
HJT Log, possible Spyware problems? ATDMT/Atwola


  • This topic is locked

#1 SciFi (Member, 11 posts)
I've recently installed Norton Internet Security 2007/Norton Anti-Virus. Being the paranoid person that I am, I started to check the logs on my Network Connections under the Statistics. I kept seeing the same name pop up... ATDMT. I did a little research on it, and learned that it's a cookie that tracks your browser history. Most people that had the cookie complained that when they opened their web browser, they saw "view.atdmt" or something similar to it at their Status Bar. I've never seen anything like that, to my knowledge, but I would like to know if it's dangerous for it to be connected to my computer at any time?

I've also seen something called "atwola", which I believe is an advertisement company... same with Doubleclick. I also get one called "adsdk". Could any computer guru check my logfile for me and see if there's anything I need to worry about? :whistling:

I've run Spybot, Spyhunter, Norton and Ad-Aware, and none of them have picked up on anything (connected to these particular ones). Any help would be appreciated. Thanks again!

Edited by SciFi, 04 December 2006 - 09:20 PM.



#2 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello and welcome to Geeks to Go

I have just checked your HJT log and all looks fine, but you could do with updating your Java.

Updating Java and Clearing Cache
  • Go to Start > Control Panel and double-click the Java icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java, then reboot.
  • If you are unable to update, you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache. Leave ALL 3 checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
On the subject of tracking cookies, you should install MVPS Hosts which should take care of most of them. The hosts file is updated about every two weeks, so bookmark it and return once a month to renew it.

MVPS Hosts file: This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.

#3 SciFi (Topic Starter, Member, 11 posts)
Thanks so much. :blink: I'm updating my Java now, as well as downloading MVPS Hosts.

Real quick, should I be concerned about ATDMT/Atwola/adsdk.com? Are they dangerous to my computer (as in collecting personal information), or are they just adware? The sites I visit don't usually show ads, so I'm wondering if they are installed somewhere and tracking my history :whistling:

#4 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
If you work as an FBI agent, MI5, Mossad or KGB, then you should be concerned, otherwise no, they are not malicious.

You can stop cookies downloading to your PC, but you'll find that surfing becomes quite difficult as so many sites rely upon them. I suppose you could also download Spyware Blaster; it doesn't conflict with anything and it's a little more security.

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.

#5 SciFi (Topic Starter, Member, 11 posts)
It's entirely possible. :whistling: The only reason it concerns me is because I wouldn't want information logged or anything. :blink:

Thanks again! You've been a great help.

Edited by SciFi, 04 December 2006 - 04:07 PM.


#6 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
You are welcome.

I will leave this thread open for a few days.

#7 SciFi (Topic Starter, Member, 11 posts)
Just to verify, these cookies don't actually log any of my information, correct? Such as... credit cards, etc?

#8 SciFi (Topic Starter, Member, 11 posts)
On Network Connections (Norton Internet Security/Anti-virus), I keep seeing the same IP pop up.

212.7.7.148

When I do a search for it, it brings up this:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 212.0.0.0 - 212.255.255.255
CIDR: 212.0.0.0/8
NetName: RIPE-NCC-212
NetHandle: NET-212-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1997-11-14
Updated: 2005-08-03

Should I be worried that they're showing up in the logs? I haven't gone to any websites connected to them, and I've seen them show up on more than one occasion... I've looked it up on Google and a lot of people have said they had hacker attempts coming from that IP.

I went to http://www.ripe.net/perl/whois and checked the IP. This came up, as well.

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/...l-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '212.7.7.128 - 212.7.7.191'

inetnum: 212.7.7.128 - 212.7.7.191
netname: COLOCATION-POOL7-3
descr: AS INFONET
country: EE
admin-c: AL81-RIPE
tech-c: KB193-RIPE
status: ASSIGNED PA
mnt-by: INFONET-MNT
source: RIPE # Filtered

person: Andrei Leshkin
address: INFONET AS
address: 8 Suurtuki str
address: Tallinn EE0004
address: Estonia
phone: +372-640-0000
fax-no: +372-640-0064
e-mail: [email protected]
nic-hdl: AL81-RIPE
source: RIPE # Filtered

person: Konstantin Barinov
address: AS INFONET
address: 8 Suurtuki str
address: Tallinn EE0004
address: Estonia
phone: +372 640-0000
fax-no: +372 640-0064
e-mail: [email protected]
nic-hdl: KB193-RIPE
source: RIPE # Filtered

% Information related to '212.7.0.0/19AS8728'

route: 212.7.0.0/19
descr: AS INFONET
descr: 8 Suurtuki str
descr: Tallinn EE0004
descr: Estonia
origin: AS8728
mnt-by: INFONET-MNT
source: RIPE # Filtered


Here is my log file.

Logfile of HijackThis v1.99.1
Scan saved at 2:49:01 AM, on 12/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\techbox\techbox.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Lexmark P910 Series\lxbymon.exe
C:\Program Files\Lexmark P910 Series\ezprint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\lxbycoms.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mortons-PC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O1 - Hosts: [Win32/Adware.180Solutions]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [LXBYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbymon.exe] "C:\Program Files\Lexmark P910 Series\lxbymon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEB317FB-A52E-4CE7-9ECD-5CCCDAA9B9CE}: NameServer = 12.20.136.2,12.20.136.3
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Edited by SciFi, 05 December 2006 - 02:24 AM.


#9 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Correct, cookies are simple text files that merely tell a site that you have been there before. I scanned your HJT log for "keyloggers", which are the common cause of password stealing, and found none.

#10 SciFi (Topic Starter, Member, 11 posts)
Could you possibly help me with another problem? I've put another post up... it's kind of urgent. :S


#11 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
The job of a firewall is to stop any attempts by other sites to gain access to your PC. If you start checking every attempt, you will end up worrying yourself sick.

Here's my suggestion to you.

Install MVPS Hosts file.

Install Spyware Blaster.

Check your firewall.

MVPS Hosts file: This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.

Shields-Up: Go to http://www.grc.com/default.htm and follow the links for Shields Up. When you get to the test page, choose ALL SERVICE PORTS.

Let's hope you are completely stealthed.

Edited by Crustyoldbloke, 05 December 2006 - 02:54 AM.


#12 SciFi (Topic Starter, Member, 11 posts)
Have you ever seen this IP or heard of this before? I'm getting a bit frantic.

#13 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
No, I can't say I recognise this one in particular, but there are literally thousands of them attempting to find unprotected PCs to gain them entry. There is no evidence in your HJT log that they have achieved that. Check your O17 entry.
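The points raised across this thread (the O17 NameServer entry, the O1 Hosts line, and O23 services marked "(file missing)") can be pulled out of a HijackThis log mechanically. The checker below is an added example written for this page, not code from the thread or from HijackThis; the sample lines are copied from the log posted above, and the "expected DNS" set is an assumption standing in for whatever resolvers your ISP or router actually assigns.

```python
import re

# Constructed sample input: a few lines in HijackThis v1.99.1 format, copied
# from the log posted earlier in this thread (not a complete log).
SAMPLE_LOG = r"""
O1 - Hosts: [Win32/Adware.180Solutions]
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEB317FB-A52E-4CE7-9ECD-5CCCDAA9B9CE}: NameServer = 12.20.136.2,12.20.136.3
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Every HJT entry is "<section> - <body>", where the section is R0-R3, F0-F3 or O1-O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def nameservers(entries):
    """DNS servers listed in O17 entries ("...: NameServer = a,b")."""
    servers = []
    for section, body in entries:
        if section == "O17" and "NameServer = " in body:
            value = body.partition("NameServer = ")[2]
            servers.extend(ip.strip() for ip in value.split(",") if ip.strip())
    return servers


def hosts_entries(entries):
    """What HJT reports about the HOSTS file (O1 entries)."""
    return [body for section, body in entries if section == "O1"]


def missing_services(entries):
    """Display names of O23 services whose binary HJT could not find."""
    names = []
    for section, body in entries:
        if section == "O23" and body.endswith("(file missing)"):
            head = body.split(" - ")[0]   # "Service: <display name> (<short name>)"
            names.append(head[len("Service: "):])
    return names


def review(text, expected_dns):
    """Summarise the O17, O1 and O23 points raised in the thread for one log."""
    entries = parse_hjt(text)
    dns = nameservers(entries)
    return {
        "dns_servers": dns,
        # Resolvers not handed out by your ISP or router deserve a closer look.
        "unexpected_dns": [ip for ip in dns if ip not in expected_dns],
        "hosts": hosts_entries(entries),
        "missing_services": missing_services(entries),
    }
```

Run `review(SAMPLE_LOG, {"12.20.136.2", "12.20.136.3"})` with the resolvers you expect; anything listed under `unexpected_dns` is what the "check your O17 entry" advice is about, and the hosts and missing-service lists give you the other two things to eyeball.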

#14 SciFi (Topic Starter, Member, 11 posts)
When I ran the scan earlier to check my computer, it said my HTTP and another were open... is there a way to fix that?

#15 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Sorry, but I don't understand your last post.

Have you carried out my recommendations yet?

What did Shields Up tell you?

This is a malware forum, you may be better served by using a different forum.