
Hijack This Log for analysis - thanks!

7 replies to this topic

#1 Webbie

Webbie

  • Members
  • 20 posts

Posted 24 January 2005 - 02:46 PM

Could someone please take a look at this Hijack This log and see what looks to be a problem? This is an XP Pro PC that suffers terribly when opening IE6.

Thanks in advance!

Webbie


Here's the text of the log:

Logfile of HijackThis v1.99.0
Scan saved at 1:40:20 PM, on 1/24/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINNT\system32\dmislsrv.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\loadwc.exe
C:\OfficeScan NT\pccntmon.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\System32\rrosqq.exe
D:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINNT\System32\ddhelp.exe
C:\PROGRA~1\PLUS!\MICROS~1\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.0.0.x:80;https=10.0.0.x:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10;*.weber.com;x.weber.com;x;<local>
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [udigxoupiih] C:\WINNT\System32\rrosqq.exe
O4 - Startup: Microsoft Outlook.lnk = D:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Startup: Shortcut to Shortcut Bar.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://d:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O13 - WWW. Prefix: http://
O16 - DPF: Oracle Discoverer 4i - http://x.weber.com/discwb4/applet/dis4uie.cab
O16 - DPF: Oracle Discoverer 4i Initializer - http://x/discwb4/applet/start/dis4sie.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://x/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://x/officescan/clientinstall/setup.cab
O16 - DPF: {093501ce-d290-11d3-a3d6-00c04fa32518} - http://x.weber.com:8000/OA_HTML/oajinit.exe
O16 - DPF: {332BD5A0-8000-11D7-B657-00C04FAEDB18} (Oracle JInitiator 1.1.8.22) - http://x.weber.com:8004/jinitiator/oajinit.exe
O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://x.weber.com/AntiSpamGateway/Cabs/Mapicom.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://x/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {86ECB6A0-400A-11D5-B638-00C04FAEDB18} - http://x.weber.com:7777/discwb4/jinit/jinit11811.exe
O16 - DPF: {9B935470-AD4A-11D5-B63E-00C04FAEDB18} (Oracle JInitiator 1.1.8.16) - http://x.weber.com:8000/jinitiator/oajinit.exe
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} (PVCS VM I-NET Client for MSIE) - http://x/vminet_images/vmi660ie.cab
O16 - DPF: {FF348B6E-FD21-11D4-A3F0-00C04FA32518} - http://x.weber.com:8000/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = weber.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = weber.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = weber.com webermarking.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = x
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = weber.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = weber.com webermarking.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = x
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = weber.com webermarking.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = x
O23 - Service: Compaq Local Alerter - Unknown - CPQAlert.exe (file missing)
O23 - Service: Compaq BIOS - Unknown - CPQBIOS.exe (file missing)
O23 - Service: DMISL - Unknown - C:\WINNT\system32\dmislsrv.exe
O23 - Service: Hummingbird Inetd - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Jconfig Daemon - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown - D:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleORA_WORKFLOWClientCache - Unknown - D:\ora_workflow\BIN\ONRSD.EXE
O23 - Service: OfficeScanNT Listener - Unknown - C:\OfficeScan NT\tmlisten.exe



#2 daveai

daveai

  • Members
  • 266 posts

Posted 25 January 2005 - 06:50 PM

Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai

daveai

  • Members
  • 266 posts

Posted 25 January 2005 - 07:02 PM

Thanks for sending your HijackThis log.

I have some questions to start with.

First, what can you tell me about these: weber.com and webermarking.com?

Are they your ISP?

And, this

This is an XP Pro PC that suffers terribly when opening IE6.


doesn't agree with what your HJT log reports

Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)


Did you upgrade from NT4 to XP Pro?


Of immediate concern is the version of Internet Explorer you are running. So before we start fixing things, please Download Internet Explorer 6 Service Pack 1.

Then, start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there to ensure you are up to date on critical security patches.

Once you have taken care of that, respond back with a fresh HijackThis log, and I'll put together a fix.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#4 Webbie

Webbie
  • Topic Starter

  • Members
  • 20 posts

Posted 26 January 2005 - 08:28 AM

Okay...what a dope I am! This IS an NT4 PC...I forgot that part...we maintain about 300 PCs and most of them are XP...this is a 2nd PC for that user and I forgot that it was NT4. Weber.com and webermarking.com are domain names that we own and they should be there. Wherever you see an X.webermarking.com it's because I removed the server name and put an X in place, as I knew that wasn't the problem. Let me know if you'd still like me to look at the Internet Explorer version on this and send another log if I need to.

Thanks again!

Webbie

#5 daveai

daveai

  • Members
  • 266 posts

Posted 26 January 2005 - 02:54 PM

Thanks

It is very important that you update IE asap, or you will surely reinfect.

Download Internet Explorer 6 Service Pack 1.

Then, start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there to ensure you are up to date on critical security patches.


Also, in your reply, please tell me a little more about the security protections you run on the system. I see no anti-virus, let alone any of the other common safeguards. Again, a guaranteed reinfection if not addressed.


I want you to fix some of those HJT entries. Please do the following:

1 -- Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

2 -- Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [udigxoupiih] C:\WINNT\System32\rrosqq.exe


3 -- Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINNT\System32\rrosqq.exe <-- This file

4 -- Reboot your computer to go back to normal mode and post a new log.


Then, please take a few moments and review the following general prevention steps to keep one's computer clean and secure.

1 -- Use an AntiVirus Software, and be sure you update your anti-virus software at least once a week. There are several very good free programs available. Grinler offers an outstanding overview at Virus, Spyware, and Malware Protection and Removal Resources

2 -- To reduce re-infection potential for malware in the future, I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

3 -- Use AdAware SE and Spybot S&D to regularly scan your system.

4 -- It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

5 -- I strongly recommend that you consider using a Firewall. Just by using a Firewall in its default configuration can lower your risk greatly. Check out what Lawrence Abrams has to say at Understanding and Using Firewalls

An excellent overview is: So how did I get infected in the first place?. Be sure to visit the browser test link at the end of the article to really see how secure your system is!!

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous
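As an added example (not code from this thread, from BleepingComputer or from HijackThis itself), here is a small Python script that reads an HJT log the way the fix above does: it parses the O4 Run entries, flags any whose value name and target file stem both look machine-generated (as with [udigxoupiih] pointing at rrosqq.exe), and diffs the before and after logs to show exactly what "Fix Checked" removed. The randomness test is a rough heuristic of my own; the sample lines are copied from the two logs posted in this thread.

```python
import re

# Constructed sample: a handful of lines copied from the thread's two HijackThis logs.
LOG_BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [udigxoupiih] C:\WINNT\System32\rrosqq.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")   # e.g. "O4 - HKLM\..\Run: [...] ..."
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# Letter pairs that do not occur inside English words; a weak "machine-generated name" signal.
ODD_BIGRAMS = ("qq", "gx", "xq", "qx", "jq", "qz", "zx", "xz", "vq", "qv", "jx", "xj", "wq")


def parse_hjt(text: str) -> list:
    """Return (section, body) pairs; the header and 'Running processes' lines are skipped."""
    found = [ENTRY_RE.match(line.strip()) for line in text.splitlines()]
    return [(m["section"], m["body"]) for m in found if m]


def looks_random(token: str) -> bool:
    """Heuristic: lowercase letters only, 6+ chars, with an implausible vowel share or an odd bigram."""
    if not (token.isalpha() and token.islower() and len(token) >= 6):
        return False
    vowel_share = sum(c in "aeiou" for c in token) / len(token)
    return vowel_share < 0.2 or vowel_share > 0.65 or any(b in token for b in ODD_BIGRAMS)


def target_of(cmd: str) -> str:
    """Executable path from a Run value: the quoted part if quoted, else the first whitespace token."""
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def suspicious_run_entries(entries: list) -> list:
    """Paths of O4 Run entries whose value name AND file stem both look machine-generated."""
    hits = []
    for section, body in entries:
        m = RUN_RE.match(body) if section == "O4" else None
        if m:
            path = target_of(m["cmd"])
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(m["name"]) and looks_random(stem):
                hits.append(path)
    return hits


def removed_entries(before: str, after: str) -> list:
    """Entries present in the first log but absent from the second: what the fix removed."""
    later = set(parse_hjt(after))
    return [e for e in parse_hjt(before) if e not in later]
```

Because the rule requires both the value name and the file stem to look random, ordinary entries such as [SystemTray] SysTray.Exe or [QuickTime Task] qttask.exe are not flagged; treat a hit as something to look up, not as proof of infection.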

#6 Webbie

Webbie
  • Topic Starter

  • Members
  • 20 posts

Posted 26 January 2005 - 04:22 PM

Okay, we DO have anti-virus software on the PC (Trend Office Scan) that is running the latest virus definitions. And we do have a corporate firewall here (I suppose that you are speaking of a personal firewall product though, right?). I did as you suggested, then re-ran Hijack This and here is the latest log:

Logfile of HijackThis v1.99.0
Scan saved at 3:08:44 PM, on 1/26/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\system32\dmislsrv.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\RpcSs.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\system32\CPQBIOS.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\CPQAlert.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\loadwc.exe
C:\OfficeScan NT\pccntmon.exe
C:\WINNT\System32\qttask.exe
C:\OfficeScan NT\ofcdog.exe
C:\OfficeScan NT\pccntupd.exe
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - WWW. Prefix: http://
O16 - DPF: Oracle Discoverer 4i - http://x.weber.com/discwb4/applet/dis4uie.cab
O16 - DPF: Oracle Discoverer 4i Initializer - http://x/discwb4/applet/start/dis4sie.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://x/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://x/officescan/clientinstall/setup.cab
O16 - DPF: {093501ce-d290-11d3-a3d6-00c04fa32518} - http://x.weber.com:8000/OA_HTML/oajinit.exe
O16 - DPF: {332BD5A0-8000-11D7-B657-00C04FAEDB18} (Oracle JInitiator 1.1.8.22) - http://x.weber.com:8004/jinitiator/oajinit.exe
O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://x.weber.com/AntiSpamGateway/Cabs/Mapicom.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://x/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {86ECB6A0-400A-11D5-B638-00C04FAEDB18} - http://x.weber.com:7777/discwb4/jinit/jinit11811.exe
O16 - DPF: {9B935470-AD4A-11D5-B63E-00C04FAEDB18} (Oracle JInitiator 1.1.8.16) - http://x.weber.com:8000/jinitiator/oajinit.exe
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} (PVCS VM I-NET Client for MSIE) - http://x/vminet_images/vmi660ie.cab
O16 - DPF: {FF348B6E-FD21-11D4-A3F0-00C04FA32518} - http://x.weber.com:8000/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = weber.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = weber.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = weber.com webermarking.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.0.0.30 10.0.0.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = weber.com webermarking.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.0.0.30 10.0.0.13
O23 - Service: Compaq Local Alerter - Unknown - CPQAlert.exe (file missing)
O23 - Service: Compaq BIOS - Unknown - CPQBIOS.exe (file missing)
O23 - Service: DMISL - Unknown - C:\WINNT\system32\dmislsrv.exe
O23 - Service: Hummingbird Inetd - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Jconfig Daemon - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown - D:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleORA_WORKFLOWClientCache - Unknown - D:\ora_workflow\BIN\ONRSD.EXE
O23 - Service: OfficeScanNT Listener - Unknown - C:\OfficeScan NT\tmlisten.exe

#7 daveai

daveai

  • Members
  • 266 posts

Posted 26 January 2005 - 11:58 PM

Thanks

I figured you had security protections in an environment with 300 units :thumbsup:

And, I was speaking of personal firewalls, since we mostly help individuals.

Your HijackThis log is clean. No obvious malware.

How about the problems? Have they cleared up?

daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#8 Webbie

Webbie
  • Topic Starter

  • Members
  • 20 posts

Posted 27 January 2005 - 12:42 PM

Daveai, thanks! I have not heard any complaints from the user to suggest that his problems have not been corrected (and he would tell me, believe me!). So, other than running NT4, which is a problem in and of itself, it appears that what you suggested took care of his issues - Thanks again! I really appreciate your help with this. I plan on using this forum in the future; is there any limit to the number of help requests that I can post here? Let me know....I don't want to abuse the free help that you provide, but it is most helpful to me in situations where the normal ad-aware and spybot don't correct the problems. I would mess with Hijack This myself, but it seems that it has potential to break a lot of stuff if not used properly, correct?

Let me know and thanks again!

Webbie
