
Need help with HiJackthis log

Sep 30, 2003
I have a user whose machine seems to have been taken over with spyware! I have turned off the restore points, run CWShredder, Ad-Aware, Spybot S&D, and below is the HijackThis log. Each time I clean up, new ones seem to pop up! Here are a few that I have already cleaned: dzg0p5.exe, mwjqzk.exe, cydpw.exe, and now there is lpqk3g.exe!!

What else do I need to do?

Thanks in advance,
MJM


Logfile of HijackThis v1.97.7
Scan saved at 2:32:24 PM, on 10/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\eds\i-deas10\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\eds\i-deas10\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe
C:\eds\i-deas10\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe
C:\eds\i-deas10\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\Elw273d8.exe
C:\WINDOWS\system32\Lpqk3g.exe
C:\WINDOWS\system32\userinit.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [frymxins] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [FRYHIGHRES] rundll32 "C:\Program Files\ATI Technologies\Fire GL Control Panel\atipmogl.dll",DetectHighResMonitor
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\OfnVO.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Airpax.net
O17 - HKLM\Software\..\Telephony: DomainName = Airpax.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Airpax.net
 
Peper trojan.

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\OfnVO.exe
( 14 characters plus the random files. )

C:\WINDOWS\system32\Elw273d8.exe
C:\WINDOWS\system32\Lpqk3g.exe

#11 for a removal tool.

Instructions I've seen say to disconnect from internet and run it a couple of times.

Then you would want to fix that line in your hjt log and delete the three files shown above and see what it looks like.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
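The fingerprint the reply points at (a 14-character random Run value name launching a random-named executable in System32) can be checked mechanically across a HijackThis log. This is an added detection example, not part of the original thread and not HijackThis's own logic; the sample lines are constructed from entries shown above, and the length and character-class heuristics are assumptions.

```python
import re

# Constructed sample, modelled on O4 entries from the log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Realtime Monitor] C:\\PROGRA~1\\CA\\ETRUST~1\\realmon.exe -s
O4 - HKLM\\..\\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\\..\\Run: [2LRX2W83X2T3MQ] C:\\WINDOWS\\System32\\OfnVO.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
"""

# HijackThis O4 line: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

def parse_o4(line):
    """Return the hive, key, value name, command and executable path of an O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    cmd = d['cmd'].strip()
    # Executable is either the quoted first token or the first whitespace-delimited token.
    d['exe'] = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(' ')[0]
    return d

def looks_random(name):
    # Assumed heuristic for the "14 characters" pattern named in the reply:
    # exactly 14 upper-case letters and digits, with at least one digit.
    return (len(name) == 14 and name.isalnum() and name.upper() == name
            and any(c.isdigit() for c in name))

def suspicious_o4(line):
    """True when the value name looks random and it launches a short random-named exe in System32."""
    e = parse_o4(line)
    if e is None:
        return False
    exe = e['exe'].lower()
    base = exe.rsplit('\\', 1)[-1]
    # Assumed: the dropped files seen in this thread are 4-8 alphanumerics plus .exe.
    random_exe = re.fullmatch(r'[a-z0-9]{4,8}\.exe', base) is not None
    return looks_random(e['name']) and '\\system32\\' in exe and random_exe

def flag_lines(log):
    """Return the O4 lines in a HijackThis log that match the pattern."""
    return [l for l in log.splitlines() if suspicious_o4(l)]

if __name__ == '__main__':
    for hit in flag_lines(SAMPLE_LOG):
        print('suspicious:', hit)
```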
 