Eureka!! I found it! Please check this log
Well, here I go again. I'm sorry about posting this in the other places.
Logfile of HijackThis v1.97.7
Scan saved at 9:31:43 PM, on 1/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\Documents and Settings\Administrator.CRYSTAL-D2JZATV\My Documents\download\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...869.3008333333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
Originally Posted by steamwiz
It's a CWS hijacker,
Please Download hijackthis
Unzip, doubleclick HijackThis.exe, and hit "Scan".
After the scan has finished the "scan" button will turn into a "save log" button
save the log file and paste it here
Do not delete anything yet, as most things hijackthis finds are harmless and needed.
steam
(suggestion) Maybe this wildfire could have been stopped by piggybacking threads.
Originally Posted by pisconi
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe
Anytime you have registry keys that look like random character strings that point to executable files that also look like random character strings, that spells t-r-o-u-b-l-e in any language!
-- Michael Rudas
Originally Posted by )BIG"B"Affleck
Looks like steamwiz opened up Pandora's box of the HijackThis logs. :lol:
(suggestion) Maybe this wildfire could have been stopped by piggybacking threads.
Linux boot cd http://www.knopper.net/knoppix/index-en.html
OK, the 3 lines:
O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe
I suspected because Symantec found the tlaeittu & udadrb and left them alone at first, but then quarantined them on the next scan.
So now tell me, how do I completely rid my machine of these offenders?
The iehelper I'm not sure of. Before I delete it, what can I check to make sure it is a bug?
Not to discredit those here who help with these logs, I said it before and I'll say it again: the best place for help with hijack logs is the HijackThis forum, more people there who know how to completely get rid of spyware. Click on this link.
http://forums.spywareinfo.com/index.php?showforum=11
)BIG"B"Affleck.....Why would you want to stop posting of HJT logs.?..these are necessary if we are to help solve certain problems, and having 2 different logs in the same thread (piggybacking) is very confusing.
pisconi ....
Close all browser windows - run hijackthis and tick to fix :-
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about_:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about_:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Reboot find and delete :-
C:\WINNT\tlaeittu.exe ------- - file
C:\Program Files\syslaunch.exe - file
C:\WINNT\system32\udadrb.exe - file
Actually TallCool1 had it pretty much nailed.
steam
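TallCool1's rule of thumb and the three Run entries steamwiz singles out for deletion, as an added triage sketch that is not part of any post in this thread. It stands in for judging "random-looking" by eye with two structural checks that are assumptions of this example: an empty Run value name, and a file sitting directly in the Windows, system32 or Program Files root whose name shares no 4-character run with the value name.

```python
import re
from typing import NamedTuple

# O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
"""

# Assumption: directories where programs are rarely installed directly
# (C:\WINNT is the Windows directory shown in this log).
DROP_DIRS = {r"c:\winnt", r"c:\winnt\system32", r"c:\program files"}
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.+)$")
EXE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.I)  # quoted path, or up to .exe

class Finding(NamedTuple):
    name: str
    path: str
    reasons: list

def shares_token(a: str, b: str, n: int = 4) -> bool:
    """True if any n-character run of a also occurs in b (case-insensitive)."""
    a, b = a.lower(), b.lower()
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))

def triage(log: str) -> list:
    findings = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        exe = EXE.match(m.group(3)) if m else None
        if not exe:
            continue
        name, path = m.group(2), exe.group(1) or exe.group(2)
        parent, _, filename = path.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        reasons = []
        if not name:
            reasons.append("empty value name")
        if parent.lower() in DROP_DIRS and not shares_token(name, stem):
            reasons.append("name unrelated to file dropped in " + parent)
        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns only the vujemxhk, iehelper and empty-name entries. A hit is a lead for checking the file, since a legitimate program installed into one of those directories would be listed too.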
I was just making a joke. I thought it would be a good idea to piggyback the same logs over and over again in the same thread; that way you wouldn't have to go in every other thread on DaniWeb. And on top of that, if you posted a sticky where you say post all of the same old logs over and over, you would get the longest thread award. You would win that contest. See, I'm looking out for you, not trying to stop the help.
PS: SpyBot Search and Destroy does the same thing without sorting through logs.
http://www.webattack.com/get/spybot.html
Not to discredit those here who help with these logs, I said it before and I'll say it again: the best place for help with hijack logs is the HijackThis forum, more people there who know how to completely get rid of spyware. Click on this link.
Yeah, that wouldn't be a bad idea.
Last edited by )BIG"B"Affleck; Jan 13th, 2004 at 2:59 pm.
Spybot Search and Destroy only removes part of the problem; spyware goes deeper than that! CWShredder and other programs are needed as well.