

Smitfraud-c.toolbar888, Virtumonde, And Win32.agent.at


3 replies to this topic

#1 sayn1


  • Members
  • 2 posts

Posted 08 April 2007 - 05:45 PM

Hi

We ran vundofix and fixed most of the symptoms. Spybot finds and removes smitfraud, virtumonde, and win32.agent. Panda found one registry trace of virtumonde (before spybot) and two dll files (now removed), one from myway and one was a hidden system file in Temp folder. Adaware only finds cookies now and stinger found nothing.

I wonder about the SearchHook entry, and the '(no name)' and DriveLetterAccess O2 entries.

Scan below. Thanks

Dorothy


Incident Status Location

Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.centrport.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.go.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.xiti.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[server.iad.liveperson.net/hc/LPneimanmarcus]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[server.iad.liveperson.net/hc/LPneimanmarcus]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[server.iad.liveperson.net/hc/41378398]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\dorothy saynisch\Application Data\Mozilla\Firefox\Profiles\0ucsqxgu.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@112.2o7[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@adrevolver[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@atwola[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@bravenet[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@bs.serving-sys[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@casalemedia[2].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@citi.bridgetrack[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@data.coremetrics[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@did-it[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@fastclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@hitbox[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@media.adrevolver[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@mediaplex[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@realmedia[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@serving-sys[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@statcounter[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@statse.webtrendslive[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@tribalfusion[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@www.errorsafe[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\dorothy saynisch\Cookies\dorothy__saynisch@zedo[2].txt
Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\dorothy saynisch\Local Settings\Temp\mcxffpkl.dll
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll

********************************

Logfile of HijackThis v1.99.1
Scan saved at 6:39:36 PM, on 4/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1170364176\ee\AOLSoftware.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ScriptInocUI Class - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {795E4571-C1F6-4E32-ACFA-21342C375E59} - C:\WINDOWS\msagent\tuilldl.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1170364176\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.aim.com
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O15 - Trusted Zone: http://*.purevolume.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O15 - Trusted IP range: http://85.12.25.95
O15 - Trusted IP range: http://202.67.220.227
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136685630046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: pmkjg - pmkjg.dll (file missing)
O20 - Winlogon Notify: vturo - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
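An added example, not part of the original thread and not a BleepingComputer or HijackThis tool, of how a responder can triage a log like the one above by rule rather than by eye. It flags the three entry types that drive this thread: O15 Trusted Zone and Trusted IP range additions, O20 Winlogon Notify entries whose DLL is missing or has no filename at all (the pmkjg and vturo lines), and R3/O2/O3/O9 hooks marked '(no file)' or '(file missing)'. The keep-list of trusted domains, the rogue-brand keyword list and the sample log lines are constructed for the example; the sample is modelled on the posted log.

```python
"""Triage the HijackThis entry types that matter in a Vundo/Virtumonde and rogue-antivirus
cleanup: Trusted Zone additions (O15), Winlogon Notify DLLs (O20) and browser hooks whose
backing file is gone (R3/O2/O3/O9 marked '(no file)' or '(file missing)')."""
import re

# Analyst assumptions, not taken from the log: domains that belong in the Trusted zone on
# this machine, and name fragments of rogue security products seen in the scans above.
TRUSTED_KEEP = {"windowsupdate.com", "microsoft.com"}
ROGUE_BRANDS = ("winantivirus", "errorsafe", "systemdoctor", "sysprotect", "winsoftware")

# Constructed sample in HijackThis 1.99.1 format, modelled on the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: ScriptInocUI Class - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {795E4571-C1F6-4E32-ACFA-21342C375E59} - C:\WINDOWS\msagent\tuilldl.dll (file missing)
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://*.purevolume.com
O15 - Trusted IP range: http://202.67.220.225
O20 - Winlogon Notify: pmkjg - pmkjg.dll (file missing)
O20 - Winlogon Notify: vturo - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
URL_HOST_RE = re.compile(r"https?://(?P<host>[^/\s]+)")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)


def domain_of(host):
    """Last two labels of a host, with any leading wildcard removed."""
    return ".".join(host.lstrip("*.").lower().split(".")[-2:])


def check_o15(body):
    m = URL_HOST_RE.search(body)
    host = m.group("host") if m else body
    if body.startswith("Trusted IP range"):
        # A stock Windows install has no Trusted IP ranges at all.
        return "high", "Trusted IP range present: " + host
    if body.startswith("Trusted Zone"):
        dom = domain_of(host)
        if dom in TRUSTED_KEEP:
            return None
        if any(brand in dom for brand in ROGUE_BRANDS):
            return "high", "Trusted Zone entry for a rogue security product: " + host
        return "medium", "Trusted Zone entry not on the keep-list: " + host
    return None


def check_o20(body):
    # Vundo-family loaders register a DLL under Winlogon\Notify so it loads at logon.
    # After a partial removal the key survives with a missing DLL or no filename at all.
    name, _, target = body.partition(": ")[2].partition(" - ")
    target = target.strip()
    if MISSING_RE.search(target):
        return "high", "Winlogon Notify '%s' references a missing DLL" % name
    if target.endswith("\\") or not target.lower().endswith(".dll"):
        return "high", "Winlogon Notify '%s' has no DLL path: %r" % (name, target)
    return None


def triage(log_text):
    """Return one {'kind', 'severity', 'reason', 'line'} dict per suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # process list, headers, blank lines
        kind, body = m.group("kind"), m.group("body")
        hit = None
        if kind == "O15":
            hit = check_o15(body)
        elif kind == "O20":
            hit = check_o20(body)
        elif kind in ("R3", "O2", "O3", "O9") and MISSING_RE.search(body):
            hit = "medium", kind + " entry points at a file that no longer exists"
        if hit:
            findings.append({"kind": kind, "severity": hit[0], "reason": hit[1], "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["severity"].upper(), f["reason"], f["line"]))
```

Flagged entries are candidates for removal, not proof of infection: WgaLogon passes because its DLL exists, and the '(no name)' SDHelper.dll BHO in the real log is Spybot's own, which is why the rules key on missing files rather than on a missing display name.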



#2 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 09 April 2007 - 05:22 AM

Welcome to the BleepingComputer HijackThis forum sayn1 :thumbsup:

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

**************************

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we knew in 2006; read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player


Then reboot.

**************************

Download DelDomains.zip and extract/unzip it to your desktop:
Now right click on Deldomains.inf then click on 'Install'.
After clicking 'Install' it will appear as though nothing happened; this is normal.

**************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
* Also post a new Hijackthis log please.

Edited by RichieUK, 09 April 2007 - 05:22 AM.

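The DelDomains step above works on the registry keys that the O15 lines in the log come from. As an added example, not the DelDomains.inf tool itself and not part of the original reply, the following builds a .reg file that deletes the per-site zone assignments under both HKCU and HKLM and then re-adds only the hosts the analyst chooses to keep. Two assumptions are spelled out in the code: the key layout IE uses under ZoneMap\Domains (registrable domain as a subkey, any further labels as a sub-subkey, the scheme name as a DWORD holding the zone id), and a two-label registrable domain. The sample O15 lines and the keep-list are constructed for the example. Caveat: the Domains and Ranges keys also hold Restricted-sites entries (zone 4) and any intranet mappings, so review those before importing.

```python
"""Build a .reg file that empties Internet Explorer's per-site zone assignments (the keys
behind HijackThis O15 entries) and re-adds only the hosts an analyst chooses to keep."""
import re

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
URLZONE_TRUSTED = 2   # zone ids: 1 intranet, 2 trusted, 3 internet, 4 restricted

O15_RE = re.compile(r"^O15 - Trusted Zone: https?://(?P<host>[^/\s]+)")

# Constructed sample modelled on the O15 block of the log posted above.
SAMPLE_O15 = """\
O15 - Trusted Zone: http://*.aim.com
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted IP range: http://202.67.220.225
"""


def trusted_hosts(log_text):
    """Hosts named by 'Trusted Zone' lines. IP ranges are deliberately ignored: they go
    away with the Ranges key and are never re-added."""
    hosts = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if m:
            hosts.append(m.group("host"))
    return hosts


def registrable(host):
    """Two-label registrable domain (an assumption that holds for .com/.net style names)."""
    return ".".join(host.lower().split(".")[-2:])


def domain_key(host):
    """Path under ZoneMap\\Domains, following the layout IE uses (assumed here):
    '*.example.com' -> 'example.com', 'www.example.com' -> 'example.com\\www',
    'a.b.example.com' -> 'example.com\\a.b'."""
    labels = host.lower().split(".")
    domain, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
    return domain if sub in ("", "*") else domain + "\\" + sub


def zonemap_reset_reg(log_text, keep_domains, zone=URLZONE_TRUSTED):
    """Return .reg text: delete Domains and Ranges under both hives, then re-add keepers.
    regedit processes the file top to bottom, so the deletes land before the re-adds."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        # A leading '-' on a key line makes regedit delete the key and everything below it.
        out += ["[-%s\\%s\\Domains]" % (hive, ZONEMAP),
                "[-%s\\%s\\Ranges]" % (hive, ZONEMAP), ""]
    for host in trusted_hosts(log_text):
        if registrable(host) not in keep_domains:
            continue
        # Per-host value: the scheme name ('http') as a DWORD holding the zone id.
        out += ["[HKEY_CURRENT_USER\\%s\\Domains\\%s]" % (ZONEMAP, domain_key(host)),
                '"http"=dword:%08x' % zone, ""]
    return "\n".join(out)


if __name__ == "__main__":
    # Save the result with CRLF line endings before importing it with regedit.
    print(zonemap_reset_reg(SAMPLE_O15, {"windowsupdate.com", "aim.com"}))
```

After importing, a fresh HijackThis scan should show no O15 lines other than the kept ones; the rogue-product hosts (winantivirus.com and friends) and all Trusted IP ranges are gone because nothing re-creates them.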

#3 sayn1

  • Topic Starter

  • Members
  • 2 posts

Posted 13 April 2007 - 09:46 PM

Hi. Not sure if I am responding correctly, since this is my first solo posting. I followed the instructions suggested by RichieUK and successfully ran the DrWeb scan, finding four problems, all of which could be deleted. I also removed Viewpoint Media Player as suggested. Thanks for the help.

Dorothy

#4 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 April 2007 - 06:48 AM

Could you post the DrWeb.csv report, and a new HijackThis log, in your next reply please.