Hijack this log - Please review

[zoeythecat]

Hi all,

Sorry to bother this forum again regarding another computer. I ran virus check, spybot, adaware, cwshredder (followed all the guidlines laid out here) and I still get some popups for a particular workstation. Can someone review this hijack log? I would appreciatel any help on what entries I can remove.

Thanks in advance
_________________________________________________________
Logfile of HijackThis v1.98.0
Scan saved at 12:40:18 PM, on 7/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\System32\SxgTkBar.exe
C:\Program Files\Nikon\NkView\EvLstnr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\Fonts\mcdb.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Jasc Software Inc\After Shot\IXApplet.exe
C:\WINNT\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.msnbc.com/

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\hidhere\LOCALS~1\Temp\bdcm.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [EVENTLISTENER] C:\Program Files\Nikon\NkView\EvLstnr.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.6.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [mcdb] C:\WINNT\Fonts\mcdb.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Jasc Software Inc\After Shot\IXApplet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a1408.g.akamai.net/7/1408/99...W/win/061-0848.20031022.TtzS4/iTunesSetup.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.real.com/156e899fa5b5f40d5016/netzip/RdxIE601.cab

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) -

http://www.webshots.com/samplers/WSDownloader.ocx

O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} -

http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=200331312

 

[bcastner]

Remove Weatherbug:

http://www.kephyr.com/spywarescanner/library/weatherbug/index.phtml

 

[zoeythecat]

Hi Bcastner,

Would this be causing popups? The popup she gets is when she opens up "Windows Explorer" a program pops up "Your system has been infected with the MY Doom virus. Run a scan". This is a trick because when you click on Scan it brings you out to a website. Her system is up to date with the latest virus signatures (and has been up to date). I am assuming that something from the hijack this log can be removed to fix this popup. She uses the weatherbug but if you believe I need to remove this and this will remove the popup I will do that. Could you please verify for me. Also, do you see anything in the other entries from the hijack log that I can remove?

TIA

 

[bcastner]

No, the Weatherbug popups clearly identify the advertisor. The AVS people have gotten better about this, so lets leave Weatherbug alone at the moment.

Give this free trial a shot at the issue: Spy Sweeper

http://www.webroot.com/wb/products/spysweeper/index.php

And this freeware a shot at the problem: AdAware

http://www.lavasoftusa.com/support/download/

If the problem continues, follow carefully the steps in faq608-4650

 

[zoeythecat]

Ok...I will give that a shot. So I guess everything you see in the log looks good? Nothing suspicious?

Thanks again.

 

[bcastner]

Nothing screams out to me.

Personally I would remove:

WebShots -- See:

http://info-center.ccit.arizona.edu/~ccitinfo/newsletters/march2002/problems_with_webshots.html

QuickTime
Real Media Player
iTunes
MUSICMATCH
WeatherOnTray.exe
The Nikon Event listener
mcdb.exe - A font manipulation shareware

But it is unlikely these are the source of popups.

 

[joegz]

The BHO with the PID number 60112085-E1CE-4e0e-823A-EBB1AD98804C looks suspicious. Any BHO pointing to a file in the TEMP directory generally isn't a legit program.

joegz
"Sometimes you just need to find out what it's not first to figure out what it is."

 

[carrr]

Fair warning:
Yesterday, I was feeding my everpresent, sick need to keep a test machine infected with the goal of staying on top of things.
I picked up a malware that truly tested my patience, and took a lot of time to clean off.
It generated pop-ups for antispyware tools, of all things.
The only sign that it was there was the presence of Rundll32 in the Task List. It took the form of about eight or ten randomly named, and hidden, files, mostly dlls (all bearing yesterday's date in the modified column). All of these files were in the System folder. All but one of which could be deleted from within Windows Explorer. Upon restart, in order to come in under safe mode, it had replicated. I couldn't delete the thing from safe mode either, but eventually won out by using Killbox on it.
Hijack This did not pick it up. SpyBot, Adaware, Spysweeper, and Bazooka all missed it too.

What's next?



Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[zoeythecat]

Joegz,

Thanks for the help. Unfortunately it did not resolve the popup. The popup happens immediately when opening up Start==>Programs==>Accessories==>Windows Explorer< I will try what BCastner suggests. Maybe I need to run some different spyware programs. I also feel Carr's pain. Sometimes you can run everything you need to run (Virus program, spyware) and still cannot get rid of the popup. Very frustrating.

 

[carrr]

My post was actually intended as anecdotal.
I'd advise downloading a copy of Process Explorer (

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml)

and look what's going on.
It's there, no doubt, but sometimes it's up to us to get the jump on things and find it ourselves rather than wait on the next round of updates for the standard arsenal.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[byteofram]

I would reboot in safe mode, run Ad Aware and Spybot Search and Destroy. Get the latest version of HijackThis and run the log again. You should not have any iexplorer processes running at the time.

----------
Computer TIPs - Columbus Computer Consultants

http://www.comptips.com

 

[zoeythecat]

Thanks for all the tips everyone. I will revisit this sometime this week and try all your suggestions.

Thanks

 

[diogenes10]

carrr, If I ever get one of those new cws problems I think I'll ask you for help.

I saw this mentioned today as a killbox alternative-dont know if it's something you've seen but thought I'd pass it on.

http://theabsolute.net/sware/#deletedr

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[bcastner]

dogenese10,

Thank you for the link to Delete Doctor. I have no idea whether it will handle truely corrupt filenames on NTFS stores, but I am always looking for something that will.

Thanks for the link.
Bill

 

[carrr]

diogenes10,
I second that....thanks for the link.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244