Recommended Posts

I need some reassurace that my AV did it's job and my Reg is clean with no infections. I was hit 2 days ago and after downloading the Update for my AV (CA E-Trust AV) i was able to remove the worm(?) supposibly. Any Help is appreciated Thanks... ;)

Logfile of HijackThis v1.99.1

Scan saved at 11:31:06 AM, on 3/16/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\eTrust Antivirus\InoRpc.exe

C:\Program Files\CA\eTrust Antivirus\InoRT.exe

C:\Program Files\CA\eTrust Antivirus\InoTask.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\ViewPoint2\MSDE\Program\MSSQL$SNWL\Binn\sqlservr.exe

C:\ViewPoint2\viewpoint\sgmsvp1.exe

C:\ViewPoint2\viewpoint\sgmsvp2.exe

C:\ViewPoint2\Tomcat\bin\service.exe

C:\WINDOWS\System32\svchost.exe

C:\ViewPoint2\viewpoint\syslogd.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\CA\ETRUST~1\realmon.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\WISPTIS.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\dwade\Desktop\Procedures\Stuff\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost/sgms/login

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = It's The Internet Biatch

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s

O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=121704 serial=WS12WTX-9999998-UYR lang=EN

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://tsac.webdox.cc/msrdp.cab

O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static...h/weblaunch.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = flightstarjax.com

O17 - HKLM\Software\..\Telephony: DomainName = flightstarjax.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{452C0E16-519F-4CF4-B956-7E0033721049}: NameServer = 192.168.100.20

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = flightstarjax.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = flightstarjax.com

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe

O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe

O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe

O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: SNWL ViewPoint Scheduler - Unknown owner - C:\ViewPoint2\viewpoint\sgmsvp1.exe

O23 - Service: SNWL ViewPoint Summarizer - Unknown owner - C:\ViewPoint2\viewpoint\sgmsvp2.exe

O23 - Service: SNWL ViewPoint WebServer - Alexandria Software Consulting - C:\ViewPoint2\Tomcat\bin\service.exe

O23 - Service: SNWL ViewPoint Syslog Collector (syslogd) - Unknown owner - C:\ViewPoint2\viewpoint\syslogd.exe

Link to post
Share on other sites

hi

your log is pretty much clean but you still have some malware on your system.

First please disable your Microsoft anti-spyware tool

please go to start>control panel> add/remove programs and remove all aspects of Viewpoint from your system.

next, open Hijack this and check the following entries, then making sure all windows, including this one, are closed click on fix checked.

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O23 - Service: SNWL ViewPoint Scheduler - Unknown owner - C:\ViewPoint2\viewpoint\sgmsvp1.exe

O23 - Service: SNWL ViewPoint Summarizer - Unknown owner - C:\ViewPoint2\viewpoint\sgmsvp2.exe

O23 - Service: SNWL ViewPoint WebServer - Alexandria Software Consulting - C:\ViewPoint2\Tomcat\bin\service.exe

O23 - Service: SNWL ViewPoint Syslog Collector (syslogd) - Unknown owner - C:\ViewPoint2\viewpoint\syslogd.exe

then reboot into safemode, you can do that by tapping F8 while your machine reboots, and delete the following files/folders if they are present.

C:\Program Files\Viewpoint\

then post a fresh Hijack this for final review

Link to post
Share on other sites

The Viewpoint application is my direct connection to my firewall reports. I understand that they may not be the safest things to keep running, but will there be any costly mishaps if i continue to keep the SonicWALL viewpoint and run it frequently.

I am glad to hear that the rest of my log is clear...thanks for your help

edit: It is the SonicWALL remote admin report application

Link to post
Share on other sites

if you knowingly installed that program, then I can not make you remove it. since that is conncted to your sonicWall system, it would make it a legit entry adn you do not have to remove it.

For Future Protection

Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see

So how did I get infected in the first place?

Link to post
Share on other sites
Guest
This topic is now closed to further replies.