#16
I did as instructed and here is the new log:
Logfile of HijackThis v1.97.7
Scan saved at 6:39:31 PM, on 2/5/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\esserver.exe
F:\WS_FTP\ftpsched.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\SENS.EXE
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\rasman.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\loadwc.exe
F:\WS_FTP\ftpqueue.exe
F:\realplay.exe
C:\Program Files\Voyetra\TBS Montego\vtray.exe
C:\Program Files\CyberMedia\CMAgent.exe
C:\WINNT\System32\LXSUPMON.EXE
F:\nero\InCD.exe
C:\WINNT\System32\qttask.exe
F:\Office\1033\OLFSNT40.EXE
F:\PROGRA~1\WinZip\winzip32.exe
C:\TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - f:\WebBug.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [ftpqueue] F:\WS_FTP\ftpqueue.exe -tray
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [RealTray] F:\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\Program Files\Voyetra\TBS Montego\vtray.exe /s
O4 - HKLM\..\Run: [CyberMedia Agent] "C:\Program Files\CyberMedia\CMAgent.exe" /SU
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [InCD] F:\nero\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - Global Startup: RealDownload.lnk = F:\RealDownload\Realdownload.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = F:\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Bugnosis (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://epancic.org/WFPlayer/tdserver.cab
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - https://livesupport.americancentury....cts/emagic.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatte...load/appdl.cab
O16 - DPF: {6EBE5A5B-2621-11D1-905C-00A0244D4224} (ReadHTML.GetHTML) - file://C:\DELL\IE4SI\ReadHTML.CAB
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...mmapi_0727.dll
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.walmartphotocenter.com/ph...ad/XUpload.ocx

The pop-up vanished BEFORE the HijackThis procedure... I think due to deleting temp files???? But other annoying error messages during boot-up have been eliminated... THANKS. Tell me what the new log says. And also, can you lead me to information about what is going on, as in parasites and spy software....?
#17
Your log looks fine now, lajaulavira. Some information for you here: What are Parasites. You were infected with Xupiter, Alexa, Money Tree/DyFuCa, DyFuCa/Internet Optimizer and Smartbrowser.
#18
Thanks SO MUCH for the help and the didactic part here... it helps to understand a little bit what is going on. I also found a Hijack This tutorial which might be useful to others at: http://hjt.wizardsofwebsites.com/
#19
You are welcome, lajaulavira.
#20
Cleaning parasites using Hijackthis
I am trying to check for parasites again and this is the log I got using hijackthis.
Would you please advise me how to clean it up? Thanks, lajaulavira
-----------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 4:38:27 PM, on 7/9/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\esserver.exe
F:\WS_FTP\ftpsched.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\SENS.EXE
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\rasman.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\loadwc.exe
F:\WS_FTP\ftpqueue.exe
F:\realplay.exe
C:\Program Files\Voyetra\TBS Montego\vtray.exe
C:\Program Files\CyberMedia\CMAgent.exe
C:\WINNT\System32\LXSUPMON.EXE
F:\nero\InCD.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\System32\wupdaated.exe
F:\Office\1033\OLFSNT40.EXE
C:\WINNT\System32\ddhelp.exe
D:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
F:\PROGRA~1\WinZip\winzip32.exe
C:\TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://moodle.ntjcpa.edu.tw/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Progra~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - f:\WebBug.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [ftpqueue] F:\WS_FTP\ftpqueue.exe -tray
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [RealTray] F:\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\Program Files\Voyetra\TBS Montego\vtray.exe /s
O4 - HKLM\..\Run: [CyberMedia Agent] "C:\Program Files\CyberMedia\CMAgent.exe" /SU
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [InCD] F:\nero\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [Configuration Loaded] wupdaated.exe
O4 - HKLM\..\RunServices: [Microsoft Login Program] wiaacmgr32.exe
O4 - HKLM\..\RunServices: [Configuration Loaded] wupdaated.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Global Startup: RealDownload.lnk = F:\RealDownload\Realdownload.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = F:\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Documentation.lnk = ?
O4 - Global Startup: readme.lnk = ?
O4 - Global Startup: copying.lnk = ?
O4 - Global Startup: history.txt.lnk = ?
O4 - Global Startup: license.txt.lnk = ?
O4 - Global Startup: greetings.txt.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Bugnosis (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://epancic.org/WFPlayer/tdserver.cab
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - https://livesupport.americancentury....cts/emagic.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...mmapi_0727.dll
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/downlo...-US/msorun.cab
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.talkingcommunities.com/client3/ivsetup3.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.walmartphotocenter.com/ph...ad/XUpload.ocx
#21
Hi lajaulavira, I see that IE6 has not been updated. It would be a good idea to take a trip to Windows Update and install any critical updates available.
Before we start, please create a dedicated folder for Hijack This on your drive and copy it across. If you leave it where it is, backups will not be created. Close IE and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Progra~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - f:\WebBug.dll (file missing)
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [Configuration Loaded] wupdaated.exe
O4 - HKLM\..\RunServices: [Microsoft Login Program] wiaacmgr32.exe
O4 - HKLM\..\RunServices: [Configuration Loaded] wupdaated.exe

I don't know what the below startups in bold are. Fix them too if you do not know either.

O4 - Global Startup: Documentation.lnk = ?
O4 - Global Startup: readme.lnk = ?
O4 - Global Startup: copying.lnk = ?
O4 - Global Startup: history.txt.lnk = ?
O4 - Global Startup: license.txt.lnk = ?
O4 - Global Startup: greetings.txt.lnk = ?
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://epancic.org/WFPlayer/tdserver.cab

When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts), make sure that you can view hidden files and folders, and run a search for and delete the below folders/files in bold. (Don't know which drive)

\Progra~1\Lycos\IEagent
wupdaated.exe
wiaacmgr32.exe

Reboot and post a new log.
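As an added example (not code from this thread, and not part of HijackThis), the checks the reply above applies by eye, written out as a triage pass over R0/R1, O2, O4 and O16 entries: each line is parsed and, where something stands out, paired with the reason. The sample entries are copied from the log posted in this thread; the allowlists of expected hosts and of known bare system startup names are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries in the shape of the HijackThis 1.97 lines quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Progra~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - f:\WebBug.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [Microsoft Login Program] wiaacmgr32.exe
O4 - Global Startup: readme.lnk = ?
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://epancic.org/WFPlayer/tdserver.cab
"""
# Assumed allowlists: hosts the user chose, vendor hosts for ActiveX downloads, NT startup names seen in the log.
EXPECTED_HOSTS = {"www.yahoo.com", "moodle.ntjcpa.edu.tw"}
TRUSTED_DPF_HOSTS = {"download.yahoo.com", "chat.yahoo.com", "download.macromedia.com", "download.microsoft.com"}
KNOWN_BARE_STARTUPS = {"systray.exe", "loadwc.exe", "mstinit.exe"}
URL_RE = re.compile(r"https?://\S+")

def host_of(text):
    m = URL_RE.search(text)
    return urlparse(m.group(0)).hostname if m else None

def triage_line(line):
    """Return a reason to review this entry, or None if nothing stands out."""
    kind = line.split(" - ", 1)[0]
    if kind in ("R0", "R1"):                      # start page / search bar settings
        h = host_of(line)
        if h and h not in EXPECTED_HOSTS:
            return f"browser setting points at unexpected host {h}"
    elif kind == "O2":                            # Browser Helper Objects
        if "(file missing)" in line:
            return "BHO whose DLL is gone; dead registration"
        if re.search(r"\{0{8}-0{4}-0{4}-0{4}-", line):
            return "BHO CLSID is not a generated GUID"
    elif kind == "O4":                            # autostart entries
        if "Global Startup" in line:
            return "shortcut with no resolvable target" if line.endswith("= ?") else None
        target = re.match(r'"?([^"\s]+)', line.split("] ", 1)[1]).group(1)
        if "\\" not in target and target.lower() not in KNOWN_BARE_STARTUPS:
            return f"bare-name startup {target} is not a known system entry"
    elif kind == "O16":                           # Downloaded Program Files (ActiveX)
        h = host_of(line)
        if h and h not in TRUSTED_DPF_HOSTS:
            return f"ActiveX control fetched from unlisted host {h}"
    return None

def triage(log):
    # Pair every flagged log line with its reason, in log order.
    return [(l, r) for l in log.strip().splitlines() for r in [triage_line(l)] if r]
```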