hijackthis log file

Discussion in 'adware, spyware & hijack cleaning' started by hdengineer1, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. hdengineer1

    hdengineer1 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    3
    Below is the results of running HiJackThis on my PC.

    The original problem was an xlime.offeroptimizer.com pop-up whenever IE6 was opened, and during browsing. I ran Spybot and removed the red entries.

    Please let me know if you have suggestions. I will say that after running SpyBot, rebooting and going back into IE, I haven't gotten the pop-up again. That may not be saying much considering I've only opened it once and browsed to a few pages. Thanks!

    Logfile of HijackThis v1.97.7
    Scan saved at 9:03:36 AM, on 6/17/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\WINNT\System32\cusrvc.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\NALNTSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\WINNT\system32\wm.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\NOVELL\ZENRC\wuser32.exe
    C:\WINNT\system32\WMRUNDLL.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINNT\system32\SxgTkBar.exe
    C:\WINNT\system32\dpmw32.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\RightFax\faxctrl.exe
    C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\qljbna.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Temp\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acli.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.acli.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
    O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wtij] C:\WINNT\wtij.exe
    O4 - HKLM\..\Run: [jfqint] C:\WINNT\system32\qljbna.exe
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKLM\..\Run: [pwv] C:\WINNT\pwv.exe
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.acli.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://aclint1.acli.local/AntiSpamGateway/Cabs/Mapicom.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37698.3438194444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab
    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.i-lookup.com/toolbar2/windec32.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CE256A54-430C-45C3-B7B7-16D45273C988}: NameServer = 38.250.210.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7914B1C-B2BC-4CAA-BF09-6DAED8302276}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CS1\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    hi hdengineer1,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [wtij] C:\WINNT\wtij.exe
    O4 - HKLM\..\Run: [jfqint] C:\WINNT\system32\qljbna.exe
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKLM\..\Run: [pwv] C:\WINNT\pwv.exe

    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab
    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.i-lookup.com/toolbar2/windec32.cab

    Then reboot into safe mode and delete:
    C:\WINNT\alchem.exe
    C:\WINNT\system32\qljbna.exe

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. hdengineer1

    hdengineer1 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    3
    Hi Pieter,

    Below is the logfile from the scan after the tasks you suggested were completed.
    Let me know how it looks. Thanks, again.


    Logfile of HijackThis v1.97.7
    Scan saved at 10:25:08 AM, on 6/17/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\WINNT\System32\cusrvc.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\NALNTSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\WINNT\system32\wm.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\NOVELL\ZENRC\wuser32.exe
    C:\WINNT\System32\MsiExec.exe
    C:\WINNT\system32\WMRUNDLL.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINNT\system32\SxgTkBar.exe
    C:\WINNT\system32\dpmw32.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\RightFax\faxctrl.exe
    C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Tools\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acli.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.acli.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
    O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.acli.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://aclint1.acli.local/AntiSpamGateway/Cabs/Mapicom.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37698.3438194444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CE256A54-430C-45C3-B7B7-16D45273C988}: NameServer = 38.250.210.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7914B1C-B2BC-4CAA-BF09-6DAED8302276}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CS1\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acli.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: Domain = acli.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{26B3B1FB-B05E-4405-A460-923403613673}: NameServer = 38.250.210.10,38.9.212.2
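    As an added illustration (not code from this thread, nor part of HijackThis itself), the following Python script parses two HijackThis-format logs such as the before and after logs posted above, and reports which R/O entries and running processes disappeared between them, plus any remaining entries HijackThis marks "(file missing)" or "(no file)". The embedded sample logs are abridged excerpts constructed from the two logs in this thread; the function and variable names are this example's own.

    ```python
    """Diff two HijackThis v1.9x logs to verify that a cleanup removed what it should."""
    import re
    from typing import Dict, List, Set, Tuple

    # Abridged excerpts constructed from the first and second logs in this thread.
    BEFORE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 9:03:36 AM, on 6/17/2004

Running processes:
C:\WINNT\system32\qljbna.exe
C:\Program Files\NavNT\vptray.exe
C:\Temp\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acli.com/
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [jfqint] C:\WINNT\system32\qljbna.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab
"""

    AFTER_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 10:25:08 AM, on 6/17/2004

Running processes:
C:\Program Files\NavNT\vptray.exe
C:\Tools\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acli.com/
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

    # HijackThis entry lines look like "R1 - ..." or "O4 - ...".
    ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


    def parse_log(text: str) -> Tuple[Set[str], Dict[str, List[str]]]:
        """Return (running processes, {section: [entry bodies]}) for one log."""
        processes: Set[str] = set()
        entries: Dict[str, List[str]] = {}
        in_processes = False
        for raw in text.splitlines():
            line = raw.strip()
            if line == "Running processes:":
                in_processes = True
                continue
            if in_processes:
                if not line:            # blank line ends the process list
                    in_processes = False
                    continue
                processes.add(line.lower())   # Windows paths compare case-insensitively
                continue
            m = ENTRY_RE.match(line)
            if m:
                entries.setdefault(m.group("section"), []).append(m.group("body"))
        return processes, entries


    def flatten(entries: Dict[str, List[str]]) -> Set[str]:
        """Rebuild full 'Oxx - body' strings so two logs can be set-compared."""
        return {f"{sec} - {body}" for sec, bodies in entries.items() for body in bodies}


    def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
        """Report what vanished and what appeared between two scans."""
        p0, e0 = parse_log(before)
        p1, e1 = parse_log(after)
        f0, f1 = flatten(e0), flatten(e1)
        return {
            "removed_entries": sorted(f0 - f1),
            "new_entries": sorted(f1 - f0),
            "stopped_processes": sorted(p0 - p1),
            "new_processes": sorted(p1 - p0),
        }


    def unresolved(entries: Dict[str, List[str]]) -> List[str]:
        """Entries HijackThis marks as dead references: '(file missing)' or '(no file)'."""
        return [f"{sec} - {body}" for sec, bodies in entries.items()
                for body in bodies if "(file missing)" in body or "(no file)" in body]


    if __name__ == "__main__":
        report = diff_logs(BEFORE_LOG, AFTER_LOG)
        for key, items in report.items():
            print(f"{key}:")
            for item in items:
                print("   ", item)
        print("still unresolved after cleanup:", unresolved(parse_log(AFTER_LOG)[1]))
    ```

    Run it against two saved logs (read the files into `before` and `after`) to get a list of removed entries that can be checked line by line against the fix list a helper posted; an empty `removed_entries` or a non-empty `unresolved` list means the cleanup did not take.
    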
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
  5. hdengineer1

    hdengineer1 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    3
    Pieter,

    I appreciate your help.
    Everything looks to be back to normal!

    Take care,
    hdengineer1
     