Cannot get rid of Chinese browser redirect


  • This topic is locked
5 replies to this topic

#1 rhankin (Full Member, 2 posts)

Posted 09 June 2007 - 02:33 PM

I have many computers that have been infected by an unknown virus. It was probably from an ANI exploit. All of the computers had numerous infections with everything from PWStealer.LLA to Threat-HLLIN with a process running with the name 1explore.exe.

We have been able to eliminate the viruses, but now there is an issue we cannot seem to get a handle on. Whether it is Firefox or IE, both get an initial redirect to 6688.89111.cn which attempts to exploit the system with Exploit.Win32.IMG-ANI.gen. It is especially bad on IE if I attempt to do Windows Update. Oddly, most sites still work, especially in Firefox.

I have scanned the systems with everything from ComboFix and HiJackThis to CureIt, Kaspersky, NOD32, AVG, and F-Prot. Nothing sees any current infection.

I have reset TCP/IP and Winsock. I have even replaced the tcpip.sys, mswsock.dll, wsock32.dll and wininet.dll files. I have run rootkit detection. I have checked DNS and the hosts files. I have reinstalled Service Pack 2 and even attempted to upgrade some of the machines to IE 7, hoping it would overwrite the issue. At this point I am starting to run out of ideas.

Any assistance would be greatly appreciated. I have attached ComboFix and HiJackThis logs below from one of the computers.

Here is the ComboFix log:

"rhankin" - 2007-06-09 10:21:28 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\rhankin\Desktop\"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\regedit.com
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\wpcap.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-09 02:39 <DIR> d-------- C:\I386
2007-06-09 00:31 <DIR> d-------- C:\!KillBox
2007-06-09 00:27 <DIR> d-------- C:\!Submit
2007-06-09 00:05 359,040 --a------ C:\WINDOWS\system32\tcpip.sys
2007-06-09 00:03 359,040 --a------ C:\tcpip.sys
2007-06-09 00:03 22,528 --a------ C:\wsock32.dll
2007-06-06 13:42 <DIR> d-------- C:\Program Files\Microsoft Solutions
2007-06-06 13:42 <DIR> d-------- C:\DOCUME~1\rhankin\APPLIC~1\ORSLN
2007-06-06 11:00 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-06-04 17:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-05-25 11:18 425,984 --a------ C:\WINDOWS\system32\wodKeys.dll
2007-05-25 11:18 385,024 --a------ C:\WINDOWS\system32\wodSFTP.dll
2007-05-25 11:18 1,079,808 --a------ C:\WINDOWS\system32\we.dll
2007-05-25 11:18 <DIR> d-------- C:\Program Files\AceBIT
2007-05-25 11:12 <DIR> d-------- C:\Program Files\1&1
2007-05-17 11:53 <DIR> d-------- C:\DOCUME~1\rhankin\Shared
2007-05-17 11:53 <DIR> d-------- C:\DOCUME~1\rhankin\Incomplete
2007-05-17 11:52 <DIR> d-------- C:\DOCUME~1\rhankin\APPLIC~1\LimeWire
2007-05-17 11:44 <DIR> d-------- C:\DOCUME~1\rhankin\APPLIC~1\Viewpoint
2007-05-16 15:18 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-05-16 15:18 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-05-15 11:21 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-05-15 11:20 <DIR> d-------- C:\Program Files\MSBuild
2007-05-15 11:13 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-05-15 11:12 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-05-15 11:11 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-05-15 11:00 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-05-15 11:00 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-05-15 11:00 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-05-15 10:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-15 10:52 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-11 10:50 <DIR> d-------- C:\Program Files\Video Chat ActiveX Control
2007-05-11 10:38 <DIR> d-------- C:\Program Files\Banasoft
2007-05-10 19:10 92,672 --a------ C:\WINDOWS\system32\See32.dll
2007-05-10 19:10 57,856 --a------ C:\WINDOWS\system32\Fce32.dll
2007-05-10 19:10 57,856 --a------ C:\WINDOWS\Fce32.dll
2007-05-10 19:10 45,056 --a------ C:\WINDOWS\system32\offer.exe
2007-05-10 19:10 389,120 --a------ C:\WINDOWS\system32\ImgX4.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 09:42:16 13,312 ----a-w C:\WINDOWS\system32\ntvdmd.dll
2007-06-09 07:02:25 22,528 ----a-w C:\WINDOWS\system32\wsock32.dll
2007-06-09 07:02:01 245,248 ------w C:\WINDOWS\system32\mswsock.dll
2007-06-06 20:46:01 -------- d-----w C:\Program Files\Microsoft SQL Server
2007-05-25 18:18:01 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-11 16:49:10 -------- d-----w C:\Program Files\7-Zip
2007-03-22 16:33:58 186,443 ----a-w C:\WINDOWS\system32\atasnt40.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2006-08-14 17:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-15 10:52]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 05:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"Wise-FTP Scheduler"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2003-08-01 08:31]
"C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe"="1&1 EasyLogin HIDE" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewContextMenu"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoFileUrl"=1 (0x1)
"NoViewContextMenu"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoStartMenuEjectPC"=1 (0x1)
"NoTaskGrouping"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\rhankin\My Documents\My Pictures\bsg_cylon_1152.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"="C:\Program Files\Common Files\Stardock\MCPCore.dll" [2003-10-20 13:30]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* - NMSCFG

Contents of the 'Scheduled Tasks' folder
2007-06-09 17:00:09 C:\WINDOWS\tasks\rothwallpaper.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 10:33:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\Program Files\\1&1\\1&1 EasyLogin\\EasyLogin.exe"="\"1&1 EasyLogin\" HIDE"

Completion time: 2007-06-09 10:36:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 10:36

--- E O F ---


And here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:20, on 2007-06-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng7.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Documents and Settings\rhankin\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O9 - Extra button: Voyager - {9DA2F545-FDD0-432D-BA9C-5049C4B3C85A} - http://voyager.rothstaffing.com/login (file missing) (HKCU)
O9 - Extra button: Staging - {E8528652-C09D-47E7-9AA2-835A1E65F89A} - http://staging.rothstaffing.com/login (file missing) (HKCU)
O9 - Extra button: Intrepid - {F6957797-7144-4505-88E5-738F8EAD4B48} - http://www.rothstaffing.com/login (file missing) (HKCU)
O15 - Trusted Zone: *.ceridian.com
O15 - Trusted Zone: vcgreport.vcg.net
O15 - Trusted Zone: *.vcgreport
O15 - Trusted Zone: http://*.vcgsoftware.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://vcgdemo.vcgso...ca32/wficac.cab
O16 - DPF: {29EF91B9-7120-477C-A5CB-2D67F2FD088C} (TeleControl Class) - https://10.1.1.23/wrc.cab
O16 - DPF: {50580095-16DB-4B28-BCFC-70989E09AA5F} (XTunnelCtrl Class) - https://office.roths...com/XTunnel.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft Terminal Services Client Control (redist)) - http://ts/msrdp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://learncenter....bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rothstaffing.net
O17 - HKLM\Software\..\Telephony: DomainName = rothstaffing.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D45A402-351E-4D97-997E-C8D3DA1CB1C6}: Domain = rothstaffing.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rothstaffing.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rothstaffing.net,rothstaffing.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D45A402-351E-4D97-997E-C8D3DA1CB1C6}: Domain = rothstaffing.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rothstaffing.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rothstaffing.net,rothstaffing.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D45A402-351E-4D97-997E-C8D3DA1CB1C6}: Domain = rothstaffing.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rothstaffing.net,rothstaffing.com
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\rhankin\My Documents\My Pictures\bsg_cylon_1152.jpg

--
End of file - 7192 bytes

Thanks again for your assistance,

Robert

#2 SWI Support Robot (Helper robot, 23,523 posts)

Posted 12 June 2007 - 06:32 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Sempurna (Forum Deity, Retired Staff, 3,838 posts)

Posted 15 June 2007 - 10:45 AM

Hi rhankin,

Welcome to SpywareInfo! :wave:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s what we do first.

Please delete your current copy of ComboFix and download a new copy. Then, please delete the C:\ComboFix folder. And, then please run a scan with the new copy of ComboFix and post the log that it creates.


NEXT:

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download SDFix by AndyManchesta and save it to your desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix).

Please then reboot your computer into Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in "Safe Mode", then press "Enter".
  • Choose your usual account.
Once in Safe Mode, please do the following:
  • Open the extracted C:\SDFix folder and double-click on RunThis.bat to start the script.
  • Type "Y" to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished", press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum.

NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O15 - Trusted Zone: *.ceridian.com
O15 - Trusted Zone: vcgreport.vcg.net
O15 - Trusted Zone: *.vcgreport
O15 - Trusted Zone: http://*.vcgsoftware.com



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download DelDomains by WinHelp2002:
  • Save the file to the desktop. Then go to the desktop, right-click on DelDomains.inf, and choose Install.
  • You may not see any noticeable changes or prompts; this is normal.
  • Then please restart your computer, and post a new HijackThis log. You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot – Search & Destroy after doing this.

NEXT:

Please download ResetProtocolDefaults by WinHelp2002 and save it to your desktop:
  • Locate ResetProtocolDefaults.reg which should be on your desktop.
  • Right-click and select Merge.
  • OK the prompt.

NEXT:

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we knew in 2006; read this article: http://www.clickz.co...cle.php/3561546

Additional info: http://vil.nai.com/v...nt/v_137262.htm

I suggest you remove the program now. Go to Start -> Control Panel -> Add/Remove Programs and remove the following programs (if present):

Viewpoint
Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar



If you have problems with Viewpoint regenerating after uninstallation, then please follow these instructions:

Open AOL and go to Help on the toolbar. Select About AOL. Next is the SECRET STEP. You must then press Ctrl + D to access a "secret" panel to disable all of the desktop and IM fancy features that are associated with viewpoint. This is the only way to prevent AOL from re-installing Viewpoint at AOL startup.



NEXT:

For this next step, please ensure that ComboFix.exe is on your desktop:
  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    (start copying from "File::")


    File::
    C:\WINDOWS\system32\See32.dll
    C:\WINDOWS\system32\ImgX4.dll
    
    Folder::
    C:\DOCUME~1\rhankin\APPLIC~1\Viewpoint
    

  • Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.


    (screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe)


  • Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please download AVZ Antiviral Toolkit and save it to your desktop.

(It would be advisable to use a download manager to retrieve the program, as the download can be quite slow. If you do not have a download manager, I would recommend you to choose one of the more reputable programs from HERE.)
  • Unzip the folder you just downloaded (right-click on the folder and select "Extract All") and place it on your desktop.
  • Open the AVZ folder, and double-click on avz.exe to run the tool.
  • You would first need to update the virus definitions of the tool by going to the "File" menu and selecting "On-line automatic update".
  • Once the update has finished, go to the "Search range" tab:
    • Select ALL local drives for scanning.
    • Leave all the other options there at their default settings.
  • In the "Healing method" section:
    • Select "Perform healing".
    • UNSELECT "Heuristic file deletion".
    • Select "Copy deleted files to "Infected" folder".
    • UNSELECT "Copy suspicious files to Quarantine".
    • Leave all the other options there at their default settings.
  • Then go to the "File types" tab:
    • Select "All files".
    • Leave all the other options there at their default settings.
  • Go to the "Search parameters" tab:
    • Ensure that "Heuristic analysis" is set to "Medium heuristics level".
    • Select "Search for TCP/UDP ports used by Trojan horses".
    • Leave all the other options there at their default settings.
  • Now click the "Start" button to begin a scan with AVZ.
  • Once the scanning has started, you will notice a progress meter running on the left, and the number of files scanned and the time remaining to complete the scan in the lower-right corner.
  • Once the scan has completed, go to the "File" menu and select "Save log" (make sure to remember where you saved that file, this is important!).
Close AVZ Antiviral Toolkit and please post the contents of the avz_log.txt file that you saved in your next reply.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan located at C:\ComboFix.txt and C:\ComboFix2.txt.
  • The log from the SDFix scan.
  • The log from the AVZ Antiviral Toolkit scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
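The helper's HijackThis fix list above singles out the O15 Trusted Zone and ProtocolDefaults entries, and the ComboFix log shows WinPcap components (npf.sys, wpcap.dll, packet.dll, the rpcapd service) on a workstation. The triage script below is an added example, not a tool from this thread or from the HijackThis project: it parses HijackThis-style lines and flags those same entry classes, using constructed sample lines modelled on the posted log. The severity labels and marker list are my own assumptions.

```python
"""Triage HijackThis-style log lines for the entry classes discussed in this thread.

Added example; the severities, reasons and PCAP_MARKERS are assumptions, not HijackThis output.
"""
import re

# An HijackThis entry looks like "O15 - Trusted Zone: *.example.com".
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# WinPcap packet-capture stack components (assumed marker list). ComboFix removed
# npf.sys, packet.dll and wpcap.dll from the poster's machine; on an ordinary
# workstation a capture/injection stack is worth a close look.
PCAP_MARKERS = ("winpcap", "rpcapd", "npf.sys", "wpcap.dll", "packet.dll")

# Constructed sample, modelled on lines from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O15 - Trusted Zone: *.ceridian.com
O15 - Trusted Zone: http://*.vcgsoftware.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


def parse_line(line):
    """Return (section, body) for an HijackThis entry, or None for any other text."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage(log_text):
    """Walk a log and return findings as (severity, section, reason, body) tuples."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        low = body.lower()
        if section == "O15" and low.startswith("protocoldefaults") and "should be" in low:
            # A protocol mapped into My Computer Zone runs with far weaker IE restrictions;
            # this is what the ResetProtocolDefaults.reg step in the thread corrects.
            findings.append(("high", section, "protocol mapped to a weaker IE zone than its default", body))
        elif section == "O15" and low.startswith("trusted zone"):
            # Wildcard entries trust every host under a domain, so rank them higher.
            wildcard = "*" in body
            reason = "site added to IE Trusted Zone" + (" (wildcard)" if wildcard else "")
            findings.append(("medium" if wildcard else "low", section, reason, body))
        elif section == "O23":
            if any(marker in low for marker in PCAP_MARKERS):
                findings.append(("high", section, "packet capture component registered as a service", body))
            elif "unknown owner" in low or "(file missing)" in low:
                findings.append(("medium", section, "service with no publisher or missing binary", body))
        elif section == "R0" and "about:blank" in low:
            findings.append(("info", section, "blank start page (commonly left behind by a cleanup)", body))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 2, 'info': 1}."""
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, section, reason, body in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {reason}\n         {body}")
    print(summarize(triage(SAMPLE_LOG)))
```

Entries that the script does not flag (the Google Toolbar BHO, the AVG service) pass through silently, so the output is only the lines a helper would ask about.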

#4 rhankin (Full Member, 2 posts)

Posted 20 June 2007 - 03:41 PM

Hi, thank you for your reply. We were able to remove it from our computers. It turns out the virus was broadcasting an iframe to our various subnets, which attempted to exploit the computers.

#5 Sempurna (Forum Deity, Retired Staff, 3,838 posts)

Posted 20 June 2007 - 10:29 PM

Hi rhankin, :wave:

You're most welcome, rhankin. :)

I take it that the problem is now resolved? If it is, we will be closing this thread in a few days.

#6 Sempurna (Forum Deity, Retired Staff, 3,838 posts)

Posted 25 July 2007 - 07:39 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.