my hijackthis log file

Hi, I'm using Win2K and incessant popups are driving me insane. I'm having a really hard time getting anything done. I am running ad-aware scans every 10 minutes, spybot, ms adware utility, you name it. I'm growing despondent.

Logfile of HijackThis v1.99.1
Scan saved at 10:50:55 AM, on 5/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mnmsrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Glance\Glance.exe
C:\Program Files\PKWARE\PKZIPO\PKTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Citrix\ICA Client\wfica32.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\PROGRA~1\PKWARE\PKZIPW4\pkzipw.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = formatting link
- URLSearchHook: (no name) - _{269B6797-664E-48AA-B283-B012BDF6E525} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [gkrAK] C:\documents and settings\administrator\local settings\temp\gkrAK.exe
O4 - HKLM\..\Run: [picsvr] C:\WINNT\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tsvcin] C:\WINNT\system32\n20050308.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unrank.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitenic32.exe
O4 - HKCU\..\Run: [Ehwuz] C:\WINNT\system32\r?ndll32.exe
O4 - HKCU\..\Run: [JBsqRUN8S] rsfxdo.exe
O4 - HKCU\..\Run: [Lcbt] C:\Documents and Settings\Administrator\Application Data\ewah.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Glance.lnk = C:\Program Files\Glance\Glance.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPO\PKTray.exe
O4 - Global Startup: rtdc.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - formatting link
- DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - formatting link
- DPF: {46378FDC-0501-446E-8CC9-9C4F6F5E906B} (DownloadInstall Class) - formatting link
- HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wanlink.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wanlink.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wanlink.us
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Uninstall - C:\WINNT\system32\p86slij718o.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Reply to
tony.belden

Have you tried using a firewall?

Reply to
tino

I also have a problem with clicksearchclick.com spyware. I have run HijackThis v1.99.1.

Who can help me and tell me what is used by hijackers and what isn't? Which of these can be removed?

Logfile of HijackThis v1.99.1
Scan saved at 20:21:59, on 25-5-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ABCD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\VVSN\VVSN.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SERVICES\{A4859CC0-CBD6-11D9-9167-0050BFA120F0}\SVCHOST.EXE
C:\WP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = formatting link
- HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = formatting link
- HKCU\Software\Microsoft\Internet Explorer,SearchURL = formatting link
- HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = formatting link
- HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {D0D00EDB-AAE1-11D9-9167-0050FCE85DC5} - C:\WINDOWS\SYSTEM\GBLG.DLL (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\CFGWIZ.EXE /R
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [VVSN] C:\PROGRAM FILES\VVSN\VVSN.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{A4859CC0-CBD6-11D9-9167-0050BFA120F0}\SVCHOST.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {FC6C1160-B7D8-11D9-9167-0050BFA120F0} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FC6C1160-B7D8-11D9-9167-0050BFA120F0} - (no file) (HKCU)
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - formatting link
- DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - formatting link
- DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - formatting link
- DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - formatting link
- DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - formatting link
- DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - formatting link
- DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - formatting link
- Filter: text/html - {292BE360-AACD-11D9-9167-0050008EA050} - C:\WINDOWS\SYSTEM\GBLG.DLL
O18 - Filter: text/plain - {292BE360-AACD-11D9-9167-0050008EA050} - C:\WINDOWS\SYSTEM\GBLG.DLL

Please mail me: snipped-for-privacy@student.eur.nl

thanx in advance,

Rick

Reply to
Rick

This will go some way towards that

formatting link
the only way to properly fix the problem is to wipe the drive and reinstall everything from clean media. There is no way to know what your virus collection has done to your system.

Jason

Reply to
Jason Edwards

Have you tried wiping the drive and reinstalling everything from clean media? Please don't do that with the computer connected to the Internet. Have SP4 and all other updates on CD or a network share and don't reconnect to the internet until the reinstall is fully up to date. External USB 2.0 hard drives can also be useful. So can

formatting link
instead of Internet Explorer. A little knowledge of how to run Windows 2000 as a user instead of an administrator is also useful.

You may want to find someone in your area who knows how to help you and pay them to do it.

Jason

Reply to
Jason Edwards

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.