bholder (October 6, 2007):
So I got fooled into trying to apply a new DivX codec, which seems to have loaded up this damned "SystemDefender" malware on my home laptop. Pain in the ass, keeps telling me I'm infected and hijacking me off to their site to try to get me to buy their "cleaner". I started up Symantec, it found it and quarantined it, but the damned thing's got itself wormed into Windows system restore. Anyone know how to get rid of it? I imagine it left something in the registry, but how do I find it?
bholder (October 6, 2007):
Crap, it looks like SystemDefender is gone, but there's something else left behind that Symantec isn't picking up so far. If I ever get my hands on one of the little bastards that writes this crap, the results will not be pretty.
HackedByChinese! (October 6, 2007):
Grab this, run it, and post the logfile it will create: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Then, get rid of Norton and install the trial version of NOD32 from ESET: http://www.eset.com/download/index.php and run it. If you're going to be paying for an AV solution, NOD32 is probably the best there is, and it's not a resource hog like Norton.
bholder (October 6, 2007):
It's not a choice, unfortunately, I have to stick with Symantec for work reasons.
HackedByChinese! (October 6, 2007):
> It's not a choice, unfortunately, I have to stick with Symantec for work reasons.
That sucks. Go ahead and run the first program anyway; if there are any lasting changes that this stuff made, it should turn them up.
bholder (October 6, 2007):
Ok, here's the logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:04 AM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rpcsb.exe
c:\sdwork\issimsvc.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MegaSoundRecorder\Mega Sound Recorder.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CNN Pipeline\CNN.VideoNet.App.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Clipomatic\Clipomatic.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\yProxy\yProxy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPC32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {3ADCBC16-19FA-4C59-9C22-E17C71B5FD7A} - C:\WINDOWS\ndsronw.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: The netadv - {ABF529BE-6245-465A-BBD4-238C4EAB0F0A} - C:\WINDOWS\netadv.dll
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [iBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [iSSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\C4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [NPDTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PATHPILOT] C:\Program Files\MegaSoundRecorder\Mega Sound Recorder.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CNN.Pipeline.Alerter] "C:\Program Files\CNN Pipeline\CNN.VideoNet.App.exe" /cnndriver:startapp alerter
O4 - HKCU\..\Run: [Mega Sound Recorder] C:\Program Files\MegaSoundRecorder\Mega Sound Recorder.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clipomatic.lnk = C:\Program Files\Clipomatic\Clipomatic.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O4 - Global Startup: yProxy.lnk = C:\Program Files\yProxy\yProxy.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\om89zjw7.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\om89zjw7.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O11 - Options group: [JAVA_IBM] Java (IBM)
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: msvb - {0837F1F8-E35A-4A4A-8AA6-8881992FC6B6} - C:\WINDOWS\msvb.dll
O21 - SSODL: sysdx - {F6F6727C-04D8-4AED-A928-A7CF73503F5D} - C:\WINDOWS\sysdx.dll
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 16889 bytes
bholder (October 6, 2007):
(had to split it in two pieces to post)
HackedByChinese! (October 6, 2007):
What was the site this was from? On first glance, the log is large, but seems OK.
bholder (October 6, 2007):
I have no idea where I picked this crap up from. The logfile was generated by that HijackThis program, as you suggested. I ran the free version of SpyHunter, which claims to be able to find and remove this crap, and sure found lots of suspicious stuff, but of course, they want you to pay for the version that'll actually do the removal. For all I know, they could be scammers too. I'll have some choice feedback to Symantec for not finding and handling this better. They're getting paid big bucks to make sure this doesn't happen.
DevilRaysFan (October 6, 2007):
> So I was downloading porn and looking for some whack lotion, which seems to have loaded up this damned "SystemDefender" malware on my home laptop. .....
The truth shall set you free
bholder (October 6, 2007):
> The truth shall set you free
Coulda been something like that, yeah, or a bunch of other things.
HackedByChinese! (October 6, 2007):
> I have no idea where I picked this crap up from. The logfile was generated by that HijackThis program, as you suggested. I ran the free version of SpyHunter, which claims to be able to find and remove this crap, and sure found lots of suspicious stuff, but of course, they want you to pay for the version that'll actually do the removal. For all I know, they could be scammers too. I'll have some choice feedback to Symantec for not finding and handling this better. They're getting paid big bucks to make sure this doesn't happen.
They won't give a {censored}. You can try, though. Another free, good spyware scanner that you won't have to pay to use is Lavasoft's Ad-Aware. Run that and see if it's of any help. SpyHunter appears to be an absolutely terrible piece of software, and I wouldn't give them a cent.
ranjaman (October 6, 2007):
You've got a bunch of crap installed, nasty crap too, adaware and spybot can't remove these (yet).

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: The netadv - {ABF529BE-6245-465A-BBD4-238C4EAB0F0A} - C:\WINDOWS\netadv.dll

Viewpoint is spyware and netadv.dll is probably causing the mediadefender popups. Removing these completely is gonna take some work.

Viewpoint:
1) Kill the C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe process with the task manager.
2) Unregister these DLLs with regsvr32.exe: ViewBar.dll, ViewBarBHO.dll, SWFView.dll, AxMetaStream.dll. Then reboot.
3) Now the fun part: start regedit.exe and search for any of these items:
ViewpointSearchBar Viewpoint Viewpoint Manager ViewpointSearchBar Viewpoint Viewpoint ViewBarBHO.BHO ViewBarBHO.BHO.1 ViewBar.ViewBar ViewBar.ViewBar.1 AxMetaStream.MetaStreamCtl AxMetaStream.MetaStreamCtl.1 AxMetaStream.MetaStreamCtlSecondary AxMetaStream.MetaStreamCtlSecondary.1 Viewpoint ViewBarBHO.BHO ViewBarBHO.BHO.1 ViewBar.ViewBar ViewBar.ViewBar.1 AxMetaStream.MetaStreamCtl AxMetaStream.MetaStreamCtl.1 AxMetaStream.MetaStreamCtlSecondary AxMetaStream.MetaStreamCtlSecondary.1 @viewpoint.com/VMP ViewpointPermissionChecker2 &Viewpoint Search ViewpointSearchBar Viewpoint Manager ViewpointMediaPlayer {A7327C09-B521-4EDB-8509-7D2660C9EC98} MetaStream3 MetaStream {1B00725B-C455-4DE6-BFB6-AD540AD427CD} {A7327C09-B521-4EDB-8509-7D2660C9EC98} {F8AD5AA5-D966-4667-9DAF-2561D68B2012} {03F998B2-0E00-11D3-A498-00104B6EB52E} {1B00725B-C455-4DE6-BFB6-AD540AD427CD} {F0ED1949-59F9-447D-A8B9-FBDCEBC85198} {E060D9D9-E979-4C2F-A840-BE5150F84AC5} {9DBB28C1-1925-11D3-A498-00104B6EB52E} {A7327C09-B521-4EDB-8509-7D2660C9EC98} {F8AD5AA5-D966-4667-9DAF-2561D68B2012} {03F998B2-0E00-11D3-A498-00104B6EB52E} {1B00725B-C455-4DE6-BFB6-AD540AD427CD} {F0ED1949-59F9-447D-A8B9-FBDCEBC85198} {E060D9D9-E979-4C2F-A840-BE5150F84AC5} {9DBB28C1-1925-11D3-A498-00104B6EB52E}
If you find any of them, delete.
4) Delete the C:\Program Files\Viewpoint and C:\Program Files\Common Files\Viewpoint directories.

It might be a good idea to search your hard drive for other AxMetastream and Viewpoint files and directories and delete them (just use the Windows file search).
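The checks the thread makes by eye on bholder's log (modules that load from the bare Windows directory, the broken NewDotNet LSP entry, the CLSIDs ranjaman lists for Viewpoint, the hijacked Start Page) are easy to automate. The Python below is an added example, not code from the thread or from any of its posters or tools: it parses HijackThis v2 lines and reports which entries deserve a look, and only reports. The sample lines are constructed to mirror entries from the log above; the set of trusted home-page hosts and the "flag anything loading from the Windows root" heuristic are assumptions a reviewer would tune for the machine in front of them.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 format, modelled on the thread's log with
# the backslashes the forum software stripped put back. Not the real log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {3ADCBC16-19FA-4C59-9C22-E17C71B5FD7A} - C:\WINDOWS\ndsronw.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: The netadv - {ABF529BE-6245-465A-BBD4-238C4EAB0F0A} - C:\WINDOWS\netadv.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O21 - SSODL: msvb - {0837F1F8-E35A-4A4A-8AA6-8881992FC6B6} - C:\WINDOWS\msvb.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"'\n]*?\.(?:dll|exe)", re.IGNORECASE)

# CLSIDs taken from ranjaman's Viewpoint removal list in the thread.
KNOWN_BAD_CLSIDS = {
    "{A7327C09-B521-4EDB-8509-7D2660C9EC98}",
    "{F8AD5AA5-D966-4667-9DAF-2561D68B2012}",
    "{03F998B2-0E00-11D3-A498-00104B6EB52E}",
    "{1B00725B-C455-4DE6-BFB6-AD540AD427CD}",
    "{F0ED1949-59F9-447D-A8B9-FBDCEBC85198}",
    "{E060D9D9-E979-4C2F-A840-BE5150F84AC5}",
    "{9DBB28C1-1925-11D3-A498-00104B6EB52E}",
}
# Assumption: the hosts the machine's owner actually chose as home page.
TRUSTED_START_HOSTS = {"www.yahoo.com"}


@dataclass
class Entry:
    section: str                 # "R0", "O2", "O23", ...
    text: str                    # everything after "O2 - "
    clsid: str | None = None     # {GUID} if the line carries one
    path: str | None = None      # first drive-letter path ending in .dll/.exe
    reasons: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Entry]:
    """Turn HijackThis lines into Entry records; header/process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        guid = GUID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(section, body,
                             guid.group(0).upper() if guid else None,
                             path.group(0) if path else None))
    return entries


def loads_from_windows_root(path: str) -> bool:
    """True when a module sits directly in the Windows directory rather than in
    system32 or a program's own folder. Legitimate BHOs, toolbars and shell
    objects almost never live there; every bad module in the thread's log does."""
    return re.fullmatch(r"[a-z]:\\windows", ntpath.dirname(path).lower()) is not None


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach a reason to each suspicious entry and return only those entries."""
    flagged = []
    for e in entries:
        if e.section in {"O2", "O3", "O21"} and e.path and loads_from_windows_root(e.path):
            e.reasons.append("shell or browser extension loads from the Windows directory root")
        if e.clsid in KNOWN_BAD_CLSIDS:
            e.reasons.append("CLSID is on the Viewpoint removal list")
        if e.section == "O10":
            e.reasons.append("LSP chain references a missing provider")
        if e.section in {"R0", "R1"} and "Start Page" in e.text:
            url = e.text.split("=", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_START_HOSTS:
                e.reasons.append(f"start page points at untrusted host {host}")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section}: {e.text[:72]}")
        for r in e.reasons:
            print(f"    -> {r}")
```

On the sample this flags six of the nine entries and leaves the Adobe BHO, the HKLM Yahoo start page and the Symantec service alone. Paste a real log into SAMPLE_LOG (or read it from a file) and extend KNOWN_BAD_CLSIDS with whatever the thread's later posts identify; the actual removal (regsvr32 /u, registry deletion, the Safe Mode steps) stays a manual decision, as ranjaman's instructions describe.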
King Kashue (October 6, 2007):
> Another free, good spyware scanner that you won't have to pay to use is Lavasoft's Ad-Aware. Run that and see if it's of any help. SpyHunter appears to be an absolutely terrible piece of software, and I wouldn't give them a cent.
Spybot Search and Destroy is good as well, AVG has an anti-spyware, and surprisingly, Microsoft's antispyware is solid. I run all four. Go for the scattergun approach.
ranjaman (October 6, 2007):
You might want to copy this to a txt file or print it, because you can't use your internet connection in Safe Mode.

Netadv.dll:
1) Download SmitFraudFix
2) Reboot into Safe Mode
3) Run HijackThis and check:
O3 - Toolbar: The netadv - {ABF529BE-6245-465A-BBD4-238C4EAB0F0A} - C:\WINDOWS\netadv.dll
Then click Fix checked.
4) Delete the file C:\WINDOWS\netadv.dll
5) Run SmitFraudFix, select option 2, this will probably replace wininet.dll.
6) Reboot into normal mode if SmitFraudFix doesn't do it for you.
7) Go to Control Panel > Display properties > Desktop > Customize Desktop > Web tab. Select "Privacy Protection" if you find it in there and delete it.
8) Start SmitFraudFix again, select the 3rd option and let it restore the trusted zone by pressing y after that.

It should be fixed now, but just to make sure, post a new HijackThis log here and also the SmitFraudFix log (c:\rapport.txt).
Perfessor (October 6, 2007):
bholder, I use Spybot Search and Destroy. It finds things that Symantec misses. It was a free download, too, at the recommendation of an AT&T Yahoo tech. It works. Supposedly now the spies can act like viruses and the viruses can act like spies, something which happened in the last year. Spybot gets rid of them.
bholder (October 6, 2007):
Things are looking better, thanks. I thought I had AdAware installed already, but I guess not. Not sure which one of the above did the trick, but the popups have stopped for now. FWIW, Spybot Search and Destroy and Spywarebot Search and Destroy are two very different things: if you do a Google for the former, the latter shows up at the top of the list, but beware, the latter is just another one of these malware programs that takes you to their site to get a paid license for their product. {censored}ing scammers need to die painfully.
bholder (October 6, 2007):
After a reboot, all seems happy and normal again (and a bit faster than even before this latest round). Thanks for the help, guys. KK, is Microsoft's antispyware something built-in I just have to turn on, or is that a separate download (and fee?)??
Mudbass (October 6, 2007):
That's what you get for shopping for DivX codecs at Mal-Mart.
King Kashue (October 6, 2007):
> After a reboot, all seems happy and normal again (and a bit faster than even before this latest round). Thanks for the help, guys. KK, is Microsoft's antispyware something built-in I just have to turn on, or is that a separate download (and fee?)??
Free, separate download (though depending on your Windows Update settings it may automatically install).
This topic is now archived and is closed to further replies.