Hijack This Log - DMH

Discussion in 'adware, spyware & hijack cleaning' started by DeltaMikeHotel, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. DeltaMikeHotel

    DeltaMikeHotel Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    4
    Hi there.

I obviously need help or I wouldn't be here. I've run AdAware and Spybot S&D prior to getting HijackThis, and I ran them again immediately prior to saving the log. If I've forgotten any information I'll gladly include it in a reply.

My problem is, essentially, uncontrollable pop-ups. They appear seemingly at random, though they tend to occur more when I am trying to open Internet Explorer. They do occur when I'm not doing anything with the computer, and no programs, other than whatever runs on startup, are going. Whatever I am doing when they appear, the pop-up will supersede, leading to my having accidentally clicked a couple. They tend to be window pop-up advertisements for a variety of things, but I think a couple are also Windows Messenger pop-ups. When in the Task Manager there are several new and rather suspicious-looking items I can't remove, "wintoolsB.exe" and the like.

    Despite the risk of losing a lot of material that can't be replaced, I'm getting to the point where a complete format is sounding preferable to this constant nuisance. I'd like Congress to pass a law permitting citizens to toss bricks through the home windows of folks that make these programs, the physical equivalent of their silicon vandalism...but that's neither here nor there. I'd format, but I'm worried it will just happen again. I've obviously reached the end of my rope, and I'm sincerely hoping you folks can help me. Much obliged.

    DMH
    --------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 10:04:18 AM, on 6/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\PackethSvc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\runservice.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINNT\system32\OnSrvr.exe
    C:\WINNT\system32\AChkr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
    C:\Documents and Settings\Darren\Desktop\AOL Saved Files\America Online 6.0\download\WoWstuff\EMP\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50029
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blizzard.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINNT\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50029
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50029
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O1 - Hosts: 207.44.240.65 ads.x10.com
    O1 - Hosts: 207.44.240.65 images.x10.com
    O1 - Hosts: 207.44.240.65 count.exitexchange.com
    O1 - Hosts: 207.44.240.65 servedby.netadvertising.com
    O1 - Hosts: 207.44.240.65 images.trafficmp.com
    O1 - Hosts: 207.44.240.65 ad.uk.doubleclick.net
    O1 - Hosts: 207.44.240.65 ad.ca.doubleclick.net
    O1 - Hosts: 207.44.240.65 ads.specificpop.com
    O1 - Hosts: 207.44.240.65 ads.specificclick.com
    O1 - Hosts: 207.44.240.65 ads.popupsponsor.com
    O1 - Hosts: 207.44.240.65 adfarm.mediaplex.com
    O1 - Hosts: 207.44.240.65 media.fastclick.net
    O1 - Hosts: 207.44.240.65 media1.fastclick.net
    O1 - Hosts: 207.44.240.65 media19.fastclick.net
    O1 - Hosts: 207.44.240.65 media28.fastclick.net
    O1 - Hosts: 207.44.240.65 media29.fastclick.net
    O1 - Hosts: 207.44.240.65 media39.fastclick.net
    O1 - Hosts: 207.44.240.65 adserv.internetfuel.com
    O1 - Hosts: 207.44.240.65 www.satellitepop.com
    O1 - Hosts: 207.44.240.65 count.exitexchange.com
    O1 - Hosts: 207.44.240.65 z1.adserver.com
    O1 - Hosts: 207.44.240.65 view.atdmt.com
    O1 - Hosts: 207.44.240.65 servedfor.valuead.com
    O1 - Hosts: 207.44.240.65 banners.valuead.com
    O1 - Hosts: 207.44.240.65 img.mediaplex.com
    O1 - Hosts: 207.44.240.65 ln.doubleclick.net
    O1 - Hosts: 207.44.240.65 m2.doubleclick.net
    O1 - Hosts: 207.44.240.65 m.doubleclick.net
    O1 - Hosts: 207.44.240.65 ad.doubleclick.net
    O1 - Hosts: 207.44.240.65 media28.fastclick.net
    O1 - Hosts: 207.44.240.65 media39.fastclick.net
    O1 - Hosts: 207.44.240.65 media.fastclick.net
    O1 - Hosts: 207.44.240.65 popuptraffic.com
    O1 - Hosts: 207.44.240.65 leader.linkexchange.com
    O1 - Hosts: 207.44.240.65 rad.msn.com
    O1 - Hosts: 207.44.240.65 view.atdmt.com
    O1 - Hosts: 207.44.240.65 iv.doubleclick.net
    O1 - Hosts: 207.44.240.65 focusin.ads.targetnet.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\unzipped\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINNT\SysUpd.exe
    O4 - HKLM\..\Run: [GNUBIPWE] C:\WINNT\GNUBIPWE.exe
    O4 - HKLM\..\Run: [AEHKO] C:\WINNT\AEHKO.exe
    O4 - HKLM\..\Run: [Winsdllv32 driver] EM32\FIKS.EXE
    O4 - HKLM\..\Run: [BEILO] C:\WINNT\BEILO.exe
    O4 - HKLM\..\Run: [wtkg] C:\WINNT\cqzby.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [OnSrv] C:\WINNT\system32\AChkr.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
    O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
    O4 - Startup: Emerald PopStop.lnk = C:\Program Files\Emerald PopStop\ETIPopStop.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm
    O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Whistle (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards.com/chat/data/html/user/msie/msichat.ocx
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50029/QDow_AS2.cab
    O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessenger.com/activex/MyEMessengerSetupProject.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38094.3471064815
    O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedia.com/dlver/1_5.exe
    O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE54} - http://ads.onwebmedia.com/dlver/1_5.exe
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast.com/download/SBFS.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_US.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9AA7C61B-7DA4-4E36-B871-9DE5179248FD}: NameServer = 68.35.192.5,68.35.192.6
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi DeltaMikeHotel,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50029

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINNT\system32\searchbar.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50029

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50029
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O1 - Hosts: 207.44.240.65 ads.x10.com
    O1 - Hosts: 207.44.240.65 images.x10.com
    O1 - Hosts: 207.44.240.65 count.exitexchange.com
    O1 - Hosts: 207.44.240.65 servedby.netadvertising.com
    O1 - Hosts: 207.44.240.65 images.trafficmp.com
    O1 - Hosts: 207.44.240.65 ad.uk.doubleclick.net
    O1 - Hosts: 207.44.240.65 ad.ca.doubleclick.net
    O1 - Hosts: 207.44.240.65 ads.specificpop.com
    O1 - Hosts: 207.44.240.65 ads.specificclick.com
    O1 - Hosts: 207.44.240.65 ads.popupsponsor.com
    O1 - Hosts: 207.44.240.65 adfarm.mediaplex.com
    O1 - Hosts: 207.44.240.65 media.fastclick.net
    O1 - Hosts: 207.44.240.65 media1.fastclick.net
    O1 - Hosts: 207.44.240.65 media19.fastclick.net
    O1 - Hosts: 207.44.240.65 media28.fastclick.net
    O1 - Hosts: 207.44.240.65 media29.fastclick.net
    O1 - Hosts: 207.44.240.65 media39.fastclick.net
    O1 - Hosts: 207.44.240.65 adserv.internetfuel.com
    O1 - Hosts: 207.44.240.65 www.satellitepop.com
    O1 - Hosts: 207.44.240.65 count.exitexchange.com
    O1 - Hosts: 207.44.240.65 z1.adserver.com
    O1 - Hosts: 207.44.240.65 view.atdmt.com
    O1 - Hosts: 207.44.240.65 servedfor.valuead.com
    O1 - Hosts: 207.44.240.65 banners.valuead.com
    O1 - Hosts: 207.44.240.65 img.mediaplex.com
    O1 - Hosts: 207.44.240.65 ln.doubleclick.net
    O1 - Hosts: 207.44.240.65 m2.doubleclick.net
    O1 - Hosts: 207.44.240.65 m.doubleclick.net
    O1 - Hosts: 207.44.240.65 ad.doubleclick.net
    O1 - Hosts: 207.44.240.65 media28.fastclick.net
    O1 - Hosts: 207.44.240.65 media39.fastclick.net
    O1 - Hosts: 207.44.240.65 media.fastclick.net
    O1 - Hosts: 207.44.240.65 popuptraffic.com
    O1 - Hosts: 207.44.240.65 leader.linkexchange.com
    O1 - Hosts: 207.44.240.65 rad.msn.com
    O1 - Hosts: 207.44.240.65 view.atdmt.com
    O1 - Hosts: 207.44.240.65 iv.doubleclick.net
    O1 - Hosts: 207.44.240.65 focusin.ads.targetnet.com

    O2 - BHO: (no name) - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - (no file)

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O4 - HKLM\..\Run: [SysUpd] C:\WINNT\SysUpd.exe
    O4 - HKLM\..\Run: [GNUBIPWE] C:\WINNT\GNUBIPWE.exe
    O4 - HKLM\..\Run: [AEHKO] C:\WINNT\AEHKO.exe
    O4 - HKLM\..\Run: [Winsdllv32 driver] EM32\FIKS.EXE
    O4 - HKLM\..\Run: [BEILO] C:\WINNT\BEILO.exe
    O4 - HKLM\..\Run: [wtkg] C:\WINNT\cqzby.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O9 - Extra button: Whistle (HKLM)

    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50029/QDow_AS2.cab

    O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedia.com/dlver/1_5.exe
    O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE54} - http://ads.onwebmedia.com/dlver/1_5.exe
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast.com/download/SBFS.cab

    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_US.cab

    Then reboot into safe mode and delete:
    C:\Program Files\Common files\WinTools <= entire folder
    C:\WINNT\SysUpd.exe

    That leaves two I can't find anything about:
    O4 - HKLM\..\Run: [Winsdllv32 driver] EM32\FIKS.EXE
    O4 - HKLM\..\Run: [OnSrv] C:\WINNT\system32\AChkr.exe

    Can you find and mail me (preferably zipped) copies of:
    FIKS.EXE
    C:\WINNT\system32\AChkr.exe

    Post a new log when you are done. It will need some more work.

    Regards,

    Pieter
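As an added illustration of the triage Pieter does by hand above (example code, not from the thread or from HijackThis itself), this Python checker reads lines in the HijackThis 1.97 log format and flags the patterns he ticked for fixing: hosts entries redirected to a remote address, search settings pointing at a local file, an orphaned BHO, Run entries launched from the Windows root or by relative path, and DPF downloads that are bare .exe files or come from an IP-literal host. The sample lines are constructed from entry types in the logs above, and the heuristics are this example's own assumptions: a starting point for a reviewer, not a verdict on any entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hosts-file targets that merely block a name rather than redirecting it elsewhere.
LOCAL_HOSTS_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# IE registry values that adware commonly rewrites to hijack searches.
SEARCH_KEYS = ("SearchURL", "Search Bar", "SearchAssistant", "CustomizeSearch")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O1"
    reason: str   # why a helper would tick the entry for "Fix checked"
    line: str     # the log line as written


def _o4_target(command: str) -> str:
    """Return the program path from a Run-key command, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def check_line(line: str) -> Optional[Finding]:
    """Apply the heuristics (assumptions of this example) to one log line."""
    line = line.strip()
    m = re.match(r"^([RO]\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)

    if section in ("R0", "R1"):
        # Search-related value that points at a local file instead of a search page.
        key, sep, value = body.partition(" = ")
        if sep and key.endswith(SEARCH_KEYS) and re.match(r"^[A-Za-z]:\\", value):
            return Finding(section, "search setting points at a local file instead of a search page", line)

    elif section == "O1":
        # Hosts entry whose target is not a blocking address: the name is redirected.
        h = re.match(r"^Hosts:\s+(\S+)\s+(\S+)", body)
        if h and h.group(1) not in LOCAL_HOSTS_IPS:
            return Finding(section, f"hosts entry silently redirects {h.group(2)} to {h.group(1)}", line)

    elif section == "O2" and body.endswith("(no file)"):
        return Finding(section, "BHO is registered but its DLL is missing (orphaned entry)", line)

    elif section == "O4":
        r = re.match(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (.*)$", body)
        if r:
            path = _o4_target(r.group(1))
            if "\\" in path and not re.match(r"^[A-Za-z]:\\", path):
                return Finding(section, "Run entry uses a relative path, so the file cannot be located or verified", line)
            if re.match(r"^[A-Za-z]:\\(?:WINNT|WINDOWS)\\[^\\]+\.exe$", path, re.I):
                return Finding(section, "executable launched straight from the Windows root directory", line)

    elif section == "O16":
        d = re.match(r"^DPF: .* - (\S+)$", body)
        if d:
            url = d.group(1)
            if url.lower().endswith(".exe"):
                return Finding(section, "ActiveX download is a bare .exe rather than a .cab package", line)
            if re.match(r"^https?://\d{1,3}(?:\.\d{1,3}){3}", url):
                return Finding(section, "ActiveX download is served from an IP-literal host", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and collect the entries worth fixing."""
    findings = []
    for raw in log_text.splitlines():
        f = check_line(raw)
        if f:
            findings.append(f)
    return findings


# Constructed sample in HijackThis 1.97 format, built from entry types seen in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blizzard.com/
O1 - Hosts: 207.44.240.65 ads.x10.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O2 - BHO: (no name) - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [GNUBIPWE] C:\WINNT\GNUBIPWE.exe
O4 - HKLM\..\Run: [Winsdllv32 driver] EM32\FIKS.EXE
O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedia.com/dlver/1_5.exe
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_US.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Entries the checker does not flag (the legitimate AVG, Start Page and Flash lines in the sample) are left for the human reviewer, just as the helper above left the AVG and Google Toolbar entries alone.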
     
  3. DeltaMikeHotel

    DeltaMikeHotel Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    4
    Thanks very much for the help so far. I followed the instructions you gave to the letter, but I had a couple hitches. First, I couldn't find FIKS.EXE on my computer. I used the "Find Files or Folders" search and had no success, and I tried manually with Windows Explorer and had no luck. Also, when I restarted in safe-mode and tried to find C:\WINNT\SysUpd.exe to delete it, I was unable to do so.

    Here is the new log.
    -------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 1:00:58 PM, on 6/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\PackethSvc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\runservice.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\system32\AChkr.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Trillian\trillian.exe
    C:\WINNT\system32\OnSrvr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Documents and Settings\Darren\Desktop\AOL Saved Files\America Online 6.0\download\WoWstuff\EMP\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blizzard.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\unzipped\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OnSrv] C:\WINNT\system32\OnSrvr.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
    O4 - Startup: Emerald PopStop.lnk = C:\Program Files\Emerald PopStop\ETIPopStop.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm
    O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards.com/chat/data/html/user/msie/msichat.ocx
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessenger.com/activex/MyEMessengerSetupProject.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38094.3471064815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9AA7C61B-7DA4-4E36-B871-9DE5179248FD}: NameServer = 68.35.192.5,68.35.192.6
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi DeltaMikeHotel,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [OnSrv] C:\WINNT\system32\OnSrvr.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    Then reboot into safe mode and delete:
    C:\WINNT\system32\OnSrvr.exe
    Still in safe mode, rename
    C:\WINNT\system32\AChkr.exe to AChkr.bak

    I am not sure yet what it is, but a short look inside told me I don't trust it.
    I will send it on for analysis.

    Regards,

    Pieter
     
  5. DeltaMikeHotel

    DeltaMikeHotel Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    4
    Hello again,

    Followed your instructions once more. This time there were no problems, and afterward my processes on Task Manager appeared to be back to normal. Should I post another log? Thank you once again for your help.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I'll gladly have a look at your log.
    Hopefully it will be my first clean one today :)

    Regards,

    Pieter
     
  7. DeltaMikeHotel

    DeltaMikeHotel Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    4
    Hopefully it's clean... the pop-ups seem to be gone. :D
    ----------

    Logfile of HijackThis v1.97.7
    Scan saved at 3:09:25 PM, on 6/21/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\PackethSvc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\runservice.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Trillian\trillian.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Darren\Desktop\AOL Saved Files\America Online 6.0\download\WoWstuff\EMP\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blizzard.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\unzipped\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
    O4 - Startup: Emerald PopStop.lnk = C:\Program Files\Emerald PopStop\ETIPopStop.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm
    O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards.com/chat/data/html/user/msie/msichat.ocx
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessenger.com/activex/MyEMessengerSetupProject.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38094.3471064815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9AA7C61B-7DA4-4E36-B871-9DE5179248FD}: NameServer = 68.35.192.5,68.35.192.6
     