• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
Salamander

Yet another WinFixer issue

12 posts in this topic

Here is my Hijackthis log, hope that someone can figure something out. Norton catches WinFixer, but will not delete it. Under "Action" on "Threat History" it says "Reboot Processing", but it has been saying so after several reboots anyway...

 

Cut to the chase:

 

Logfile of HijackThis v1.99.1

Scan saved at 9:45:02 AM, on 4/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe

C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe

C:\Program Files\IPSec Client\LucentIKESvc.exe

C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\IPSec Client\LucentIKE.exe

C:\WINDOWS\System32\locator.exe

C:\Program Files\Java\j2re1.4.1_02\bin\javaw.exe

C:\Program Files\Brooks Internet Software\RPMSelect\RPMSrvc.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\updater.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IPSec Client\trayicon.exe

C:\Program Files\Mulberry\bin32\Kstatus.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Mozilla Firefox\firefox.exe

c:\program files\aim6\anotify.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Documents and Settings\elc3\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pitt.edu/~wstudies

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Kstatus.lnk = C:\Program Files\Mulberry\bin32\Kstatus.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: IPSecClient Icon.lnk = C:\Program Files\IPSec Client\trayicon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O15 - Trusted Zone: *.sxload.net (HKLM)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138115714656

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playgames.comcast.net/online2/bejew...aploader_v6.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7FFDE789-4D32-419C-A8B4-5F7328A8E306}: NameServer = 136.142.57.10,136.142.188.76

O17 - HKLM\System\CS1\Services\Tcpip\..\{7FFDE789-4D32-419C-A8B4-5F7328A8E306}: NameServer = 136.142.57.10,136.142.188.76

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: KATRACK.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe

O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe

O23 - Service: LucentIKE - Unknown owner - C:\Program Files\IPSec Client\LucentIKESvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: RPM Remote Print Manager (RPM) - Brooks Internet Software, Inc - C:\Program Files\Brooks Internet Software\RPMSelect\RPMSrvc.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

 

Thanks a bunch in advance.

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Hello,

 

* Download Combofix to your desktop.

Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new hijackthislog.

Share this post


Link to post
Share on other sites

Hello,

 

* Download Combofix to your desktop.

Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new hijackthislog.

 

Am doing so right now. Meanwhile, an update: When I get the pop ups, I first disable my connection and then close the explorer window. Once I do so, Norton catches Infostealer (which it deletes) and an unspecified Trojan, which it quarantines.

Share this post


Link to post
Share on other sites

"wstudies" - 07-04-24 10:13:03 Service Pack 2

ComboFix 07-04-24.2V - Running from: "C:\Documents and Settings\elc3\My Documents\Rankin misc\"

 

 

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\vturq.dll

C:\WINDOWS\system32\vturr.dll

C:\WINDOWS\system32\wfkvvmcx.dll

C:\WINDOWS\system32\khfffdc.dll

C:\WINDOWS\system32\qommnlj.dll

C:\WINDOWS\system32\qrutv.ini

C:\WINDOWS\system32\hgjlm.bak1

C:\WINDOWS\system32\hgjlm.bak2

C:\WINDOWS\system32\hgjlm.ini

C:\WINDOWS\system32\hgjlm.ini2

C:\WINDOWS\system32\hgjlm.tmp

C:\WINDOWS\system32\rrutv.ini

C:\WINDOWS\system32\mljgh.dll

C:\WINDOWS\system32\efcyaaw.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe

C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe

C:\DOCUME~1\elc3\Desktop.\internet explorer.lnk

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-03-24 to 2007-04-24 ))))))))))))))))))))))))))))))))))

 

 

2007-04-24 10:26 <DIR> d-------- C:\Program Files\DivX

2007-04-20 09:07 <DIR> d-------- C:\VundoFix Backups

2007-04-19 15:40 444 --a------ C:\WINDOWS\system32\d3d8caps.dat

2007-04-19 15:06 <DIR> d-------- C:\WINDOWS\pss

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-04-24 10:32 -------- d-------- C:\Program Files\symantec antivirus

2007-04-24 10:27 15622 --a------ C:\WINDOWS\mozver.dat

2007-04-23 14:55 -------- d-------- C:\Program Files\fastnet

2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll

2007-03-08 12:55 -------- d--h----- C:\Program Files\installshield installation information

2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll

2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll

2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll

2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys

2007-03-07 10:17 -------- d-------- C:\Program Files\msn messenger

2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll

2007-01-18 14:24 22252 --a------ C:\DOCUME~1\elc3\APPLIC~1\microsoft excel.adr

2007-01-18 14:20 22311 --a------ C:\DOCUME~1\elc3\APPLIC~1\tab separated values (windows).adr

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{09E25BD0-FCF6-4829-B0D9-BCCE59F3AD64} C:\WINDOWS\system32\vtutt.dll [x]

{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\wfkvvmcx.dll [x]

{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"

"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"

"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""

"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

"Aim6"=""

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source REG_SZ file:///C:/DOCUME~1/elc3/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"appinit_dlls"="KATRACK.DLL"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKLM"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

 

 

********************************************************************

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.99.1

Scan saved at 10:39, on 07-04-24

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe

C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe

C:\Program Files\IPSec Client\LucentIKESvc.exe

C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe

C:\Program Files\IPSec Client\LucentIKE.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Java\j2re1.4.1_02\bin\javaw.exe

C:\Program Files\Brooks Internet Software\RPMSelect\RPMSrvc.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe

C:\Program Files\IPSec Client\trayicon.exe

C:\Program Files\Mulberry\bin32\Kstatus.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\ComboFix\11081.cfexe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\elc3\Desktop\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pitt.edu/~wstudies

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {09E25BD0-FCF6-4829-B0D9-BCCE59F3AD64} - C:\WINDOWS\system32\vtutt.dll (file missing)

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wfkvvmcx.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Kstatus.lnk = C:\Program Files\Mulberry\bin32\Kstatus.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: IPSecClient Icon.lnk = C:\Program Files\IPSec Client\trayicon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138115714656

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playgames.comcast.net/online2/bejew...aploader_v6.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7FFDE789-4D32-419C-A8B4-5F7328A8E306}: NameServer = 136.142.57.10,136.142.188.76

O17 - HKLM\System\CS1\Services\Tcpip\..\{7FFDE789-4D32-419C-A8B4-5F7328A8E306}: NameServer = 136.142.57.10,136.142.188.76

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: KATRACK.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe

O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe

O23 - Service: LucentIKE - Unknown owner - C:\Program Files\IPSec Client\LucentIKESvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: RPM Remote Print Manager (RPM) - Brooks Internet Software, Inc - C:\Program Files\Brooks Internet Software\RPMSelect\RPMSrvc.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Share this post


Link to post
Share on other sites

Hi,

 

Don't count too much on your Norton Antivirus at this moment - it will flag, but won't remove, so Norton is useless here.

Anyway, Combofox was able to remove though, so let's deal with the leftovers now..

 

First of all.. I see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Then,

 

 

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

O2 - BHO: (no name) - {09E25BD0-FCF6-4829-B0D9-BCCE59F3AD64} - C:\WINDOWS\system32\vtutt.dll (file missing)

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wfkvvmcx.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Let me know in your next reply how things are now.

Share this post


Link to post
Share on other sites

So, (I am printing some stuff to work offline as I type this since this is my work computer), the JInitiator files are infected? I cannot remove them as they are necessary for some applications I am using. Please clarify.

 

Thanks very much for your help!

Share this post


Link to post
Share on other sites

No, they are not infected. They just show in your Hijackthislog as orphaned leftovers.. this means, the related file is gone, but the reference in the registry remains - so when a file is gone, the reference in the registry is useless too.

The JInitiator will get installed again anyway when you visit a page where it is required.

Share this post


Link to post
Share on other sites

No, they are not infected. They just show in your Hijackthislog as orphaned leftovers.. this means, the related file is gone, but the reference in the registry remains - so when a file is gone, the reference in the registry is useless too.

The JInitiator will get installed again anyway when you visit a page where it is required.

 

Great. I followed all the instructions and we'll see what happens during the rest of the day. I will assume that the problem is gone if I won't see anything by 5 pm. After that, I pretty much think that we're done.

 

I also reinstalled JInitiator as my workplace offers it on its own server for download.

 

Thanks a bunch. I owe you cookies (of the baked kind) ;)

Share this post


Link to post
Share on other sites

Glad I could help. :)

 

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!

Share this post


Link to post
Share on other sites

Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here

This applies only to the original topic starter.

 

Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0