
Need Analysis of Hijackthis log

2 posts in this topic

I have a user that has been logging in from home and had so many adware problems it is simply scary. His browser address bar is even grayed out and can't be typed in. I've had him run Ad-aware, Spybot, and CWShredder. He's still got some WinTools problems and Spybot can't seem to remove a couple of the things he's found. I had him create a HijackThis log and send it to me, and this is what it is. I saw some of these things and knew they needed to be fixed, but have no idea about some of the others. Can anybody show me exactly which of these needs to be repaired by HijackThis for this guy to be able to work again? Thanks a ton!!!

Logfile of HijackThis v1.97.7
Scan saved at 2:16:05 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\Harllee\Application Data\soba.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50094
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://northernvirginia.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50094
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50094
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [havcv] C:\WINDOWS\havcv.exe
O4 - HKLM\..\Run: [EJJWoY] C:\windows\temp\EJJWoY.exe
O4 - HKLM\..\Run: [53RKL3@4QABSCZ] C:\WINDOWS\System32\QmtPCB55.exe
O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [ilopcnmite] C:\WINDOWS\System32\ivbndb.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [vbwave] C:\WINDOWS\addins\vbwave.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Htra] C:\Documents and Settings\Harllee\Application Data\soba.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapicc.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: 3m74qf0t.lnk = C:\WINDOWS\3m74qf0t.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8143.5784027778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Hello Kolut


You may find it helpful to print out these instructions. This is in something of a mess and it's probably going to be easier to deal with it in stages: we'll get rid of the serious infections first and scan out what we can, then deal with the rest.


To remove Adtomi, download this file here (Adtomi Cleanup.zip) by Mosaic1:

http://www.wilderssecurity.com/atta...omi_Cleanup.zip for XP


First, if you have a script-blocking program enabled, disable it so the scripts may run.


Unzip it to C:\Windows.


See if there is an Adtomi or Yahoo Stocks icon in your system tray; it might be a red ?? and if so right-click it and select Remove. You must be online for this part.

--A web page from Adtomi would appear: "-uninstall was successful!"

Then go offline (note: not all infections have this icon, so if it isn't there then don't worry).


Next press Ctrl+Alt+Del once to bring up Task Manager and stop the running process for the funny-named file with 8 assorted letters and numbers (3m74qf0t.exe); it will be listed towards the bottom of the running process list in your HijackThis log. There might also be morze1 running; if so, end that process as well.


If you don't have any strangely named exe files running, or you can't stop it running, then DO NOT CONTINUE; please ask for more help first.


Now locate and double-click Cleanup.bat in the folder you unzipped (C:\Windows\Adtomi Cleanup).


***Do not Touch the VBS files. The bat file will run the scripts.***


It will:

  • remove the Adtomi spyware files from the Windows folder
  • clean the Startup folders
  • create backups of the Adtomi exe files it deletes and save them in this folder
  • create a list of all oddly named files deleted from the Windows folder
  • uninstall the BHO
  • start HijackThis and give you directions on what to remove (this should be as below)

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - HKCU\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - Global Startup: 3m74qf0t.lnk = C:\WINDOWS\3m74qf0t.exe


When you have finished please restart the computer.


You have a Peper infection. Click here to download the PeperFix tool, save it to your desktop, double-click it, click 'Find and Fix' and reboot if prompted. Run it again to make sure. Next download this uninstaller and run it.


When this is done, run Ad-aware and make sure it is configured as follows. Screenshot instructions for setup are here if needed.

  • In the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.
  • Make sure the following settings are made and on (ON = GREEN)
  • From main window : Click Start then Activate in-depth scan (recommended)
  • Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.
  • Now click on the Tweak button in that same window. Under Scanning Engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot.
  • Click Proceed to save your settings. Now to scan just click the Next button.
  • When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Now reboot your computer and start in Safe Mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on Safe Mode click here. Now run that last uninstaller and Ad-aware again to fully remove the remnants, then reboot normally.


Go to TrendMicro and perform an online virus scan. Let it fix anything that it finds. Do the same at Pandasoftware.


Please go to sygatetech or TrojanScan and run a free online Trojan scan. Let it delete anything it finds. Then download a free trial of TrojanHunter and perform a scan and clean anything it finds.


You already have Spybot; if you do not have version 1.3 installed, uninstall version 1.2 with the provided uninstaller. Download Spybot 1.3 from here. Install it, open it and click the Search for Updates button. When updates are found, put a check mark next to all and click the Download Updates button. Now click the Search & Destroy icon in the left pane, then the Check for problems button at the bottom of the window. When the scan completes, make sure all the items in RED are ticked, then click the Fix Selected Problems button. Screenshot instructions for installation and setup are here if needed.


Close all other windows except for HijackThis, perform a scan, put a check against the following items and click 'Fix checked'.

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [53RKL3@4QABSCZ] C:\WINDOWS\System32\QmtPCB55.exe
O4 - HKLM\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - HKCU\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - Global Startup: 3m74qf0t.lnk = C:\WINDOWS\3m74qf0t.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab


Reboot your computer.


Next, remove the contents (not the folders themselves) of all these temporary folders:

  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  • Empty your "Recycle Bin"

You are running an outdated version of HijackThis; please download HijackThis v1.98 here.

Unzip it to a convenient permanent folder, for example: C:/HiJackThis/HiJackThis.exe

Double-click HijackThis.exe and hit "Scan". The scan button will turn into "Save Log"; copy and paste the fresh log here along with the adtomi.txt file....


Can you also add the answers to these to your reply:

You are running MyWebSearch. This is not technically malware, but it is thought to be bad by many experts and it will bring malware with it. There are safer alternatives available, such as the Google toolbar. I recommend that you remove it. If you wish to, let me know in your reply.


ClockSync is a pop-up-laden program by WhenU; would you like it removed and replaced with a clean alternative?


Please find this file (SysTray.Exe) in Windows Explorer and note down the file path; then right-click on it and note down all its properties. Make sure you do it for every tab.

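As an added example (my own code, not part of either post and not a HijackThis feature), a small Python checker that parses the O2 and O4 lines of a HijackThis log like the one posted above and flags entries by the criteria the reply relies on: a random letters-and-digits name in the Windows folder or System32, a file started from a temp folder, a Run entry with no full path (the SysTray.Exe question), and a BHO that is not a .dll. The sample lines are copied from the posted log; the flagging rules are my encoding of the reply's advice and are meant as a triage aid, not a verdict.

```python
import re
# HijackThis O2 (BHO) and O4 (Run key / Startup folder) line formats.
_PATTERNS = (
    ("run", re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")),
    ("startup", re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")),
    ("bho", re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.+)$")),
)
# File part of a command: a quoted path, or text up to the first extension followed
# by whitespace/end (so trailing switches such as "/dk" or "/AllUsers" are dropped).
_FILE = re.compile(r'^"([^"]+)"|^(\S+(?: \S+)*?\.\w{2,4})(?=\s|$)')

def parse_line(line):
    """Return (kind, name, file_path) for O2/O4 lines, None for any other line."""
    for kind, rx in _PATTERNS:
        m = rx.match(line)
        if m:
            f = _FILE.match(m.group("cmd"))
            return kind, m.group("name"), (f.group(1) or f.group(2)) if f else m.group("cmd")
    return None

def suspicious(kind, path):
    """Reasons an entry deserves a closer look, using the reply's own criteria."""
    low = path.lower()
    stem, _, ext = low.rsplit("\\", 1)[-1].rpartition(".")
    in_windows = re.match(r"c:\\windows\\(system32\\)?[^\\]+$", low)
    random_name = len(stem) >= 6 and re.search(r"\d", stem) and re.search(r"[a-z]", stem)
    checks = (
        ("\\" not in path, "no full path: locate the file and check its properties"),
        ("\\temp\\" in low, "runs from a temp folder"),
        (in_windows and random_name, "random letters+digits name in the Windows folder"),
        (kind == "bho" and ext != "dll", "BHO loaded from a non-DLL file"),
    )
    return [why for hit, why in checks if hit]

def scan(log_text):
    """Map each flagged file path to its reasons; clean entries are omitted."""
    out = {}
    for e in map(parse_line, log_text.splitlines()):
        if e and suspicious(e[0], e[2]):
            out[e[2]] = suspicious(e[0], e[2])
    return out

# Lines copied from the HijackThis log posted above (a mix of clean and bad entries).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [EJJWoY] C:\windows\temp\EJJWoY.exe
O4 - HKLM\..\Run: [53RKL3@4QABSCZ] C:\WINDOWS\System32\QmtPCB55.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - Global Startup: 3m74qf0t.lnk = C:\WINDOWS\3m74qf0t.exe
"""
```

Running `scan(SAMPLE_LOG)` returns the four bad paths with their reasons and leaves the Lexmark entry out; the R0/R1 and O16 line types are ignored by this parser.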