Another Hijack Nightmare!!!
Posted by: jzak22
Hello all,
I have tried everything in my limited scope including CWShredder, Spybot, Ad-Aware and Giant Anti-Spyware, but after a reboot the hijacking continues. Not sure what to do at this point. I'm trying to avoid a rebuild, so if someone could kindly take a look at my logfile and help, it would be greatly appreciated.
Thanks,
Jerry-Z
Logfile of HijackThis v1.97.7
Scan saved at 3:03:54 PM, on 12/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\system32\hpb2ksrv.exe
C:\WINNT\system32\hpbhksrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\hpstatus.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\system32\hpmtime.exe
C:\WINNT\system32\wkwoiv.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINNT\system32\HPBSPSVR.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\HPBJDSNT.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\oieq07j5e.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Documents and Settings\jzekanoski\RNT\theanswer\rightnow.exe
C:\WINNT\system32\ntvdm.exe
C:\Documents and Settings\jzekanoski\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net[/url]
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\rc\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [s3Eg3tX] hpmtime.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [d0xmRjbFi] oieq07j5e.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [url]http://www.apple.com/qtactivex/qtplugin.cab[/url]
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - [url]http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[/url]
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - [url]http://scpwhb.ops.placeware.com/etc/place/HOTEL/SCHpws-b2/5.1.2.150/lib/quicksilver.cab[/url]
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - [url]http://theanswer.custhelp.com/rnt/common/editor/ewebeditpro3.cab[/url]
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - [url]http://www.webshots.com/samplers/WSDownloader.ocx[/url]
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [url]http://theanswer.custhelp.com/rnt/common/editor/msxml4.cab[/url]
O16 - DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} (RNTProcessManager Control) - [url]http://rightnow.custhelp.com/rnt/rnw/client_files/RNTProcMan.cab[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O16 - DPF: {ED222A11-E1C6-11D0-B1E1-00AA006DCDF4} - [url]http://rightnow.custhelp.com/rnt/rnw/activex/MSDAipp_Dll.cab[/url]
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - [url]http://cdn.digitalcity.com/_media/dalaillama/ampx.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D977347E-27FC-401A-8E28-E708BFA81732}: NameServer = 64.79.34.7,172.22.1.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
Posted by: DMo224
First thing, download the latest version of HijackThis and run it. Make sure it's not in a temp file.
After doing that, post your new log here.
Dave :D
Posted by: jzak22
Dave,
Sorry about the old version... here is the new logfile.
Thanks,
Jerry
Logfile of HijackThis v1.98.2
Scan saved at 8:10:18 PM, on 12/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\system32\hpb2ksrv.exe
C:\WINNT\system32\hpbhksrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wkwoiv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\hpstatus.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\system32\hpmtime.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\oieq07j5e.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\HPBSPSVR.EXE
C:\WINNT\system32\HPBJDSNT.EXE
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net[/url]
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\rc\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [s3Eg3tX] hpmtime.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [d0xmRjbFi] oieq07j5e.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - [url]http://scpwhb.ops.placeware.com/etc/place/HOTEL/SCHpws-b2/5.1.2.150/lib/quicksilver.cab[/url]
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - [url]http://theanswer.custhelp.com/rnt/common/editor/ewebeditpro3.cab[/url]
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - [url]http://www.webshots.com/samplers/WSDownloader.ocx[/url]
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [url]http://theanswer.custhelp.com/rnt/common/editor/msxml4.cab[/url]
O16 - DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} (RNTProcessManager Control) - [url]http://rightnow.custhelp.com/rnt/rnw/client_files/RNTProcMan.cab[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O16 - DPF: {ED222A11-E1C6-11D0-B1E1-00AA006DCDF4} - [url]http://rightnow.custhelp.com/rnt/rnw/activex/MSDAipp_Dll.cab[/url]
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - [url]http://cdn.digitalcity.com/_media/dalaillama/ampx.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D977347E-27FC-401A-8E28-E708BFA81732}: NameServer = 64.79.34.7,172.22.1.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
Posted by: DMo224
Hi Jerry,
Make sure that you read our "Common Instructions" thread (link in my sig) to give you an idea of what we're doing.
Make sure that all your browser windows are closed and fix the following:
[b]R3 - Default URLSearchHook is missing[/b]
Unless you have intentionally set up these redirects, fix these:
[b]O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch[/b]
Continue with the following fixes:
[b]O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe[/b]
The following are best fixed using SpyBot S&D, but you said that you have already run it. Another better way to fix winsock hijackers is with LSPFix. You can download it [b][url=http://www.cexx.org/lspfix.htm]here[/url].[/b] After running that, fix these:
[b]O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll[/b]
If you [u]don't recognize[/u] the following names or URLs, then continue by fixing the following:
[b]O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - [url]http://scpwhb.ops.placeware.com/etc...quicksilver.cab[/url]
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [url]http://theanswer.custhelp.com/rnt/c...itor/msxml4.cab[/url]
O16 - DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} (RNTProcessManager Control) - [url]http://rightnow.custhelp.com/rnt/rn.../RNTProcMan.cab[/url]
O16 - DPF: {ED222A11-E1C6-11D0-B1E1-00AA006DCDF4} - [url]http://rightnow.custhelp.com/rnt/rn...MSDAipp_Dll.cab[/url][/b]
Unless your ISP or company is "rightnow.com", fix the following:
[b]O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D977347E-27FC-401A-8E28-E708BFA81732}: NameServer = 64.79.34.7,172.22.1.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com[/b]
Is this your remote:
[b]O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\rc\winvnc.exe" -servicehelper[/b]
You can post a new log after fixing.
Dave :D
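A small triage script, added here as an example (it is not part of the thread and not HijackThis itself), that applies the same checks Dave walked through above to constructed sample lines modelled on Jerry's log: O1 hosts entries pointing search names at an outside IP, O4 Run values with random-looking names or path-less targets, repeated O10 unknown LSP files, and O17 Domain/SearchList values that do not belong to the domain you expect (the expected domain is a parameter; "rightnow.com" is only used because that is Jerry's employer).

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the log posted in the thread (not a full log).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [s3Eg3tX] hpmtime.exe
O4 - HKCU\..\Run: [d0xmRjbFi] oieq07j5e.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (.*)$")
TCPIP_RE = re.compile(r"^HKLM\\System\\(\w+)\\Services\\Tcpip\\.*?: (Domain|SearchList) = (.*)$")


def parse(text):
    """Split a log into (section, body) pairs; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def hosts_redirects(entries):
    """Map every non-loopback IP in O1 hosts entries to the names pointed at it.
    Several search-related names on one outside IP is the classic hosts hijack."""
    by_ip = defaultdict(set)
    for sec, body in entries:
        m = HOSTS_RE.match(body) if sec == "O1" else None
        if m and not m.group(1).startswith("127."):
            by_ip[m.group(1)].add(m.group(2))
    return {ip: sorted(names) for ip, names in by_ip.items()}


def looks_random(name):
    """Value names like s3Eg3tX mix upper, lower and digits with no dot or space."""
    return (any(c.isdigit() for c in name) and any(c.isupper() for c in name)
            and any(c.islower() for c in name) and "." not in name and " " not in name)


def suspicious_run_entries(entries):
    """Return (hive, name, target, reasons) for O4 Run entries worth a second look."""
    findings = []
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == "O4" else None
        if not m:
            continue
        hive, name, target = m.groups()
        reasons = []
        if looks_random(name):
            reasons.append("random-looking value name")
        exe = target.strip('"').split(" ")[0]
        if "\\" not in exe:
            reasons.append("target has no path (resolved via search path)")
        if reasons:
            findings.append((hive, name, target, reasons))
    return findings


def unknown_lsps(entries):
    """Count how many LSP chain slots each unknown DLL occupies (O10 lines repeat)."""
    counts = Counter()
    for sec, body in entries:
        m = LSP_RE.match(body) if sec == "O10" else None
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def foreign_tcpip_settings(entries, expected_domain):
    """O17 Domain/SearchList values outside expected_domain (case-insensitive).
    A value that does not belong to your ISP or employer is a DNS/domain hijack."""
    expected = expected_domain.lower()
    foreign = []
    for sec, body in entries:
        m = TCPIP_RE.match(body) if sec == "O17" else None
        if not m:
            continue
        ctrl_set, key, value = m.groups()
        for dom in dict.fromkeys(v.strip().lower() for v in value.split(",")):
            if dom != expected and not dom.endswith("." + expected):
                foreign.append((ctrl_set, key, dom))
    return foreign


def triage(text, expected_domain):
    """Run every check over one log and return the findings as a dict."""
    entries = parse(text)
    return {
        "urlsearchhook_missing": any(s == "R3" and "URLSearchHook is missing" in b
                                     for s, b in entries),
        "hosts": hosts_redirects(entries),
        "run": suspicious_run_entries(entries),
        "lsp": unknown_lsps(entries),
        "tcpip": foreign_tcpip_settings(entries, expected_domain),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG, "rightnow.com").items():
        print(key, val)
```

The heuristics only rank entries for a human to review; like the helpers in the thread, confirm each hit (known vendor, expected domain) before fixing it.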
Posted by: jzak22
Dave,
I just have one quick question about LSPFix. Just want to be sure before I remove something. The aklsp.dll and calsp.dll files that are detected when using LSPFix should be removed?
Thanks,
Jerry
Posted by: southernlady
Jerry, if you go read this thread: [url]http://forums.techguy.org/t302307.html[/url] it will shed some light on that. Liz
Posted by: jzak22
Thanks again folks,
I didn't know if, after I performed all the tasks in the last reply, I was supposed to reboot before capturing the new logfile. Anyway, I did reboot and got a blue screen fatal error. I'm running W2K so I just booted into Last Known Good Config. Things seem to have slowed down a great deal as far as popups and redirected websites. The only popups I'm getting now are from my Mozilla browser, which I just deleted. Here is the latest logfile.
Let me know what you think.
Logfile of HijackThis v1.98.2
Scan saved at 11:08:50 AM, on 12/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\system32\hpb2ksrv.exe
C:\WINNT\system32\hpbhksrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wkwoiv.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\hpstatus.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\WINNT\system32\akrbk32.exe
C:\WINNT\system32\HPBSPSVR.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\HPBJDSNT.EXE
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\licmlr.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net[/url]
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\rc\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [s3Eg3tX] akrbk32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [d0xmRjbFi] licmlr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - [url]http://theanswer.custhelp.com/rnt/common/editor/ewebeditpro3.cab[/url]
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - [url]http://www.webshots.com/samplers/WSDownloader.ocx[/url]
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [url]http://theanswer.custhelp.com/rnt/common/editor/msxml4.cab[/url]
O16 - DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} (RNTProcessManager Control) - [url]http://rightnow.custhelp.com/rnt/rnw/client_files/RNTProcMan.cab[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O16 - DPF: {ED222A11-E1C6-11D0-B1E1-00AA006DCDF4} - [url]http://rightnow.custhelp.com/rnt/rnw/activex/MSDAipp_Dll.cab[/url]
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - [url]http://cdn.digitalcity.com/_media/dalaillama/ampx.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D977347E-27FC-401A-8E28-E708BFA81732}: NameServer = 64.79.34.7,172.22.1.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
Posted by: southernlady
jzak22, What a/v's are you running?
Posted by: southernlady
We are going to run this one now: [url]http://www.spyware911.net/downloads/KillBox.exe[/url]
[u][color=#ff0000]We have some that are just not budging[/color][/u].
Then run Hijack This again and [b]IF[/b] the items are still there put a check by these. Close ALL windows except HijackThis and click [b] "Fix checked"[/b]
[b]O4 - HKLM\..\Run: [s3Eg3tX] akrbk32.exe[/b]
[b]O4 - HKCU\..\Run: [d0xmRjbFi] licmlr.exe[/b]
[b]017 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com[/b]
[b]O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com[/b]
[b]O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com[/b]
[b]O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com[/b]
[b]O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com[/b]
[b]O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com[/b]
Restart to safe mode. [url]http://tinyurl.com/3px9[/url]
Because 2000 will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options":
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"
Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK" [url]http://www.spyware911.net/forum/index.php?showtopic=27[/url]
Now find and delete these files:
C:\WINNT\system32\[b]wkwoiv.exe[/b]
C:\WINNT\system32\[b]akrbk32.exe[/b]
C:\WINNT\system32\[b]licmlr.exe[/b]
Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Go to Start > Run and type[b] %temp%[/b] in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Reboot
Empty the Recycle Bin
Then post another log. Liz
Posted by: jzak22
Liz,
What exactly am I deleting with killbox.exe?
As far as these entries below, corp.rightnow.com is the company I work for. Should I really be deleting these entries?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
Thanks,
Jerry
Posted by: southernlady
If the O17's are correct, then ignore them.
Last time you got blue screened, so we are running Killbox first to get rid of these nasties. Then we may not have to do anything else. Liz
Posted by: jzak22
Liz,
When I open killbox it asks me for the path to the file I want to delete. What exactly am I supposed to be entering?
C:\WINNT\system32\wkwoiv.exe?
C:\WINNT\system32\akrbk32.exe?
C:\WINNT\system32\licmlr.exe?
Thanks,
Jerry
Posted by: southernlady
Go to your C:\WINNT\system32 folder and then delete those files:
wkwoiv.exe
akrbk32.exe
licmlr.exe
To unhide that see this: Show hidden files & folders [url]http://www.spyware911.net/forum/index.php?showtopic=27[/url]
Posted by: jzak22
Hey Liz,
The only file of the three that we needed to delete that was there was wkwoiv.exe. Even in safe mode with fixbox it would not delete. So I finished all the other steps and rebooted and then tried to find wkwoiv.exe but it was actually gone. Here is the latest logfile.
Thanks,
Jerry
Logfile of HijackThis v1.98.2
Scan saved at 1:13:02 PM, on 12/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\system32\hpb2ksrv.exe
C:\WINNT\system32\hpbhksrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wkwoiv.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\hpnra.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\hpstatus.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\WINNT\system32\glmadt40.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\HPBSPSVR.EXE
C:\WINNT\system32\HPBJDSNT.EXE
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net[/url]
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\rc\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [s3Eg3tX] glmadt40.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - [url]http://theanswer.custhelp.com/rnt/common/editor/ewebeditpro3.cab[/url]
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - [url]http://www.webshots.com/samplers/WSDownloader.ocx[/url]
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [url]http://theanswer.custhelp.com/rnt/common/editor/msxml4.cab[/url]
O16 - DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} (RNTProcessManager Control) - [url]http://rightnow.custhelp.com/rnt/rnw/client_files/RNTProcMan.cab[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O16 - DPF: {ED222A11-E1C6-11D0-B1E1-00AA006DCDF4} - [url]http://rightnow.custhelp.com/rnt/rnw/activex/MSDAipp_Dll.cab[/url]
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - [url]http://cdn.digitalcity.com/_media/dalaillama/ampx.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D977347E-27FC-401A-8E28-E708BFA81732}: NameServer = 64.79.34.7,172.22.1.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
Posted by: southernlady
Run Hijack This again and put a check by these. Close [b]ALL[/b] windows except HijackThis and click [b] "Fix checked"[/b]
[b]O4 - HKLM\..\Run: [s3Eg3tX] glmadt40.exe[/b]
[b]O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl[/b] [color=#ff0000][b][u](this is not the REAL AIM)[/u][/b][/color]
Restart to safe mode: [url]http://tinyurl.com/3px9[/url]
Now find and delete these files:
C:\WINNT\system32\[b]wkwoiv.exe[/b]
C:\WINNT\system32\[b]glmadt40.exe[/b]
Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Go to Start > Run and type [b]%temp%[/b] in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Reboot
Empty the Recycle Bin
Then post another log. Liz
Posted by: jzak22
Liz,
Once again when I got into safe mode I was able to find and delete the glmadt40.exe but the wkwoiv.exe was nowhere to be found... followed the rest of the steps and here is the latest logfile.
Oh I forgot... AIM disappeared so I reinstalled it again.
Thanks,
Jerry
Logfile of HijackThis v1.98.2
Scan saved at 2:42:16 PM, on 12/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\system32\hpb2ksrv.exe
C:\WINNT\system32\hpbhksrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wkwoiv.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\hpstatus.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\HPBSPSVR.EXE
C:\WINNT\system32\HPBJDSNT.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net[/url]
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\rc\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - [url]http://theanswer.custhelp.com/rnt/common/editor/ewebeditpro3.cab[/url]
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - [url]http://www.webshots.com/samplers/WSDownloader.ocx[/url]
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [url]http://theanswer.custhelp.com/rnt/common/editor/msxml4.cab[/url]
O16 - DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} (RNTProcessManager Control) - [url]http://rightnow.custhelp.com/rnt/rnw/client_files/RNTProcMan.cab[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O16 - DPF: {ED222A11-E1C6-11D0-B1E1-00AA006DCDF4} - [url]http://rightnow.custhelp.com/rnt/rnw/activex/MSDAipp_Dll.cab[/url]
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - [url]http://cdn.digitalcity.com/_media/dalaillama/ampx.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D977347E-27FC-401A-8E28-E708BFA81732}: NameServer = 64.79.34.7,172.22.1.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
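Two things the helper does by eye in this thread are picking out the O4 autostart entries worth a second look (the bare [s3Eg3tX] glmadt40.exe value) and comparing successive logs to see whether a fix took (glmadt40.exe gone, wkwoiv.exe still listed under running processes with no autostart entry pointing at it). Here is an added example, not HijackThis code and not posted by anyone in this thread, of a small Python parser that does both over a constructed, abbreviated excerpt of the two logs above. The KNOWN_BARE_NAMES allowlist and the "system32 process with no autostart entry" heuristic are my assumptions for illustration, not rules stated on the page.

```python
"""Parse HijackThis-style logs, flag autostart entries, and diff two scans.

Added example for this thread; not HijackThis code. The two log texts are
constructed, abbreviated excerpts of the scans posted above.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the 1:13 PM scan (before the second "Fix checked").
LOG_BEFORE = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wkwoiv.exe
C:\WINNT\system32\glmadt40.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [s3Eg3tX] glmadt40.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

# Constructed excerpt of the 2:42 PM scan (after deleting glmadt40.exe).
LOG_AFTER = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wkwoiv.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")          # "O4 - ..." style lines
O4_RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

# Assumed allowlist: bare-name Run values the analyst has already vetted on
# this host (the helper left these alone in the thread).
KNOWN_BARE_NAMES = {"carpserv.exe", "ctfmon.exe", "mobsync.exe"}


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)   # full paths from "Running processes:"
    entries: list = field(default_factory=list)     # (code, full line) for R0/O4/O17/...


def parse_log(text):
    """Split a HijackThis log into its process list and its coded entries."""
    log, in_procs = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                          # first coded entry ends the process list
            in_procs = False
            log.entries.append((m.group(1), line))
        elif in_procs:
            log.processes.append(line)
    return log


def command_target(cmd):
    """Return the executable part of a Run value, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_entries(log):
    """Return (kind, item, reason) findings worth a closer look."""
    findings = []
    # Every *.exe name mentioned anywhere in the coded entries.
    referenced = {m.lower() for _, line in log.entries
                  for m in re.findall(r"[\w~-]+\.exe", line, re.IGNORECASE)}
    for code, line in log.entries:
        m = O4_RUN_RE.match(line)
        if not m:
            continue
        target = command_target(m.group(3))
        bare = "\\" not in target and ":" not in target   # resolved via search path
        if bare and target.lower() not in KNOWN_BARE_NAMES:
            findings.append(("O4", target.lower(),
                             f"bare filename under {m.group(1)} Run, value name [{m.group(2)}]"))
    for proc in log.processes:
        if "\\system32\\" in proc.lower() and basename(proc) not in referenced:
            findings.append(("process", basename(proc),
                             "running from system32 with no autostart entry in this log"))
    return findings


def diff_logs(before, after):
    """Lines (processes and entries) that disappeared or appeared between scans."""
    b = set(before.processes) | {line for _, line in before.entries}
    a = set(after.processes) | {line for _, line in after.entries}
    return {"removed": sorted(b - a), "added": sorted(a - b)}


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for kind, item, reason in flag_entries(before):
        print(f"{kind:8} {item:14} {reason}")
    print(diff_logs(before, after))
```

The bare-filename rule is deliberately noisy: carpserv.exe and ctfmon.exe are bare too, which is why an allowlist of vetted names sits beside it rather than the rule deciding alone. The second rule captures what the thread shows with wkwoiv.exe: a process that keeps appearing under "Running processes" while no O4 line references it is being launched by something this log does not list, so deleting the file alone is not expected to be the end of it.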
Posted by: southernlady
Make sure you have your folders set so that even the hidden ones are showing: [url]http://www.spyware911.net/forum/index.php?showtopic=27[/url]
Restart to safe mode: [url]http://www.spyware911.net/safemode.htm[/url]
C:\WINNT\system32\[B]wkwoiv.exe[/B]
Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Go to Start > Run and type [B]%temp%[/B] in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Reboot
Empty the Recycle Bin
Then post another log.
If this doesn't work, we may have to resort to something else. Liz
Posted by: southernlady
Closing this thread due to lack of activity. Liz