Please analyze Hijack This log

Status
Not open for further replies.

zoeythecat

Technical User
May 2, 2002
1,666
US
Hi All,

I have a workstation that has been having serious popup problems. I ran virus scan, Spybot, Adaware, CWSHREDDER. All programs (Virus scan ran clean) detect several entries then remove them, but then the popups repopulate. So I'm at a loss. Could someone analyze this log and tell me what I need to remove?

Many thanks.
__________________________________________________________
Logfile of HijackThis v1.97.7
Scan saved at 1:12:29 PM, on 6/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\cisvc.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SxgTkBar.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\documents and settings\security\local settings\temp\gP3RKG.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\WINNT\System32\EwnnW4.exe
C:\WINNT\System32\IoleBv3.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSJPW] C:\WINNT\MSJPW.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\System32\OqxNq.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [frsk] C:\WINNT\frsk.exe
O4 - HKLM\..\Run: [BIOVBIPVF] C:\WINNT\BIOVBIPVF.exe
O4 - HKLM\..\Run: [HCJ] C:\WINNT\HCJ.exe
O4 - HKLM\..\Run: [FMTZDJQWA] C:\WINNT\FMTZDJQWA.exe
O4 - HKLM\..\Run: [OUHOVBLSY] C:\WINNT\OUHOVBLSY.exe
O4 - HKLM\..\Run: [GMTAGNTE] C:\WINNT\GMTAGNTE.exe
O4 - HKLM\..\Run: [JPWDJNT] C:\WINNT\JPWDJNT.exe
O4 - HKLM\..\Run: [DKQXBH] C:\WINNT\DKQXBH.exe
O4 - HKLM\..\Run: [GMTWDK] C:\WINNT\GMTWDK.exe
O4 - HKLM\..\Run: [ELR] C:\WINNT\ELR.exe
O4 - HKLM\..\Run: [CJPWAGNT] C:\WINNT\CJPWAGNT.exe
O4 - HKLM\..\Run: [GMTZDJ] C:\WINNT\GMTZDJ.exe
O4 - HKLM\..\Run: [HQXEO] C:\WINNT\HQXEO.exe
O4 - HKLM\..\Run: [ELRVFLS] C:\WINNT\ELRVFLS.exe
O4 - HKLM\..\Run: [UBHLRYBW] C:\WINNT\UBHLRYBW.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\system32\idctup20.exe
O4 - HKLM\..\Run: [qxofmpad] C:\WINNT\qxofmpad.exe
O4 - HKLM\..\Run: [rudsz] C:\WINNT\rudsz.exe
O4 - HKLM\..\Run: [xyneb] C:\WINNT\xyneb.exe
O4 - HKLM\..\Run: [mlofkroj] C:\WINNT\mlofkroj.exe
O4 - HKLM\..\Run: [gP3RKG] C:\documents and settings\security\local settings\temp\gP3RKG.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\security\Client\HelpExp.exe
O4 - HKCU\..\Run: [BIOVBIPVY] C:\WINNT\BIOVBIPVY.exe
O4 - HKCU\..\RunOnce: [RemoveHX.bat] C:\Program Files\Alset\HelpExpress\RemoveHX.bat
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4F96CE92-09EA-49D3-B478-F1892F6DCB6D} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {8699D723-6DC6-47D3-B55C-489BA006B917} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} -
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = brooksschool.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = brooksschool.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = brooksschool.org
 
A quick look as I'm cooking (lol, really) - it does look horrible, this log :s

I don't trust:
C:\WINNT\system32\SxgTkBar.exe
C:\documents and settings\security\local settings\temp\gP3RKG.exe
C:\WINNT\System32\EwnnW4.exe
C:\WINNT\System32\IoleBv3.exe

Does HP really use so many .exe files?
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

This is your homepage hijacked
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
Get rid of:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

Not sure of:
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe

Again: I don't know about HP Printer processes
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

O4 - HKLM\..\Run: [MSJPW] C:\WINNT\MSJPW.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\System32\OqxNq.exe

This is a trojan if you didn't install it yourself!
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper

Ahum... this looks bad
O4 - HKLM\..\Run: [frsk] C:\WINNT\frsk.exe
O4 - HKLM\..\Run: [BIOVBIPVF] C:\WINNT\BIOVBIPVF.exe
O4 - HKLM\..\Run: [HCJ] C:\WINNT\HCJ.exe
O4 - HKLM\..\Run: [FMTZDJQWA] C:\WINNT\FMTZDJQWA.exe
O4 - HKLM\..\Run: [OUHOVBLSY] C:\WINNT\OUHOVBLSY.exe
O4 - HKLM\..\Run: [GMTAGNTE] C:\WINNT\GMTAGNTE.exe
O4 - HKLM\..\Run: [JPWDJNT] C:\WINNT\JPWDJNT.exe
O4 - HKLM\..\Run: [DKQXBH] C:\WINNT\DKQXBH.exe
O4 - HKLM\..\Run: [GMTWDK] C:\WINNT\GMTWDK.exe
O4 - HKLM\..\Run: [ELR] C:\WINNT\ELR.exe
O4 - HKLM\..\Run: [CJPWAGNT] C:\WINNT\CJPWAGNT.exe
O4 - HKLM\..\Run: [GMTZDJ] C:\WINNT\GMTZDJ.exe
O4 - HKLM\..\Run: [HQXEO] C:\WINNT\HQXEO.exe
O4 - HKLM\..\Run: [ELRVFLS] C:\WINNT\ELRVFLS.exe
O4 - HKLM\..\Run: [UBHLRYBW] C:\WINNT\UBHLRYBW.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\system32\idctup20.exe
O4 - HKLM\..\Run: [qxofmpad] C:\WINNT\qxofmpad.exe
O4 - HKLM\..\Run: [rudsz] C:\WINNT\rudsz.exe
O4 - HKLM\..\Run: [xyneb] C:\WINNT\xyneb.exe
O4 - HKLM\..\Run: [mlofkroj] C:\WINNT\mlofkroj.exe
O4 - HKLM\..\Run: [gP3RKG] C:\documents and settings\security\local settings\temp\gP3RKG.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKCU\..\Run: [BIOVBIPVY] C:\WINNT\BIOVBIPVY.exe

I see this quite a lot in hijack logs, but I don't know how reliable the software is
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm

Plain spyware
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\security\Client\HelpExp.exe
O4 - HKCU\..\RunOnce: [RemoveHX.bat] C:\Program Files\Alset\HelpExpress\RemoveHX.bat

Delete...
O16 - DPF: {4F96CE92-09EA-49D3-B478-F1892F6DCB6D} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {8699D723-6DC6-47D3-B55C-489BA006B917} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} -
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) -
Peace,

Yellow
 
Thanks.

I see where you say delete. What about the section where you say, "Ahum this looks bad"? Are you saying delete these entries?
 
Yes, most look like they are randomly generated. I am not sure on every file though, like e.g. idctup20.exe.



Peace,

Yellow
 
"O4 - HKLM\..\Run: [MSJPW] C:\WINNT\MSJPW.exe" and "O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\System32\OqxNq.exe" should be under the "ahum..." title and not under the printing title...


Peace,

Yellow
 
What if these files are needed? Are you certain they can be removed?

Thanks again.
 
I am pretty certain, but I don't know every existing file and library of course, so I just don't exclude the possibility something wrong gets deleted.

Peace,

Yellow
 
Ok. I will just delete the sections you noted I could remove and hope this removes the popups.

Thanks for your help.
 
Oops, that was a line I overlooked before posting.
No need to remove that line of course. Sorry.
As I said: I did it in a quicky... I was mostly paying attention to a larded piece of goat cheese baking in the pan.

Peace,

Yellow
 
LOL....I appreciate you sticking with me on this. Just one more question. Are you confident the entries under the "Ahum this looks bad" can be deleted or should I just look at them as suspicious items but not delete?
 
Yellow,
You should not use a pan to bake larded goat cheese. A small casserole is preferred to prevent too much heat reaching the bottom of the cheese.

zoeythecat,

You have something that is morphing its name, and it would help if you could describe in detail what the popup messages say, their windows titles, etc..

It is likely every invocation of AdAware or SpyBot removes entries that lead to the addition of a new morphed.exe.

See the steps outlined in faq608-4650, particularly running at least two online AV scans to hopefully provide a name for this malware.
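
Bcastner's point about a dropper that keeps morphing its name, and Yellow's list of randomly named C:\WINNT entries, as an added example that is not part of this thread or of HijackThis: a Python triage script that scores each O4 Run line on where the executable lives and how its name looks. The sample lines are copied from the log above (qttask and WinVNC serve as controls that stay below the threshold); the weights, the temp-folder and Windows-directory checks and the vowel heuristic are constructed here.

```python
"""Score HijackThis O4 Run entries on the two signals this thread relies on."""
import ntpath
import re
# Constructed sample: lines copied from the log above plus qttask as a benign control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BIOVBIPVF] C:\WINNT\BIOVBIPVF.exe
O4 - HKLM\..\Run: [gP3RKG] C:\documents and settings\security\local settings\temp\gP3RKG.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [xyneb] C:\WINNT\xyneb.exe
"""
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
WINDOWS_DIRS = ("c:\\winnt", "c:\\windows")  # Windows 2000 uses WINNT, as in the log
VOWELS = set("aeiouy")

def executable_path(cmd):
    """Strip quotes, or cut at .exe: HijackThis prints unquoted paths containing spaces."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def looks_random(stem):
    """Weak signal on its own: long all-caps names or names with very few vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return (stem.isupper() and len(stem) >= 6) or vowel_ratio < 0.3

def score_entry(line):
    """Parse one O4 line; return (name, path, score, reasons) or None for non-Run lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path = executable_path(m.group("cmd"))
    stem = ntpath.splitext(ntpath.basename(path))[0]
    checks = [  # (points, reason, condition); file location weighs more than the name
        (3, "launched from a user's temp folder", "\\temp\\" in path.lower()),
        (2, "dropped straight into the Windows directory", ntpath.dirname(path.lower()) in WINDOWS_DIRS),
        (1, "random-looking file name", looks_random(stem)),
    ]
    reasons = [reason for points, reason, hit in checks if hit]
    score = sum(points for points, _, hit in checks if hit)
    return m.group("name"), path, score, reasons

def triage(log_text, threshold=2):
    """Suspicious Run entries, highest score first; a bad location alone crosses the bar."""
    hits = [r for r in map(score_entry, log_text.splitlines()) if r and r[2] >= threshold]
    return sorted(hits, key=lambda r: -r[2])
```

Running `triage(SAMPLE_LOG)` returns gP3RKG (temp folder plus random name), BIOVBIPVF and xyneb (both sitting directly in C:\WINNT), while the name heuristic alone is not enough to flag qttask or WinVNC.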

 
Bcastner,

Thanks for the response. As of right now it appears no popup messages are appearing. Before when opening IE there would be all kinds of advertising popup messages appearing. I removed some of the entries Yellow noted and so far so good. This computer in question has been a nightmare. I work for a school and this computer is for the security/guard shack. Most places would not let the security guards have a computer never mind a computer with Internet Access. I've revisited this computer several times because the guards like to explore the internet and are not safe users. They have been warned. This is the last warning. Next time we will take their Internet Access away.

Thanks again for the help.
 
Consider: SpySweeper does a fairly decent job of actively preventing problems. I have thrown it on workstations in similar settings where going and running AdAware, etc. on a regular basis is too onerous.

Once you are convinced you are clean, I would Ghost or otherwise create a clean image of that workstation and keep it handy. It sounds like being able to quickly re-image that workstation would have been a help.

Best,
Bill Castner
 
Thx for the hint Bcastner - I regularly put it in the oven though... - oh well, this is getting quite off topic though ;) But nice to see other people who really cook ;)

About the "Ahum... this looks bad" section:
Delete all these:
O4 - HKLM\..\Run: [frsk] C:\WINNT\frsk.exe
O4 - HKLM\..\Run: [BIOVBIPVF] C:\WINNT\BIOVBIPVF.exe
O4 - HKLM\..\Run: [HCJ] C:\WINNT\HCJ.exe
O4 - HKLM\..\Run: [FMTZDJQWA] C:\WINNT\FMTZDJQWA.exe
O4 - HKLM\..\Run: [OUHOVBLSY] C:\WINNT\OUHOVBLSY.exe
O4 - HKLM\..\Run: [GMTAGNTE] C:\WINNT\GMTAGNTE.exe
O4 - HKLM\..\Run: [JPWDJNT] C:\WINNT\JPWDJNT.exe
O4 - HKLM\..\Run: [DKQXBH] C:\WINNT\DKQXBH.exe
O4 - HKLM\..\Run: [GMTWDK] C:\WINNT\GMTWDK.exe
O4 - HKLM\..\Run: [ELR] C:\WINNT\ELR.exe
O4 - HKLM\..\Run: [CJPWAGNT] C:\WINNT\CJPWAGNT.exe
O4 - HKLM\..\Run: [GMTZDJ] C:\WINNT\GMTZDJ.exe
O4 - HKLM\..\Run: [HQXEO] C:\WINNT\HQXEO.exe
O4 - HKLM\..\Run: [ELRVFLS] C:\WINNT\ELRVFLS.exe
O4 - HKLM\..\Run: [UBHLRYBW] C:\WINNT\UBHLRYBW.exe
O4 - HKLM\..\Run: [qxofmpad] C:\WINNT\qxofmpad.exe
O4 - HKLM\..\Run: [rudsz] C:\WINNT\rudsz.exe
O4 - HKLM\..\Run: [xyneb] C:\WINNT\xyneb.exe
O4 - HKLM\..\Run: [mlofkroj] C:\WINNT\mlofkroj.exe
O4 - HKLM\..\Run: [gP3RKG] C:\documents and settings\security\local settings\temp\gP3RKG.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKCU\..\Run: [BIOVBIPVY] C:\WINNT\BIOVBIPVY.exe

The only one I'm not sure about is:
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\system32\idctup20.exe

Peace,

Yellow
 
Ok yellow, I will delete these.....

Thanks for cleaning up the popup mess for me.
 