
A New .exe File Discovery



#1 dainty_rose (New Member, 2 posts)

Posted 09 July 2004 - 05:36 PM

Hello everyone, I'm new and happy to be here.

I'm hoping that together we can figure out what "Pop Heart.exe" is. I found it in my running processes list one day after being blasted with a bunch of spyware/malware/adware etc.

It took up about 100MB of memory but didn't appear to be using any processor time. It did seem to correspond with some mysterious add popups and page redirections though. After some inspection of my hard drive I found the file in a folder that I believe was called "Heck Mags Bait".

After deleting the folder and the file the .exe process no longer loaded up and I thought I was done with it.

Now, after running "Hijack This" it surprisingly shows up in the scan log. What could it be? I'm slightly concerned and terribly curious. Any help would be fantastic!

Thanks everyone!

-rose-

PS If there's any other suspicious file that I may have missed, will you please let me know? Thank you so much!! :D

Here's my log:
Logfile of HijackThis v1.97.7
Scan saved at 4:28:19 PM, on 7/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PVSW\Bin\W3dbsmgr.exe
C:\Program Files\Symantec\ACT\act.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\wisptis.exe
C:\WINNT\explorer.exe
C:\Program Files\Microsoft Streets & Trips\Streets.exe
C:\Documents and Settings\user\Desktop\HijackThis Internet Security Scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ownsweb - {BC51C175-4ADB-73C4-C3B0-7EBFAEB93D37} - C:\PROGRA~1\GRIDLO~1\defy more.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\manage.exe
O4 - HKLM\..\Run: [iexplore] C:\WINNT\system32\iexplore.exe
O4 - HKLM\..\Run: [camp does] C:\PROGRA~1\Heck Mags Bait\Pop Heart.exe
O4 - HKLM\..\Run: [MSN Manager] C:\WINNT\system32\mcamgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3dbsmgr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = maxwellproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{199076CC-64D5-45E9-892E-3AC600E9981A}: NameServer = 192.168.1.50
O17 - HKLM\System\CCS\Services\Tcpip\..\{48867DF4-87C3-4DD5-87A9-ECD7292C10FA}: NameServer = 192.168.1.50
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = maxwellproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{199076CC-64D5-45E9-892E-3AC600E9981A}: NameServer = 192.168.1.50
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = maxwellproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{199076CC-64D5-45E9-892E-3AC600E9981A}: NameServer = 192.168.1.50

Edited by dainty_rose, 09 July 2004 - 05:50 PM.


#2 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 12 July 2004 - 01:21 PM

What's showing up in the HJT log is the Registry entry that launched the Pop Heart.exe program at each bootup. We can use HJT to fix that, plus some other problems you have as well.

First, I need you to relocate HijackThis. Create a folder via Windows Explorer for HijackThis (such as C:\HJT), then move the file to that folder. This way any backups created are saved in a legit folder instead of being spread around your Desktop.

Start by looking under Add/Remove Programs in Control Panel. See if you can find System Soap Pro and remove it if found - this is an Internet cleaner utility that installs spyware/adware on your machine - there are reports of it showing up on users' machines without being intentionally downloaded.

Do not uninstall SystemSoap Pro if you value the service it offers. But it was probably involved with installing some of the malware we're dealing with now.

Look for another program - possibly named Gridlock - which is installed in C:\PROGRA~1\GRIDLO~1. PROGRA~1 is the short form of Program Files - I can only guess what GRIDLO~1 is the short form of. Most programs installed in the Program Files folder will be listed in Add/Remove programs. If you don't find any likely suspects, don't fret - we'll also take care of it in HijackThis.

Run a new HJT scan and mark these items: (some may be gone due to the uninstalling above)

R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)

O3 - Toolbar: ownsweb - {BC51C175-4ADB-73C4-C3B0-7EBFAEB93D37} - C:\PROGRA~1\GRIDLO~1\defy more.dll

O4 - HKLM\..\Run: [version] C:\WINNT\system32\manage.exe

O4 - HKLM\..\Run: [iexplore] C:\WINNT\system32\iexplore.exe

O4 - HKLM\..\Run: [camp does] C:\PROGRA~1\Heck Mags Bait\Pop Heart.exe

O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min


You have PowerReg Scheduler in your log. This is a registration reminder that is used by a number of different companies. It is not needed and some people think that it reports back to the company about your computer, so I suggest fixing it.

O4 - Startup: PowerReg Scheduler.exe

This is considered to be a resource hog that's not needed to run at startup and it may be worthwhile to fix it with HJT. You will still be able to start it manually when you need it.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

Reboot your computer and open Windows Explorer and reconfigure it to Enable Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the Files and Folders section.
Select: Display the contents of system folders.

Scroll down to the Hidden Files and Folders section.
Select: Show hidden files and folders, Ok the prompt
Uncheck: Hide file extensions for known file types
Uncheck: Hide protected operating system files
Ok the Prompt, click Apply

Click the Apply to all Folders button.

Delete these folders (if still present) and all their contents:

C:\Program Files\GRIDLO~1
C:\Program Files\System Soap Pro

Navigate to the C:\WINNT\system32 folder and delete these files:

C:\WINNT\system32\iexplore.exe
C:\WINNT\system32\manage.exe

Now, I recommend you get Ad-aware and Spybot S&D as per these two links:

How to use Ad-aware to remove Spyware <- Please check this link for instructions on how to download, install and then use Ad-aware.

How to use Spybot to remove Spyware <- Please check this link for instructions on how to download, install and then use Spybot. It sometimes catches things that Ad-aware misses.

After using them as detailed in those articles, you should be clean of any malware. Run another HJT scan, and post it here and I'll take another look just to be sure.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.
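A small triage parser for the HijackThis line formats the reply above works through (O4 Run entries and the R3/O3 CLSID items), written here as an added example and not taken from the original posts or from HijackThis itself. The sample lines are copied from the log posted in this thread; the three flag rules (orphaned target, 8.3 short names, bare executable name) are my own heuristics for deciding which entries deserve a closer look, not anything HijackThis reports.

```python
import re

# Constructed sample: a few lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O3 - Toolbar: ownsweb - {BC51C175-4ADB-73C4-C3B0-7EBFAEB93D37} - C:\PROGRA~1\GRIDLO~1\defy more.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [camp does] C:\PROGRA~1\Heck Mags Bait\Pop Heart.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
"""

# O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# R3/O2/O3 - <kind>: <name> - {CLSID} - <path or "(no file)">
CLSID_RE = re.compile(r'^(?P<code>[RO]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')
SHORT_RE = re.compile(r'[^\\]{1,6}~\d+')     # DOS 8.3 alias such as PROGRA~1 or GRIDLO~1
# First token ending in .exe, with or without surrounding quotes; paths may contain spaces.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)

def parse_line(line):
    """Return {'code', 'hive', 'name', 'target'} for an R/O item, or None for other lines."""
    m = RUN_RE.match(line)
    if m:
        exe = EXE_RE.match(m['cmd'])
        return {'code': 'O4', 'hive': m['hive'], 'name': m['name'],
                'target': exe['exe'] if exe else m['cmd']}
    m = CLSID_RE.match(line)
    if m:
        return {'code': m['code'], 'hive': None, 'name': m['name'], 'target': m['path']}
    return None

def review(record):
    """Heuristic reasons (my own, not HJT's) to look at an entry before clicking Fix Checked."""
    reasons = []
    target = record['target']
    if target == '(no file)':
        reasons.append('orphaned: the registry entry points at a file that no longer exists')
    if SHORT_RE.search(target):
        reasons.append('8.3 short name hides the real folder name; list the directory to expand it')
    if record['code'] == 'O4' and '\\' not in target:
        reasons.append('bare executable name: located through the system search path, so its origin is ambiguous')
    return reasons

def triage(log_text):
    """Parse a whole log and return [(line, reasons)] for the items worth a second look."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec and review(rec):
            flagged.append((line.strip(), review(rec)))
    return flagged
```

Running `triage(SAMPLE_LOG)` leaves the quoted WinVNC entry alone and flags the other five, which is the same set the reply above marks for fixing plus the R3 orphan.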

#3 dainty_rose (New Member, 2 posts)

Posted 13 July 2004 - 10:59 AM

Thank you so much for your help Fireflyer, I really appreciate it!!

I followed your recommendations and got rid of those files. It turns out that the GRIDLO~1 stands for the folder name "gridlocksbird". In the folder I found 3 odd files:
1. 8653.exe (Which my McAfee scan identified as adware and deleted for me.)
2. defy more.dll
3. stupid proxy up (A file without an extension that just said "file" under the "Type" heading in windows explorer.)

So, having deleted the folder and fixed all of the problems that HJT, Ad-Aware, and SpyBot S&D found, here is my new HJT scan log: (Thanks again for the help, you're the best! ;) )

Logfile of HijackThis v1.97.7
Scan saved at 9:47:40 AM, on 7/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PVSW\Bin\W3dbsmgr.exe
C:\Program Files\Symantec\ACT\act.exe
C:\Program Files\Microsoft Streets & Trips\Streets.exe
C:\WINNT\system32\wisptis.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Internet Security\Hijack This Internet Security Scanner\HijackThis Internet Security Scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MSN Manager] C:\WINNT\system32\mcamgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3dbsmgr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = maxwellproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{199076CC-64D5-45E9-892E-3AC600E9981A}: NameServer = 192.168.1.50
O17 - HKLM\System\CCS\Services\Tcpip\..\{48867DF4-87C3-4DD5-87A9-ECD7292C10FA}: NameServer = 192.168.1.50
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = maxwellproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{199076CC-64D5-45E9-892E-3AC600E9981A}: NameServer = 192.168.1.50
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = maxwellproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{199076CC-64D5-45E9-892E-3AC600E9981A}: NameServer = 192.168.1.50

-rose-

#4 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 13 July 2004 - 12:37 PM

rose, you did very well. Congratulations, your log is clean.

I see Firefox in your log, and switching to it is one of the best things you can do for prevention of malware. Even if you switch to Firefox, be sure to stay current with any Windows critical updates.

SpywareBlaster http://www.javacools...areblaster.html will work with Mozilla/Firefox as well as IE to block spyware and tracking cookies.

You might also want to consider installing a firewall program - two very good free ones are available through the links in my Signature. I use Kerio Personal Firewall myself.