
Winpup Hijack help

Discussion in 'Virus & Other Malware Removal' started by CaseyWhitche, Sep 22, 2003.

Thread Status:
Not open for further replies.
  1. CaseyWhitche

    CaseyWhitche Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    5
    Hey all..

    Is there a place that we can figure out what exactly it is that you all are looking for when you look at these log files to know what you need to get rid of?

    It's great that you all are helping out like this, but I'd love to understand it as well.

    In the meantime, here is my log file from Hijack if you all can help me out,

    THANKS!!!

    Logfile of HijackThis v1.97.2
    Scan saved at 10:46:25 AM, on 9/22/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Rational\ClearCase\bin\albd_server.exe
    C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
    C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
    C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
    C:\WINNT\System32\mgabg.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\Tablet.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
    C:\WINNT\System32\Hummingbird\Connectivity\7.00\NFSClient\expserv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    C:\OfficeScan NT\pccntmon.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\wt\updater\wcmdmgr.exe
    C:\WINNT\System32\winpup32.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\Download\programs\hijackthis\hijackthis\HijackThis.exe
    C:\WINNT\system32\notepad.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CCDoctorLogonTesting] "C:\Program Files\Rational\ClearCase\bin\ccdoctor.exe" /LogonStartup
    O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/070f5963cc903c11b322/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37727.753587963
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/cannonballs/install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = credit.credco.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = credit.credco.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = credit.credco.net
     
  2. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi Casey, and welcome to TSG.. :)

    You can have a look here, to get an idea, but lots of it is just down to practice.

    But by all means have a look through this tutorial, and check out a few bits via Google, and see what you think should be fixed.

    I'll have a look at your log in the meantime, and you can see how you did.

    Cheers

    Liam
     
  3. CaseyWhitche

    CaseyWhitche Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    5
  4. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Here we go Casey,

    Please run a new Hijack log, and check to fix all of the items below. Next close all browser windows and click Fix.

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/070f5963cc903c...ip/RdxIE601.cab

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/...lls/install.cab

    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/tr...oaderSigned.cab


    I can't find much on these entries below, so unless you know credco.net to be your ISP, which doesn't look likely, then please include these in the "to fix" list

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = credit.credco.net

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = credit.credco.net

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = credit.credco.net


    The entry marked in red is the adclicker trojan, so after the above have been fixed, could you now reboot and run this on line scanner and delete all it finds.

    Then, if you could reboot and post a new log for a final once over..

    Cheers

    Liam
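As an added example, not code from the thread or from HijackThis itself, here is a small Python script that applies the kind of checks Liam is making above to log lines of the sort Casey posted: an O4 Run entry whose program lives in the Windows directory tree instead of Program Files, an O16 ActiveX download served from a bare IP address, and any O17 TCP/IP domain setting. The sample lines are copied from the first log in the thread; the rules and their wording are assumptions made for this example, and they produce candidates for a human to verify, not verdicts (the O17 rule in particular will fire on a legitimate corporate domain).

```python
"""Triage a HijackThis-style log with a few simple heuristics (example only)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample input: lines copied from the first log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/070f5963cc903c11b322/netzip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = credit.credco.net
"""

# Assumed system roots for a Windows 2000/XP box; third-party software normally
# installs under Program Files, so a Run entry pointing here deserves a look.
WINDOWS_DIRS = ("c:\\winnt\\", "c:\\windows\\")

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<setting>Domain|DomainName|NameServer|SearchList) = (?P<value>.+)$")
# First token ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)\b', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reason: str


def check_run_entry(m):
    """O4: flag programs started from the Windows directory tree."""
    exe = EXE_RE.match(m["cmd"])
    if not exe:
        return None
    path = exe["path"]
    if path.lower().startswith(WINDOWS_DIRS):
        return Finding("O4", m["name"], path,
                       "launched from the Windows directory tree rather than Program Files; verify the file")
    return None


def check_dpf_entry(m):
    """O16: flag ActiveX controls downloaded from a bare IP address."""
    host = urlparse(m["url"]).hostname or ""
    try:
        ip_address(host)
    except ValueError:
        return None  # a hostname, not an IP literal
    return Finding("O16", m["name"] or "(no name)", m["url"],
                   "ActiveX control served from a raw IP address instead of a vendor hostname")


def check_o17_entry(m):
    """O17: always surface DNS/domain settings; the reader decides if they are expected."""
    return Finding("O17", m["setting"], m["value"],
                   "TCP/IP domain or DNS setting present; normal on a corporate network, otherwise suspect")


def analyze(log_text):
    """Return a list of Findings for the lines that match one of the rules."""
    findings = []
    rules = ((RUN_RE, check_run_entry), (DPF_RE, check_dpf_entry), (O17_RE, check_o17_entry))
    for line in log_text.splitlines():
        line = line.strip()
        for regex, check in rules:
            m = regex.match(line)
            if m:
                f = check(m)
                if f:
                    findings.append(f)
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.target}\n    -> {f.reason}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file contents. Note that the O4 rule also fires on things like a graphics driver utility installed under System32, and the O17 rule fires on every domain-joined PC, which is exactly why the thread asks the poster to confirm whether credco.net is theirs before fixing it.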
     
  5. CaseyWhitche

    CaseyWhitche Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    5
    Thanks a lot Liam

    Here is the updated log file

    Logfile of HijackThis v1.97.2
    Scan saved at 12:41:36 PM, on 9/22/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Rational\ClearCase\bin\albd_server.exe
    C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
    C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
    C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
    C:\WINNT\System32\mgabg.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\Tablet.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\Hummingbird\Connectivity\7.00\NFSClient\expserv.exe
    C:\WINNT\System32\PDesk\PDesk.exe
    C:\OfficeScan NT\pccntmon.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Wacom\TabUserW.exe
    E:\Download\programs\hijackthis\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [CCDoctorLogonTesting] "C:\Program Files\Rational\ClearCase\bin\ccdoctor.exe" /LogonStartup
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37727.753587963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = credit.credco.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = credit.credco.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = credit.credco.net


    and yes, credco is my ISP; it's my company that I work at.

    looks like the problem is fixed..

    thanks again!~
     
  6. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    No problem Casey,

    That's a clean log. (y) :)

    If you now click Start | Settings | Control Panel | Internet Options, click the Programs tab, then click Reset Web Settings it will reset the home and search pages back to Microsoft's default pages. You can of course then change the home page to any one that you wish.

    I don't see an anti-virus program or firewall running. You should really get both, especially if you use cable, DSL etc. Many are available free of charge, and you could do worse than use Zone Alarm's firewall, or Grisoft's AVG anti-virus.

    Just click on the above links to go straight to their download pages.

    Cheers

    Liam
     
  7. CaseyWhitche

    CaseyWhitche Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    5
    Thanks Liam,

    I'm actually at my job... So I'm on my company's network / antivirus, and firewall... I know they use Office-Scan, not sure what kind of firewall they have connected, although I'm sure they are doing something significant, I think?
     
  8. CaseyWhitche

    CaseyWhitche Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    5
    coincidentally... probably 5 minutes after I completed the online scan...

    I got a pop up from our office scan that it had detected the WORM_NACHI.A virus on my box.

    Our IT guys called me and said they are going to come up to take a look at it?

    guess we'll see what happens?

    interesting that it came up right after this one cleared??
     

Short URL to this thread: https://techguy.org/166623
