Vile_DR Posted March 16, 2005
I need some reassurance that my AV did its job and my Reg is clean with no infections. I was hit 2 days ago and after downloading the update for my AV (CA E-Trust AV) I was able to remove the worm(?), supposedly. Any help is appreciated. Thanks...

Logfile of HijackThis v1.99.1
Scan saved at 11:31:06 AM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\ViewPoint2\MSDE\Program\MSSQL$SNWL\Binn\sqlservr.exe
C:\ViewPoint2\viewpoint\sgmsvp1.exe
C:\ViewPoint2\viewpoint\sgmsvp2.exe
C:\ViewPoint2\Tomcat\bin\service.exe
C:\WINDOWS\System32\svchost.exe
C:\ViewPoint2\viewpoint\syslogd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dwade\Desktop\Procedures\Stuff\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost/sgms/login
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = It's The Internet Biatch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=121704 serial=WS12WTX-9999998-UYR lang=EN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://tsac.webdox.cc/msrdp.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static...h/weblaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = flightstarjax.com
O17 - HKLM\Software\..\Telephony: DomainName = flightstarjax.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{452C0E16-519F-4CF4-B956-7E0033721049}: NameServer = 192.168.100.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = flightstarjax.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = flightstarjax.com
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SNWL ViewPoint Scheduler - Unknown owner - C:\ViewPoint2\viewpoint\sgmsvp1.exe
O23 - Service: SNWL ViewPoint Summarizer - Unknown owner - C:\ViewPoint2\viewpoint\sgmsvp2.exe
O23 - Service: SNWL ViewPoint WebServer - Alexandria Software Consulting - C:\ViewPoint2\Tomcat\bin\service.exe
O23 - Service: SNWL ViewPoint Syslog Collector (syslogd) - Unknown owner - C:\ViewPoint2\viewpoint\syslogd.exe
Vile_DR Posted March 17, 2005
Anyone able to decipher whether I have infections still or anything else I can remove... Thanks
Dragon Posted March 17, 2005
Hi,
your log is pretty much clean but you still have some malware on your system.
First please disable your Microsoft anti-spyware tool.
Please go to Start > Control Panel > Add/Remove Programs and remove all aspects of Viewpoint from your system.
Next, open HijackThis and check the following entries, then, making sure all windows, including this one, are closed, click on Fix Checked.

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O23 - Service: SNWL ViewPoint Scheduler - Unknown owner - C:\ViewPoint2\viewpoint\sgmsvp1.exe
O23 - Service: SNWL ViewPoint Summarizer - Unknown owner - C:\ViewPoint2\viewpoint\sgmsvp2.exe
O23 - Service: SNWL ViewPoint WebServer - Alexandria Software Consulting - C:\ViewPoint2\Tomcat\bin\service.exe
O23 - Service: SNWL ViewPoint Syslog Collector (syslogd) - Unknown owner - C:\ViewPoint2\viewpoint\syslogd.exe

Then reboot into Safe Mode (you can do that by tapping F8 while your machine reboots) and delete the following files/folders if they are present:
C:\Program Files\Viewpoint\

Then post a fresh HijackThis log for final review.
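Added example, not code from this thread or from HijackThis itself: a small Python parser for the HijackThis log format that does mechanically what the reply above does by hand. It gathers every entry tied to one product name (here "Viewpoint") across the O3 toolbar, O4 Run key, O8 context menu and O23 service sections, so that an uninstall is checked against all of its autostart footholds rather than just one, and it separately lists entries HijackThis flagged as "(file missing)". The sample lines are copied from the log posted above; the section-code regex and the path heuristic are my assumptions about the log layout, not anything HijackThis documents. Whether a grouped product is legitimate (as the later replies conclude for the SonicWALL ViewPoint services) remains the reviewer's call; the code only makes sure nothing is overlooked.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: a handful of lines copied from the HijackThis 1.99.1
# log posted above, enough to cover the sections a reviewer cares about
# (O2 BHO, O3 toolbar, O4 Run key, O8 context menu, O23 service).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SNWL ViewPoint Scheduler - Unknown owner - C:\ViewPoint2\viewpoint\sgmsvp1.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# Every HijackThis entry starts with a section code such as "R1", "O4" or "O23"
# (assumed layout: "<code> - <body>").
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# A Windows path inside the entry: drive letter or %ProgramFiles% up to a
# binary/config extension. Lazy match, so "realmon.exe -s" stops at the .exe.
PATH_RE = re.compile(
    r'(?:[A-Za-z]:\\|%ProgramFiles%\\)[^"\r\n]*?\.(?:exe|dll|ocx|cab|sys|ini)',
    re.IGNORECASE,
)


@dataclass
class Entry:
    code: str                                   # section code, e.g. "O23"
    body: str                                   # text after "Oxx - "
    paths: List[str] = field(default_factory=list)
    file_missing: bool = False                  # HijackThis could not find the target


def parse_log(text: str) -> List[Entry]:
    """Turn raw log text into Entry objects, skipping header and process lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Logfile of ...", "Running processes:", bare paths, blanks
        body = m.group("body")
        entries.append(Entry(
            code=m.group("code"),
            body=body,
            paths=PATH_RE.findall(body),
            file_missing="(file missing)" in body,
        ))
    return entries


def entries_for_product(entries: List[Entry], keyword: str) -> List[Entry]:
    """All entries whose body mentions the product, case-insensitively.

    One install usually leaves a toolbar (O3), a Run key (O4), a context-menu
    item (O8) and services (O23); collecting all of them is what keeps a
    removal from leaving one foothold behind to relaunch the rest.
    """
    k = keyword.lower()
    return [e for e in entries if k in e.body.lower()]


def missing_file_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target no longer exists: dead registrations, harmless to clear."""
    return [e for e in entries if e.file_missing]


def persistence_by_section(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each autostart-type section (O3, O4, O23) to the binaries it launches."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        if e.code in ("O3", "O4", "O23"):
            out.setdefault(e.code, []).extend(e.paths)
    return out


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in entries_for_product(parsed, "viewpoint"):
        print(f"{e.code:<4} {e.paths[0] if e.paths else e.body}")
    for e in missing_file_entries(parsed):
        print(f"dead: {e.code} {e.body}")
```

Running it against the sample prints the four Viewpoint footholds (O3, O4, O8, O23) and the one dead rpcapd service registration; point `parse_log` at a full saved log to get the same grouping for any product name.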
Vile_DR Posted March 17, 2005
The Viewpoint application is my direct connection to my firewall reports. I understand that they may not be the safest things to keep running, but will there be any costly mishaps if I continue to keep the SonicWALL ViewPoint and run it frequently? I am glad to hear that the rest of my log is clear... thanks for your help.
edit: It is the SonicWALL remote admin report application.
Dragon Posted March 18, 2005
If you knowingly installed that program, then I cannot make you remove it. Since that is connected to your SonicWALL system, it would make it a legit entry and you do not have to remove it.

For Future Protection
Download and install:
SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html
IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
Both are very small free programs that you run once, and then just occasionally to check for updates.
And also see: So how did I get infected in the first place?
Vile_DR Posted March 18, 2005
Thanks again, Efwis