
Eureka!! I found it! Please check this log

Well, here I go again. I'm sorry about posting this in the other places.
Logfile of HijackThis v1.97.7
Scan saved at 9:31:43 PM, on 1/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\Documents and Settings\Administrator.CRYSTAL-D2JZATV\My Documents\download\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.3008333333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

pisconi
Newbie Poster
4 posts since Jan 2004
Reputation Points: 10
Solved Threads: 0
 

It's a CWS hijacker,

Please Download hijackthis

Unzip, double-click HijackThis.exe, and hit "Scan".

After the scan has finished the "scan" button will turn into a "save log" button

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam


Looks like steamwiz opened up Pandora's box of the HijackThis logs. :lol:
(suggestion) Maybe this wildfire could have been stopped by piggybacking threads.

)BIG"B"Affleck
Master Poster
Banned
766 posts since Oct 2003
Reputation Points: 25
Solved Threads: 8
 
Logfile of HijackThis v1.97.7

These are strongly suspect, though I have not found much detail:

O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe

O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe

O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe

Anytime you have registry keys that look like random character strings that point to executable files that also look like random character strings, that spells t-r-o-u-b-l-e in any language!

TallCool1
Practically a Posting Shark
Team Colleague
865 posts since May 2003
Reputation Points: 149
Solved Threads: 45
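One way to mechanise the rule TallCool1 gives (a Run key whose name is empty or looks like random characters, pointing at an executable that also looks random), as an added example that is not code from this thread or from HijackThis: the script parses HijackThis O4 lines and tallies signals per entry. The sample log is taken from the thread, while the rare-bigram list, the root-folder rule and all function names are my own assumptions.

```python
import re
# Constructed sample: the O4 Run entries from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
"""
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)
VOWELS = set("aeiouy")
# Assumed letter pairs that essentially never occur in English or product names;
# a key or file name typed out of random characters tends to contain one.
RARE_BIGRAMS = {"jx", "xj", "qx", "xq", "zx", "xz", "kq", "qk", "vq", "qv", "jq", "qj",
                "fq", "qf", "zq", "qz", "jz", "zj", "vj", "jv", "kx", "xk", "hx", "xh",
                "mx", "hk", "gx", "xg", "bx", "xb", "pq", "qp", "vx", "xv", "zk", "kz"}
# Assumed "dropped straight into a root folder" locations (normal software lives in a vendor subfolder).
ROOT_DIRS = {"c:\\winnt", "c:\\windows", "c:\\program files"}

def looks_random(token):
    """TallCool1's 'random character string' test: no vowels at all, or a rare bigram."""
    t = re.sub(r"[^a-z]", "", token.lower())
    if len(t) < 4:
        return False
    if not any(c in VOWELS for c in t):
        return True
    return any(t[i:i + 2] in RARE_BIGRAMS for i in range(len(t) - 1))

def triage_o4(log_text):
    """Return (key name, exe path, [signals]) for every O4 Run entry; empty signals = nothing odd."""
    results = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        em = EXE_RE.search(cmd)
        path = em.group("path") if em else cmd.split()[0]  # drop quotes and arguments
        parent, _, exe = path.rpartition("\\")
        stem = re.sub(r"\.exe$", "", exe, flags=re.IGNORECASE)
        checks = [(not name, "empty key name"),
                  (bool(name) and looks_random(name), "random-looking key name"),
                  (looks_random(stem), "random-looking executable name"),
                  (parent.lower() in ROOT_DIRS, "executable sitting directly in a root/system folder")]
        results.append((name, path, [msg for hit, msg in checks if hit]))
    return results

def suspects(log_text):
    return [(n, p, s) for n, p, s in triage_o4(log_text) if s]
```

On the sample it flags vujemxhk (random name plus bare C:\WINNT location), iehelper (bare Program Files location only, matching pisconi's "not sure" verdict) and the nameless udadrb entry, and leaves the vendor entries alone.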
 
Looks like steamwiz opened up Pandora's box of the HijackThis logs. :lol: (suggestion) Maybe this wildfire could have been stopped by piggybacking threads.


The need for HijackThis/spyware help is growing. I would suggest a new category called Hijack Logs, to keep them in one place.

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 

OK, the 3 lines:

O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe

O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe

O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe


I suspected them because Symantec found tlaeittu & udadrb and left them alone at first, but then quarantined them on the next scan.
So now tell me, how do I completely rid my machine of these offenders?

The iehelper I'm not sure of. Before I delete it, what can I check to make sure it is a bug?

pisconi
Newbie Poster
4 posts since Jan 2004
Reputation Points: 10
Solved Threads: 0
 

Not to discredit those here who help with these logs, I said it before and I'll say it again: the best place for help with hijack logs is the HijackThis forum, more people there who know how to completely get rid of spyware. Click on this link.
http://forums.spywareinfo.com/index.php?showforum=11

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 

)BIG"B"Affleck..... Why would you want to stop posting of HJT logs? These are necessary if we are to help solve certain problems, and having 2 different logs in the same thread (piggybacking) is very confusing.


pisconi ....

Close all browser windows - run hijackthis and tick to fix :-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe

O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe

O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Reboot, find and delete :-

C:\WINNT\tlaeittu.exe - file
C:\Program Files\syslaunch.exe - file
C:\WINNT\system32\udadrb.exe - file

Actually TallCool1 had it pretty much nailed.

steam

steamwiz
Junior Poster in Training
73 posts since Oct 2003
Reputation Points: 40
Solved Threads: 1
 

)BIG"B"Affleck..... Why would you want to stop posting of HJT logs? These are necessary if we are to help solve certain problems, and having 2 different logs in the same thread (piggybacking) is very confusing.

I was just making a joke. I thought it would be a good idea to piggyback the same logs over and over again in the same thread; that way you wouldn't have to go in every other thread on DaniWeb. And on top of that, if you posted a sticky where you say "post all of the same old logs over and over", you would get the longest thread award. You would win that contest, see, I'm looking out for you, not trying to stop the help.
PS: Spybot Search & Destroy does the same thing without sorting through logs.
http://www.webattack.com/get/spybot.html


Not to discredit those here who help with these logs, I said it before and I'll say it again: the best place for help with hijack logs is the HijackThis forum, more people there who know how to completely get rid of spyware. Click on this link.

Yeah, that wouldn't be a bad idea.

)BIG"B"Affleck
Master Poster
Banned
766 posts since Oct 2003
Reputation Points: 25
Solved Threads: 8
 

Spybot Search & Destroy only removes part of the problem; spyware goes deeper than that! CWShredder and other programs are needed as well.

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 
