Status
Not open for further replies.

HijackThis Log - My brother's computer

2K views 20 replies 4 participants last post by  jenspen 
#1 ·
My brother's computer had a BAAAAAD case of spyware. I've taken care of it. However, I'm still not experienced enough with HijackThis to feel confident about it yet. Please view this log and help me. I'm sure there will be some removals... you should have SEEN the mess his computer was in before. I've never seen a case so bad (Ad-Aware detected and "cleaned" 945 objects!!!!!!!! SpyBot caught and "cleaned" a few additional ones....)

Here's his log. THANKS IN ADVANCE!

Logfile of HijackThis v1.97.3
Scan saved at 10:40:05 PM, on 1/4/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\WINNT\loadqm.exe
C:\WINNT\System32\jxpopde.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\chris1\Desktop\KEEP YOUR COMPUTER ALIVE!\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Configuration Loader] wincffg.exe
O4 - HKLM\..\RunServices: [Configuration Loader] wincffg.exe
O4 - HKCU\..\Run: [msvc32] C:\WINDOWS\system\msvc32.exe
O4 - HKCU\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37640.7499652778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

There's the log. Thanks again.

~Jennifer
#4 ·
Well, I would, but I am using his tower at home, and he has no modem installed as he uses DSL. I am on dial-up at home. I have instructed him to perform a HouseCall scan upon my returning the computer. I will probably do it myself when I bring it back. I guess I wanted to take care of everything that I could beforehand... Why do you so strongly (and immediately) suggest virus scan? Did something in the log alert you to the probability of a virus, or are you just concerned because of all the spyware I found and the obvious unintentional neglect of the poor machine?! :p

~Jennifer
 
#9 ·
I am confused. I downloaded the free antivirus program via the URL you posted, and when I installed it, it did not install anything having to do with virus protection/removal. It installed Microsoft Voice Command... ?? Why? And is the Antivirus software hidden somewhere? I cannot find anything but MS Voice Command being installed. In fact, it never prompted me for my free version serial number, either. Is there something I'm missing??

Thanks!

~Jennifer
 
#11 ·
Originally posted by jenspen:
Well, I would, but I am using his tower at home, and he has no modem installed as he uses DSL. I am on dial-up at home. I have instructed him to perform a HouseCall scan upon my returning the computer. I will probably do it myself when I bring it back. I guess I wanted to take care of everything that I could beforehand... Why do you so strongly (and immediately) suggest virus scan? Did something in the log alert you to the probability of a virus, or are you just concerned because of all the spyware I found and the obvious unintentional neglect of the poor machine?! :p

~Jennifer
These 2 entries are the agobot virus/trojan:
O4 - HKLM\..\Run: [Configuration Loader] wincffg.exe
O4 - HKLM\..\RunServices: [Configuration Loader] wincffg.exe

I don't know about these 2, but when something puts an entry in both HKLM & HKCU it wants to stay running, and that normally means a virus/trojan:
O4 - HKLM\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe
O4 - HKCU\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe
I have a sneaking suspicion that this one is going to be difficult to remove; I think it will probably be a trojan that downloads other baddies to the system.

Run HijackThis, tick the entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press "Fix checked":

R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)

O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b

O4 - HKLM\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup

O4 - HKLM\..\Run: [Configuration Loader] wincffg.exe
O4 - HKLM\..\RunServices: [Configuration Loader] wincffg.exe
O4 - HKCU\..\Run: [msvc32] C:\WINDOWS\system\msvc32.exe
O4 - HKCU\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe

reboot into safe mode & delete these files
C:\WINNT\System\WINSTA~1.EXE
C:\WINDOWS\system\msvc32.exe
c:\WINNT\System32\jxpopde.exe
search for & delete
wincffg.exe

and delete these folders
C:\PROGRAM FILES \ACCELERATION SOFTWARE

Before deleting the c:\WINNT\System32\jxpopde.exe file please copy & zip it and send it to me for analysis suspectfiles@oneknight.co.uk
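The triage rules Derek applies in this reply (the same image registered under both HKLM and HKCU, a hosts-file line that sends a real domain somewhere other than loopback, a toolbar CLSID with no file behind it) can be checked mechanically. The Python script below is an added example written for this thread; it is not part of HijackThis or of any poster's instructions. It parses O1/O3/O4 lines in the v1.97 format, using lines copied from the log posted above as constructed sample input, and reports why each line deserves a look. The `system_root` default of `C:\WINNT` (taken from the log's Platform line), the check for images under the legacy `\System` directory and the check for bare filenames with no path are assumptions of this example, not rules from the thread.

```python
import re
from collections import defaultdict

# Constructed sample for this added example: O1/O3/O4 lines in HijackThis
# v1.97 format, copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe
O4 - HKLM\..\Run: [Configuration Loader] wincffg.exe
O4 - HKLM\..\RunServices: [Configuration Loader] wincffg.exe
O4 - HKCU\..\Run: [msvc32] C:\WINDOWS\system\msvc32.exe
O4 - HKCU\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O3_RE = re.compile(r"^O3 - Toolbar: (.*) - \{([0-9A-Fa-f-]+)\} - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def image_path(command):
    """Return the executable part of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log_text, system_root=r"C:\WINNT"):
    r"""Return a list of {'line', 'reason'} findings for lines worth a look.

    system_root is the Windows directory from the log's Platform line
    (C:\WINNT on this Windows 2000 box); the default is an assumption
    of this example, as are the \System-directory and bare-name checks.
    """
    findings = []
    locations = defaultdict(set)   # image basename -> {(hive, key), ...}
    o4_entries = []

    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O1_RE.match(line)):
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append({"line": line,
                                 "reason": f"hosts file sends {host} to {ip} instead of loopback"})
        elif (m := O3_RE.match(line)):
            _name, clsid, path = m.groups()
            if path == "(no file)":
                findings.append({"line": line,
                                 "reason": f"toolbar CLSID {clsid} has no backing file (orphaned registration)"})
        elif (m := O4_RE.match(line)):
            hive, key, _label, command = m.groups()
            image = image_path(command)
            base = image.rsplit("\\", 1)[-1].lower()
            locations[base].add((hive, key))
            o4_entries.append((line, image, base))

    # Second pass: every autostart location is known now, so the same image
    # registered in more than one place (the HKLM + HKCU pattern) can be seen.
    root = system_root.lower().rstrip("\\") + "\\"
    for line, image, base in o4_entries:
        low = image.lower()
        if "\\" not in image:
            findings.append({"line": line,
                             "reason": f"{base} has no path; it is resolved at logon through the search order"})
        if len(locations[base]) > 1:
            where = ", ".join(f"{h}\\{k}" for h, k in sorted(locations[base]))
            findings.append({"line": line,
                             "reason": f"{base} is registered in {len(locations[base])} autostart locations: {where}"})
        if (low.startswith("c:\\windows\\") or low.startswith("c:\\winnt\\")) and not low.startswith(root):
            findings.append({"line": line,
                             "reason": f"{image} sits under a Windows directory that is not the system root {system_root}"})
        if "\\system\\" in low:
            findings.append({"line": line,
                             "reason": f"{image} sits in the legacy \\System directory rather than System32"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

Run against the sample, the script flags the hosts redirect, the orphaned toolbar CLSID, both jxpopde entries (two autostart locations), both wincffg.exe entries (two locations and no path), msvc32.exe (under C:\WINDOWS on a C:\WINNT system, and in a \System directory) and WINSTA~1.EXE (\System directory). The Norton and SpeedTouch entries produce nothing. Note that mobsync.exe is also reported for having no path even though it is a legitimate Windows component: these checks raise questions for a human to answer, they do not hand down verdicts.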
 
#12 ·
delete these files
C:\WINNT\System\WINSTA~1.EXE
C:\WINDOWS\system\msvc32.exe
c:\WINNT\System32\jxpopde.exe
search for & delete
wincffg.exe

and delete these folders
C:\PROGRAM FILES \ACCELERATION SOFTWARE

Before deleting the c:\WINNT\System32\jxpopde.exe file please copy & zip it and send it to me for analysis suspectfiles@oneknight.co.uk
I actually was able to delete wincffg.exe already, as it kept giving me errors after I ran spybot. I had already suspected it was a bad file anyway. When it started acting up, I copied it into a temp directory and changed its name, and then deleted the original. When all was well with Windows after more than one reboot, I deleted the copy as well. I noticed the jxpopde.exe in processes when I was just beginning my work on the computer, and I didn't like it either. I also had svchost.exe (I know it's a legit file) acting up, taking 75%-99% CPU resources. But the spyware removal tools seemed to take care of that. As soon as Spybot did its thing again on reboot, everything was A-OK as far as CPU usage and speed.

At any rate, I'll get that jxpopde.exe to you soon. Hopefully I won't flood this thread again until tomorrow!!

~Jennifer
 
#13 ·
UPDATED HIJACKTHIS LOG FILE
(with Updated HijackThis Application.. thanks Seph!)

Logfile of HijackThis v1.97.7
Scan saved at 1:57:34 AM, on 1/7/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\explorer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\WINNT\loadqm.exe
C:\WINNT\System32\jxpopde.exe
C:\Program Files\QuickTime\qttask.exe
C:\KEEP COMPUTER ALIVE!\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Configuration Loader] wincffg.exe
O4 - HKLM\..\RunServices: [Configuration Loader] wincffg.exe
O4 - HKCU\..\Run: [msvc32] C:\WINDOWS\system\msvc32.exe
O4 - HKCU\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37640.7499652778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I never did remove anything from the contents of the last version's scan. I thought I'd just get a fresh one and start anew with it.

Derek, I'm heading over to my email account now to send the jxpopde.exe (jxpopde.zip) to you. I ran Avast on my bro's machine, and it found another file related to gaobot (winhlpp32.exe) but it was unable to fix it. It also found 2 other files connected to a "Win32:Trojan-Gen{VC}" virus (fynbyn.exe) and a "Win32:Trojan-Gen{OTHER}" virus (installer_im.exe). Avast couldn't fix either one. I am unable to find information on either of these, other than a couple of sites that claim most of Avast's findings of this virus are bogus. I have given up for now and will run HouseCall when I take the computer back to my dad's (bro's) house and am able to connect to the internet via DSL. I'll be heading over there on Saturday.

Thanks again for everyone's help, and let me know what - if anything - I should do with this HijackThis information before I run HouseCall.

:)

~Jennifer
 
#14 ·
Run HijackThis, tick the entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press "Fix checked":

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)

O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b

O4 - HKLM\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup

O4 - HKLM\..\Run: [Configuration Loader] wincffg.exe
O4 - HKLM\..\RunServices: [Configuration Loader] wincffg.exe
O4 - HKCU\..\Run: [msvc32] C:\WINDOWS\system\msvc32.exe
O4 - HKCU\..\Run: [jxpopde] c:\WINNT\System32\jxpopde.exe

reboot into safe mode & delete any of these files you haven't already deleted
C:\WINNT\System\WINSTA~1.EXE
C:\WINDOWS\system\msvc32.exe
c:\WINNT\System32\jxpopde.exe
search for & delete
wincffg.exe

and delete these folders
C:\PROGRAM FILES \ACCELERATION SOFTWARE

let us know when you get it back online and do an online scan and download an antivirus to it

I'll keep you posted about that jxpopde.exe file when I get the results back
 
#15 ·
jxpopde.exe
is definitely an ad-spawning trojan & has been submitted to the anti-trojan & spyware developers for inclusion in updates.

I submitted it to DiamondCS, the makers of TDS3, and got an almost instant reply back from their analyst, who will include it in the next TDS3 update later today.
 
#17 ·
Hello again Derek,

Wow! Wait until I tell my brother he had a NEW virus (or a new variation) on his computer that no scanner could detect (well, as of yesterday.. lol). For some reason I find this hilarious.

Thank you so much for your prompt attention to everything. You certainly have been a huge help, and the internet needs people like you for sure!

I'll be back sometime late Saturday or Sunday with the results of HouseCall's scan and - once again - an updated HijackThis log!

Thanks again.

~Jennifer
 
#18 ·
OK, Housecall has been run and detected one more virus. Took care of that and he's clean now. Here's his "final" hijackthis log. Let me know if anything else needs to be looked into. THANKS SO MUCH!!

Logfile of HijackThis v1.97.7
Scan saved at 4:55:12 PM, on 1/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\QuickTime\qttask.exe
C:\HijackThis\HijackThis-AskJenniferB4URunThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37996.5147916667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again!

~Jennifer
 
#20 ·
LOL! Yeah, well, I felt I had a responsibility there. ;)

I also made a folder called "KEEP COMPUTER ALIVE!" and placed a shortcut to it on the desktop. The folder contains the shortcuts to HouseCall's URL and the shortcuts to Ad-Aware AND Spybot.

Now he has no excuse to respect his system. :p

Thanks again for all your help. I am now trying to save my boyfriend's computer that has been out of commission for about a year now. Be looking for a post on that soon as soon as I can compile a list of all its problems!!!!!!

~Jen
 