
Internet Explorer Security Plug-in 2006 And Internet Security Addon In Add/remove List



#1 gypsyking


Posted 26 September 2006 - 06:50 PM

Hi, I have been having some disturbing problems with my computer recently. After running a Spy Sweeper virus scan, I discovered a Trojan/Zlob virus which I thought I took care of by removing. Now, I am having troubles with my Internet Explorer and Firefox browsers, as they will randomly decide to not load anything at all or only after hitting refresh at least 20 times. Typing in a URL takes ages, and 3 times so far none of my browsers were working, and when I closed the browser window my computer immediately bluescreened and crashed. When I start Windows back up and report the error, I get a report saying it is caused by an unknown driver. I looked into my Add/Remove list and found Internet Explorer Security plugin 2006 and Internet Security Addon, which I thought were suspicious. I googled them and found that they were indeed malware caused by the Trojan/Zlob, and I read that removing them in the Add/Remove list would not solve the problem. I don't know what else there may be on my computer, but I performed each step as recommended in the prep guide for posting a HijackThis log file and I am still having these problems. How can I remove the malware?


Logfile of HijackThis v1.99.1
Scan saved at 7:28:36 PM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\AOL\1133800415\ee\AOLSoftware.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
G:\Downloads\stng260.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\WCZ\LOCALS~1\Temp\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IESniffer Class - {B6ADE150-743D-11D4-8141-00E029626F6A} - G:\Program Files\Unreal Ghost\BrowserSniffer.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [RaidTool] "C:\Program Files\VIA\RAID\raid_tool.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1133800415\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133758702890
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service


 


#2 suebaby41


Posted 05 October 2006 - 06:24 AM

Welcome to the BleepingComputer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.

HijackThis is an analysis AND a repair tool. When you fix something in HijackThis, you are deleting a bad entry in the Windows Registry. In case of a mistake being made, there is a reversal for line entry deletions. HijackThis creates a new file which is a backup log of changes and you can reverse the line entry deletion. BUT...HijackThis needs a safe folder to keep these critical backup logs and a temp folder is definitely not safe as you might run Disk Cleanup and delete them.
  • Please place HJT into ITS OWN PERMANENT FOLDER.
    • You can do this by going to My Computer (Windows key+e).
    • Double click on C:
    • If the folder is hidden, click on show the contents of this folder.
    • Right-click on a blank space in the right column and select New > Folder
    • Name it HJT (C:\HJT\HijackThis.exe)
    • Move HijackThis.exe into this folder.
    • When you run HijackThis.exe from the C:\HJT folder and have it Fixed checked, it will create a backup file of modifications to use which are easily accessible if restoring any files is necessary.
  • If needed, HijackThis Folder Tutorial and How to Download, Extract and Run HijackThis.
Another way to do this is: Please download HijackThis Self-installer.
  • This is the easiest way to install HijackThis to your computer
  • This is a complete installer that installs HijackThis on the computer to C:\Program Files\HijackThis.
  • It makes an entry in the start menu.
  • It allows you to have a shortcut on your desktop as well.
  • HijackThis is currently at Version 1.99.1 released on 16.02.2005.
  • It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.

Edited by suebaby41, 05 October 2006 - 09:35 AM.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41


Posted 05 October 2006 - 01:35 PM

You may want to print this page. Make sure to work through the fixes in the order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 1

Please download smitRem.exe and save the file to your desktop.
If you cannot access that link, here are alternate links:
Link 1
Link 2
Double click on the file to extract it to its own folder on the desktop.

Step 2

Place a shortcut to Panda ActiveScan on your desktop.

Step 3

Please download and install AVG Anti-Spyware 7.5
  • After download, double click on the file to launch the install process.
  • Choose a language, click OK and then click Next.
  • Read the License Agreement and click I Agree.
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click Next, then click Install.
  • After setup completes, click Finish to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • The main Status menu will appear. Select Change state to inactivate Resident Shield and Automatic Updates.
  • Right click on AVG Anti-Spyware in the system tray and uncheck Start with Windows.
  • Click Start > Run and type: services.msc
    • Press OK.
    • Click the Extended tab and scroll down the list to find AVG Anti-Spyware guard.
    • When you find the guard service, double-click on it.
    • In the Properties Window > General Tab that opens, click the Stop button.
    • From the drop-down menu next to Startup Type, click on Manual.
    • Click Apply > OK and close the Services window.
  • Select the Update button and click Start update. Wait until you see the Update successful message.
  • If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer.
  • Exit AVG Anti-Spyware. DO NOT perform a scan yet.

Step 4

  • Please download Ad-Aware SE Personal and install it. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06. If you already have Ad-Aware SE, please configure it as indicated below.
  • Run Ad-Aware, and click the Gear wheel at the top which opens the Ad-Aware Configuration window. Select configurations as follows:
    • General > General Settings > Safety, make sure all three are checked.
    • Click Tweak button > Cleaning Engine. UNcheck Always try to unload modules before deletion.
    • Click Proceed to save settings.
  • Exit Ad-aware.
Don't run it yet!

Step 5

Please download ATF-Cleaner. ATF-Cleaner features include:
  • Cleaning of all user temp folders, administrator only can use this feature.
  • Cleaning of the Java cache, which seems to be harboring more and more malware.
  • Cleaning for the Opera and Firefox browser, including cache, cookies, history, download history, saved passwords and visited links
Do not run it yet.

Step 6

If you have an always on connection to the Internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Step 7

Please reboot your computer in SafeMode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, run Windows in Safe Mode.
  • If needed: How To Start Windows in Safe Mode.
NOTE: To avoid the risk of any of the files or folders not being found due to their having the 'Hidden' attribute, first make sure that in Folder Options > View, hidden and operating system files are set to show. If needed: How to see hidden files in Windows.

Step 8

Run HijackThis, and press Scan. When the scan is complete, place a check mark next to the following entries:

O2 - BHO: IESniffer Class - {B6ADE150-743D-11D4-8141-00E029626F6A} - G:\Program Files\Unreal Ghost\BrowserSniffer.dll

The entry above is suspicious. The CLSID {B6ADE150-743D-11D4-8141-00E029626F6A} (browsersniffer.dll) is a BHO for the SmartKeyLogger monitoring software. Unreal Ghost is an Xbox game. Do you know what this is?

These are optional fixes. These programs are not required to start automatically as you can start them manually if you need them. It is advised that you disable these programs so that they do not take up necessary resources. Many users have reported these processes slow their boot time. Please run HijackThis and click Scan. Place checks next to the following entries.

raid_tool.exe process can be removed to free up resources without compromising system performance. raid_tool.exe (VIA_RAID_Tool from VIA Technologies) is the VIA Raid configuration. This program is not required to start automatically as you can start it manually if you need it. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [RaidTool] "C:\Program Files\VIA\RAID\raid_tool.exe"

ATIPtaxx.exe is the tray bar process for your ATI graphics card drivers. It gives you easy access to your graphic card settings. It is the control panel for the ATI series of video cards allowing access to such features as display resolution, color depth, etc. Available via Start -> Settings -> Control Panel -> Display. Some users may need it if they have optimized their settings. This process can be removed to free up system resources. It may be worthwhile to fix it with HijackThis. These are the items to fix in HijackThis:

O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe

PDVDServ.exe process can be removed to free up resources without compromising system performance. PDVDServ.exe is the Remote Control background application for CyberLink's PowerDVD version 5 and above. It enables you to use a remote control with your DVD drive if your drive came with one. Not required if you don't have a remote control, or don't wish to use one. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

You have jusched.exe running at Startup. It checks with Sun's Java updates site to see if newer Java versions are available. This program is not required to start automatically. You can do this manually by visiting http://java.sun.com or just run the Java Plug-In Control Panel. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

You have iTunesHelper.exe running at Startup. iTunesHelper.exe is a process belonging to the iTunes MP3 streaming tool by Apple which allows you to play MP3's. This process speeds up iTunes when it starts, and the program also monitors for connected iPod devices. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

You have Adobe Gamma Loader.exe running at Startup. Adobe Gamma Loader.exe is installed alongside Adobe Creative Studio products and allows the color calibration of your video output device. This is a non-essential process. You will still be able to start it manually if you need it. You can fix this with HijackThis. These are the items to fix in HijackThis:

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

osa.exe or Osa9.exe launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it (Osa9.exe is the Office 2000 variant). This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

I see that Viewpoint is installed.

Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". In 2006, this may change, read Viewpoint to Plunge Into Adware.

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
If you decide to remove Viewpoint Manager, this is the item to fix in HijackThis.

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Using Windows Explorer, search for the following folder, and DELETE it. (Do not worry if it is not there):

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

After checking these items, CLOSE ALL open windows EXCEPT HijackThis and click Fix Checked.

Close HijackThis.

Step 9

  • Open the smitRem folder
  • Double click the RunThis.bat file to start the tool.
  • Follow the prompts on screen.
  • Wait for the tool to complete and disk cleanup to finish.
  • The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
  • Please post that log along with all the others requested in your next reply.

Step 10

Open Ad-aware and do a full scan. Remove all it finds.

Step 11

Scan with AVG Anti-Spyware as follows:
  • Launch AVG Anti-Spyware, click on the Scanner button and choose the Settings tab.
    • Under How to act?, click on Recommended actions and choose Quarantine to set default action for detected malware.
    • Under How to Scan?, check all (default).
    • Under Possibly unwanted software, check all (default).
    • Under What to Scan?, make sure Scan every file is selected (default).
    • Under Reports, select Automatically generate report after every scan and UNcheck Only if threats were found.
  • Click the Scan tab to return to scanning options.
  • Click Complete System Scan to start.
  • When the scan has finished, you will be presented with a list of infected objects found. Click Apply all actions to place the files in Quarantine.
    IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate No action taken, making it more difficult to interpret the report. So be sure you save it only AFTER clicking the Apply all actions button.
  • Click on Save Report to view all completed scans.
  • Click on the most recent scan you just performed and select Save report as - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
  • Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware.

Step 12

Go to Control Panel. Click Display > Desktop > Customize Desktop > Web. Uncheck Security Info or Desktop Uninstall if present.

Step 13

Reboot into Windows and click the Panda ActiveScan shortcut. Once you are on the Panda site, click the Scan your PC button
  • A new window will open, click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component, allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
** After reboot, it is possible that the system is using the Windows Classic theme again. To restore this and set it back to the XP theme, right click on your desktop. Click Properties > Appearance tab. Under Windows and buttons, choose Windows XP style. Click Apply and OK.

Step 14

Post the contents of the Panda scan report, along with a new HijackThis log, the contents of smitfiles.txt and the AVG AS log by using Post Reply.


Let us know if any problems persist.
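An added example, not part of the original posts: HijackThis fixes are applied by ticking lines in the user's own scan, so each line of a hand-typed fix list has to be matched against the log, and a line that names the same Run value or CLSID but a different file deserves a question before it is fixed. The sketch below parses O2 and O4 lines and classifies each fix-list line; the sample entries are copied from the log in post #1 and the fix list in post #3 (the last fix-list line is constructed), and the function names and status labels are this example's own.

```python
import re
from dataclasses import dataclass

# Entries copied from the scan log in post #1 (subset).
SCAN_LOG = r'''
O2 - BHO: IESniffer Class - {B6ADE150-743D-11D4-8141-00E029626F6A} - G:\Program Files\Unreal Ghost\BrowserSniffer.dll
O4 - HKLM\..\Run: [RaidTool] "C:\Program Files\VIA\RAID\raid_tool.exe"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
'''

# Entries copied from the fix list in post #3; the last line is constructed.
FIX_LIST = r'''
O2 - BHO: IESniffer Class - {B6ADE150-743D-11D4-8141-00E029626F6A} - G:\Program Files\Unreal Ghost\BrowserSniffer.dll
O4 - HKLM\..\Run: [RaidTool] "C:\Program Files\VIA\RAID\raid_tool.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [ExampleOnly] C:\example\constructed.exe
'''

# (section, regex): group 1 is the entry's stable identity (CLSID, Run value
# name, shortcut name); group 2 is the file or command line it points at.
PATTERNS = [
    ("O2", re.compile(r"BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)")),
    ("O4", re.compile(r"(\S+\\\.\.\\Run\S*: \[[^\]]+\]) (.+)")),
    ("O4", re.compile(r"((?:Global )?Startup: .+?\.lnk) = (.+)")),
]


@dataclass(frozen=True)
class Entry:
    section: str
    key: str
    target: str
    raw: str


def parse_line(line):
    """Parse one HijackThis result line; return None if it is not an O2/O4 entry."""
    line = line.strip()
    head = re.match(r"(O\d+) - (.+)", line)
    if not head:
        return None
    section, rest = head.groups()
    for sec, rx in PATTERNS:
        m = rx.fullmatch(rest) if sec == section else None
        if m:
            return Entry(section, m.group(1).casefold(), m.group(2), line)
    return None


def norm(target):
    """Compare targets ignoring quotes, case and repeated spaces."""
    return " ".join(target.replace('"', "").split()).casefold()


def reconcile(scan_text, fix_text):
    """Return (status, fix_line, scan_line_or_None) for every fix-list line."""
    scan = {}
    for line in scan_text.splitlines():
        entry = parse_line(line)
        if entry:
            scan[(entry.section, entry.key)] = entry
    results = []
    for line in filter(str.strip, fix_text.splitlines()):
        fix = parse_line(line)
        hit = scan.get((fix.section, fix.key)) if fix else None
        if fix is None:
            status = "unparsed"
        elif hit is None:
            status = "not-in-scan"
        elif hit.raw == fix.raw:
            status = "exact"
        elif norm(hit.target) == norm(fix.target):
            status = "quoting-only"      # same file, only the quotes differ
        else:
            status = "target-differs"    # same key, different file: ask first
        results.append((status, line.strip(), hit.raw if hit else None))
    return results


if __name__ == "__main__":
    for status, fix_line, scan_line in reconcile(SCAN_LOG, FIX_LIST):
        print(f"{status:15} {fix_line}")
```

Lines reported as `target-differs` or `not-in-scan` are the ones to raise with the helper before clicking Fix Checked.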

#4 suebaby41


Posted 20 October 2006 - 02:32 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.