
Help with HijackThis Log file?

Discussion in 'Security and Privacy' started by Joe_Sakic_Fan, 2004/07/12.

Thread Status:
Not open for further replies.
  1. 2004/07/12
    Joe_Sakic_Fan

    Joe_Sakic_Fan Inactive Thread Starter

    Joined:
    2004/07/12
    Messages:
    7
    Likes Received:
    0
    I'm new here, so please bear with me... :)

    I'm running Windows 2000 Professional, and I recently got DSL. Soon thereafter I began experiencing problems: Popups coming out of nowhere, my start page changing, computer slowing down, all that stuff. I downloaded AdAware and ran it, and it found over 600 items. It scans fairly clean now, except for usually 1 or 2 items every few days.

    At the same time I started using Norton Internet Security Professional 2002, and after setting all the alerts on High, I found out that three different programs, all in the WINNT/System32 folder, are trying to access the Internet around 9 in the evening: Qxcn74j.exe, Qbm92z1H.exe, and yrt9f.exe. Of course, I tell NIS to block their access, but when I'm doing anything else around that time of night, I keep getting kicked out of my program (usually a game) to my desktop.

    After reading some of the posts on here, I downloaded HijackThis, and followed the instructions given by Lonny Jones. So, I'm listing the log file here in hopes that someone will be willing to give me some idea of how I can get rid of these programs.

    Logfile of HijackThis v1.98.0
    Scan saved at 2:44:09 PM, on 7/12/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Norton Internet Security Professional\SymPxSvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\System32\LXSUPMON.EXE
    C:\PROGRA~1\NORTON~1\NORTON~4\navapw32.exe
    C:\winnt\temp\jt.exe
    C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\WINNT\System32\Okw7.exe
    C:\WINNT\System32\Ghr5f.exe
    C:\Antispyware\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/loginpage.phtml
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~4\navapw32.exe
    O4 - HKLM\..\Run: [jt] C:\winnt\temp\jt.exe
    O4 - HKLM\..\Run: [5PHMRKE3YS52N9] C:\WINNT\System32\Qxcn74j.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://or-iagent.allstate.com/iasite/wfica.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://rapidrate.lifewisehealth.com/ARWebCache/arview2.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.doerflerinsurance.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.doerflerinsurance.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.doerflerinsurance.net

    Any advice will be greatly appreciated! Thanks so much!
     
  2. 2004/07/12
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0
    Welcome to the boards!
    Before we get to the log.... I wonder if maybe you have the Peper Trojan?
    Can you do an online scan at Housecall to eliminate that possibility first?
     


  4. 2004/07/12
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Probably does have Peper and from seeing C:\WINNT\System32\ms.exe, I'd say there is another active virus on the PC. Note that ms.exe will probably be running and that may stop an AV program from being able to remove it. So step #1 is to go into task manager, locate the process, and stop it.
     
    Newt,
    #3
  5. 2004/07/13
    Joe_Sakic_Fan

    Joe_Sakic_Fan Inactive Thread Starter

    Joined:
    2004/07/12
    Messages:
    7
    Likes Received:
    0
    Hello! Per your suggestion, I ran the "Housecall" scan and it found 6 files that were Sandbox.A and 2 files that were Stilan.A (or something like that, I didn't write them down at the time). It cleaned 7 of them, and I had to delete the last one. Since then I've run the Housecall scan twice and it has come up clean, as has AdAware. As a test, I opened up one of my games last night during the time when I usually start having trouble, and not once did I get kicked out, which was the first time in a while! So hopefully my computer is all clean now. Thank you SO much for your help, you all are the greatest!!! :D
     
  6. 2004/07/13
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0
    Are you running an antivirus?
    If not, can I suggest AVG ? It's free.
     
  7. 2004/07/13
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Glad you got it cleaned and I enjoyed your Jack Handey quote. His 'deep thoughts' were always great.

    It would be a good idea at this point to post another Hijackthis log. There were some odds and ends in the last one that you don't want but a fresh look after you got the critters killed off would be good.
     
    Newt,
    #6
  8. 2004/07/13
    Joe_Sakic_Fan

    Joe_Sakic_Fan Inactive Thread Starter

    Joined:
    2004/07/12
    Messages:
    7
    Likes Received:
    0
    Daizy - I'm using Norton AntiVirus, and get updates regularly. I've always had success with NAV in the past, I have no idea why it didn't pick these up at all. Or AdAware, for that matter...but then, I'm really not very knowledgeable about these types of computer issues, so maybe those programs aren't set up to detect this sort of "malware"?

    Newt - I did another HijackThis scan, here's the log:

    Logfile of HijackThis v1.98.0
    Scan saved at 7:39:07 PM, on 7/13/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Norton Internet Security Professional\SymPxSvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\System32\LXSUPMON.EXE
    C:\PROGRA~1\NORTON~1\NORTON~4\navapw32.exe
    C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    D:\Maxis\SimCity 4 Deluxe\Apps\SimCity 4.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~e5d141.tmp
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Antispyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/loginpage.phtml
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~4\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://or-iagent.allstate.com/iasite/wfica.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://rapidrate.lifewisehealth.com/ARWebCache/arview2.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.doerflerinsurance.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.doerflerinsurance.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.doerflerinsurance.net

    Does it look OK? And, if it's not too complicated to explain, what exactly are you looking for?

    Thanks again! :)
     
  9. 2004/07/13
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Looks better for sure.

    AntiVirus programs normally won't look for (thus, won't find) spyware. And new stuff is released so fast that depending on when they were last updated, one spyware killer might find an item that another doesn't. Spybot and Ad-aware fall into the spyware killer category.

    Explaining what we are looking for isn't complicated. We look for stuff that shouldn't be there. Figuring out what that stuff is is the complicated part but it's mostly a matter of looking at lots of these things and when you see something you aren't familiar with, doing some searching. Generally you'll either find an explanation of what it is and does, or that it is a bad thing, or nothing about it at all. Bad is obviously bad. Nothing is also usually bad since lots of critters throw in files with random names.

    The tricky stuff is files with legit names but running from the wrong location or file names that are almost right. For instance, Iexplore.exe is normal if you use IE and explorer.exe is simply your windows explorer. Iexplorer.exe is dropped on you by the RapidBlaster parasite - advertising spyware.

    The above is the reason this site and any other reputable security site strongly suggest you run Hijackthis and post a log rather than taking action yourself.

    BTW - any item running from a temp folder at startup is also usually not a good thing. I haven't done an exhaustive exam of your last log (not really my forte) but
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~e5d141.tmp
    meets several of the criteria for 'this is probably a bad thing'. Leave it until someone gives you a solid answer though.
     
    Newt,
    #8
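    The checks Newt describes above (items running from a Temp folder, random-looking file names, and names that are almost a well-known binary such as Iexplorer.exe versus iexplore.exe) as a small triage script. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the logs posted above plus one constructed `iexplorer.exe` entry, which is not in the posted logs, to exercise the near-miss check.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines from this thread's logs plus a hypothetical
# C:\WINNT\System32\iexplorer.exe entry (not in the posted logs).
SAMPLE_LOG = r"""
C:\WINNT\system32\lsass.exe
C:\winnt\temp\jt.exe
C:\WINNT\System32\Qxcn74j.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\iexplorer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5PHMRKE3YS52N9] C:\WINNT\System32\Qxcn74j.exe
"""

# Well-known Windows binaries a lookalike name would try to imitate.
KNOWN = {"iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe",
         "winlogon.exe", "services.exe", "smss.exe", "spoolsv.exe"}

# First drive-letter path on a line, with or without surrounding quotes;
# covers both "Running processes" lines and the path inside O4 entries.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|tmp|dll|com|scr))', re.I)

def extract_path(line):
    m = PATH_RE.search(line)
    return m.group(1) if m else None

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character-off file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flags_for(path):
    """Return the reasons (possibly none) a path deserves a closer look."""
    p = PureWindowsPath(path)
    name, stem, reasons = p.name.lower(), p.stem.lower(), []
    if any(part.lower() in ("temp", "tmp") for part in p.parts[:-1]):
        reasons.append("runs from a Temp folder")
    if name.endswith(".tmp"):
        reasons.append(".tmp file running as a process")
    if re.search(r"\d[a-z]", stem):  # digit followed by a letter, e.g. Qxcn74j
        reasons.append("random-looking name (digits mixed into letters)")
    if name not in KNOWN and any(edit_distance(name, k) == 1 for k in KNOWN):
        reasons.append("near-miss of a well-known binary name")
    return reasons

def triage(log_text):
    """Map each flagged path in a HijackThis log to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        path = extract_path(line)
        if path and flags_for(path):
            findings.setdefault(path, flags_for(path))
    return findings

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

As Newt says, a hit here is a reason to search for the name and ask, not a verdict: navapw32.exe-style trailing digits are deliberately not flagged, and legitimate files do sometimes sit in odd places.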
  10. 2004/07/15
    Joe_Sakic_Fan

    Joe_Sakic_Fan Inactive Thread Starter

    Joined:
    2004/07/12
    Messages:
    7
    Likes Received:
    0
    Newt - Thanks for the help, and the advice. I'll look into that program running from the Temp folder and try to figure out what it is, but like you suggested, I probably won't delete it unless I find out for sure that it isn't good. Besides, ever since using Housecall, I haven't had any of those symptoms I was experiencing before, so whatever it is, it can't be that bad! :)

    Thanks again, you've been incredibly helpful!
     
  11. 2004/07/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    ~e5d141.tmp - I doubt you'll turn up much, if any, info on that thing. Only reason I suggested leaving it for a little while is that sometimes removing things piece-meal makes a real cleanup harder and just getting rid of the thing might not help.

    Glad to hear your PC is running better but please don't take that as an 'all clear' signal. Well written junkware doesn't cause system problems. We are sorta lucky that some is poorly written and causes enough problems that we go looking for them and in the process (thanks to some sharp programmers of Hijackthis and similar) find lots of other baddies.
     
  12. 2004/07/15
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    That temp file seems real suspicious to me; it could be a leftover from the infection. I would say that it is installed as a process as there isn't a startup for it. I would delete it, it isn't a system file, and a legitimate program wouldn't have a permanent file in the temp folder, or create a process from the temp folder.
    You would find it here, remember it could be set as Hidden or a System file so you'll need to set Windows Explorer to Show All Files under Tools\Folder Options, View tab.

    C:\Documents and Settings\Administrator\Local Settings\Temp\~e5d141.tmp

    Use MoveOnBoot to get it. After installing this file, you get a new item in your right click menu, instead of selecting Delete, select to Delete at Next Boot, and reboot and it will be gone.
    You could remove these items from HJT, they are just dead weight now.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
     
  13. 2004/07/21
    Joe_Sakic_Fan

    Joe_Sakic_Fan Inactive Thread Starter

    Joined:
    2004/07/12
    Messages:
    7
    Likes Received:
    0
    Mark - I downloaded MoveOnBoot and will use it per your recommendation. Thanks. :)
     
  14. 2004/07/21
    Joe_Sakic_Fan

    Joe_Sakic_Fan Inactive Thread Starter

    Joined:
    2004/07/12
    Messages:
    7
    Likes Received:
    0
    OK, after using MoveOnBoot and deleting that file, I got this error message when Windows restarted:


    The function you are trying to use cannot be accessed at this time.

    To fix the problem, please restart Windows.

    Info number: 236


    So far everything seems to be working just fine, so is this something I should be concerned about?
     
  15. 2004/07/21
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
  16. 2004/07/28
    Joe_Sakic_Fan

    Joe_Sakic_Fan Inactive Thread Starter

    Joined:
    2004/07/12
    Messages:
    7
    Likes Received:
    0
    That error hasn't come up again, and frequent scans by Housecall and AdAware have come up clean. In any case, I now have better ideas of how to handle these problems in the future.

    I really appreciate all the help you guys gave me, tons of thanks to all of you!! :)
     
  17. 2004/07/28
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    You're more than welcome, Joe, glad the board was able to help :)
     