Computer Forums > The World Wide Web > Virus - Spyware Protection / Detection > HijackThis Logs (finished)

Post #1 by jzak22, 12-08-2004 02:33 PM
Another Hijack Nightmare!!!

Hello all,

I have tried everything in my limited scope including CWShredder, Spybot, Ad-Aware and Giant Anti-Spyware, but after a reboot the hijacking continues. Not sure what to do at this point. I'm trying to avoid a rebuild, so if someone could kindly take a look at my logfile and help, it would be greatly appreciated.

Thanks,

Jerry-Z

Logfile of HijackThis v1.97.7
Scan saved at 3:03:54 PM, on 12/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\system32\hpb2ksrv.exe
C:\WINNT\system32\hpbhksrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\hpstatus.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\system32\hpmtime.exe
C:\WINNT\system32\wkwoiv.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINNT\system32\HPBSPSVR.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\HPBJDSNT.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\oieq07j5e.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Documents and Settings\jzekanoski\RNT\theanswer\rightnow.exe
C:\WINNT\system32\ntvdm.exe
C:\Documents and Settings\jzekanoski\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\rc\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [s3Eg3tX] hpmtime.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [d0xmRjbFi] oieq07j5e.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwhb.ops.placeware.com/etc/...uicksilver.cab
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - http://theanswer.custhelp.com/rnt/co...ebeditpro3.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://theanswer.custhelp.com/rnt/co...tor/msxml4.cab
O16 - DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} (RNTProcessManager Control) - http://rightnow.custhelp.com/rnt/rnw...RNTProcMan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {ED222A11-E1C6-11D0-B1E1-00AA006DCDF4} - http://rightnow.custhelp.com/rnt/rnw...SDAipp_Dll.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D977347E-27FC-401A-8E28-E708BFA81732}: NameServer = 64.79.34.7,172.22.1.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
Post #2 by Dave (Admin), 12-08-2004 06:23 PM

First thing, download the latest version of HijackThis and run it. Make sure it's not in a temp file.

After doing that, post your new log here.

Dave
Post #3 by jzak22, 12-08-2004 07:17 PM

Dave,

Sorry about the old version.. .here is the new logfile.

Thanks,

Jerry

Logfile of HijackThis v1.98.2
Scan saved at 8:10:18 PM, on 12/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\system32\hpb2ksrv.exe
C:\WINNT\system32\hpbhksrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wkwoiv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\hpstatus.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\system32\hpmtime.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\oieq07j5e.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\HPBSPSVR.EXE
C:\WINNT\system32\HPBJDSNT.EXE
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\rc\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [s3Eg3tX] hpmtime.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [d0xmRjbFi] oieq07j5e.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwhb.ops.placeware.com/etc/...uicksilver.cab
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - http://theanswer.custhelp.com/rnt/co...ebeditpro3.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://theanswer.custhelp.com/rnt/co...tor/msxml4.cab
O16 - DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} (RNTProcessManager Control) - http://rightnow.custhelp.com/rnt/rnw...RNTProcMan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {ED222A11-E1C6-11D0-B1E1-00AA006DCDF4} - http://rightnow.custhelp.com/rnt/rnw...SDAipp_Dll.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D977347E-27FC-401A-8E28-E708BFA81732}: NameServer = 64.79.34.7,172.22.1.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
Post #4 by Dave (Admin), 12-08-2004 08:42 PM

Hi Jerry,

Make sure that you read our "Common Instructions" thread (link in my sig) to give you an idea of what we're doing.

Make sure that all your browser windows are closed and fix the following:
R3 - Default URLSearchHook is missing

Unless you have intentionally set up these redirects, fix these:
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch


Continue with the following fixes:
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe


The following are best fixed using SpyBot S&D, but you said that you have already run it. Another better way to fix winsock hijackers is with LSPFix. You can download it here. After running that, fix these:
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll


If you don't recognize the following names nor url, then continue by fixing the following:
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwhb.ops.placeware.com/etc...quicksilver.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://theanswer.custhelp.com/rnt/c...itor/msxml4.cab
O16 - DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} (RNTProcessManager Control) - http://rightnow.custhelp.com/rnt/rn.../RNTProcMan.cab
O16 - DPF: {ED222A11-E1C6-11D0-B1E1-00AA006DCDF4} - http://rightnow.custhelp.com/rnt/rn...MSDAipp_Dll.cab


Unless your ISP or company is "rightnow.com", fix the following:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D977347E-27FC-401A-8E28-E708BFA81732}: NameServer = 64.79.34.7,172.22.1.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com


Is this your remote:
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\rc\winvnc.exe" -servicehelper

You can post a new log after fixing.

Dave
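As an added example (not part of this thread and not HijackThis code), here is a small Python triage script that applies the same reading Dave gives above to raw log lines. It flags O1 hosts entries that point a search domain at a routable address instead of loopback, O4 Run values whose name looks machine-generated, unknown O10 Winsock LSP DLLs (collapsed to one finding per DLL, because HijackThis prints a DLL once for every Winsock catalog entry it sits in), and every O17 domain/DNS override so it can be checked against what the company or ISP really uses. The sample lines are copied from the log posted in this thread; the `looks_random` heuristic and the category wording are the editor's own assumptions.

```python
"""Triage one HijackThis log for the entry classes discussed in this thread.

Added example; neither the forum's nor HijackThis's code. The sample lines are
copied from the log posted above; the heuristics are the editor's assumptions.
"""
import re
from collections import Counter

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.*)$")
O17_RE = re.compile(r"^O17 - (\S+): (\w+) = (.*)$")

# Only these targets are normal in a hosts file; anything else is a redirect.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [s3Eg3tX] hpmtime.exe
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\rc\winvnc.exe" -servicehelper
O4 - HKCU\..\Run: [d0xmRjbFi] oieq07j5e.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D977347E-27FC-401A-8E28-E708BFA81732}: NameServer = 64.79.34.7,172.22.1.123
"""


def looks_random(name):
    """Editor's heuristic: a value name with no spaces that mixes digits with
    lower- and upper-case letters (s3Eg3tX, d0xmRjbFi) is treated as generated."""
    if " " in name or len(name) < 6:
        return False
    return (any(c.isdigit() for c in name)
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def triage(log_text):
    """Return (category, detail) findings for one log, in log order."""
    findings = []
    lsp_hits = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if line == "R3 - Default URLSearchHook is missing":
            findings.append(("R3", "URLSearchHook removed; address-bar searches go to whatever registers next"))
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append(("O1", f"hosts file sends {host} to {ip}"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            if looks_random(name):
                findings.append(("O4", f"{hive} Run value [{name}] has a generated-looking name: {cmd}"))
            continue
        m = LSP_RE.match(line)
        if m:
            lsp_hits[m.group(1).lower()] += 1
            continue
        m = O17_RE.match(line)
        if m:
            _key, setting, value = m.groups()
            findings.append(("O17", f"{setting} = {value}; confirm against the company's or ISP's real values"))
    # One finding per DLL: HijackThis lists an LSP once per Winsock catalog entry it occupies.
    for dll, count in sorted(lsp_hits.items()):
        findings.append(("O10", f"unknown LSP {dll} occupies {count} catalog entries"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category}: {detail}")
```

The O17 entries are reported rather than condemned: as the thread goes on to show, they can be legitimate corporate settings, and only the person who knows the network can say. The name heuristic would miss a hijacker that chooses a plausible-looking value name, so treat the output as a filter for a human reviewer, not a verdict.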
Post #5 by jzak22, 12-09-2004 07:37 AM

Dave,

I just have one quick question about LSPFix. Just want to be sure before I remove something. The aklsp.dll and calsp.dll files that are detected when using LSPFix should be removed?

Thanks,

Jerry
Post #6 by southernlady (Monster Techie), 12-09-2004 08:04 AM

Jerry, if you go read this thread: http://forums.techguy.org/t302307.html it will shed some light on that. Liz
Post #7 by jzak22, 12-09-2004 10:25 AM

Thanks again folks,

I didn't know if, after I performed all the tasks in the last reply, I was supposed to reboot before capturing the new logfile. Anyway, I did reboot and got a blue screen fatal error. I'm running W2K so I just booted into Last Known Good Config. Things have seemed to slow down a great deal as far as popups and redirected websites. The only popups I'm getting now are from my Mozilla browser, which I just deleted. Here is the latest logfile.
Let me know what you think.

Logfile of HijackThis v1.98.2
Scan saved at 11:08:50 AM, on 12/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\system32\hpb2ksrv.exe
C:\WINNT\system32\hpbhksrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wkwoiv.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\hpstatus.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\WINNT\system32\akrbk32.exe
C:\WINNT\system32\HPBSPSVR.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\HPBJDSNT.EXE
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\licmlr.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\system32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\rc\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [s3Eg3tX] akrbk32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [d0xmRjbFi] licmlr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - http://theanswer.custhelp.com/rnt/co...ebeditpro3.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://theanswer.custhelp.com/rnt/co...tor/msxml4.cab
O16 - DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} (RNTProcessManager Control) - http://rightnow.custhelp.com/rnt/rnw...RNTProcMan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {ED222A11-E1C6-11D0-B1E1-00AA006DCDF4} - http://rightnow.custhelp.com/rnt/rnw...SDAipp_Dll.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D977347E-27FC-401A-8E28-E708BFA81732}: NameServer = 64.79.34.7,172.22.1.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com
Post #8 by southernlady, 12-09-2004 04:31 PM

jzak22, What a/v's are you running?
Post #9 by southernlady, 12-09-2004 04:43 PM

We are going to run this one now: http://www.spyware911.net/downloads/KillBox.exe

We have some that are just not budging.

Then run Hijack This again and IF the items are still there put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [s3Eg3tX] akrbk32.exe

O4 - HKCU\..\Run: [d0xmRjbFi] licmlr.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com

Restart to safe mode. http://tinyurl.com/3px9

Because 2000 will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK" http://www.spyware911.net/forum/index.php?showtopic=27

Now find and delete these files:

C:\WINNT\system32\wkwoiv.exe

C:\WINNT\system32\akrbk32.exe

C:\WINNT\system32\licmlr.exe

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Reboot

Empty the Recycle Bin

Then post another log. Liz
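The two logs Jerry posted on 12/8 and 12/9 show the reason a registry-only fix did not stick: the Run-key value names [s3Eg3tX] and [d0xmRjbFi] survive unchanged while the executables behind them change (hpmtime.exe becomes akrbk32.exe, oieq07j5e.exe becomes licmlr.exe), and the new names also appear in the running-process list. This added Python example (not from the thread, and not a HijackThis feature) diffs the O4 entries and process lists of two logs and reports exactly that pattern, which produces the file list Liz asks to have deleted in safe mode. The sample input is a constructed excerpt of those two logs; the report format is the editor's own.

```python
"""Diff the O4 Run entries and running-process lists of two HijackThis logs.

Added example; the excerpts below are constructed from the logs posted in this
thread and the reporting format is the editor's own.
"""
import re

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.(?:exe|scr)$", re.IGNORECASE)

# Constructed excerpt of the 12/8 log (post #3): processes, then O4 entries.
LOG_DEC8 = r"""
C:\WINNT\system32\wkwoiv.exe
C:\WINNT\system32\hpmtime.exe
C:\WINNT\system32\oieq07j5e.exe
C:\WINNT\system32\ctfmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [s3Eg3tX] hpmtime.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [d0xmRjbFi] oieq07j5e.exe
"""

# Constructed excerpt of the 12/9 log (post #7), after the first round of fixes.
LOG_DEC9 = r"""
C:\WINNT\system32\wkwoiv.exe
C:\WINNT\system32\akrbk32.exe
C:\WINNT\system32\licmlr.exe
O4 - HKLM\..\Run: [s3Eg3tX] akrbk32.exe
O4 - HKCU\..\Run: [d0xmRjbFi] licmlr.exe
"""


def run_entries(log_text):
    """Map (hive, value name) -> command line for every O4 Run entry, in log order."""
    entries = {}
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            hive, name, cmd = m.groups()
            entries[(hive, name)] = cmd
    return entries


def processes(log_text):
    """Set of lower-cased executable basenames from the 'Running processes' lines."""
    procs = set()
    for line in log_text.splitlines():
        line = line.strip()
        if PROC_RE.match(line):
            procs.add(line.rsplit("\\", 1)[-1].lower())
    return procs


def compare_logs(old_text, new_text):
    """Report Run values whose executable changed, entries that appeared or
    vanished, and process-list churn between two logs."""
    old, new = run_entries(old_text), run_entries(new_text)
    old_procs, new_procs = processes(old_text), processes(new_text)
    renamed = [(h, n, old[(h, n)], new[(h, n)])
               for (h, n) in old if (h, n) in new and old[(h, n)] != new[(h, n)]]
    removed = [k for k in old if k not in new]
    added = [k for k in new if k not in old]
    return {
        "renamed": renamed,
        "removed": removed,
        "added": added,
        "proc_added": new_procs - old_procs,
        "proc_gone": old_procs - new_procs,
    }


def files_to_delete(report):
    """Executables behind renamed Run values: the ones a registry-only fix
    cannot reach, because the dropper recreates them under a new name."""
    return sorted(cmd.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
                  for _, _, _, cmd in report["renamed"])


if __name__ == "__main__":
    report = compare_logs(LOG_DEC8, LOG_DEC9)
    for hive, name, before, after in report["renamed"]:
        print(f"{hive} [{name}] re-dropped: {before} -> {after}")
    print("removed:", report["removed"])
    print("new processes:", sorted(report["proc_added"]))
    print("delete in safe mode:", files_to_delete(report))
```

Note what the diff does not catch: wkwoiv.exe is running in both logs but has no O4 entry at all, so it is held in place by something other than a Run key. That is why Liz's list names it explicitly alongside the two re-dropped files; a tool that only watches Run keys would never suggest it.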
Post #10 by jzak22, 12-10-2004 10:40 AM

Liz,

What exactly am I deleting with killbox.exe.

As far as these entries below, corp.rightnow.com is the company I work. Should I really be deleting these entries?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.rightnow.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.rightnow.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.rightnow.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rightnow.com,rightnow.com,rightnow.com,rightnow.com

Thanks,

Jerry
All times are GMT -5.