Leila Posted April 13, 2009 ID:72878 Share Posted April 13, 2009 My computer was running slow and I ran a quick scan with Malewarebytes, which detected two trojan agents. When I clicked on remove, I was directed to re-boot my computer and the trojans would be removed on re-boot. After re-booting, I ran Malewarebytes again, and it detected the same two trojan agents. I've run Malwarebytes a number of times, re-booting after each scan, and the same two trojans appear:HKey_Local_machine/softwareC:\Windows\oqozugitixezo.dllHere's a scan of Hijack This:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:51:50 AM, on 4/13/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exeC:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Macromedia\Flash Media Server 2\FMSEdge.exeC:\Program Files\Macromedia\Flash Media Server 2\FMSCore.exeC:\WINDOWS\System32\nvsvc32.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\ALCXMNTR.EXEC:\Program Files\twc\medicsp2\bin\sprtcmd.exeC:\HP\KBD\KBD.EXEC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\twc\medicsp2\bin\sprtsvc.exeC:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Winamp3\winampa.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\wanmpsvc.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeC:\Program Files\iTunes\iTunesHelper.exeC:\windows\system\hpsysdrv.exeC:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\Program Files\America Online 7.0\aoltray.exeC:\Program Files\hp center\137903\Shadow\ShadowBar.exeC:\Program Files\hp center\137903\Program\BackWeb-137903.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://*.windowsupdate.comO16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cabO16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeO23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeO23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Flash Media Server (FMS) (FMS) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exeO23 - Service: Flash Media Administration Server (FMSAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exeO23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXEO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe--End of file - 10641 bytesAnd a scan of Malwarebytes:Malwarebytes' Anti-Malware 1.36Database version: 1975Windows 5.1.2600 Service Pack 34/13/2009 10:10:44 AMmbam-log-2009-04-13 (10-10-44).txtScan type: Quick ScanObjects scanned: 95357Time elapsed: 15 minute(s), 39 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfosugupiditemek (Trojan.Agent) -> Delete on reboot.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\oqozugitixezo.dll (Trojan.Agent) -> Delete on reboot. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 13, 2009 Staff ID:72902 Share Posted April 13, 2009 Hi,Please update malwarebytes once again and scan with it - reboot and post the log in your next reply Also, I see you have Viewpoint installed...Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.ViewpointViewpoint ManagerViewpoint Media Player Link to post Share on other sites More sharing options...
Leila Posted April 13, 2009 Author ID:72924 Share Posted April 13, 2009 Oops.................since my last scan with Malewarebytes earlier today, I now have more trojans. Here's the log file of my just completed scan:Malwarebytes' Anti-Malware 1.36Database version: 1976Windows 5.1.2600 Service Pack 34/13/2009 1:10:57 PMmbam-log-2009-04-13 (13-10-57).txtScan type: Quick ScanObjects scanned: 95548Time elapsed: 35 minute(s), 53 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 0Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 3Memory Processes Infected:(No malicious items detected)Memory Modules Infected:C:\WINDOWS\mcbyrfi.dll (Trojan.Vundo.VM1) -> Delete on reboot.Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfosugupiditemek (Trojan.Agent) -> Delete on reboot.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\mcbyrfi.dll (Trojan.Vundo.VM1) -> Delete on reboot.C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XY1X04IL\aff_15[1] (Trojan.Vundo.VM1) -> Quarantined and deleted successfully.C:\WINDOWS\iniqucihiciqu.dll (Trojan.Agent) -> Delete on reboot. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 13, 2009 Staff ID:72926 Share Posted April 13, 2009 Hi,Did you reboot? Please also post a new HijackThislog in your next reply Link to post Share on other sites More sharing options...
Leila Posted April 13, 2009 Author ID:72944 Share Posted April 13, 2009 Sorry about taking so long to respond. My computer was in the middle of it's scheduled anti-virus (Avira) scan, and it slowed down everything else. I've re-booted and did a scan with Hijack This. I've removed Viewpoint Manager and Viewpoint Media Player. The other program listed is Viewpoint Toolbar and when I clicked on remove, it gave me two options - permanently remove it, or leave some components to manage bookmarks. Which one should I opt for? Here's the Hijack this scan:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:03:26 PM, on 4/13/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exeC:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Macromedia\Flash Media Server 2\FMSEdge.exeC:\Program Files\Macromedia\Flash Media Server 2\FMSCore.exeC:\WINDOWS\System32\nvsvc32.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\twc\medicsp2\bin\sprtsvc.exeC:\WINDOWS\ALCXMNTR.EXEC:\Program Files\twc\medicsp2\bin\sprtcmd.exeC:\WINDOWS\System32\svchost.exeC:\HP\KBD\KBD.EXEC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exeC:\WINDOWS\wanmpsvc.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Winamp3\winampa.exeC:\Program Files\Common Files\Sonic\Update Manager\sgtray.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeC:\Program Files\iTunes\iTunesHelper.exeC:\windows\system\hpsysdrv.exeC:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\Program Files\America Online 7.0\aoltray.exeC:\Program Files\hp center\137903\Shadow\ShadowBar.exeC:\Program Files\hp center\137903\Program\BackWeb-137903.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://*.windowsupdate.comO16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cabO16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeO23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeO23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Flash Media Server (FMS) (FMS) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exeO23 - Service: Flash Media Administration Server (FMSAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exeO23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXEO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exeO23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe--End of file - 10426 bytes Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 13, 2009 Staff ID:72953 Share Posted April 13, 2009 Hi,Yes, permanently remove the Viewpoint toolbar.Then, check and fix next leftover in HijackThis:O4 - HKLM\..\Run: [realteczs] "C:\Documents and Settings\Owner\Application Data\Google\pfysw721318.exe" 2Let me know in your next reply how things are now. Link to post Share on other sites More sharing options...
Leila Posted April 13, 2009 Author ID:72966 Share Posted April 13, 2009 I've removed the Viewpoint Toolbar permanently, and removed the item from Hijack This and then ran another Malwarebytes quick scan. It's found no malicious objects!! Did this fix it? I have a couple of questions - my last Java update a few days ago included the Yahoo Toolbar. I don't use it and can't find a way to remove it as it's not on the Add/Remove Programs list. Is there a way to remove it? Secondly, I'm using Avira Anti-Virus, and wonder if I should be using something else?Here's the last Malwarebytes scan:Malwarebytes' Anti-Malware 1.36Database version: 1978Windows 5.1.2600 Service Pack 34/13/2009 3:00:18 PMmbam-log-2009-04-13 (15-00-18).txtScan type: Quick ScanObjects scanned: 95427Time elapsed: 18 minute(s), 41 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 13, 2009 Staff ID:72973 Share Posted April 13, 2009 Hi,I don't even see the Yahoo toolbar installed here though... and if I'm not mistaken, it's unchecked by default during the java install... so not sure if you have installed the Yahoo toolbar after all. Where do you see it? Because it's certainly not in IE.And yes, Avira Antivir is a great Antivirus, so I would keep that one anyway. I also see some AVG parts present here, so since you can only have one Antivirus, please uninstall AVG.Please read my Prevention page with lots of info and tips how to prevent this in the future.And if you want to improve speed/system performance after malware removal, take a look here.Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.Happy Surfing again! Link to post Share on other sites More sharing options...
Leila Posted April 13, 2009 Author ID:72983 Share Posted April 13, 2009 Thanks Mieke for all your help! I really appreciate it very much! I am noticing that my computer is running slower than usual, and will read your recommendations.The Yahoo Toolbar is at the top of my browser (FireFox), and I thought perhaps it was slowing down my computer. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 13, 2009 Staff ID:72985 Share Posted April 13, 2009 Aah, it's in your Firefox? Then look in your Firefox extensions and uninstall it from there.Click "Tools -> Add-ons > extensions and look for Yahoo Toolbar.Please uninstall AVG, because it causes an extra slowdown especially since you already have Avira installed.And you're most welcome Link to post Share on other sites More sharing options...
Leila Posted April 13, 2009 Author ID:73007 Share Posted April 13, 2009 Thanks again Mieke! I removed the AVG from the Add/Remove programs list, and I've been reading your page on speeding up the computer and removing some items from the start-up. It's already moving a little faster. My computer was a demo computer, the last model that was available in the store (Circuit City), and on sale. So there's items on the programs list that were used for demonstration that I don't use.I'm finding you page on prevention and how to improve computer speed very helpful! Again, thank you! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 13, 2009 Staff ID:73012 Share Posted April 13, 2009 You're most welcome Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 16, 2009 Staff ID:73704 Share Posted April 16, 2009 Since this issue appears resolved ... this Topic is closed.If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.Everyone else please begin a New Topic. Link to post Share on other sites More sharing options...
Recommended Posts