Help needed with a friend's HijackThis log please

#1 (permalink)
03-05-2005, 01:24 AM
hopeless (Newbie; Join Date: May 2005; Posts: 3)

Hi, a friend sent me their HijackThis log and I can spot a few obvious items that look like they need fixing.


popuper.exe
msole32.exe
intmonp.exe
wuauclt.exe

Can someone take a read through the rest please? I've told him which adware/spyware tools to download and they're being sorted.
Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 00:09:18, on 03/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\intmonp.exe
C:\WINDOWS\System32\msole32.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dmsadmins.exe
C:\WINDOWS\System32\qwinnta.exe
C:\WINDOWS\System32\sesmgr.exe
C:\TEMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} (Altiris ClientBootstraper Class) - http://uk-heme-alt0.northgate-is.com/aexns/NSCap/Bin/Win32/x86/AeXClientBootstrap.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29041f22c775e338c620/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112179624676
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northgate-is.com
O17 - HKLM\Software\..\Telephony: DomainName = northgate-is.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D60ECEFC-D2D8-49B1-B210-615D5DE46DA6}: Domain = northgate-is.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D60ECEFC-D2D8-49B1-B210-615D5DE46DA6}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northgate-is.com
O20 - AppInit_DLLs: AMInit.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

#2 (permalink)
03-05-2005, 11:08 AM
HJThis (Senior Member; Join Date: Aug 2004; Posts: 2,233)

Hello, hopeless & Welcome

Please change the location of HijackThis.exe.
Create a new folder in your C: drive.
Name it C:\HJT or HijackThis and move the HijackThis.exe file into it.
It's best for this tool NOT TO be located on your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong.


Download remv3.zip from,

http://forums.skads.org/index.php?sh...iew=getnewpost

Unzip all the files. Then boot into safe mode and run it. Wait till the DOS window says it is finished.

Reboot into safe mode.
Unhide all files and folders.

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here


Then,
Run HijackThis and fix the following entries. Hit the "None of the above, just start the program" button. Hit the SCAN button. Then put a check mark on the following and hit the FIX CHECKED button.

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

Fix this one only if it was not put in place by you or the admins of this computer;
some software like Spybot will lock this.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O15 - Trusted Zone: http://*.63.219.181.7

These here, do you know what they are? Anyone? Don't fix yet.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northgate-is.com
O17 - HKLM\Software\..\Telephony: DomainName = northgate-is.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D60ECEFC-D2D8-49B1-B210-615D5DE46DA6}: Domain = northgate-is.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northgate-is.com

This one here, do you know what it is? Your ISP maybe??? Anyone have an idea?
O17 - HKLM\System\CCS\Services\Tcpip\..\{D60ECEFC-D2D8-49B1-B210-615D5DE46DA6}: NameServer = 69.50.176.156,195.225.176.31

Delete the following files\folders IF still present:

C:\WINDOWS\popuper.exe<---This file
C:\Windows\system32\msole32.exe<---This file
C:\Windows\System32\intmonp.exe<---This file
C:\WINDOWS\System32\qwinnta.exe<---This file
C:\WINDOWS\System32\sesmgr.exe<---This file

Then,

Please go into NETWORK CONNECTIONS in Control Panel. Then right-click on your default connection there and choose Properties.

Then click on the NETWORKING tab. Then click on INTERNET PROTOCOL. In the window that comes up, click on the "Obtain DNS SERVER ADDRESS automatically" radio button.

Then click OK to close those windows.

Reboot into normal mode.
Post back a fresh HijackThis log after rescanning with HijackThis.
Also post the contents of c:\log.txt << Very important

HGD

Mr,Baskar

Last edited by HJThis; 03-05-2005 at 11:12 AM.

#3 (permalink)
03-05-2005, 11:17 AM
hopeless (Newbie; Join Date: May 2005; Posts: 3)

Thank you for the reply, I'll email all your instructions to the person whose computer it is and get him to send me a fresh log.
He only uses the computer at home with a pay as you go account so the more information I can give him to do offline the cheaper it'll be for him!

#4 (permalink)
03-05-2005, 03:03 PM
HJThis (Senior Member; Join Date: Aug 2004; Posts: 2,233)

Hi, hopeless

No problem, just tell your friend to take it one step at a time
& to take a good look at this before he starts.

HGD

#5 (permalink)
15-05-2005, 01:39 AM
hopeless (Newbie; Join Date: May 2005; Posts: 3)

Sorry it's taken so long to reply to this, the friend's been offline a while.

We seem to have sorted everything out. He got all the quicknavigate stuff on his computer since the first log but we've managed to get rid of it.
The northgate stuff is his work's ISP so nothing to worry about.
I'll post his latest log.
I've already told him how to disable MSN Messenger and everything else looks OK to me now... I could be wrong though.

Logfile of HijackThis v1.99.1
Scan saved at 10:53:16, on 14/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.northgate-is.com:3128
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} (Altiris ClientBootstraper Class) - http://uk-heme-alt0.northgate-is.com...tBootstrap.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29041f22...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1112179624676
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/acces...d/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northgate-is.com
O17 - HKLM\Software\..\Telephony: DomainName = northgate-is.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D60ECEFC-D2D8-49B1-B210-615D5DE46DA6}: Domain = northgate-is.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northgate-is.com
O20 - AppInit_DLLs: AMInit.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 (permalink)
15-05-2005, 04:44 AM
HJThis (Senior Member; Join Date: Aug 2004; Posts: 2,233)

Hi, hopeless

The logfile looks good, let us know if there is a problem.

HGD
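
Added example, not part of the thread or of HijackThis itself: a small Python script that parses the numbered entry lines of two HijackThis logs, reports what changed between them, and flags the entry types queried in post #2 (F2 Shell value, O15 Trusted Zone, O17 NameServer). The sample logs are a constructed subset of lines copied from posts #1 and #5; the function names and the watch-list wording are this example's assumptions.

```python
import re

# Entry lines look like "O17 - <detail>"; process paths and header lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Entry codes queried in post #2; the reason text is this example's wording.
WATCH = {"F2": "extra program in the Shell= value",
         "O15": "site added to the IE Trusted Zone"}

def parse_entries(log_text):
    """Return the set of (code, detail) entries, skipping header and process list."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def flag(entries):
    """Entries worth a second look: watched codes plus O17 lines that set NameServer."""
    hits = []
    for code, detail in sorted(entries):
        if code in WATCH:
            hits.append((code, detail, WATCH[code]))
        elif code == "O17" and "NameServer" in detail:
            hits.append((code, detail, "static DNS servers configured"))
    return hits

def diff_logs(before, after):
    """Return (removed, added) entry lists between two logs of the same machine."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)

# Constructed samples: a subset of lines from the first and second logs in this thread.
FIRST_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\popuper.exe

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northgate-is.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D60ECEFC-D2D8-49B1-B210-615D5DE46DA6}: NameServer = 69.50.176.156,195.225.176.31
O20 - AppInit_DLLs: AMInit.dll
"""
SECOND_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northgate-is.com
O20 - AppInit_DLLs: AMInit.dll
"""
```

Calling `diff_logs(FIRST_LOG, SECOND_LOG)` lists the F2, O15 and O17 NameServer entries as removed and the avast! Run entry as added; `flag()` on the second sample returns nothing.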