0

Well, here I go again. I'm sorry about posting this in the other places.
Logfile of HijackThis v1.97.7
Scan saved at 9:31:43 PM, on 1/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\Documents and Settings\Administrator.CRYSTAL-D2JZATV\My Documents\download\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.3008333333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0

It's a CWS hijacker.

Please download HijackThis.

Unzip, double-click HijackThis.exe, and hit "Scan".

After the scan has finished, the "Scan" button will turn into a "Save log" button.

Save the log file and paste it here.

Do not delete anything yet, as most things HijackThis finds are harmless and needed.

steam

Looks like steamwiz opened up Pandora's box of the HijackThis logs. :lol:
(Suggestion) Maybe this wildfire could have been stopped by piggybacking threads.

0

Logfile of HijackThis v1.97.7

These are strongly suspect, though I have not found much detail:

O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe

O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe

O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe

Anytime you have registry keys that look like random character strings that point to executable files that also look like random character strings, that spells t-r-o-u-b-l-e in any language!
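
Added example (not part of any post in this thread): a small Python triage of HijackThis O4 Run lines along the lines of the rule of thumb above. "Looks random" is approximated here by two stand-in checks that are assumptions of this example: the value name shares no 3-character run with the file name, and the file sits directly in C:\WINNT, C:\WINNT\system32 or C:\Program Files. The sample lines are copied from the log in this thread.

```python
import re
from ntpath import basename, dirname, splitext

# Constructed sample: a subset of the O4 lines from the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
"""

O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(.*?)\] (.+)$")
# Assumption: a program dropped directly here, with no vendor subfolder, is unusual.
ROOT_DIRS = {r"c:\winnt", r"c:\winnt\system32", r"c:\program files"}

def exe_path(command):
    """Return the executable part of a Run command, dropping any arguments."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def shares_substring(a, b, n=3):
    """True if a and b share a run of n letters/digits, ignoring case."""
    a, b = (re.sub(r"[^a-z0-9]", "", s.lower()) for s in (a, b))
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))

def triage(log):
    """Return [(value_name, path, reasons)] for Run entries worth a closer look."""
    hits = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        name, command = m.groups()
        path = exe_path(command)
        reasons = []
        if not name:
            reasons.append("empty value name")
        elif not shares_substring(name, splitext(basename(path))[0]):
            reasons.append("value name unrelated to file name")
        if dirname(path).lower() in ROOT_DIRS:
            reasons.append("file sits directly in a Windows or Program Files root")
        if not name or len(reasons) == 2:
            hits.append((name, path, reasons))
    return hits
```

A hit is a prompt to look the file up and scan it, not proof that it is malicious; legitimate software can trip either check.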

0

Looks like steamwiz opened up Pandora's box of the HijackThis logs. :lol:
(Suggestion) Maybe this wildfire could have been stopped by piggybacking threads.

The need for HijackThis/spyware help is growing. I would suggest a new category called Hijack Logs, to keep them in one place.

0

OK, the 3 lines:

O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe

O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe

O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe

I suspected because Symantec found the tlaeittu & udadrb and left them alone at first but then quarantined them on the next scan.
So now tell me how I completely rid my machine of these offenders?

The iehelper I'm not sure of. Before I delete it, what can I check to make sure it is a bug?

0

)BIG"B"Affleck.....Why would you want to stop posting of HJT logs.?..these are necessary if we are to help solve certain problems, and having 2 different logs in the same thread (piggybacking) is very confusing.


pisconi ....

Close all browser windows - run hijackthis and tick to fix :-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about_:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about_:blank

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vujemxhk] C:\WINNT\tlaeittu.exe

O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe

O4 - HKLM\..\Run: [] C:\WINNT\system32\udadrb.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Reboot, find and delete :-

C:\WINNT\tlaeittu.exe - file
C:\Program Files\syslaunch.exe - file
C:\WINNT\system32\udadrb.exe - file

Actually TallCool1 had it pretty much nailed.

steam

0

)BIG"B"Affleck.....Why would you want to stop posting of HJT logs.?..these are necessary if we are to help solve certain problems, and having 2 different logs in the same thread (piggybacking) is very confusing.

I was just making a joke. I thought it would be a good idea to piggyback the same logs over and over again in the same thread that way you wouldnt have to go in every other thread on daniweb. And on top of that if you posted a sticky: where you say post all of the same old logs over and over you would get the longest thread award. You would win that contest see Im looking out for you not trying to stop the help.
PS: SpyBot search and destroy does the same thing without sorting through loggs.
http://www.webattack.com/get/spybot.html


Not to discredit those here who help with these logs, I said it before and I'll say it again: the best place for help with hijack logs is the HijackThis forum, more people there who know how to completely get rid of spyware. Click on this link.

Yeah, that wouldn't be a bad idea.

0

Spybot Search and Destroy only removes part of the problem; spyware goes deeper than that! CWShredder and other programs are needed as well.
