Author Topic: Malware? (Read 4371 times)

Ryugata · « **Reply #20 on:** May 26, 2006, 11:06:51 PM »

Ok the report from Panda:
Incident Status Location

Adware:adware/commad Not disinfected c:\windows\system32\atmtd.dll
Adware:adware/swimsuitnetwork Not disinfected c:\windows\system32\MYDLL.dll
Adware:adware/spywareno Not disinfected c:\windows\system32\sysmon.exe
Adware:adware/portalscan Not disinfected c:\program files\common files\Slmss
Adware:adware/novo Not disinfected c:\program files\cdmagent
Adware:adware/sidesearch Not disinfected c:\program files\Lycos
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:Adware/Deskwizz Not disinfected C:\bintheredunthat\VSL02.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[.fastclick.net/]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[²èÇ]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[exdl.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[exul.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[ahadp.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[ahadp.exe][angelex.exe]
Hacktool:HackTool/SRunner.B Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[ahadp.exe][instsrv.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[ahadp.exe][msexreg.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[adp8035_NPS.exe][bargains.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[adp8035_NPS.exe][adv.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[adp8035_NPS.exe][adx.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[adp8035_NPS.exe][²èÇ]
Adware:Adware/Exact.SearchBar Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[exclean.exe]
Virus:JS/Clicker.JS Disinfected C:\Program Files\cdmagent\knerdlxewb.log
Virus:Trj/Clicker.QE Disinfected C:\Program Files\Common Files\simtest\sysstall.exe
Adware:Adware/PurityScan Not disinfected C:\Trelew.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\bmdv\vAxS.vbs
Virus:Trj/Downloader.HPZ Not disinfected C:\WINDOWS\pf78.exe[pms111x.exe]
Virus:Trj/VB.MC Not disinfected C:\WINDOWS\pf78.exe[SYSC00.exe]
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\drsmartload815a.exe
Virus:Trj/Downloader.IUB Disinfected C:\WINDOWS\system32\msvbvm50.exe
Virus:Trj/Downloader.IUB Disinfected C:\WINDOWS\system32\ntvdmd.exe
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\VSL03.exe[VSL.dl_]

And a new hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:02:53 PM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

guestolo · « **Reply #21 on:** May 26, 2006, 11:32:11 PM »

Find and delete the following files or folders in bold
Exact file or folder names in the correct locations please

FILES
C:\Trelew.exe
C:\WINDOWS\pf78.exe
c:\windows\system32\atmtd.dll
c:\windows\system32\MYDLL.dll
c:\windows\system32\sysmon.exe
C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe
C:\Program Files\Common Files\simtest\sysstall.exe
C:\WINDOWS\system32\drsmartload815a.exe
C:\WINDOWS\system32\VSL03.exe

FOLDERS
c:\program files\common files\Slmss
C:\WINDOWS\bmdv
C:\bintheredunthat
c:\program files\Lycos

Reboot the computer
Come back here and let me know how things are running and if you were able to remove all of the above

Did you manually add these entries to your trusted zones, or do you trust the sites?
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr

Ryugata · « **Reply #22 on:** May 27, 2006, 02:01:44 AM »

My computer is running like normal now

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' /> thank you so much for your help! Oh, and there were 2 things I din't see:
C:\Program Files\Common Files\simtest\sysstall.exe
and
C:\WINDOWS\bmdv

About those sites, I addded just these:
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
I don't know where the others came from but I deleted them all in the "Trusted Sites" in IE. Are they harmful or something?

guestolo · « **Reply #23 on:** May 27, 2006, 11:11:43 AM »

Quote

I don't know where the others came from but I deleted them all in the "Trusted Sites" in IE. Are they harmful or something?

Not sure, that's why I asked if you recognized them or added manually, if not, you did the right thing and removed them
If I knew them as bad, I would of had you fix them right away

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Look for that folder and files and remove if found
Folder
C:\WINDOWS\bmdv
Files
C:\Program Files\Common Files\simtest\sysstall.exe
C:\WINDOWS\system32\test.exe
C:\WINDOWS\system32\test1.exe

You can then go back and rehide hidden files and folders
I would leave Hide Extensions for known file types unchecked however

If everything is running better
We should flush all your restore points to ensure you don't restore any nasties that may be sitting idle

msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
[/list]
Back in Windows, Go back and take the check out of "Turn off system restore"
This will reenable the System Restore feature and creates a new restore point

[indent][color=\"#CC0000\"]Protect yourself against Future Attacks[/color][/i][/b][/indent]
*Install SpywareBlaster 3.5.1 by JavaCool

After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

*Make sure your Anti-Virus software is always kept up to date and actively running in the background
You don't want to run more than one AV on your computer
But getting a second opinion from an Online scanner every couple months is not a bad idea
You can use Panda's or any of the others in my signature below

Update and do scan's with your Anti-Spyware programs on a regular basis
In addition: Open Spybot 1.4
Click the "Immunize" button on the left>>>OK at the prompt>>Immunzine at the top green cross
Immunize after every update

+I would opt to hold onto CleanUp! and Ewido
Ewido will become a limited free version after a couple of weeks
Still, a great scanner to update and run on a monthly basis

If you haven't ran the Disk Defragmenter on your computer in some time, now would be a good time
START>>All Programs>>Accessories>>System Tools>>Disk Defragmenter
Let it run uninterrupted
I find it best ran in safe mode

Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Ryugata · « **Reply #24 on:** May 27, 2006, 04:20:22 PM »

THANK YOU VERY MUCH FOR YOUR HELP!!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' /> I'm so glad I found this forum. You're very good at this ^^

Thank you for everything, I'll try to keep my computer safe now

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #25 on:** May 27, 2006, 04:24:39 PM »

Your welcome

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />
If your version of Symantec's doesn't have a Firewall
Can you
Access your Windows control panel and double check to make sure the Windows built in Firewall is running please

I'll lock this topic as your problems appear resolved
Take care

TheTechGuide Forum

News:

Author Topic: Malware? (Read 4371 times)

Ryugata

Malware?

guestolo

Malware?

Ryugata

Malware?

guestolo

Malware?

Ryugata

Malware?

guestolo

Malware?