hijackthis log file

Discussion in 'adware, spyware & hijack cleaning' started by hdengineer1, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. hdengineer1

    hdengineer1 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    3
    Below are the results of running HiJackThis on my PC.

    The original problem was an xlime.offeroptimizer.com pop-up whenever IE6 was opened, and during browsing. I ran Spybot and removed the red entries.

    Please let me know if you have suggestions. I will say that after running SpyBot, rebooting and going back into IE, I haven't gotten the pop-up again. That may not be saying much considering I've only opened it once and browsed to a few pages. Thanks!

    Logfile of HijackThis v1.97.7
    Scan saved at 9:03:36 AM, on 6/17/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\WINNT\System32\cusrvc.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\NALNTSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\WINNT\system32\wm.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\NOVELL\ZENRC\wuser32.exe
    C:\WINNT\system32\WMRUNDLL.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINNT\system32\SxgTkBar.exe
    C:\WINNT\system32\dpmw32.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\RightFax\faxctrl.exe
    C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\qljbna.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Temp\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acli.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.acli.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
    O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wtij] C:\WINNT\wtij.exe
    O4 - HKLM\..\Run: [jfqint] C:\WINNT\system32\qljbna.exe
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKLM\..\Run: [pwv] C:\WINNT\pwv.exe
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.acli.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://aclint1.acli.local/AntiSpamGateway/Cabs/Mapicom.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37698.3438194444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab
    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.i-lookup.com/toolbar2/windec32.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CE256A54-430C-45C3-B7B7-16D45273C988}: NameServer = 38.250.210.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7914B1C-B2BC-4CAA-BF09-6DAED8302276}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CS1\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    hi hdengineer1,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [wtij] C:\WINNT\wtij.exe
    O4 - HKLM\..\Run: [jfqint] C:\WINNT\system32\qljbna.exe
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKLM\..\Run: [pwv] C:\WINNT\pwv.exe

    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab
    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.i-lookup.com/toolbar2/windec32.cab

    Then reboot into safe mode and delete:
    C:\WINNT\alchem.exe
    C:\WINNT\system32\qljbna.exe

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. hdengineer1

    hdengineer1 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    3
    Hi Pieter,

    Below is the logfile from the scan after the tasks you suggested were completed.
    Let me know how it looks. Thanks, again.


    Logfile of HijackThis v1.97.7
    Scan saved at 10:25:08 AM, on 6/17/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\WINNT\System32\cusrvc.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\NALNTSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\WINNT\system32\wm.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\NOVELL\ZENRC\wuser32.exe
    C:\WINNT\System32\MsiExec.exe
    C:\WINNT\system32\WMRUNDLL.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINNT\system32\SxgTkBar.exe
    C:\WINNT\system32\dpmw32.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\RightFax\faxctrl.exe
    C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Tools\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acli.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.acli.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
    O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.acli.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://aclint1.acli.local/AntiSpamGateway/Cabs/Mapicom.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37698.3438194444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CE256A54-430C-45C3-B7B7-16D45273C988}: NameServer = 38.250.210.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7914B1C-B2BC-4CAA-BF09-6DAED8302276}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CS1\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
     
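The before and after logs above are easiest to compare mechanically. As an added example (not part of the thread, and not HijackThis code), the Python below splits an HJT log into running-process paths and R/O entries, diffs two scans, and reports which items from a helper's fix list are still present; the embedded excerpts are constructed from this thread's two logs, not the full logs.

```python
import re

# One HijackThis entry line: section code (R0, R1, O2, O4, O16 ...), " - ", the rest.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(log):
    """Split a HijackThis log into its running-process paths and its keyed entries."""
    processes, entries = [], {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[line] = m.group("code")          # full line -> section code
        elif "\\" in line and line.lower().endswith(".exe"):
            processes.append(line)                   # "Running processes:" block
    return {"processes": processes, "entries": entries}

def diff_logs(before, after):
    """Entries and processes that disappeared or appeared between two scans."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "removed_entries": sorted(set(b["entries"]) - set(a["entries"])),
        "added_entries": sorted(set(a["entries"]) - set(b["entries"])),
        "removed_processes": sorted(set(b["processes"]) - set(a["processes"])),
    }

def unresolved(fix_list, after):
    """Items from the helper's fix list that still show up in the follow-up log."""
    present = parse_hjt(after)["entries"]
    return [item for item in fix_list if item.strip() in present]

# Constructed excerpts modelled on the two logs in this thread (not the full logs).
BEFORE = r"""C:\WINNT\system32\qljbna.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acli.com/
O4 - HKLM\..\Run: [jfqint] C:\WINNT\system32\qljbna.exe
"""
AFTER = r"""C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acli.com/
"""
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=",
    r"O4 - HKLM\..\Run: [jfqint] C:\WINNT\system32\qljbna.exe",
]
```

Running `diff_logs(BEFORE, AFTER)` on the real logs would also surface the one process that appeared in the second scan (MsiExec.exe) via a symmetric check, which is worth adding if you want to catch new additions as well as removals.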
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  5. hdengineer1

    hdengineer1 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    3
    Pieter,

    I appreciate your help.
    Everything looks to be back to normal!

    Take care,
    hdengineer1
     