4 Spyware. - Hope I Did This Right



funkmeister99
2007-07-20, 23:27
Hello. I read some other topics hoping some people had my same viruses (not saying it's a good thing, just hoping I could remove it too). I got 4 Spyware from nowhere, I haven't visited any dangerous site I know of. I'm not quite sure if they're System32 start up spyware, or they're just from an internet link.

The malware was something that started with, like, a D, I don't know, it was 2 words.

The second malware was MediaLex, it wasn't Lex, but something like that, there was one word before the L.

The 3rd malware/spyware Spybot S&D found was BlackCore which I remember completely. Then I can't remember the 4th one. :(

My HJT log is from Trend Micro; I use it because I also have their firewall.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오후 2:27:09, on 2007-07-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccVScan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183440985606
O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} (LaunchUBO.Ulit) - http://www.ultimatebaseballonline.com/myubo/launchubo.OCX
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 5813 bytes


I've bookmarked this thread. Thanks Spybot S&D Staff!
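The log above follows the fixed HijackThis v2 line format, which makes it easy to parse. As an added example (not code from the thread, from Spybot, or from HijackThis), here is a small Python parser for the O4, O16 and O23 entry formats shown in that log, with the first-pass checks an analyst applies before reading the rest: bare executable names resolved through PATH, startup shortcuts HijackThis could not resolve, and ActiveX downloads from non-Microsoft hosts. The sample lines are constructed from the log's own format, and the checks are triage hints, not malware verdicts.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v2 line format used in the thread (a subset, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: SATARaid.lnk = ?
O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} (LaunchUBO.Ulit) - http://www.ultimatebaseballonline.com/myubo/launchubo.OCX
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# One regex per HijackThis section handled here: O4 registry Run keys, O4 startup folders, O16 DPF, O23 services.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]+)\) - (?P<url>\S+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$")

def executable_of(cmd):
    """First token of a Run command: the quoted path if quoted, else the bare first word."""
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return (cmd.split() or [""])[0]

def parse_line(line):
    """Return a dict for one HijackThis entry, or None for header and process-list lines."""
    if m := RUN_RE.match(line) or STARTUP_RE.match(line):
        return {"section": "O4", **m.groupdict(), "exe": executable_of(m["cmd"])}
    if m := DPF_RE.match(line):
        return {"section": "O16", **m.groupdict()}
    if m := SVC_RE.match(line):
        return {"section": "O23", **m.groupdict()}
    return None

def parse_log(text):
    return [e for e in (parse_line(l.rstrip()) for l in text.splitlines()) if e]

def triage(entries):
    """(name, reason) pairs an analyst would verify first; none of these is a malware verdict."""
    notes = []
    for e in entries:
        if e["section"] == "O4" and e["exe"] == "?":
            notes.append((e["name"], "shortcut target could not be resolved"))
        elif e["section"] == "O4" and "\\" not in e["exe"]:
            notes.append((e["name"], "bare file name, located through the PATH search order"))
        elif e["section"] == "O16" and not (urlparse(e["url"]).hostname or "").endswith(".microsoft.com"):
            notes.append((e["name"], "ActiveX control downloaded from a non-Microsoft host"))
    return notes

if __name__ == "__main__":
    for name, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```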

pskelley
2007-07-21, 16:05
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Since you are a new member, I suggest you review the information pinned to the top of the forum. This is the malware forum; questions about Spybot S&D should be posted here:
http://forums.spybot.info/forumdisplay.php?f=4
You can read about false positives in Spybot S&D here:
http://forums.spybot.info/forumdisplay.php?f=16
Like this one: BlackCore
http://forums.spybot.info/showthread.php?p=101198#post101198 (Yodama)

I can't express how important accuracy is, statements like:

The malware was something that started with, like, a D, I don't know, it was 2 words.

The second malware was MediaLex, it wasn't Lex, but something like that, there was one word before the L.
The 3rd malware/spyware Spybot S&D found was BlackCore which I remember completely. Then I can't remember the 4th one. :(
do not help us at all, and that sure won't help you.

Let me say I see nothing in your HJT log that looks like malware; your HJT log looks good. I must say HJT cannot show everything, but I would be hesitant to proceed without more information, as you have provided none but the HJT log.

Thanks

funkmeister99
2007-07-21, 23:54
My apologies. :(

I am currently doing a scan...and have started to eat lunch. When I come back, the scan should be done, and then I will submit this post.

I have read the BlackCore thread, and does that mean I do not have to worry about BlackCore?


hello,

the tracking cookie which had been falsely named as BlackCore will be renamed as CPXinteractive with the next update. It is a tracking cookie placed by an advertising server and is not a part of a trojan horse.
thanks for reporting.

I can understand it's not part of a Trojan Horse, and that it will be renamed, but what is a tracking cookie?

Scan Finished...

The 3 spyware/malware it found were:

MediaPlex
Advertising.com
CPXinteractive

My assumption on the 4th one from yesterday would be

DoubleClick

Since it started with a D.

The information Spybot S&D gives:

MediaPlex: Tracking cookie (Firefox: default)
Firefox (default): .mediaplex.com/ (svid)

CPXinteractive
Tracking cookie (Firefox: default)
Firefox (default): adserving.cpxinteractive.com/ (rmCookiesChecked)

Advertising.com: Tracking cookie (Firefox: default)
Firefox (default): .advertising.com/ (C2)

Hope this helps more than my first post.

pskelley
2007-07-22, 00:04
From the looks of the information you provided, those look like tracking cookies. Here are tutorials for using Spybot S&D:
http://spyware-free.us/tutorials/spybot/
http://www.bleepingcomputer.com/forums/tutorial43.html
http://www.safer-networking.org/en/tutorial/index.html

I have read the BlackCore thread, and does that mean I do not have to worry about BlackCore?
That is exactly what Yodama, Member of Team Spybot, said: keep your Spybot S&D version updated and immunized, and the item will be fixed with the next update.

I can understand it's not part of a Trojan Horse, and that it will be renamed, but what is a tracking cookie?
Do you know what Google is? http://www.google.com/
http://www.google.com/search?hl=en&q=what+is+a+tracking+cookie&btnG=Google+Search

Thanks

funkmeister99
2007-07-22, 03:35
Thanks!

There's one sentence I don't completely understand as an immigrant.


You could decide on ignoring all usage tracks. In that case you could open the File sets page on the Settings section of the program, and disable the Usage tracks entries.

Does this mean the usage tracks would stay but my computer would be like

"I don't care about them" or

does it mean my computer/Spybot S&D says "Usage Tracks? Get out of here!"

Oh, and where can I find the File sets page? I also couldn't find the Settings section of Spybot S&D.

pskelley
2007-07-22, 11:59
I posted this for you earlier:

This is the malware forum, questions about Spybot S&D should be posted here:
http://forums.spybot.info/forumdisplay.php?f=4
It would be best if you ask your Spybot S&D questions there. While I use and know a bit about Spybot, I am not an expert.

Thanks...Phil

funkmeister99
2007-07-22, 19:25
Thank you pskelley, I'll go there immediately.

pskelley
2007-08-01, 02:28
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks...pskelley