Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Help Removing Troj_generic

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Unread postby vicdotcom » October 15th, 2006, 9:48 pm

Hi TD!

WOW things are already running so much better! Thank you so much. Here are the logs that you requested. So far I havent had a pop-up yet from the usual sites. There were two files I could not find. the first one is the C:\windows\systems32\iti.dll The second was C:\windows\systems32\2236_28.dll

Also while using hijackthis to clean the checked files, I got an error message #5 or something along those lines. Other than that things are working well.

Here are the logs and let me know if there is anything else that I should do.

Vicdotcom

AVG LOG

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:15:58 PM 10/15/2006

+ Scan result:



C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned.
C:\WINDOWS\wintasks32.exe -> Backdoor.SdBot.xd : Cleaned.
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe -> Downloader.Agent.awf : Cleaned.
C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.l : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Lisa\Cookies\lisa@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end






PANDA SCAN RESULTS



Incident Status Location

Virus:Trj/Lowzones.SY Disinfected Operating system


HJT LOG
Logfile of HijackThis v1.99.1
Scan saved at 9:44:20 PM, on 10/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://channels.netscape.com/wrap/linke ... s/index.pl
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140734295\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoopService.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
vicdotcom
Active Member
 
Posts: 9
Joined: October 10th, 2006, 5:36 pm
Top
Advertisement
Register to Remove

Unread postby turtledove » October 16th, 2006, 4:57 am

Hello vicdotcom,
You've done a great job :thumbleft:

You may remove through Add/Remove Programs the AVG Program, as you have Trndmicro. You can delete smitfraud fix as well and it's folder.
Please go to The AVG Program folder-->> Open it's quarantine folder:
    Right click in open area of right window and select all
    Right click again and choose delete
    Close window

EMPTY RECYCLE BIN

I see that Viewpoint is installed.

Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". In 2006, this may change, read Viewpoint to Plunge Into Adware.

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
If AOL is present, to prevent it from being recreated every time you run the AOL software:
  • Open AOL
  • Go to Help on the toolbar
  • Select About AOL
  • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.
Another way to prevent Viewpoint from being recreated every time you run the AOL software is:
  • Click C:\Program Files\AOL 9.0\Jiti (a hidden folder).
  • Rename viewpoint.exe to viewpoint.old.
This is the item to fix in HijackThis.

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe



Below is my All Clear Message for Securing your system:

**Please post back that you've read this and are clear to close this topic; or if there are any remaining issues.**


Reset hidden settings
    * Double-click on the "My Computer" icon.
    * Select the "Tools" menu and click "Folder Options".
    * After the new window appears select the "View" tab.
    * Uncheckmark in the checkbox labeled "Display the contents of system folders".
    * Under the "Hidden files and folders" section deselect the radio button labeled "Show hidden files and folders".
    * Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
    * Recheck the checkbox labeled "Hide protected operating system files".
    * Press the "Apply" button and then the "OK" button and exit My Computer.

**Turn off System Restore.**
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

Restart your computer

Turn ON System Restore
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Un-Check Turn off System Restore.
    Click Apply, and then click OK.



Before Surfing UPDATE XP
You can help the fight, report it at Malware Complaints
Stand Up and be Counted!

Some of your legitimate programs will leave .tmp files as they run. Clean these out regularly. Before running a scan is a good time.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit
XP Updates

Use the following and KEEP UPDATED atleast WEEKLY
Ad-AwareSE
Spybot S&D
CCleaner *Use With Caution* Do Not Use the Issues Catagory without Guidance*

Needed Firewall: Monitors traffic In and OUT Bound. Very Important. * Use Only One*
Zone Alarm
Kerio

Java Updates:
Java Update

Antivirus: *Use only one*
AVG FREE
AntiVir

Test open Ports:
SheildsUp (follow the links to Shield's-Up!)

Other Protection:
IE-Spyad
SpywareBlaster
SpywareGuard
WinPatrol

*How on earth did I get infected in the first place?
Read Here

Also use online scanners as well; as some spyware/virus can disable your software. Check out these:

Housecall
ActiveScan by Panda
Kaspersky Online Scanner



**Keep IE Secure:
Make your Internet Explorer more secure - This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialise and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Thank You
Safe and Happy Surfing :)
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California
Top

Unread postby NonSuch » October 22nd, 2006, 11:41 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Top
Previous
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 520 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index