Free Malware Removal Forum

[leekumkee]

Hey I left my computer on overnight and when I woke up I saw an open Outlook e-mail that looked extremely suspicious. I'm positive that I had not opened it myself the night before and the only reason I think it never sent anything was because I don't have my Outlook account linked to any e-mails. My friend told me about this site and I followed the instructions on the website so here is my hijackthis log. Anyone notice anything suspicious? Any help would be greatly appreciated. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 8:17:52 PM, on 1/9/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bryant0r\Desktop\HijackThis.exe

O1 - Hosts: 202.109.124.19 8008102299.com
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

[Kimberly]

Hello leekumkee,

Normally one should click on attachments to get infected, some are triggered from within the HMTL code ... Your hijackthis log doesn't show anything related to an infection, just a couple of items to fix. We'll do an online scan to see if anything else is present on the computer.

That said, I'm very surprised to see that you don't have :

• Any service packs installed so prolly no security updates either.
• no antivirus
• no firewall

And you are running p2p programs ... That is asking for trouble. You really need to do something about that.
______________________________

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online & their stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://www.malwareremoval.com/forum/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://www.malwareremoval.com/forum/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Service Pack and updates

1. Download and Install Windows Service Pack 1 from here:
   http://www.microsoft.com/downloads/deta ... 3443e29d78
   If the selected language is not correct, select the language you need from the dropdown box and click on the button labeled "Change".
   Save the file to your disk, disconnect from the Internet and unplug your modem and install SP1. Reboot as requested.
2. Connect to internet, go to http://windowsupdate.microsoft.com/ and install ALL Critical Updates except Service Pack 2

Please may I insist that your perform the above steps, for your own sake.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

O1 - Hosts: 202.109.124.19 8008102299.com
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab

Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto‑updating for the Viewpoint Manager ‑‑ the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

1. Click Start, point to Settings, and then click Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
4. Do the same for each Viewpoint component.

This is the item to fix in HijackThis.

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll

Start > Run > Type Cmd.exe and hit enter

Type each of the following lines followed by enter

sc stop "Viewpoint Manager Service"
sc delete "Viewpoint Manager Service"

Close the CMD window.
______________________________

Please do an online scan with Kaspersky Online Scanner

Notice!
A new version of Kaspersky Virus Scanner has been released on August 8, 2006. If you have installed a previous version, you must unistall that program first before installing the new version. To uninstall, please go to the computer control panel and select "Add/Remove Programs." Close all Internet Explorer windows before uninstalling the Kaspersky Online Scanner.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  
  • Scan using the following Anti-Virus database:
    
    • Extended (If available otherwise Standard)
  • Scan Options:
    
    • Scan Archives
    • Scan Mail Bases
• Click OK
• Now under select a target to scan select My Computer
• The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
• Now click on the Save Report As button:
  
  • Save the file to your desktop.
  • File Type: Text file (*.txt).
  • Name: Kav.txt for example
• Copy and paste that information in your next post.

Post the KAV results and a fresh HijackThis log please.

Kim

[NonSuch]

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.