PDA

View Full Version : Zlob.VideoActiveXAccess, DNSChanger etc.



jeanfilioux
2007-09-06, 04:42
Hello,

The thing that's bugging me is that the Zlob.VideoActiveXAccess won't go away with Spybot, I keep getting the message:

"Some problems couldn't be fixed, the reason could be that the assosiated files are still in use (in memory). This could be fixed after a restart. May Spybot-S&D run on your next system startup?".

I have tried rebooting in safemode and doing a scan immediately, but no luck obviously.

Also, Zlob.DNSChanger is supposedly fixed, but keeps reocurring everytime I do a scan.

So now I have this flashing "shield" in my taskbar prompting me to install "an up-to-date antispyware solution". Yeah right :mad:

I tried to do a Kaspersky online anti-virus scan, but was not successful, as I received this message:

The file 002E08D9.key on (Unknown) is needed
Type the path where the file is located, and then click OK.

Therefore I couldn't run the Kaspersky online scan.

Hope you can still help me, thanks :red:

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:35:16, on 06.09.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\DLink\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Protection Bar - {F06E2ABE-3A50-4079-BE25-FC100D9EAA25} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SSP] SSPSupport.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133767956578
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F4A85EC-1434-4703-978F-837D498E2C99}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{26868488-4725-4A69-8BE1-A8EF8B7B6068}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7529B1FC-2375-4D14-BB83-3BE7A0BA5A0F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AF17145-0B34-4942-B07A-321CAC3AFB45}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74F0DFE-1079-4826-9E00-B567D4453C83}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCE9F677-52AA-47D6-AEAA-39D1B6C10E2A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF996073-7AEB-4144-B065-B2D9E7016099}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9B8873C-57FF-448D-B0A3-056D37F21F11}: NameServer = 85.255.114.37,85.255.112.19
O22 - SharedTaskScheduler: aht - {46f5a8b0-0b73-48c5-9e40-3c443a43c161} - C:\WINDOWS\system32\muvdjo.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9882 bytes

ken545
2007-09-06, 14:14
jeanfilioux,

Welcome to Safer Networking We need to run some special programs to remove that infection. Lets do this to start.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.


Download and install the 30 day trial of AVG Anti-Spyware 7.5 (http://www.ewido.net/en/download/) to your desktop.


Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run Ewido and update the definition files.
On the main screen select the icon Update then select the Update now link.
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
Once in the Settings screen click on Recommended actions and then select Quarantine <-- Dont forget this Under Reports
Select Automatically generate report after every scan
Un-Select Only if threats were found
Close AVG Anti-Spyware 7.5 <-- Do not run the scan yet.



Boot your computer into Safemode

Go to Start> Shut Off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
This will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to SAFEMODE
Then press the Enter on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)





Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt





Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start> Control Panel and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete Offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button.
Click Apply then OK.









Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
AVG will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
make sure to remember where you saved that file, this is important
Close AVG Anti-Spyware 7.5
IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process:


Reboot normally.



Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the log from Smitfraud fix, the AVG Spyware log and a New HJT log please

jeanfilioux
2007-09-10, 03:31
Hello ken545

First of all I want to thank you for helping me, your help is very much appreciated!

Now, I tried to follow your instructions to the letter. I did, however, run into a few problems:

When running SmitfraudFix the program tried to run Disc Cleanup, but the message "... encountered a problem and needs to close. We're sorry for the inconvenience etc." After that I was prompted to clean the registery, and then the program rebooted the computer.

When I tried to clean my Temporary Internet Files in the Control Panel the procedure wasn't exactly as described. I deleted the Temporary Internet Files and Cookies, but there was no Delete Offline Content check box to be found. Also, under the Programs tab there was no Reset Web Settings button.

Next I ran the AVG program. When scanning was completed I selected Apply all actions. I recieved this message:

Warning:
The file C:\Documents and Settings\user\Local Settings\Temp\asmfiles.cab/asmexe cannot be removed because it is embedded in the arcive C:\Documents and Settings\user\Local Settings\Temp\asmfiles.cab/
Do you want to remove the whole arcive?

I clicked no because I was afraid to delete a critical file or something.

When I selected the Reports icon there was no reports saved (yes I selected the Automatically generate report... box earlier), so I am unable to post an AVG report.

The rest went pretty smooth I guess, and the blinking shield in the taskbar is gone now :)

Here's the Smitfraud log:

SmitFraudFix v2.221

Scan done at 23:44:15,96, 09.09.2007
Run from C:\Documents and Settings\Erling\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{46f5a8b0-0b73-48c5-9e40-3c443a43c161}"="aht"

[HKEY_CLASSES_ROOT\CLSID\{46f5a8b0-0b73-48c5-9e40-3c443a43c161}\InProcServer32]
@="C:\WINDOWS\system32\muvdjo.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{46f5a8b0-0b73-48c5-9e40-3c443a43c161}\InProcServer32]
@="C:\WINDOWS\system32\muvdjo.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\muvdjo.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\muvdjo.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\Video ActiveX Access\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F4A85EC-1434-4703-978F-837D498E2C99}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F4A85EC-1434-4703-978F-837D498E2C99}: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{26868488-4725-4A69-8BE1-A8EF8B7B6068}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{26868488-4725-4A69-8BE1-A8EF8B7B6068}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7529B1FC-2375-4D14-BB83-3BE7A0BA5A0F}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7529B1FC-2375-4D14-BB83-3BE7A0BA5A0F}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{97CE7681-BC5A-4FFB-855F-66D89AF97DBA}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9AF17145-0B34-4942-B07A-321CAC3AFB45}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9AF17145-0B34-4942-B07A-321CAC3AFB45}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B74F0DFE-1079-4826-9E00-B567D4453C83}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B74F0DFE-1079-4826-9E00-B567D4453C83}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CCE9F677-52AA-47D6-AEAA-39D1B6C10E2A}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CCE9F677-52AA-47D6-AEAA-39D1B6C10E2A}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CF996073-7AEB-4144-B065-B2D9E7016099}: DhcpNameServer=85.255.114.37,85.255.112.19
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CF996073-7AEB-4144-B065-B2D9E7016099}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D9B8873C-57FF-448D-B0A3-056D37F21F11}: DhcpNameServer=85.255.114.37,85.255.112.19
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D9B8873C-57FF-448D-B0A3-056D37F21F11}: NameServer=85.255.114.37,85.255.112.19
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1F4A85EC-1434-4703-978F-837D498E2C99}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1F4A85EC-1434-4703-978F-837D498E2C99}: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{26868488-4725-4A69-8BE1-A8EF8B7B6068}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{26868488-4725-4A69-8BE1-A8EF8B7B6068}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7529B1FC-2375-4D14-BB83-3BE7A0BA5A0F}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7529B1FC-2375-4D14-BB83-3BE7A0BA5A0F}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{97CE7681-BC5A-4FFB-855F-66D89AF97DBA}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9AF17145-0B34-4942-B07A-321CAC3AFB45}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9AF17145-0B34-4942-B07A-321CAC3AFB45}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B74F0DFE-1079-4826-9E00-B567D4453C83}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B74F0DFE-1079-4826-9E00-B567D4453C83}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CCE9F677-52AA-47D6-AEAA-39D1B6C10E2A}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CCE9F677-52AA-47D6-AEAA-39D1B6C10E2A}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CF996073-7AEB-4144-B065-B2D9E7016099}: DhcpNameServer=85.255.114.37,85.255.112.19
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CF996073-7AEB-4144-B065-B2D9E7016099}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D9B8873C-57FF-448D-B0A3-056D37F21F11}: DhcpNameServer=85.255.114.37,85.255.112.19
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D9B8873C-57FF-448D-B0A3-056D37F21F11}: NameServer=85.255.114.37,85.255.112.19
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F4A85EC-1434-4703-978F-837D498E2C99}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F4A85EC-1434-4703-978F-837D498E2C99}: NameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{26868488-4725-4A69-8BE1-A8EF8B7B6068}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{26868488-4725-4A69-8BE1-A8EF8B7B6068}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7529B1FC-2375-4D14-BB83-3BE7A0BA5A0F}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7529B1FC-2375-4D14-BB83-3BE7A0BA5A0F}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{97CE7681-BC5A-4FFB-855F-66D89AF97DBA}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9AF17145-0B34-4942-B07A-321CAC3AFB45}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9AF17145-0B34-4942-B07A-321CAC3AFB45}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B74F0DFE-1079-4826-9E00-B567D4453C83}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B74F0DFE-1079-4826-9E00-B567D4453C83}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CCE9F677-52AA-47D6-AEAA-39D1B6C10E2A}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CCE9F677-52AA-47D6-AEAA-39D1B6C10E2A}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CF996073-7AEB-4144-B065-B2D9E7016099}: DhcpNameServer=85.255.114.37,85.255.112.19
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CF996073-7AEB-4144-B065-B2D9E7016099}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D9B8873C-57FF-448D-B0A3-056D37F21F11}: DhcpNameServer=85.255.114.37,85.255.112.19
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D9B8873C-57FF-448D-B0A3-056D37F21F11}: NameServer=85.255.114.37,85.255.112.19
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdpiu.exe"

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\kdpiu.exe Deleted

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» End

jeanfilioux
2007-09-10, 03:32
Fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:45:29, on 10.09.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\DLink\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SSP] SSPSupport.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133767956578
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F4A85EC-1434-4703-978F-837D498E2C99}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{26868488-4725-4A69-8BE1-A8EF8B7B6068}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7529B1FC-2375-4D14-BB83-3BE7A0BA5A0F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AF17145-0B34-4942-B07A-321CAC3AFB45}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74F0DFE-1079-4826-9E00-B567D4453C83}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCE9F677-52AA-47D6-AEAA-39D1B6C10E2A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF996073-7AEB-4144-B065-B2D9E7016099}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9B8873C-57FF-448D-B0A3-056D37F21F11}: NameServer = 85.255.114.37,85.255.112.19
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8996 bytes

ken545
2007-09-10, 04:43
:oops:When I tried to clean my Temporary Internet Files in the Control Panel the procedure wasn't exactly as described. That was for IE6 not IE7. So we can do it another way.

Lets do a few things.

Go to your Add Remove Programs in the Control Panel and unless you use it uninstall Viewpoint Manager Service, its not malicious but installs without your knowledge or consent.

Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)




This will take care of the DNS Changer

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
FixWareout Subratam (http://downloads.subratam.org/Fixwareout.exe)
FixWareout Lonny (http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe)

Save it to your desktop and run it.
Click Next, then Install,
Then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.

Save the contents of the logfile C:\fixwareout\report.txt and post it into your next reply.



Now lets check some settings on your system. For (2000/XP) Only)


Go to Start > control panel.
If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
Then right click on your default connection, usually local area connection for cable and dsl.
Left click on properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems





Next Go start> Run type cmd and hit OK
Type in ipconfig /flushdns then hit enter
(that space between g and / is needed)
Type exit hit enter



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up


I need to see the Wareout log and a New HJT log please.

jeanfilioux
2007-09-10, 06:29
Here is the Wareout log:

Username "..." - 10.09.2007 4:53:02 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D9B8873C-57FF-448D-B0A3-056D37F21F11}
"nameserver"="85.255.114.37,85.255.112.19" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CF996073-7AEB-4144-B065-B2D9E7016099}
"DhcpNameServer"="85.255.114.37,85.255.112.19" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D9B8873C-57FF-448D-B0A3-056D37F21F11}
"DhcpNameServer"="85.255.114.37,85.255.112.19" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe /r"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"SSP"="SSPSupport.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:21:12, on 10.09.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\DLink\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SSP] SSPSupport.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133767956578
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F4A85EC-1434-4703-978F-837D498E2C99}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{26868488-4725-4A69-8BE1-A8EF8B7B6068}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AF17145-0B34-4942-B07A-321CAC3AFB45}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74F0DFE-1079-4826-9E00-B567D4453C83}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCE9F677-52AA-47D6-AEAA-39D1B6C10E2A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF996073-7AEB-4144-B065-B2D9E7016099}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8596 bytes

ken545
2007-09-10, 14:01
Things are looking good :bigthumb: The only thing I would do and this is your call is to go to the Add Remove Programs in the Control Panel and uninstall Viewpoint Manager Service unless this is something that you know about and use. It most times installs without your knowledge and consent and although its not malicious it does use up system resources.

How are things running now??

jeanfilioux
2007-09-11, 02:51
Things seem to be running fine now, thank you very much :D: Computer is fast and responsive :bigthumb:

I did uninstall the Viewpoint Manager Service, the only thing left is the Viewpoint Toolbar and Media Player. Should I uninstall these too? I cannot recall using any of these items, nor do I now how they got there in the first place...

Do you have any suggestions to what I can do to protect my computer in the future? Programs I should install and run regularly etc.? I'm currently using Firefox2 as my webbrowser, with Adblock and NoScript, and Ad-Aware SE and of course Spybot as antispyware. And what should I do with the programs installed in the cleaning prosess, just leave them?

Oh BTW, I had a problem with my Mcafee anti-virus turning off before, but now it's working fine!

Again, I thank you for your time and your help!

ken545
2007-09-11, 03:10
Glad things are better :bigthumb:



Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install, these are must haves to help keep you secure

Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give
you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
(cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and
painless download and install, it will no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I
wouldn't access the internet without it.



Glad we could help

Safe Surfn
Ken