HijackThis Log for consideration by the gods

Just a bit of background on my situation. I was out sick for a couple days last week and someone in the office took advantage of having my computer free to surf some unsavoury sites. Now if I'm using IE, every couple of hours I get some rather nasty porn pop-ups from places like http://www.fantaporn.com/, http://69.31.87.70/, and some with really long URLs.

So far, I have run Spybot S&D (1.2), Adaware (6.0), XoftSpy (trial) , and Spy Sweeper (trial). Aside from the usual tracking cookies and a few registry entries, nothing has been able to detect what the heck is causing this blasted pop-up. And I just know that one day, the boss will be over my shoulder and suddenly - POP!

Here's the logfile for your consideration. Since I'm going braindead trying to sort this, your help is GREATLY appreciated!

---
Logfile of HijackThis v1.97.7
Scan saved at 11:36:59 a.m., on 24/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\Smtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\VISION\Vision32.exe
C:\WINNT\explorer.exe
C:\Program Files\VISION\VISIJOBC.EXE
C:\Program Files\VISION\visisale.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Jeremy\My Documents\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\winnt\iehr.dll
O2 - BHO: (no name) - {5357A9C5-0C45-466A-B64F-A9ECDD528B09} - C:\WINNT\system32\kbiimdb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: setprint.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://server/myconsole/mstscax.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37958.5992824074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gracetek.co.nz
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gracetek.co.nz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gracetek.co.nz

 

Sorry to repost so quickly, but I think I solved the problem on my own. I found an old post showing the problem was more than likely to be:

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\winnt\iehr.dll

And a little comment from a learned one that this was the porn hijacker. I removed that and:

O2 - BHO: (no name) - {5357A9C5-0C45-466A-B64F-A9ECDD528B09} - C:\WINNT\system32\kbiimdb.dll (file missing)

since that file was indeed missing. So far, no sign of any new pop-ups...but it is still early days.

 

It just occurred to me that I should have posted the updated log file after I performed the repair. One thing I noticed was that my proxy server settings and search bar settings got reset to defaults, but that was easy enough to set back up. This is the log after I closed out of everything. If someone could just verify that I am indeed clean?

---
Logfile of HijackThis v1.97.7
Scan saved at 4:09:24 p.m., on 25/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\Smtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.xtramsn.co.nz/0SEENNZ/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERVER:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: setprint.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://server/myconsole/mstscax.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37958.5992824074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gracetek.co.nz
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gracetek.co.nz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gracetek.co.nz

 

Hello JermCool,

Log looks good.

Here is a link for you to go to that will give you suggestions on how to keep your computer safe:
https://www.wilderssecurity.com/showthread.php?t=27971