Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 807
  • Last Modified:

HijackThis Log File needing to be Disected. Multiple Virus problems With Fire wall and NAT enabled.

As you can see by the below log I am running this particular PC on a LAN.  My WAN and LAN are running off of 2 different NIC's inside the WIN 03 Server Box. The Serveris the DHCP.  I have A T1 line that is NAT inabled with zero pinholes.  Nothing has been found at the server level..YET

I found This Link in the Log.  http / /   www2.flingstone.   c o m /   {dont go to the link it tries to install crap on your pc}
and removed it.  MY Virus Scan ASaP from mcafee has found 4 of the following.  Does anyone see any other weird things. Thanks in advance.


Local Settings\Temporary Internet Files\Content.IE5\896H0N63\bridge 1 .exe Downloader-ER     4/2/2004 8:16:51 PM Deleted


Local Settings\Temp\bridge.exe Downloader-ER                               4/2/2004 8:16:52 PM Deleted
C WINDOWS\Downloaded Program Files\bridge.dll Keylog-Briss         4/7/2004 4:18:07 PM Deleted

C RECYCLER\S-1-5-21-725345543-2139871995-682003330-1006\Dc2.htm HTML/Ebscam    4/7/2004 4:49:32 PM Deleted


Logfile of HijackThis v1.97.7
Scan saved at 9:03:58 PM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\myCIO\Agent\myagttry.exe  ????????????????????????????????????????????????????????????????  Not sure !
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Outlook\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://sbs2003/connectcomputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/079ce97c269d3c379e03/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://sbs2003/Remote/msrdp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38044.2426967593
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.98004150390625&file=stamps.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WebPublishing.local
O17 - HKLM\Software\..\Telephony: DomainName = WebPublishing.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WebPublishing.local
0
wildewebpublishing
Asked:
wildewebpublishing
1 Solution
 
Thunder_screamCommented:
Hi wildewebpublishing,


[myagttry.exe] =System tray notification for McAfee VirusScan ASaP on-line scanner.
CompanyName : Network Associates, Inc.
FileDescription : myAgtTry Module
InternalName : myAgtTry
OriginalFilename : myAgtTry.exe

///thus nothing to worry about..


I cant see anything strange..but I think best thing you can do ..is to download these softwares and run them in this order

i: make sure you have the lastest update of below tools and for your antivirus prog

ii: Ad-aware- Spyware/Adware removal tools
   http://www.webattack.com/download/dladaware.shtml

iii:SpyBot
  http://www.webattack.com/download/dlspybot.shtml 

Once above is done..
1. Click Start, and then right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Restart the computer.
7. Repeat steps 1 through 6, except in step 4, uncheck Turn Off System Restore.


3: install a firewall if you dont have one(forget about winxp's internal :)  ).

This way you get rid of any spyware and other annoyences..
make sure your win has the latest update to close all your security holes..

good luck

Cheers!
0
 
wildewebpublishingAuthor Commented:
Thanks I should have been a little more detailed on what I have allready done.

Did and Do Adaware and Spybot.

Did disable System Restore

I have an external hardware firewall.

Have Internal Firewall

After original Post I noticed I missed this one srting
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll  - Possible Adobe Key But I doubt it at this point.  I deleted it and rebooted.  I m here to tell about it so I guess it was ok.

I am still puzzled where they are coming from....

Thanks

I will wait to see if anone else has ideas befor I close.
0
 
rossfingalCommented:
Hi!

Took a quick look and did not find anything that jumps out as being bad.
myagttry.exe is part of McAffee.
I would check System Restore files, temp files, etc. for anything related to bridge.dll, or anything else suspicious.
Also, download and run CWShredder:

http://www.spywareinfo.com/~merijn/downloads.html

Good luck!
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now