Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Help, How Do I Remove This?! Problems With Safe Mode As Well


  • Please log in to reply
1 reply to this topic

#1 Amebix

Amebix

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 15 December 2007 - 05:06 AM

I have tried everything and this keeps coming back. Also I get this little dot on the upper left corner of the Screen. I dont know whats causing this problem but I keep hearing IE clicking and I ran everything. I am now having problems doing stuff in safe mode too..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:02 AM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\PROGRA~1\FAGS_K~1\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\FAGS_K~1\AVG7\avgamsvr.exe
C:\PROGRA~1\FAGS_K~1\AVG7\avgupsvc.exe
C:\PROGRA~1\FAGS_K~1\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\nnnnnnn.dll (file missing)
O2 - BHO: (no name) - {6876E4FA-CDA4-267B-C6D8-024490A56637} - C:\Program Files\Aggpvxdy\aubthdjg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {C31616F2-D846-4594-A43D-3D429F872072} - C:\Program Files\Windows NT\holemu83122.dll (file missing)
O2 - BHO: (no name) - {C80B16E3-BE85-4889-A102-C8DD2C1A621C} - C:\Program Files\Common Files\holemu4444.dll (file missing)
O2 - BHO: {682947f8-07b4-b119-3364-eda0859f06bc} - {cb60f958-0ade-4633-911b-4b708f749286} - C:\WINDOWS\system32\svyknoom.dll (file missing)
O2 - BHO: (no name) - {DC6364BA-9CC5-49FC-827A-ED90E10CFA64} - C:\Program Files\Windows NT\holemu4444.dll (file missing)
O2 - BHO: 0 - {F0C76068-1B67-4C70-429E-C69C37F4421E} - C:\Program Files\ComPlus Applications\lawugepi.dll (file missing)
O2 - BHO: (no name) - {F7390F1F-F9C5-45E9-8D50-ADBE688D4112} - C:\WINDOWS\system32\sstqp.dll (file missing)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\FAGS_K~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [default] C:\Documents and Settings\Jayme\winmain.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\RunOnce: [winmz] C:\Documents and Settings\Jayme\winmain.exe
O4 - HKLM\..\Policies\Explorer\Run: [Userinit] rundll32.exe C:\WINDOWS\system32\winsys16_071105.dll start
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\FAGS_K~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\FAGS_K~1\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A374330A-9696-456C-95F0-BD8B293B53D4}: NameServer = 85.255.116.157,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAD2B3B7-C8C7-4275-B7A3-CCD574799E23}: NameServer = 85.255.116.157,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D3D0DB-79F3-4BEA-8395-0270F0317880}: NameServer = 85.255.116.157,85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O20 - Winlogon Notify: nnnnnnn - nnnnnnn.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\FAGS_K~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\FAGS_K~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\FAGS_K~1\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\progyrtajy.html
O24 - Desktop Component 1: (no name) - C:\Program Files\Internet Explorer\progyrtajy.html

--
End of file - 10135 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 15 December 2007 - 10:25 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Amebix
My name is Richie and i'll be helping you to fix your problems.

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".
This will change from what we know in 2006 read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present,then restart your pc:
Viewpoint
Viewpoint Manager
Viewpoint Media Player



Please download OTMoveIt by OldTimer,save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\Program Files\ComPlus Applications\progyrtajy.html
C:\Program Files\Internet Explorer\progyrtajy.html
C:\Program Files\Aggpvxdy
C:\WINDOWS\system32\winsys16_071105.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Please download FixWareout:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next,then Install,then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load,this is normal.

When your system reboots,follow the prompts.
Afterwards, HijackThis will launch,if it doesn't,launch it manually.
Please click Scan, and checkmark the following items:

O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\nnnnnnn.dll (file missing)
O2 - BHO: (no name) - {6876E4FA-CDA4-267B-C6D8-024490A56637} - C:\Program Files\Aggpvxdy\aubthdjg.dll
O2 - BHO: (no name) - {C31616F2-D846-4594-A43D-3D429F872072} - C:\Program Files\Windows NT\holemu83122.dll (file missing)
O2 - BHO: (no name) - {C80B16E3-BE85-4889-A102-C8DD2C1A621C} - C:\Program Files\Common Files\holemu4444.dll (file missing)
O2 - BHO: {682947f8-07b4-b119-3364-eda0859f06bc} - {cb60f958-0ade-4633-911b-4b708f749286} - C:\WINDOWS\system32\svyknoom.dll (file missing)
O2 - BHO: (no name) - {DC6364BA-9CC5-49FC-827A-ED90E10CFA64} - C:\Program Files\Windows NT\holemu4444.dll (file missing)
O2 - BHO: 0 - {F0C76068-1B67-4C70-429E-C69C37F4421E} - C:\Program Files\ComPlus Applications\lawugepi.dll (file missing)
O2 - BHO: (no name) - {F7390F1F-F9C5-45E9-8D50-ADBE688D4112} - C:\WINDOWS\system32\sstqp.dll (file missing)
O4 - HKLM\..\Policies\Explorer\Run: [Userinit] rundll32.exe C:\WINDOWS\system32\winsys16_071105.dll start
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{A374330A-9696-456C-95F0-BD8B293B53D4}: NameServer = 85.255.116.157,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAD2B3B7-C8C7-4275-B7A3-CCD574799E23}: NameServer = 85.255.116.157,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D3D0DB-79F3-4BEA-8395-0270F0317880}: NameServer = 85.255.116.157,85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.157 85.255.112.10
O20 - Winlogon Notify: nnnnnnn - nnnnnnn.dll (file missing)


Click 'Fix Checked'.
Close HijackThis,and click OK to proceed.
At the end of the fix you may need to restart your computer again.

Please post the contents of the logfile C:\fixwareout\report.txtinto your next reply.

Please Note:
Only do the following if you have connection problems after performing the above steps:
Go to Start>Control Panel,and choose 'Network Connections'.
Then right click on your default connection,usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up,then left click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'.
Click OK twice,restart your computer.


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users