Solved

HijackThis Log File needing to be Dissected. Multiple Virus problems With Firewall and NAT enabled.

Posted on 2004-04-09
Last Modified: 2010-04-11
As you can see from the log below, I am running this particular PC on a LAN. My WAN and LAN are running off of 2 different NICs inside the Win 03 Server box. The server is the DHCP. I have a T1 line that is NAT enabled with zero pinholes. Nothing has been found at the server level... YET.

I found this link in the log: http / /   www2.flingstone.   c o m /   {don't go to the link; it tries to install crap on your PC}
and removed it. My VirusScan ASaP from McAfee has found the 4 items below. Does anyone see any other weird things? Thanks in advance.


Local Settings\Temporary Internet Files\Content.IE5\896H0N63\bridge[1].exe   Downloader-ER   4/2/2004 8:16:51 PM   Deleted
Local Settings\Temp\bridge.exe                                               Downloader-ER   4/2/2004 8:16:52 PM   Deleted
C:\WINDOWS\Downloaded Program Files\bridge.dll                               Keylog-Briss    4/7/2004 4:18:07 PM   Deleted
C:\RECYCLER\S-1-5-21-725345543-2139871995-682003330-1006\Dc2.htm             HTML/Ebscam     4/7/2004 4:49:32 PM   Deleted


Logfile of HijackThis v1.97.7
Scan saved at 9:03:58 PM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\myCIO\Agent\myagttry.exe   <-- Not sure!
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Outlook\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://sbs2003/connectcomputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/079ce97c269d3c379e03/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://sbs2003/Remote/msrdp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38044.2426967593
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.98004150390625&file=stamps.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WebPublishing.local
O17 - HKLM\Software\..\Telephony: DomainName = WebPublishing.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WebPublishing.local
Question by:wildewebpublishing
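The four McAfee detections above all sit in browser-controlled locations (IE's Temporary Internet Files cache, the user's Temp folder, and Downloaded Program Files, which is where IE stores ActiveX controls and where HijackThis reads its O16 DPF entries from). That makes the O16 lines and the O4 Run keys the two places to check first when reading a log like this one. The script below is an added example for this thread, not part of HijackThis, McAfee, or any post here: it parses the O4 and O16 lines, flags any Run entry whose image lives in a temp or cache directory, and flags any DPF control whose .cab comes from a host outside an allowlist or that carries no description. The allowlist and the temp-path markers are assumptions chosen for illustration; the sample input is copied from the log above plus one constructed O4 "bridge" line that shows what a hit looks like.

```python
"""Triage a HijackThis 1.9x log: parse the O4 (Run key) and O16 (ActiveX/DPF)
entries and flag the ones worth a second look.

Added example for this thread; not part of HijackThis, McAfee, or any post above.
"""
import re
from urllib.parse import urlparse

# Constructed sample: real lines copied from the log posted above, plus one
# made-up O4 entry ("bridge") showing a Run key that points at the Temp folder
# where McAfee found bridge.exe.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [bridge] C:\DOCUME~1\USER\LOCALS~1\Temp\bridge.exe
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://sbs2003/Remote/msrdp.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.98004150390625&file=stamps.cab
""".strip()

# Section prefix shared by every HJT entry line, e.g. "O4 - ..." or "R1 - ...".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")
# O4 body: HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 body: DPF: {CLSID} (optional description) - URL of the .cab
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>.*)\))? - (?P<url>\S+)$")

# Assumption: hosts an ActiveX .cab is expected to come from on this box
# (vendors seen in the log plus the local SBS server). Tune per environment.
TRUSTED_DPF_HOSTS = {
    "office.microsoft.com", "v4.windowsupdate.microsoft.com",
    "enu.vs.mcafeeasap.com", "download.mcafee.com", "bin.mcafee.com",
    "download.macromedia.com", "software-dl.real.com",
    "sbs2003",
}

# Assumption: legitimate software does not autostart from cache/temp folders,
# which is exactly where the downloader and keylogger above were found.
TEMP_PATH_MARKERS = (
    "\\temp\\", "\\temporary internet files\\",
    "\\downloaded program files\\", "\\recycler\\",
)


def parse_hjt(text):
    """Return (section, body) pairs for every entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["sec"], m["rest"]))
    return entries


def image_path(cmd):
    """Pull the executable path out of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries):
    """Return (section, reason, detail) findings for O4 and O16 entries."""
    findings = []
    for sec, rest in entries:
        if sec == "O4":
            m = RUN_RE.match(rest)
            if not m:
                findings.append((sec, "unparsed", rest))
                continue
            path = image_path(m["cmd"]).lower()
            if any(marker in path for marker in TEMP_PATH_MARKERS):
                findings.append((sec, "run-from-temp",
                                 f'{m["hive"]}\\{m["key"]} [{m["name"]}] -> {m["cmd"]}'))
        elif sec == "O16":
            m = DPF_RE.match(rest)
            if not m:
                findings.append((sec, "unparsed", rest))
                continue
            host = (urlparse(m["url"]).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((sec, "dpf-unlisted-host", f'{host} {{{m["clsid"]}}}'))
            if not m["desc"]:
                # A control with no registered description deserves a look even
                # when the host is trusted.
                findings.append((sec, "dpf-no-description", f'{{{m["clsid"]}}} {m["url"]}'))
    return findings


if __name__ == "__main__":
    for sec, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{sec:4} {reason:20} {detail}")
```

On the sample this reports the constructed Temp-folder Run entry, the two .cab hosts not on the allowlist (the Akamai-hosted HouseCall scanner and stamps.com), and the McAfee control that has no description; the rest of the O4/O16 lines pass. A flagged line is a prompt for review, not a verdict: HouseCall and Stamps.com are legitimate here, which is why the allowlist is the part you tune to your own network.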
3 Comments
 
LVL 2

Expert Comment

by:Thunder_scream
ID: 10795715
Hi wildewebpublishing,


[myagttry.exe] = System tray notification for McAfee VirusScan ASaP on-line scanner.
CompanyName : Network Associates, Inc.
FileDescription : myAgtTry Module
InternalName : myAgtTry
OriginalFilename : myAgtTry.exe

Thus nothing to worry about.


I can't see anything strange, but I think the best thing you can do is to download this software and run it in this order:

i: make sure you have the latest update of the tools below and for your antivirus program

ii: Ad-aware - Spyware/Adware removal tool
   http://www.webattack.com/download/dladaware.shtml

iii: SpyBot
  http://www.webattack.com/download/dlspybot.shtml

Once the above is done:
1. Click Start, and then right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Restart the computer.
7. Repeat steps 1 through 6, except in step 4, uncheck Turn Off System Restore.


3: install a firewall if you don't have one (forget about WinXP's internal one :) ).

This way you get rid of any spyware and other annoyances.
Make sure your Windows has the latest updates to close all your security holes.

Good luck

Cheers!
 

Author Comment

by:wildewebpublishing
ID: 10795743
Thanks. I should have been a little more detailed on what I have already done.

Did and do Ad-aware and Spybot.

Did disable System Restore.

I have an external hardware firewall.

Have internal firewall.

After the original post I noticed I missed this one string:
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll  - Possible Adobe key, but I doubt it at this point. I deleted it and rebooted. I'm here to tell about it, so I guess it was OK.

I am still puzzled where they are coming from....

Thanks

I will wait to see if anyone else has ideas before I close.
 
LVL 12

Accepted Solution

by:
rossfingal earned 500 total points
ID: 10815446
Hi!

Took a quick look and did not find anything that jumps out as being bad.
myagttry.exe is part of McAfee.
I would check System Restore files, temp files, etc. for anything related to bridge.dll, or anything else suspicious.
Also, download and run CWShredder:

http://www.spywareinfo.com/~merijn/downloads.html

Good luck!