Hijackthis what to remove?

I'm not sure what to remove from the logfile. Can anyone advise?

Logfile of HijackThis v1.98.2
Scan saved at 12:13:35 AM, on 11/9/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Avant Browser\iexplore.exe
C:\Program Files\GNU\WinCvs 1.3\wincvs.exe
C:\Program Files\WS_FTP\WS_FTP95.exe
C:\Program Files\McAfee\McAfee Privacy Service\GuardDog.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\Documents and Settings\plinnane\Desktop\NPRTON_VIRUS_TOOLS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.seekwell.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seekwell.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.seekwell.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost:8000/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.seekwell.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.seekwell.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.internet-search.info/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.seekwell.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.seekwell.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.seekwell.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.seekwell.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.seekwell.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O1 - Hosts: www.adultrevenueservice.com
O1 - Hosts: www.ccbill.com
O1 - Hosts: www.maximumcash.com
O1 - Hosts: www.freeezinebucks.com
O1 - Hosts: www.silvercash.com
O1 - Hosts: www.freeticketcash.com
O1 - Hosts: www.epiccash.com
O1 - Hosts: www.aebn.net
O1 - Hosts: www.lightspeedcash.com
O1 - Hosts: www.fatpockets.com
O1 - Hosts: www.adultplatinum.com
O1 - Hosts: www.vidsandtoys.com
O1 - Hosts: www.cumfiesta.com
O1 - Hosts: www.nastydollars.com
O1 - Hosts: www.hawgscash.com
O1 - Hosts: www.pure-pornstars.com
O1 - Hosts: www.oxcash.com
O1 - Hosts: www.amateurpages.com
O1 - Hosts: www.milfhunter.com
O1 - Hosts: www.gammae.com
O1 - Hosts: www.captainstabbin.com
O1 - Hosts: www.bignaturals.com
O1 - Hosts: www.sweetmoney.com
O1 - Hosts: www.karasxxx.com
O1 - Hosts: www.albionmedical.com
O1 - Hosts: www.wegcash.com
O1 - Hosts: www.karupspc.com
O1 - Hosts: www.pillsmoney.com
O1 - Hosts: adultrevenueservice.com
O1 - Hosts: ccbill.com
O1 - Hosts: maximumcash.com
O1 - Hosts: freeezinebucks.com
O1 - Hosts: silvercash.com
O1 - Hosts: freeticketcash.com
O1 - Hosts: epiccash.com
O1 - Hosts: aebn.net
O1 - Hosts: lightspeedcash.com
O1 - Hosts: fatpockets.com
O1 - Hosts: adultplatinum.com
O1 - Hosts: vidsandtoys.com
O1 - Hosts: cumfiesta.com
O1 - Hosts: nastydollars.com
O1 - Hosts: hawgscash.com
O1 - Hosts: pure-pornstars.com
O1 - Hosts: oxcash.com
O1 - Hosts: amateurpages.com
O1 - Hosts: milfhunter.com
O1 - Hosts: gammae.com
O1 - Hosts: captainstabbin.com
O1 - Hosts: bignaturals.com
O1 - Hosts: sweetmoney.com
O1 - Hosts: karasxxx.com
O1 - Hosts: albionmedical.com
O1 - Hosts: wegcash.com
O1 - Hosts: karupspc.com
O1 - Hosts: pillsmoney.com
O1 - Hosts: sublimedirectory.com
O1 - Hosts: www.sublimedirectory.com
O1 - Hosts: uh-oh.net
O1 - Hosts: www.uh-oh.net
O1 - Hosts: wetcircle.com
O1 - Hosts: www.wetcircle.com
O1 - Hosts: free64all.com
O1 - Hosts: www.free64all.com
O1 - Hosts: teeniefiles.com
O1 - Hosts: www.teeniefiles.com
O1 - Hosts: richards-realm.com
O1 - Hosts: www.richards-realm.com
O1 - Hosts: richards-realm.com
O1 - Hosts: www.richards-realm.com
O1 - Hosts: hardcorejunky.net
O1 - Hosts: www.hardcorejunky.net
O1 - Hosts: mmm100.com
O1 - Hosts: www.mmm100.com
O1 - Hosts: mature-post.com
O1 - Hosts: www.mature-post.com
O1 - Hosts: elephant-list.com
O1 - Hosts: www.elephant-list.com
O1 - Hosts: sleazydream.com
O1 - Hosts: www.sleazydream.com
O1 - Hosts: al4a.com
O1 - Hosts: www.al4a.com
O1 - Hosts: call-kelly.com
O1 - Hosts: www.call-kelly.com
O1 - Hosts: chubbyland.com
O1 - Hosts: www.chubbyland.com
O1 - Hosts: blitzpics.com
O1 - Hosts: www.blitzpics.com
O1 - Hosts: bondagewizard.com
O1 - Hosts: www.bondagewizard.com
O1 - Hosts: pichunter.com
O1 - Hosts: www.pichunter.com
O1 - Hosts: male-movies.com
O1 - Hosts: www.male-movies.com
O1 - Hosts: silent-screams.com
O1 - Hosts: www.silent-screams.com
O1 - Hosts: citizencane.org
O1 - Hosts: www.citizencane.org
O1 - Hosts: persiankitty.com
O1 - Hosts: www.persiankitty.com
O1 - Hosts: easypic.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\plinnane\LOCALS~1\Temp\syscca.dat
O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\plinnane\LOCALS~1\Temp\tenrba.dat
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\plinnane\LOCALS~1\Temp\syscca.dat
O2 - BHO: CATLEvents Object - {870B70D4-F6DA-47AE-9158-D146440A0A4D} - C:\DOCUME~1\plinnane\LOCALS~1\Temp\cmoc.dat
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\plinnane\LOCALS~1\Temp\rbateni.dat
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SimplyDefault] C:\PROGRA~1\Simply\CBWExec.exe /Run C:\PROGRA~1\Simply\CBWAttn.exe -run
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [TimeSyncApp] C:\WINNT\TimeSynchronize.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [javaps] C:\WINNT\Config\javaps.exe
O4 - HKLM\..\Run: [mssys] C:\WINNT\system\mssys.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [window.exe] C:\WINNT\System32\window.exe
O4 - Startup: BadBlue.lnk = C:\Program Files\BadBlue\PE\badblue.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Customize Menu      &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms      &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Save Forms      &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms      &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms      &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar      &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.soccernet.com
O15 - Trusted Zone: http://www.soccernet.com
O16 - DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} (TeeChart Pro Activex control) - http://www.steema.com/files/activex/public/teechart.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0A2276C8-6AC1-11D3-BF1D-00105ACE49EC} (Autoload Modem Pool Monitor and Launcher Control) - http://staging.dmotorworks.com/activex/common/MP_MonitorLaunch.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {1C92EE3A-51FE-11D2-B506-00104BC858E1} (Digital Motorworks Date/Time Picker Control) - http://inca.dmotorworks.com/activex/common/DMDateTimePicker.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13a4b45f80e87e28aa18/netzip/RdxIE601.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://activex.microsoft.com/activex/controls/iexplorer/x86/iemenu.cab
O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll
O16 - DPF: {A28DAC07-0D34-4A90-A0E6-CEE27208C86D} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.cab
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -
O16 - DPF: {CEEBC0A9-E9A8-11D2-B50D-00104BC858E1} (Digital Motorworks Intranet Administrator(TM) Entity Tree Control) - http://inca.dmotorworks.com/activex/IA/IAEntityTree.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) -


Hi dplinnane,

First, do not post a HJT log as a Question. That's a no-no. There is an online HJT Log analyzer that can give you a report on what is good, bad and maybe-maybe. Copy and Paste your Log into the appropriate box at this URL:


After obtaining the report, you can go and check in your HJT those entries that you think should be removed. The online log analyzer is not perfect, so check every entry that it tags as nasty to make sure it is not something you have installed and do not want removed. If in doubt, do not check it.

After you've cleaned your system using the online analyzer, if there are any issues remaining in your machine we'll be more than happy to help you.

Good Vibes!
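
One way to do the "good, bad and maybe" sorting offline, as an added example that is not part of this thread and is not HijackThis's or the online analyzer's own logic: a small Python triage script that applies a few defender's heuristics to lines copied from the log above. The allowlist of expected search-page hosts, the "runs straight from the Windows directory" rule and the severity labels are this example's own assumptions, not rules from HJT.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted above (a subset, used here as
# constructed sample input). The heuristics below are this example's own.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.seekwell.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost:8000/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
O1 - Hosts: www.ccbill.com
O1 - Hosts: ccbill.com
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\plinnane\LOCALS~1\Temp\syscca.dat
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [window.exe] C:\WINNT\System32\window.exe
O15 - Trusted Zone: www.soccernet.com
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://activex.microsoft.com/activex/controls/iexplorer/x86/iemenu.cab
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -
"""

# Assumption: hosts a search/start page is expected to point at on this box
# (localhost is the poster's own Apache). Anything else gets flagged.
EXPECTED_IE_HOSTS = ("microsoft.com", "msn.com", "yahoo.com", "google.com", "localhost")

# Assumption: a startup entry whose executable sits directly under the Windows
# directory deserves a second look ("review"), since malware likes to hide there
# among real OS components. It is a signal, not a verdict.
SYSTEM_DIRS = (r"c:\winnt", r"c:\windows")

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def _host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def _last_field(body):
    """Last ' - '-separated field of an O2/O3/O16 line (the file or URL); '' if absent."""
    tail = body.rsplit(" - ", 1)[-1].strip()
    return "" if tail.endswith("-") else tail


def _run_target(body):
    """Executable path of an O4 line: [name] "path" args  or  [name] path args."""
    m = re.search(r'\]\s*(?:"([^"]+)"|(\S+))', body)
    return (m.group(1) or m.group(2)) if m else ""


def triage(log_text):
    """Return a list of (severity, section, reason, raw_line) for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and " = " in body:
            host = _host_of(body.split(" = ", 1)[1])
            if host and not any(host == d or host.endswith("." + d) for d in EXPECTED_IE_HOSTS):
                findings.append(("bad", sec, "IE search/start setting points at unexpected host " + host, raw))
        elif sec == "O1":
            # Every O1 line is a hosts-file override; a clean box normally has none.
            findings.append(("bad", sec, "hosts-file override for " + body.split(":", 1)[1].strip(), raw))
        elif sec in ("O2", "O3"):
            path = _last_field(body).lower()
            if "\\temp\\" in path or not path.endswith((".dll", ".ocx")):
                findings.append(("bad", sec, "browser extension loads from Temp or from a non-DLL file", raw))
        elif sec == "O4":
            if _run_target(body).lower().startswith(SYSTEM_DIRS):
                findings.append(("review", sec, "startup entry runs straight from the Windows directory; verify the vendor", raw))
        elif sec == "O15":
            findings.append(("review", sec, "site added to the IE Trusted zone; confirm you did this yourself", raw))
        elif sec == "O16":
            src = _last_field(body).lower()
            if src == "":
                findings.append(("review", sec, "ActiveX download entry has no source; likely a leftover", raw))
            elif src.startswith("file://") or src.endswith(".exe"):
                findings.append(("bad", sec, "ActiveX download entry is a local file or a bare .exe", raw))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. Counter({'bad': 5, 'review': 4})."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for severity, section, reason, line in results:
        print(f"[{severity:6}] {section:3} {reason}\n         {line}")
    print(dict(summarize(results)))
```

The "review" bucket is deliberately separate from "bad": the script cannot tell a renamed trojan from a real OS component by path alone, which is exactly why the advice above says to check every flagged entry against what you know you installed before ticking it in HJT.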

Lobo said it all. The URL is very interesting.

Stay out of the porn sites and your machine will remain much cleaner....   :-)
dplinnaneAuthor Commented:
Thanks for the advice. I ran adware, spybot and hijackthis and removed all files that looked suspicious. However, when I restart my computer it reboots as soon as I enter my user name and password in the Win 2k login. When I disconnect from the internet I do not have this problem. I also have an exe called ****-site.com; it has been there forever and I cannot get rid of it. Any ideas on what's going on? Access denied: the source file may be in use.
Also do a check with stinger:

>> Access denied the source file may be in use

Try to take ownership of this file and then delete it,
Take Ownership of Files

And get msconfig for Win2000 from here >> http://www.perfectdrivers.com/howto/msconfig.html
and run it and disable all those extra and unwanted applications in the Startup section except antivirus and firewall entries,
Then run all those removal tools in safemode and delete all those junk files manually also if they are present on ur system... restart and now check if same problem ??
>> However when I restart my computer it reboots as soon as I enter my user name and password in login win 2k. When I disconnect from the internet I do not have this problem.

A new breed of trojans. Seen them and they are nasty. And they fly right under HJT's radar. Look in your System32 folder for a subfolder named KernelW32.
dplinnaneAuthor Commented:
Don't seem to have a subfolder in SYSTEM32. Was able to get rid of f-site above by changing ownership and deleting. Still having restart problems. Ironically enough my problems started after I installed McAfee Security Center.
>> However when I restart my computer it reboots as soon as I enter my user name and password in login win 2k. When I disconnect from the internet I do not have this problem.

How are u connecting to internet,,, means via cable\adsl modem or dialup connection ??
dplinnaneAuthor Commented:
USB port, dsl, wireless
then what does this mean, that u cannot login with ur username after a restart UNLESS u disconnect from internet ??
i mean when u will restart, the USB modem will get disconnected, and thus there will be no internet connection..... sorry but this confused me :-?
dplinnaneAuthor Commented:
If I remove my USB NIC card I can log on to my computer. As soon as I plug in my NIC card my computer restarts.

I have noticed that if I disable the privacy setting with McAfee and then plug in my NIC card I can connect to the internet, seems a bit bizarre.
ok what u shud try at this moment, is to uninstall Mcafee and then check what are the problems left after removing it !!
Coz may be its just the Mcafee which has problems with ur system :-?
dplinnaneAuthor Commented:
I'll give it a try later and see what happens.
hmmmm listening.....
Knowing that the machine is infected I would not remove the antivirus and go online just to see what happens. I would install an alternate AV just for the test, although I'm pretty sure the problem is not McAfee but a trojan. I've seen that behaviour before and it's really nasty. One thing you can do is install AVG and do a scan. Write down everything it finds and go looking for the folders it points at. Chances are if you tell it to clean the files it finds it'll tell you it can't delete them. So you'll need to write down those locations and go hunting manually.

Good Vibes!
