Exit Ewido when done.

Note: Close all open windows, programs, and DO NOT USE the computer while Ewido is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper Ewido's ability to clean properly and may result in reinfection.

Note: If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.

• Post back with the results of the Ewido scan and a new HijackThis log.
waterfalls
MRU Emeritus
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby ItsTheWooo » August 2nd, 2006, 7:46 pm

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:34:14 PM 8/2/2006

+ Scan result:



C:\System Volume Information\_restore{963EAD61-AA34-470E-9B92-DE1FCDCA3245}\RP655\A0314126.dll -> Adware.Agent : No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng -> Adware.BargainBuddy : No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng\Enum -> Adware.BargainBuddy : No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng\Security -> Adware.BargainBuddy : No action taken.
HKU\S-1-5-21-73586283-1606980848-1060284298-1003\Software\BraveSentry -> Adware.Bravesentry : No action taken.
HKU\S-1-5-21-73586283-1606980848-1060284298-1003\Software\BraveSentry\Scan -> Adware.Bravesentry : No action taken.
HKU\S-1-5-21-73586283-1606980848-1060284298-1003\Software\BraveSentry\System Security -> Adware.Bravesentry : No action taken.
HKU\S-1-5-21-73586283-1606980848-1060284298-1003\Software\BraveSentry\Updates -> Adware.Bravesentry : No action taken.
C:\WINDOWS\system32\nvc49933.dll -> Adware.IEHelper : No action taken.
C:\System Volume Information\_restore{963EAD61-AA34-470E-9B92-DE1FCDCA3245}\RP655\A0314144.exe -> Adware.MediaMotor : No action taken.
C:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : No action taken.
C:\System Volume Information\_restore{963EAD61-AA34-470E-9B92-DE1FCDCA3245}\RP657\A0316309.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\system32\bez6n4r21.exe -> Adware.SearchAssistant : No action taken.
C:\System Volume Information\_restore{963EAD61-AA34-470E-9B92-DE1FCDCA3245}\RP657\A0316306.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\system32\iqqr.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\system32\n9nyb.exe -> Adware.Suggestor : No action taken.
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : No action taken.
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : No action taken.
HKU\S-1-5-21-73586283-1606980848-1060284298-1003\Software\SurfSideKick3 -> Adware.SurfSide : No action taken.
HKU\S-1-5-21-73586283-1606980848-1060284298-1003\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : No action taken.
C:\WINDOWS\system32\mscdaux.dll -> Backdoor.Delf.aml : No action taken.
C:\WINDOWS\system32\wba549d2.dll -> Downloader.Agent.ahv : No action taken.
C:\WINDOWS\system32\wba49c18.dll -> Downloader.Small : No action taken.
C:\WINDOWS\pdbmcr.dll -> Downloader.Small.ajc : No action taken.
C:\Program Files\MSN Gaming Zone\hosec.dll -> Downloader.Small.ctp : No action taken.
C:\System Volume Information\_restore{963EAD61-AA34-470E-9B92-DE1FCDCA3245}\RP655\A0314137.exe -> Downloader.Small.cyb : No action taken.
C:\System Volume Information\_restore{963EAD61-AA34-470E-9B92-DE1FCDCA3245}\RP655\A0314146.exe -> Downloader.Tibs.gc : No action taken.
C:\WINDOWS\mviiyikA.exe -> Downloader.VB.nw : No action taken.
C:\.quarantine\F1REFOX.EXE.Vir -> Heuristic.Win32.Morphine-Crypted : No action taken.
C:\Program Files\Windows Media Player\hoxym.html -> Hijacker.Small.jf : No action taken.
C:\Documents and Settings\Laura Velli\Local Settings\Temp\art51FA.tmp -> Proxy.Xorpix.ag : No action taken.
C:\Documents and Settings\Laura Velli\Local Settings\Temp\art567C.tmp -> Proxy.Xorpix.ag : No action taken.
C:\WINDOWS\Temp\Cookies\laura velli@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\WINDOWS\Temp\Cookies\laura velli@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\WINDOWS\Temp\Cookies\laura velli@data2.perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\WINDOWS\Temp\Cookies\laura velli@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\WINDOWS\Temp\Cookies\laura velli@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\WINDOWS\system32\2236_28.dll -> Trojan.Agent.pk : No action taken.
C:\WINDOWS\system32\redist.dll -> Trojan.Agent.sx : No action taken.
C:\WINDOWS\system32\maxd641.exe -> Trojan.Dialer.pw : No action taken.
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : No action taken.
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : No action taken.


::Report end

==========================================

Logfile of HijackThis v1.99.1
Scan saved at 7:45:58 PM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Laura Velli\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
ItsTheWooo
Active Member
Posts: 3
Joined: August 2nd, 2006, 12:27 am

Unread postby waterfalls » August 3rd, 2006, 4:54 am

Hi,

It looks like you did not set up Ewido properly.

You must fix the settings for Quarantine, and you must click "Apply all actions" after the scan.

Please perform a Full/Complete System scan again with Ewido and follow the instructions above.
waterfalls
MRU Emeritus
Posts: 70
Joined: December 23rd, 2005, 10:16 am
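The point waterfalls makes above is that every line of the posted ewido report ends in "No action taken.", which means the scan detected but did not quarantine anything. As an added example, written for this thread and not part of ewido or the forum's own tooling, the Python below parses an ewido 4 report, tallies the actions, lists the detections that still need handling, separates registry-key findings from file findings, and answers the one question an analyst has to ask before reading the next log: was anything actually acted on? The sample is built from lines copied out of the report above plus one assumed line (example_assumed.dll) showing the wording of a quarantined result.

```python
"""Check an ewido anti-spyware 4 scan report for detections that were not acted on.
Added example for this thread; not part of ewido or the forum's own tooling."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    obj: str      # file path or registry key
    family: str   # ewido's detection name, e.g. Adware.BargainBuddy
    action: str   # what ewido did, without the trailing period


# Constructed sample: lines copied from the report posted above, plus one assumed line
# (example_assumed.dll) showing the wording of a quarantined result.
REPORT = r"""
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:34:14 PM 8/2/2006

+ Scan result:

HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng -> Adware.BargainBuddy : No action taken.
C:\WINDOWS\system32\mscdaux.dll -> Backdoor.Delf.aml : No action taken.
C:\WINDOWS\system32\wba549d2.dll -> Downloader.Agent.ahv : No action taken.
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\WINDOWS\system32\2236_28.dll -> Trojan.Agent.pk : No action taken.
C:\WINDOWS\system32\example_assumed.dll -> Trojan.Agent.zz : Cleaned with backup (quarantined).

::Report end
"""

FINDING_RE = re.compile(r"^(?P<obj>.+?) -> (?P<family>\S+) : (?P<action>.+?)\.?$")
REGISTRY_PREFIXES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")


def parse_report(text: str) -> List[Finding]:
    """Extract one Finding per 'object -> family : action.' line; header lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(Finding(m["obj"], m["family"], m["action"]))
    return findings


def action_counts(findings: List[Finding]) -> Dict[str, int]:
    """How many findings ended in each action (e.g. 'No action taken')."""
    return dict(Counter(f.action for f in findings))


def unhandled(findings: List[Finding]) -> List[Finding]:
    """Detections ewido reported but did not clean or quarantine."""
    return [f for f in findings if f.action.lower().startswith("no action")]


def remediation_complete(findings: List[Finding]) -> bool:
    """True only when every detection was acted on, i.e. the scan settings were right."""
    return bool(findings) and not unhandled(findings)


def by_category(findings: List[Finding]) -> Dict[str, int]:
    """Tally by the leading component of ewido's name: Adware, Trojan, TrackingCookie, ..."""
    return dict(Counter(f.family.split(".", 1)[0] for f in findings))


def registry_findings(findings: List[Finding]) -> List[Finding]:
    """Findings that are registry keys rather than files; these survive file deletion
    and are the kind of leftover that a file-only cleanup misses."""
    return [f for f in findings if f.obj.startswith(REGISTRY_PREFIXES)]


if __name__ == "__main__":
    found = parse_report(REPORT)
    print("actions:", action_counts(found))
    print("by category:", by_category(found))
    print("registry keys:", [f.obj for f in registry_findings(found)])
    print("remediation complete:", remediation_complete(found))
    for f in unhandled(found):
        print("  still unhandled:", f.obj, "->", f.family)
```

On the full report posted above, remediation_complete returns False and every finding lands in the unhandled list, which is exactly the condition that should send the user back to the "Recommended actions: Quarantine" setting and the "Apply all actions" button before posting another log.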

Unread postby 'KotaGuy » August 20th, 2006, 4:24 pm

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
'KotaGuy
Admin/Teacher Emeritus
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada