HijackThis Log File needing to be Dissected. Multiple Virus problems With Firewall and NAT enabled.

Posted on 2004-04-09
Last Modified: 2010-04-11
As you can see by the log below, I am running this particular PC on a LAN. My WAN and LAN are running off of 2 different NICs inside the Win 2003 Server box. The server is the DHCP server. I have a T1 line that is NAT enabled with zero pinholes. Nothing has been found at the server level... YET.

I found this link in the log: http / /   www2.flingstone.   c o m /   {don't go to the link, it tries to install crap on your PC}
and removed it. My VirusScan ASaP from McAfee has found the 4 following items. Does anyone see any other weird things? Thanks in advance.

Local Settings\Temporary Internet Files\Content.IE5\896H0N63\bridge 1 .exe    Downloader-ER    4/2/2004 8:16:51 PM    Deleted
Local Settings\Temp\bridge.exe    Downloader-ER    4/2/2004 8:16:52 PM    Deleted
C:\WINDOWS\Downloaded Program Files\bridge.dll    Keylog-Briss    4/7/2004 4:18:07 PM    Deleted
C:\RECYCLER\S-1-5-21-725345543-2139871995-682003330-1006\Dc2.htm    HTML/Ebscam    4/7/2004 4:49:32 PM    Deleted

Logfile of HijackThis v1.97.7
Scan saved at 9:03:58 PM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\myCIO\Agent\myagttry.exe    <-- Not sure!
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Microsoft Outlook\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://sbs2003/connectcomputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/079ce97c269d3c379e03/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://sbs2003/Remote/msrdp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38044.2426967593
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.98004150390625&file=stamps.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WebPublishing.local
O17 - HKLM\Software\..\Telephony: DomainName = WebPublishing.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WebPublishing.local
Question by:wildewebpublishing
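A way to make the first pass over a log like this mechanically, as an added example that is not part of the original post, of HijackThis, or of McAfee: parse every R0/R1/O4/O14/O16 entry, flag auto-start entries whose executable matches one of the names in the McAfee detections quoted above or runs from a temp/download directory, and flag start-page and DPF (ActiveX download) entries whose host is not on an allow-list. The allow-list, the flagged directories and the two constructed lines at the end of the sample log are assumptions for illustration only.

```python
"""Triage a HijackThis 1.9x log.

Added example for this thread, not code from HijackThis, McAfee or the
poster.  The allow-list and the flagged directories are assumptions.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts expected on this SBS 2003 network, taken from the
# benign R0/R1/O16 entries in the posted log.  Matched as the exact host or
# as a dot-delimited suffix, so "evilmicrosoft.com" does not pass.
TRUSTED_HOST_SUFFIXES = (
    "microsoft.com", "mcafee.com", "mcafeeasap.com", "real.com",
    "akamai.net", "stamps.com", "macromedia.com", "sbc.com",
    "companyweb", "sbs2003",
)

# Assumption: directories an auto-start entry should never run from.
SUSPICIOUS_DIRS = (
    "\\temp\\", "\\temporary internet files\\",
    "\\downloaded program files\\", "\\recycler\\",
)

# File names from the McAfee VirusScan ASaP detections quoted in the post.
KNOWN_BAD_NAMES = {"bridge.exe", "bridge 1 .exe", "bridge.dll"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
URL_RE = re.compile(r"https?://\S+")


def exe_from_command(cmd):
    """Return the executable path from an O4 command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" rather
    # than at the first space.
    m = re.match(r"(?i)(.+?\.exe)", cmd)
    return m.group(1) if m else cmd.split()[0]


def host_is_trusted(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def triage(log_text):
    """Return (kind, reason, line) for every entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                findings.append((kind, "unparsed O4 entry", line))
                continue
            exe = exe_from_command(o4.group("cmd")).lower()
            name = exe.rsplit("\\", 1)[-1]
            if name in KNOWN_BAD_NAMES:
                findings.append((kind, f"auto-start of known detection {name}", line))
            elif any(d in exe for d in SUSPICIOUS_DIRS):
                findings.append((kind, "auto-start from temp/download/recycler dir", line))
        elif kind in ("R0", "R1", "O14", "O16"):
            u = URL_RE.search(body)
            if not u:
                continue
            host = urlparse(u.group(0)).hostname or ""
            if not host_is_trusted(host):
                findings.append((kind, f"untrusted host {host}", line))
    return findings


# Sample input: the first eight lines are copied from the posted log; the
# last two are constructed for this example (a Run entry for the bridge.exe
# McAfee deleted, and a DPF entry for the host the poster removed; the
# all-zero CLSID is a placeholder).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://sbs2003/Remote/msrdp.cab
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O4 - HKCU\..\Run: [bridge] C:\WINDOWS\Temp\bridge.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://www2.flingstone.com/
"""

if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run against the log as actually posted (without the two constructed lines) this reports nothing, which matches what the responders below conclude by eye. The caveat is that an allow-list only shrinks the reading list: a host not on the list is "look at this", not "malicious", and a host on the list is only as clean as the list, so new O16 DPF entries still deserve a check of where the .cab really came from.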

Expert Comment

ID: 10795715
Hi wildewebpublishing,

[myagttry.exe] =System tray notification for McAfee VirusScan ASaP on-line scanner.
CompanyName : Network Associates, Inc.
FileDescription : myAgtTry Module
InternalName : myAgtTry
OriginalFilename : myAgtTry.exe

Thus, nothing to worry about.

I can't see anything strange, but I think the best thing you can do is to download this software and run it in this order:

i: make sure you have the latest updates for the tools below and for your antivirus program

ii: Ad-Aware - spyware/adware removal tool


Once above is done..
1. Click Start, and then right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Restart the computer.
7. Repeat steps 1 through 6, except in step 4, uncheck Turn Off System Restore.

iii: install a firewall if you don't have one (forget about WinXP's internal one :) ).

This way you get rid of any spyware and other annoyances.
Make sure your Windows has the latest updates to close all your security holes.

good luck


Author Comment

ID: 10795743
Thanks. I should have been a little more detailed on what I have already done.

Did and do Ad-Aware and Spybot.

Did disable System Restore

I have an external hardware firewall.

Have Internal Firewall

After the original post I noticed I missed this one string:
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll  - Possible Adobe key, but I doubt it at this point. I deleted it and rebooted. I'm here to tell about it, so I guess it was OK.

I am still puzzled where they are coming from....


I will wait to see if anyone else has ideas before I close.

Accepted Solution

rossfingal earned 500 total points
ID: 10815446

Took a quick look and did not find anything that jumps out as being bad.
myagttry.exe is part of McAfee.
I would check System Restore files, temp files, etc. for anything related to bridge.dll, or anything else suspicious.
Also, download and run CWShredder:


Good luck!
