Winpup Hijack help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

CaseyWhitche

Thread Starter
Joined
Sep 22, 2003
Messages
5
Hey all..

Is there a place that we can figure out what exactly it is that you all are looking for when you look at these log files to know what you need to get rid of?

It's great that you all are helping out like this, but I'd love to understand it as well.

In the meantime, here is my log file from Hijack if you all can help me out,

THANKS!!!

Logfile of HijackThis v1.97.2
Scan saved at 10:46:25 AM, on 9/22/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Rational\ClearCase\bin\albd_server.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\WINNT\System32\mgabg.exe
C:\OfficeScan NT\ntrtscan.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\NFSClient\expserv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk\PDesk.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\WINNT\System32\winpup32.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Download\programs\hijackthis\hijackthis\HijackThis.exe
C:\WINNT\system32\notepad.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "C:\Program Files\Rational\ClearCase\bin\ccdoctor.exe" /LogonStartup
O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/070f5963cc903c11b322/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37727.753587963
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/cannonballs/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = credit.credco.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = credit.credco.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = credit.credco.net
 
Joined
Jun 19, 2003
Messages
1,241
Hi Casey, and welcome to TSG.. :)

You can have a look here, to get an idea, but lots of it is just down to practice.

But by all means have a look through this tutorial, and check out a few bits via Google, and see what you think should be fixed.

I'll have a look at your log in the meantime, and you can see how you did.

Cheers

Liam
 
Joined
Jun 19, 2003
Messages
1,241
Here we go Casey,

Please run a new Hijack log, and check to fix all of the items below. Next close all browser windows and click Fix.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/070f5963cc903c...ip/RdxIE601.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/...lls/install.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/tr...oaderSigned.cab


I can't find much on these entries below, so unless you know credco.net to be your ISP, which doesn't look likely, please include these in the "to fix" list.

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = credit.credco.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = credit.credco.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = credit.credco.net


The entry marked in red is the adclicker trojan, so after the above have been fixed, could you now reboot and run this online scanner and delete all it finds.

Then, if you could reboot and post a new log for a final once over..

Cheers

Liam
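To illustrate what the reviewer above is actually checking (the same three kinds of entry Casey asked about), here is a small Python triage script over the HijackThis log format. It is an added example, not part of the thread or of HijackThis: it flags O4 autoruns whose executable is not on an analyst-verified list, O16 ActiveX downloads served from a bare IP address, and O17 DNS domains that are not ones you recognise. The log excerpt, the verified list and the expected-domain set are constructed for this example.

```python
import re
from urllib.parse import urlsplit
# Constructed excerpt in the HijackThis v1.97.2 log format seen in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/070f5963cc903c11b322/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = credit.credco.net
"""
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_log(text):
    """Yield (section, body) for every 'Onn - ...' entry; header and process lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def o4_executable(body):
    r"""Executable file name from an O4 body: 'HKLM\..\Run: [name] "path" args'."""
    _, _, rest = body.partition("] ")
    path = rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split(None, 1)[0]
    return path.rsplit("\\", 1)[-1].lower()

def o16_host(body):
    """Download host from an O16 body: '{CLSID} (Name) - http://host/file.cab'."""
    return urlsplit(body.rsplit(" - ", 1)[-1]).hostname or ""

def triage(text, known_good_exes, expected_domains):
    """Return (section, body, reason) for entries that need an analyst's attention."""
    findings = []
    for section, body in parse_log(text):
        if section == "O4" and o4_executable(body) not in known_good_exes:
            findings.append((section, body, "autorun executable not on the verified list"))
        elif section == "O16" and IPV4_RE.fullmatch(o16_host(body)):
            findings.append((section, body, "ActiveX control served from a bare IP address"))
        elif section == "O17":
            domain = body.rsplit("=", 1)[-1].strip().lower()
            if domain not in expected_domains:
                findings.append((section, body, "DNS domain is not one you recognise"))
    return findings

if __name__ == "__main__":
    # Verified list constructed from entries the thread left alone; no expected domain yet.
    for section, body, reason in triage(SAMPLE_LOG, {"pccntmon.exe"}, set()):
        print(f"{section}: {reason}\n    {body}")
```

Once a domain is confirmed (as credco.net was later in this thread), adding it to the expected set clears the O17 findings without touching the other checks.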
 

CaseyWhitche

Thread Starter
Joined
Sep 22, 2003
Messages
5
Thanks a lot Liam

Here is the updated log file

Logfile of HijackThis v1.97.2
Scan saved at 12:41:36 PM, on 9/22/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Rational\ClearCase\bin\albd_server.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
C:\WINNT\System32\mgabg.exe
C:\OfficeScan NT\ntrtscan.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Hummingbird\Connectivity\7.00\NFSClient\expserv.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Wacom\TabUserW.exe
E:\Download\programs\hijackthis\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "C:\Program Files\Rational\ClearCase\bin\ccdoctor.exe" /LogonStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37727.753587963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = credit.credco.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = credit.credco.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = credit.credco.net


And yes, credco is my ISP; it's my company that I work at.

looks like the problem is fixed..

thanks again!~
 
Joined
Jun 19, 2003
Messages
1,241
No problem Casey,

That's a clean log. (y) :)

If you now click Start | Settings | Control Panel | Internet Options, click the Programs tab, then click Reset Web Settings, it will reset the home and search pages back to Microsoft's default pages. You can of course then change the home page to any one that you wish.

I don't see an anti-virus program or firewall running. You should really get both, especially if you use cable, DSL etc. Many are available free of charge, and you could do worse than use Zone Alarm's firewall, or Grisoft's AVG anti-virus.

Just click on the above links to go straight to their download pages.

Cheers

Liam
 

CaseyWhitche

Thread Starter
Joined
Sep 22, 2003
Messages
5
Thanks Liam,

I'm actually at my job... So I'm on my company's network / antivirus, and firewall... I know they use Office-Scan, not sure what kind of firewall they have connected, although I'm sure they are doing something significant, I think?
 

CaseyWhitche

Thread Starter
Joined
Sep 22, 2003
Messages
5
coincidentally... probably 5 minutes after I completed the online scan...

I got a pop up from our office scan that it had detected the WORM_NACHI.A virus on my box.

Our IT guys called me and said they are going to come up to take a look at it?

guess we'll see what happens?

Interesting that it came up right after this one cleared??
 