• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Samanax

Hijacked system

10 posts in this topic

Could someone go over this Hijack This! log and tell me what needs to be removed. Thank you.

 

Logfile of HijackThis v1.97.7

Scan saved at 8:24:07 PM, on 6/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\mgabg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\documents and settings\guy\local settings\temp\IvCtEA31I.exe

C:\PROGRA~1\STOPLO~1\Mapi Mpeg Ante.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MProcessor\mprocessor.exe

C:\Program Files\Sony Handheld\Hotsync.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\System32\Bqx21Ym1.exe

C:\WINDOWS\System32\GoxoZ.exe

J:\Security\HijackThis\HijackThis.exe

 

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [ivCtEA31I] C:\documents and settings\guy\local settings\temp\IvCtEA31I.exe

O4 - HKLM\..\Run: [Noun Bash] C:\PROGRA~1\STOPLO~1\Mapi Mpeg Ante.exe

O4 - HKLM\..\Run: [2Z6QBBG5A4JPGY] C:\WINDOWS\System32\GtnSCZ.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [TUOKISVOUPP] C:\WINDOWS\NQUSTQQNSS.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8022.9807407407

Share this post


Link to post
Share on other sites

You have the Peper trojan, which requires special treatment to put it out of your misery!

Please download and run this uninstaller.

 

Click on the peperfix link, and download the program. Then go off line, and run the program. It will remove the files, leaving one orphaned entry to be cleaned up with Hijack this.

 

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

 

O4 - HKLM\..\Run: [ivCtEA31I] C:\documents and settings\guy\local settings\temp\IvCtEA31I.exe

O4 - HKLM\..\Run: [Noun Bash] C:\PROGRA~1\STOPLO~1\Mapi Mpeg Ante.exe

O4 - HKLM\..\Run: [2Z6QBBG5A4JPGY] C:\WINDOWS\System32\GtnSCZ.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKCU\..\Run: [TUOKISVOUPP] C:\WINDOWS\NQUSTQQNSS.exe

Reboot and delete

 

files

C:\documents and settings\guy\local settings\temp\IvCtEA31I.exe

C:\WINDOWS\System32\GtnSCZ.exe

C:\WINDOWS\System32\dp-him.exe

C:\WINDOWS\NQUSTQQNSS.exe

folders

C:\PROGRA~1\STOPLO~1

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a followup Hijack this log, and say if your problems persist.

Share this post


Link to post
Share on other sites

Here's the Hijack This! log after running PeperFix. He told me his IE home page is still hijacked though (he keeps getting SpywareGuard alerts about the home page changing).

 

Logfile of HijackThis v1.97.7

Scan saved at 5:46:51 PM, on 6/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\mgabg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MProcessor\mprocessor.exe

C:\Program Files\Sony Handheld\Hotsync.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\Program Files\SpywareGuard\sgbhp.exe

J:\Security\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8022.9807407407

 

Thank you.

Share this post


Link to post
Share on other sites

I was informed that besides the Peper Virus, the Hijack This log indicates my friend's computer has been hit by another nasty hijack. Could someone take a look at the above Hijack This! log and tell me what you see. Thank you.

 

My friend told me that after running the PeperFix his computer ran a little better, but his homepage was still hijacked and the computer still felt "sluggish". The items that stand out to me are the mprocessor.exe file and the dp-him.exe file. The Search and Homepage items look suspect too. But I'm no security expert and don't want to tell my friend to remove anything unless someone more knowledgeable in this area than I am tells me that those files/items should be removed.

 

Thank you.

Share this post


Link to post
Share on other sites

First, open Rask Manager ( CRTL-ALT-DEL) and end task on any, and all wintools entries.

 

Then have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

 

O1 - Hosts: 69.20.16.183 ieautosearch

 

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

 

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

 

Reboot and delete

 

files

C:\WINDOWS\System32\dp-him.exe

C:\WINDOWS\TEMP\sp.html

 

folders

C:\Program Files\Common files\WinTools

C:\Program Files\\MProcessor

C:\Program Files\Toolbar

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a followup Hijack this log, and say if your problems persist.

Share this post


Link to post
Share on other sites

My friend told me he did everything you instructed but the problem still exists. Here's the latest Hijack This log.

 

Logfile of HijackThis v1.97.7

Scan saved at 8:57:44 PM, on 6/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\mgabg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MProcessor\mprocessor.exe

C:\Program Files\Sony Handheld\Hotsync.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

J:\Security\HijackThis\HijackThis.exe

 

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8022.9807407407

 

Why does MProcessor keep coming back?

 

Thanks for the help so far.

Share this post


Link to post
Share on other sites

Try rebooting into safe mode and run Hijack this. Fix the mprocessor entry, and then without rebooting, delete the file.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0