#16
February 6th, 2004, 12:45 AM
lajaulavira
Member
Join Date: Jan 2004
Posts: 47
I did as instructed and here is the new log:


Logfile of HijackThis v1.97.7
Scan saved at 6:39:31 PM, on 2/5/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\esserver.exe
F:\WS_FTP\ftpsched.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\SENS.EXE
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\rasman.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\loadwc.exe
F:\WS_FTP\ftpqueue.exe
F:\realplay.exe
C:\Program Files\Voyetra\TBS Montego\vtray.exe
C:\Program Files\CyberMedia\CMAgent.exe
C:\WINNT\System32\LXSUPMON.EXE
F:\nero\InCD.exe
C:\WINNT\System32\qttask.exe
F:\Office\1033\OLFSNT40.EXE
F:\PROGRA~1\WinZip\winzip32.exe
C:\TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - f:\WebBug.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [ftpqueue] F:\WS_FTP\ftpqueue.exe -tray
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [RealTray] F:\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\Program Files\Voyetra\TBS Montego\vtray.exe /s
O4 - HKLM\..\Run: [CyberMedia Agent] "C:\Program Files\CyberMedia\CMAgent.exe" /SU
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [InCD] F:\nero\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - Global Startup: RealDownload.lnk = F:\RealDownload\Realdownload.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = F:\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Bugnosis (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://epancic.org/WFPlayer/tdserver.cab
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - https://livesupport.americancentury....cts/emagic.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatte...load/appdl.cab
O16 - DPF: {6EBE5A5B-2621-11D1-905C-00A0244D4224} (ReadHTML.GetHTML) - file://C:\DELL\IE4SI\ReadHTML.CAB
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...mmapi_0727.dll
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.walmartphotocenter.com/ph...ad/XUpload.ocx
The pop-up vanished BEFORE the Hijack This procedure... I think due to deleting temp files????

But other annoying error messages during boot up have been eliminated... THANKS.

Tell me what the new log says. And also, can you lead me to information about what is going on as in parasites and spy software....?
#17
February 6th, 2004, 12:55 AM
AnnMarie
CTH Subscriber
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,812
Your log looks fine now, lajaulavira. Some information for you here: What are Parasites. You were infected with Xupiter, Alexa, Money Tree/DyFuCa, DyFuCa/Internet Optimizer and Smartbrowser.
#18
February 6th, 2004, 08:26 PM
lajaulavira
Member
Join Date: Jan 2004
Posts: 47
Thanks SO MUCH for the help and the didactic part here... it helps to understand a little bit what is going on. I also found a Hijack This tutorial which might be useful to others at: http://hjt.wizardsofwebsites.com/
#19
February 7th, 2004, 04:43 AM
AnnMarie
CTH Subscriber
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,812
You are welcome, lajaulavira.
#20
July 9th, 2004, 09:39 PM
lajaulavira
Member
Join Date: Jan 2004
Posts: 47
Cleaning parasites using Hijackthis

I am trying to check for parasites again and this is the log I got using hijackthis.

Would you please advise me how to clean it up?

Thanks,

lajaulavira

-----------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 4:38:27 PM, on 7/9/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\esserver.exe
F:\WS_FTP\ftpsched.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\SENS.EXE
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\rasman.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\loadwc.exe
F:\WS_FTP\ftpqueue.exe
F:\realplay.exe
C:\Program Files\Voyetra\TBS Montego\vtray.exe
C:\Program Files\CyberMedia\CMAgent.exe
C:\WINNT\System32\LXSUPMON.EXE
F:\nero\InCD.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\System32\wupdaated.exe
F:\Office\1033\OLFSNT40.EXE
C:\WINNT\System32\ddhelp.exe
D:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
F:\PROGRA~1\WinZip\winzip32.exe
C:\TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://moodle.ntjcpa.edu.tw/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Progra~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - f:\WebBug.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [ftpqueue] F:\WS_FTP\ftpqueue.exe -tray
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [RealTray] F:\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\Program Files\Voyetra\TBS Montego\vtray.exe /s
O4 - HKLM\..\Run: [CyberMedia Agent] "C:\Program Files\CyberMedia\CMAgent.exe" /SU
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [InCD] F:\nero\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [Configuration Loaded] wupdaated.exe
O4 - HKLM\..\RunServices: [Microsoft Login Program] wiaacmgr32.exe
O4 - HKLM\..\RunServices: [Configuration Loaded] wupdaated.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Global Startup: RealDownload.lnk = F:\RealDownload\Realdownload.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = F:\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Documentation.lnk = ?
O4 - Global Startup: readme.lnk = ?
O4 - Global Startup: copying.lnk = ?
O4 - Global Startup: history.txt.lnk = ?
O4 - Global Startup: license.txt.lnk = ?
O4 - Global Startup: greetings.txt.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Bugnosis (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://epancic.org/WFPlayer/tdserver.cab
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - https://livesupport.americancentury....cts/emagic.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...mmapi_0727.dll
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/downlo...-US/msorun.cab
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.talkingcommunities.com/client3/ivsetup3.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.walmartphotocenter.com/ph...ad/XUpload.ocx
#21
July 10th, 2004, 03:44 AM
AnnMarie
CTH Subscriber
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,812
Hi lajaulavira, I see that IE6 has not been updated. It would be a good idea to take a trip to Windows Update and install any critical updates available.

Before we start, please create a dedicated folder for Hijack This on your drive and copy it across. If you leave it where it is, backups will not be created.

Close IE and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - F:\Progra~1\Lycos\IEagent\CSIE.DLL

O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - f:\WebBug.dll (file missing)

O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe

O4 - HKLM\..\Run: [Configuration Loaded] wupdaated.exe

O4 - HKLM\..\RunServices: [Microsoft Login Program] wiaacmgr32.exe

O4 - HKLM\..\RunServices: [Configuration Loaded] wupdaated.exe

I don't know what the below startups in bold are. Fix them too if you do not know either.

O4 - Global Startup: Documentation.lnk = ?
O4 - Global Startup: readme.lnk = ?
O4 - Global Startup: copying.lnk = ?
O4 - Global Startup: history.txt.lnk = ?
O4 - Global Startup: license.txt.lnk = ?
O4 - Global Startup: greetings.txt.lnk = ?


O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://epancic.org/WFPlayer/tdserver.cab

When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts), make sure that you can view hidden files and folders and run a search for and delete the below folders/files in bold.

(Don't know which drive) \Progra~1\Lycos\IEagent
wupdaated.exe
wiaacmgr32.exe

Reboot and post a new log.
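The review AnnMarie does by eye above (hijacked R0/R1 pages, a BHO whose file is gone, autoruns given as a bare filename, startup shortcuts that resolve to "?") can be turned into a first-pass triage script. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted above, and the EXPECTED_HOSTS allowlist is an assumption about which start pages the owner actually chose.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://moodle.ntjcpa.edu.tw/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - f:\WebBug.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Configuration Loaded] wupdaated.exe
O4 - HKLM\..\RunServices: [Microsoft Login Program] wiaacmgr32.exe
O4 - Global Startup: readme.lnk = ?
""".strip("\n")

# Assumption: the start/search hosts the machine's owner actually picked.
EXPECTED_HOSTS = {"www.yahoo.com", "moodle.ntjcpa.edu.tw"}

O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

def executable_of(cmd):
    """First token of an autorun command line, with surrounding quotes removed."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd

def triage(log_text):
    """Return (line_no, reason) pairs for entries a human reviewer should look at."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith(("R0 -", "R1 -")) and " = " in line:
            url = line.split(" = ", 1)[1].strip()
            host = urlparse(url).hostname
            if url and host not in EXPECTED_HOSTS:
                findings.append((no, f"browser page set to unexpected host {host}"))
        elif line.startswith("O2 -") and line.endswith("(file missing)"):
            findings.append((no, "BHO registration whose DLL no longer exists"))
        elif line.startswith("O4 - Global Startup:") and line.endswith("= ?"):
            findings.append((no, "startup shortcut with an unresolvable target"))
        elif (m := O4_RE.match(line)):
            exe = executable_of(m["cmd"])
            if "\\" not in exe:  # no directory: resolved via the search path, so check the file
                findings.append((no, f"autorun '{exe}' given without a path; verify the file"))
    return findings

if __name__ == "__main__":
    for no, reason in triage(SAMPLE_LOG):
        print(f"line {no}: {reason}")
```

Legitimate entries such as SysTray.Exe are also path-less and will be flagged; the script narrows what to look at, it does not decide what to fix.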