
Need Help Removing Remnants Of Trojan Infection



#1 mcgtron


Posted 27 July 2008 - 09:27 AM

Below I have posted my HijackThis log, as instructed by boopme.

If anyone can help me remove the last of this infection, I would appreciate it.

Thanks,

-matt


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:45 AM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Michael Brown\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1350WStatusDisplay] C:\WINDOWS\system32\MSTMON_Q.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4347 bytes


#2 miekiemoes

Malware Response Team

Posted 28 July 2008 - 02:59 AM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 mcgtron


Posted 28 July 2008 - 11:13 PM

miekiemoes,

Thanks for helping me. I uninstalled Viewpoint Manager, the only Viewpoint entry in Add/Remove Programs.

Here is the ComboFix log you requested:

ComboFix 08-07-28.4 - Michael Brown 2008-07-28 23:46:48.2 - NTFSx86
Running from: C:\Documents and Settings\Michael Brown\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Michael Brown\Application Data\macromedia\Flash Player\#SharedObjects\BXCP29P8\interclick.com
C:\Documents and Settings\Michael Brown\Application Data\macromedia\Flash Player\#SharedObjects\BXCP29P8\interclick.com\ud.sol
C:\Documents and Settings\Michael Brown\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Michael Brown\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-21 23:38 . 2008-07-21 23:38 <DIR> d-------- C:\WINDOWS\Sun
2008-07-21 23:35 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-21 23:32 . 2008-07-21 23:32 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-21 21:47 . 2008-07-21 21:47 1,800 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-21 21:46 . 2008-07-21 16:26 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-21 21:46 . 2008-07-21 16:26 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-21 21:46 . 2008-07-21 16:26 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-21 21:46 . 2008-07-21 16:26 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-21 21:46 . 2008-07-21 16:26 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-21 21:46 . 2008-07-21 16:26 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-21 21:46 . 2008-07-21 16:26 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-21 21:46 . 2008-07-21 16:26 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-21 21:46 . 2008-07-21 16:26 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-21 21:23 . 2008-07-21 21:23 <DIR> d-------- C:\Documents and Settings\Michael Brown\Application Data\Malwarebytes
2008-07-21 21:23 . 2008-07-21 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 21:23 . 2008-07-20 20:25 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 21:22 . 2008-07-21 21:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 21:22 . 2008-07-20 20:25 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 16:44 . 2008-07-21 16:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-21 16:37 . 2008-07-21 17:22 <DIR> d-------- C:\SDFix
2008-07-20 02:34 . 2004-08-04 03:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-07-20 02:34 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-07-20 02:34 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-07-20 02:34 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-07-20 02:33 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-07-20 02:30 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-07-20 02:30 . 2002-08-29 08:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-07-20 02:30 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-07-20 02:28 . 2004-08-04 02:10 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2008-07-20 02:28 . 2004-08-04 03:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-07-20 02:25 . 2002-08-29 01:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-07-20 02:25 . 2004-08-04 02:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-07-20 02:24 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-07-20 02:22 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-07-20 02:22 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-07-20 02:22 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2008-07-20 02:21 . 2001-08-17 13:28 701,386 --a--c--- C:\WINDOWS\system32\dllcache\wdhaalba.sys
2008-07-20 02:20 . 2001-08-17 12:10 35,871 --a--c--- C:\WINDOWS\system32\dllcache\wbfirdma.sys
2008-07-20 02:20 . 2004-08-04 02:08 31,744 --a--c--- C:\WINDOWS\system32\dllcache\wceusbsh.sys
2008-07-20 02:19 . 2001-08-17 12:13 19,016 --a--c--- C:\WINDOWS\system32\dllcache\w926nd.sys
2008-07-20 02:19 . 2001-08-17 12:13 16,925 --a--c--- C:\WINDOWS\system32\dllcache\w940nd.sys
2008-07-20 02:18 . 2001-08-17 12:13 19,528 --a--c--- C:\WINDOWS\system32\dllcache\w840nd.sys
2008-07-20 02:17 . 2001-08-17 13:28 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2008-07-20 02:17 . 2001-08-17 13:28 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2008-07-20 02:16 . 2001-08-17 13:28 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2008-07-20 02:16 . 2001-08-17 12:14 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2008-07-20 02:16 . 2001-08-17 13:49 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2008-07-20 02:16 . 2004-08-04 01:59 5,376 --a--c--- C:\WINDOWS\system32\dllcache\viaide.sys
2008-07-20 02:15 . 2001-08-17 13:28 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2008-07-20 02:15 . 2004-08-04 03:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-07-20 02:14 . 2001-08-17 13:28 794,399 --a--c--- C:\WINDOWS\system32\dllcache\usr1806v.sys
2008-07-20 02:14 . 2001-08-17 13:28 793,598 --a--c--- C:\WINDOWS\system32\dllcache\usr1806.sys
2008-07-20 02:14 . 2001-08-17 13:28 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-07-20 02:14 . 2001-08-17 13:28 224,802 --a--c--- C:\WINDOWS\system32\dllcache\usr1807a.sys
2008-07-20 02:14 . 2001-08-17 13:28 113,762 --a--c--- C:\WINDOWS\system32\dllcache\usrpda.sys
2008-07-20 02:14 . 2001-08-17 13:28 7,556 --a--c--- C:\WINDOWS\system32\dllcache\usroslba.sys
2008-07-20 02:13 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-07-20 02:13 . 2004-08-04 02:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-07-20 02:13 . 2004-08-04 01:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-20 02:12 . 2004-08-04 02:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-07-20 02:12 . 2002-08-29 01:59 32,384 --a--c--- C:\WINDOWS\system32\dllcache\usb101et.sys
2008-07-20 02:12 . 2004-08-04 02:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-20 02:12 . 2004-08-04 02:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-07-20 02:11 . 2001-08-17 22:36 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2008-07-20 02:11 . 2001-08-17 22:36 28,160 --a--c--- C:\WINDOWS\system32\dllcache\umaxu40.dll
2008-07-20 02:11 . 2001-08-17 22:36 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2008-07-20 02:10 . 2001-08-17 22:36 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2008-07-20 02:10 . 2001-08-17 22:36 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2008-07-20 02:10 . 2001-08-17 22:36 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2008-07-20 02:10 . 2001-08-17 22:36 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2008-07-20 02:10 . 2001-08-17 22:36 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2008-07-20 02:10 . 2001-08-17 22:36 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2008-07-20 02:10 . 2001-08-17 13:52 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2008-07-20 02:10 . 2001-08-17 13:58 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2008-07-20 02:09 . 2001-08-17 13:48 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2008-07-20 02:08 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-07-20 02:08 . 2001-08-17 14:56 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2008-07-20 02:08 . 2001-08-17 14:56 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2008-07-20 02:08 . 2001-08-17 12:51 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2008-07-20 02:08 . 2001-08-17 12:51 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2008-07-20 02:08 . 2001-08-17 12:51 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2008-07-20 02:07 . 2001-08-17 14:01 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-07-20 02:07 . 2001-08-17 14:02 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2008-07-20 02:07 . 2004-08-04 03:56 82,432 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2008-07-20 02:07 . 2001-08-17 22:35 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2008-07-20 02:07 . 2001-08-17 12:12 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2008-07-20 02:07 . 2001-08-17 22:36 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2008-07-20 02:07 . 2001-08-17 13:51 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2008-07-20 02:06 . 2001-08-17 12:14 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2008-07-20 02:06 . 2001-08-17 12:10 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2008-07-20 02:05 . 2004-08-04 02:00 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys
2008-07-20 02:05 . 2001-08-17 12:51 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2008-07-20 02:05 . 2001-08-17 14:56 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2008-07-20 02:04 . 2001-08-17 12:13 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2008-07-20 02:04 . 2001-08-17 12:13 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2008-07-20 02:03 . 2001-08-17 14:56 172,768 --a--c--- C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-07-20 02:03 . 2001-08-17 12:50 36,640 --a--c--- C:\WINDOWS\system32\dllcache\t2r4mini.sys
2008-07-20 02:03 . 2001-08-17 13:49 30,464 --a--c--- C:\WINDOWS\system32\dllcache\tbatm155.sys
2008-07-20 02:03 . 2001-08-17 13:52 7,040 --a--c--- C:\WINDOWS\system32\dllcache\tandqic.sys
2008-07-20 02:02 . 2001-08-17 14:07 32,640 --a--c--- C:\WINDOWS\system32\dllcache\symc8xx.sys
2008-07-20 02:02 . 2001-08-17 14:07 30,688 --a--c--- C:\WINDOWS\system32\dllcache\sym_u3.sys
2008-07-20 02:02 . 2001-08-17 14:07 16,256 --a--c--- C:\WINDOWS\system32\dllcache\symc810.sys
2008-07-20 02:01 . 2001-08-17 13:50 103,936 --a--c--- C:\WINDOWS\system32\dllcache\sx.sys
2008-07-20 02:01 . 2001-08-17 22:36 94,293 --a--c--- C:\WINDOWS\system32\dllcache\sxports.dll
2008-07-20 02:01 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\sw_wheel.dll
2008-07-20 02:01 . 2001-08-17 14:07 28,384 --a--c--- C:\WINDOWS\system32\dllcache\sym_hi.sys
2008-07-20 02:01 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpidflt.dll
2008-07-20 02:01 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpdflt2.dll
2008-07-20 02:01 . 2001-08-17 14:02 3,968 --a--c--- C:\WINDOWS\system32\dllcache\swusbflt.sys
2008-07-20 02:00 . 2001-08-17 22:36 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2008-07-20 02:00 . 2001-08-17 22:36 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2008-07-20 02:00 . 2001-08-17 22:36 41,472 --a--c--- C:\WINDOWS\system32\dllcache\sw_effct.dll
2008-07-20 02:00 . 2004-08-04 02:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2008-07-20 01:59 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-07-20 01:59 . 2001-08-17 13:51 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2008-07-20 01:58 . 2001-08-17 22:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-07-20 01:58 . 2001-08-17 12:11 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2008-07-20 01:57 . 2001-08-17 22:36 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2008-07-20 01:56 . 2001-08-17 22:36 106,584 --a--c--- C:\WINDOWS\system32\dllcache\spdports.dll
2008-07-20 01:56 . 2001-08-17 13:51 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
2008-07-20 01:56 . 2001-08-17 12:51 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2008-07-20 01:56 . 2001-08-17 14:07 19,072 --a--c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2008-07-20 01:56 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-07-20 01:55 . 2001-08-17 22:36 114,688 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2008-07-20 01:55 . 2001-08-17 12:51 20,752 --a--c--- C:\WINDOWS\system32\dllcache\sonync.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-22 03:35 --------- d-----w C:\Program Files\Java
2008-07-20 02:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-20 02:30 --------- d-----w C:\Program Files\Java Web Start
2008-07-20 02:30 --------- d-----w C:\Program Files\Google
2008-07-12 02:15 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2005-02-03 04:28 71,752 -c--a-w C:\Documents and Settings\Michael Brown\Application Data\GDIPFONTCACHEV1.DAT
2000-06-27 13:48 271 -csh--w C:\Program Files\DESKTOP.INI
2000-06-27 13:48 23,357 -c-ha-w C:\Program Files\FOLDER.HTT
.

((((((((((((((((((((((((((((( snapshot@2008-07-21_21.16.17.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-07-26 04:39:46 425,472 -c--a-w C:\WINDOWS\system32\dllcache\msdtcprx.dll
+ 2006-03-01 19:42:42 426,496 -c--a-w C:\WINDOWS\system32\dllcache\msdtcprx.dll
- 2005-07-26 04:39:47 945,152 -c--a-w C:\WINDOWS\system32\dllcache\msdtctm.dll
+ 2006-03-01 19:42:42 956,416 -c--a-w C:\WINDOWS\system32\dllcache\msdtctm.dll
- 2005-07-26 04:39:47 161,280 -c--a-w C:\WINDOWS\system32\dllcache\msdtcuiu.dll
+ 2006-03-01 19:42:42 161,280 -c--a-w C:\WINDOWS\system32\dllcache\msdtcuiu.dll
- 2005-07-26 04:39:47 66,560 -c--a-w C:\WINDOWS\system32\dllcache\mtxclu.dll
+ 2006-03-01 19:42:42 66,560 -c--a-w C:\WINDOWS\system32\dllcache\mtxclu.dll
- 2005-07-26 04:39:47 91,136 -c--a-w C:\WINDOWS\system32\dllcache\mtxoci.dll
+ 2006-03-01 19:42:42 91,136 -c--a-w C:\WINDOWS\system32\dllcache\mtxoci.dll
- 2004-08-04 07:56:46 49,152 -c--a-w C:\WINDOWS\system32\dllcache\wdigest.dll
+ 2006-03-24 04:37:50 49,152 -c--a-w C:\WINDOWS\system32\dllcache\wdigest.dll
- 2005-07-26 04:39:49 11,776 -c--a-w C:\WINDOWS\system32\dllcache\xolehlp.dll
+ 2006-03-01 19:42:42 11,776 -c--a-w C:\WINDOWS\system32\dllcache\xolehlp.dll
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-20 22:06:36 1,480,232 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
+ 2008-07-22 02:01:07 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-06-25 13:15:48 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
- 2005-07-26 04:39:46 425,472 ----a-w C:\WINDOWS\system32\msdtcprx.dll
+ 2006-03-01 19:42:42 426,496 ----a-w C:\WINDOWS\system32\msdtcprx.dll
- 2005-07-26 04:39:47 945,152 ----a-w C:\WINDOWS\system32\msdtctm.dll
+ 2006-03-01 19:42:42 956,416 ----a-w C:\WINDOWS\system32\msdtctm.dll
- 2005-07-26 04:39:47 161,280 ----a-w C:\WINDOWS\system32\msdtcuiu.dll
+ 2006-03-01 19:42:42 161,280 ----a-w C:\WINDOWS\system32\msdtcuiu.dll
- 2005-07-26 04:39:47 66,560 ----a-w C:\WINDOWS\system32\mtxclu.dll
+ 2006-03-01 19:42:42 66,560 ----a-w C:\WINDOWS\system32\mtxclu.dll
- 2005-07-26 04:39:47 91,136 ----a-w C:\WINDOWS\system32\mtxoci.dll
+ 2006-03-01 19:42:42 91,136 ----a-w C:\WINDOWS\system32\mtxoci.dll
- 2004-08-04 07:56:46 49,152 ----a-w C:\WINDOWS\system32\wdigest.dll
+ 2006-03-24 04:37:50 49,152 ----a-w C:\WINDOWS\system32\wdigest.dll
- 2005-07-26 04:39:49 11,776 ----a-w C:\WINDOWS\system32\xolehlp.dll
+ 2006-03-01 19:42:42 11,776 ----a-w C:\WINDOWS\system32\xolehlp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 01:20 278528]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-22 12:07 180269]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26 368706]
"KONICA MINOLTA PagePro 1350WStatusDisplay"="C:\WINDOWS\system32\MSTMON_Q.EXE" [2004-11-21 22:42 163840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Palm\hotsync.exe [2001-01-02 17:25:09 262656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2002-04-15 04:03 995328 C:\Program Files\ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2000-08-08 16:00 311350 C:\Program Files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2000-08-08 16:00 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 04:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-12-04 13:31 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2000-08-08 16:00 24576 C:\Program Files\Microsoft Works\wkfud.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Maple 7\\BIN.WNT\\mserver.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-04-14 12:03]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-04-15 04:05]
R2 devdpl;devdpl;C:\WINDOWS\system32\DRIVERS\devdpl.sys [2003-09-13 14:49]
R2 litdpl;litdpl;C:\WINDOWS\system32\DRIVERS\litdpl.sys [2003-09-13 14:49]
R2 MLPTDR_Q;MLPTDR_Q;C:\WINDOWS\system32\MLPTDR_Q.SYS [2004-11-18 22:13]
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 08:12]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 23:53:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-07-29 0:00:10
ComboFix-quarantined-files.txt 2008-07-29 04:00:01
ComboFix2.txt 2008-07-22 01:18:43

Pre-Run: 10,009,069,568 bytes free
Post-Run: 10,011,248,640 bytes free

273 --- E O F --- 2008-07-10 01:00:25




And here is the new HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:12 AM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Michael Brown\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1350WStatusDisplay] C:\WINDOWS\system32\MSTMON_Q.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)

--
End of file - 4094 bytes
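The helper's read of the two HijackThis logs above (an O23 service whose binary is missing, an O16 entry with no download source, and which entries disappeared between the first and second log) can be automated. This is an added example, not code from the thread or from HijackThis; the heuristics and the constructed sample logs are the editor's own, and the `updater.exe` autostart line is a made-up illustration, not something from the poster's machine.

```python
"""Triage helpers for HijackThis-style logs (added example, not the thread's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis entry lines look like "O23 - Service: ..." or "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")

# Editor's heuristic: locations where a legitimate autostart binary on XP
# normally does not live (user-writable, so a common drop site).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


@dataclass(frozen=True)
class Finding:
    kind: str
    reason: str
    line: str


def parse_entries(log: str) -> list[tuple[str, str]]:
    """Return (kind, body) for every entry line; headers and process list are skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(log: str) -> list[Finding]:
    """Flag entries a reviewer would look at first."""
    findings = []
    for kind, body in parse_entries(log):
        line = f"{kind} - {body}"
        low = body.lower()
        if kind == "O23" and "(file missing)" in low:
            # Service still registered after its binary is gone: leftover to clean up.
            findings.append(Finding(kind, "service registered but binary missing", line))
        elif kind == "O16" and body.rstrip().endswith("-"):
            # Downloaded Program Files entry with no recorded source URL or path.
            findings.append(Finding(kind, "DPF entry with no download source", line))
        elif kind == "O4" and any(d in low for d in USER_WRITABLE):
            findings.append(Finding(kind, "autostart from user-writable location", line))
    return findings


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entries only in the earlier log, and entries only in the later log."""
    b = {f"{k} - {v}" for k, v in parse_entries(before)}
    a = {f"{k} - {v}" for k, v in parse_entries(after)}
    return sorted(b - a), sorted(a - b)


# Constructed sample logs in the format of the two logs posted in the thread.
# The [updater] line is invented to exercise the user-writable-path check.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Application Data\updater.exe
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
"""


if __name__ == "__main__":
    for f in triage(AFTER_LOG):
        print(f"[{f.kind}] {f.reason}: {f.line}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("gone since first log:", *removed, sep="\n  ")
    print("new since first log:", *added, sep="\n  ")
```

An orphaned O23 entry like the STOPzilla one is a registry leftover rather than running code, which is why it can sit in an otherwise clean log.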

#4 miekiemoes

Malware Response Team

Posted 29 July 2008 - 02:35 AM

Hi,

Your logs look clean.

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#5 mcgtron


Posted 29 July 2008 - 11:21 AM

miekiemoes,

:thumbsup: Well, you are right! It looks like new Norton AV definitions removed the last of the infection some time between now and when I first posted here at Bleeping Computer.

Thanks for your time - it looks like this was an easy project for you!

Be well, and keep fighting the good fight!

-matt

#6 miekiemoes

Malware Response Team

Posted 29 July 2008 - 01:20 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!

#7 miekiemoes

Malware Response Team

Posted 30 July 2008 - 04:22 PM

Since this issue appears resolved, this topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.