

binace spyware?


#1 scottpope



  • New Member
  • 1 posts

Posted 28 July 2004 - 12:38 PM

I never got badly infected before, please help.

I think I got infected by downloading the update to MsgrPlus, but I'm not certain.
I already ran Spybot and Adaware and CWShredder, and they got rid of one of the Search spyware and something that said keylogger, but I keep getting my StartupMonitor warning me about a program called "binace" trying to run C:\PROGRA~1\IdleList\Birdwma01.exe, for which Google came up with nothing.

Thanks so much,

Logfile of HijackThis v1.97.7
Scan saved at 12:36:33 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\uphclean\uphclean.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\PaulB\GetHotmail\GetMail\GetMail.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pope\Desktop\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.ufozwkolt...lqJZFoCtM.html"); (C:\Program Files\Netscape\Users\asdfds\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINNT\MMKeybd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\System32\taskswitch.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [getmail] "C:\Program Files\PaulB\GetHotmail\GetMail\GetMail.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom In - C:\WINDOWS\web\zoomin.htm
O8 - Extra context menu item: Zoom Out - C:\WINDOWS\web\zoomout.htm
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8111.5059722222
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 LoPhatPhuud


    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 28 July 2004 - 06:01 PM

Your log is actually clean. The problem you describe with 'binace' sounds like an LOP infection. MessengerPlus, in its various forms, has been known to invite LOP. Unless you are really attached to it, I would remove Messenger Plus via Add/Remove Programs.

Also, if you installed PowerMenu, or are aware of it, fine. Here is the log entry:

O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on

I am suspicious because of the 'Hide' feature.

Once you have this done, post a new HiJackThis log in this thread and let me know if there are any other problems.
Microsoft MVP Windows-Security 2005

When angry count four; when very angry, swear
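
Added example, not part of the thread and not HijackThis code: a small Python parser for the O4 (autostart) lines of a HijackThis log that checks whether a reported executable, such as the path from the StartupMonitor warning in post #1, is registered to start automatically. The sample lines are copied from the log above; the function names are hypothetical, and the 8.3 short-name comparison (PROGRA~1 against Program Files) is a heuristic that assumes the default first-six-characters naming.

```python
import re

# Constructed sample: a few O4 (autostart) lines copied from the log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
"""

RUN_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")    # registry Run keys
LNK_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")   # Startup folder links
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|cpl))', re.I)     # quoted or bare path
SHORT_RE = re.compile(r"([^~]{1,6})~\d+(\..*)?")                     # 8.3 name, e.g. PROGRA~1

def parse_o4(log):
    """Return (location, name, executable_path) for each O4 line."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip()) or LNK_RE.match(line.strip())
        if m:
            exe = EXE_RE.match(m.group(3))
            path = (exe.group(1) or exe.group(2)) if exe else m.group(3)
            entries.append((m.group(1), m.group(2), path))
    return entries

def component_matches(a, b):
    """Compare one path component, letting an 8.3 short name such as
    PROGRA~1 match a long name with the same first six characters.
    Heuristic only: hash-style short names are not handled."""
    a, b = a.upper(), b.upper()
    if a == b:
        return True
    for short, long_name in ((a, b), (b, a)):
        m = SHORT_RE.fullmatch(short)
        if m and re.sub(r"[ .]", "", long_name).startswith(m.group(1)):
            return True
    return False

def same_path(p, q):
    """Case-insensitive, short-name-aware comparison of two Windows paths."""
    p_parts, q_parts = p.split("\\"), q.split("\\")
    return len(p_parts) == len(q_parts) and all(
        component_matches(a, b) for a, b in zip(p_parts, q_parts))

def find_autostart(entries, path):
    """Return the names of O4 entries whose executable is `path`."""
    return [name for _, name, exe in entries if same_path(exe, path)]
```

Run against these lines, the path from the StartupMonitor warning returns no matching O4 entry, while a short-name or long-name form of an executable that is in the log resolves to its Run key name.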
