
Assistance with a Hijack This log

In advance, thank everyone so much for their help, we were able to get a lot of it whittled down by just the reading of the other messages alone (Trying not to be too newbie-ish, ya know... :cool:)
Apparently, on the day they left admin rights open, and we were busily installing all of our home softwares at work, and actually having internet access before they granted it to us, the peon class, of course...Something got on here. Catch being: This is running on the 2000/NT model, and without Administrator's privileges. That being said, I did have tech run SpyBot, I think it's called, but they don't have the Adaware on the server. Then I ran the online .exe, (can't install) of the HJT, and here's a log :) I bolded the ones that I was suspicious of, but couldn't find a way to get rid of, especially the nem219.dll and wsem301.dll. But all up for getting that fixed wonderfully, and have a blessed day!

Logfile of HijackThis v1.98.2
Scan saved at 3:46:02 PM, on 8/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Documents and Settings\dragon\My Documents\Trillian\trillian.exe
C:\Documents and Settings\dragon\Local Settings\Temporary Internet Files\Content.IE5\GLARO9AN\HijackThis[1].exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem301.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Pictometry] C:\WINNT\pictometry.vbs
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [zav] C:\WINNT\zav.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

Comments

  • Dexter Vancouver, BC Canada
    edited August 2004
    Yep, you got it, those are the entries. Try uninstalling Internet Optimizer from your Add/Remove Programs control panel. Then in Safe Mode, remove those HJT entries if they still exist. Then manually quarantine those files.

    Dexter...
  • edited August 2004
    Dexter,

    Thank you so much for your assistance, don't think I can use that uninstall programs, but the guys at Tech should be able to boost it on outta there. I'll give that a shot tomorrow, today's my off day :)

    On another note, was working on the computer at the house, as something had hit my old HD, and had it stuck in a discolored mode, from what I could see it was some sort of casino spyware that I'm guessing my little cousin picked up somewhere, but then the system locked up, so I put a new HD and reinstalled my XP on it...Now, the old HD is set as my C: drive, and the new drive is F: ... Only catch is, I can't get Hijack This! to scan the C: drive, even though that's where I saved the file. Any ideas?

    Thanks again!

    Zo
  • Dexter Vancouver, BC Canada
    edited August 2004
    Hijack This does not actually scan a hard drive, it scans your operating system's registry file. It checks certain locations within the registry that:

    - set the home and search pages for major browsers (IE and Netscape / Mozilla browsers);

    - specify "Browser Helper Objects", plug-ins, extra buttons, etc; and

    - set programs to automatically run at startup.

    Those are all places where hijacks, spyware, adware, and most viruses / trojans will show signs of infections. It also shows you the content of your Downloaded Program Files folder, which is a location sometimes used by hijacks to re-load themselves.

    The best thing to do if you want to go back to using that hard drive would be to disconnect the F drive, try to start-up from the C drive in SAFE MODE, and run HJT then from the C drive, and see what it shows you from there. Otherwise, since you have already put another drive in and installed your OS on it, just transfer your data from C to F, wipe the old drive, set the F drive to C, and use the old drive as a second drive which you can now set to F, G or whatever.

    Dexter...
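
Added example (not part of the thread, and not HijackThis's own code): a small Python parser for the log format posted above. It sorts entries into the registry areas described in the last reply and pulls out the CLSID and file path of BHO (O2) lines and the key, value name and command of Run (O4) lines, so the entries and files named in the replies can be looked up. The function names and category labels are assumptions made for this example.

```python
import re

# Section codes that appear in the log on this page, mapped to the areas the
# reply lists. Only these codes are covered; anything else falls to "other".
CATEGORIES = {"R": "browser home/search page", "O2": "Browser Helper Object",
              "O4": "runs at startup", "O8": "extra context menu item"}

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<command>.+)$")

# Lines copied from the log posted above; header and process lines are
# included to show that they are skipped.
SAMPLE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem301.dll
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

def parse_hjt(log):
    """Return one dict per entry line (R0, O2, O4, ...); other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        entry = {"code": code, "body": body,
                 "category": CATEGORIES.get(code, CATEGORIES.get(code[0], "other"))}
        pattern = {"O2": BHO, "O4": RUN}.get(code)
        detail = pattern.match(body) if pattern else None
        if detail:  # lines such as "Global Startup" keep only the raw body
            entry.update(detail.groupdict())
        entries.append(entry)
    return entries

def find_by_file(entries, filename):
    """Entries whose path, command or raw body mentions the file (case-insensitive)."""
    needle = filename.lower()
    return [e for e in entries
            if needle in (e.get("path") or e.get("command") or e["body"]).lower()]

if __name__ == "__main__":
    for e in find_by_file(parse_hjt(SAMPLE), "nem219.dll"):
        print(e["category"], e["clsid"], e["path"])
```
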