Please check this hi-jack log for me [Archive]

View Full Version : Please check this hi-jack log for me

SnoopyNorm

August 13th, 2003, 01:38 AM

Hi guys:

I am new to this forum and new to HijackThis which a friend of mine told me about.
Could anyone please interpret it for me.

Thanks in Advance:

Logfile of HijackThis v1.95.0
Scan saved at 3:26:21 PM, on 13/08/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Atievxx.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\cba\pds.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Naviscope\naviscope.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\STEVED~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.sureseeker.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dailymercury.com.au/news.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.dodo.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.sureseeker.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.dodo.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.dodo.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Dodo Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=192.168.177.31:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=192.168.*.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Shortcut to apnroute.bat.lnk = C:\Documents and Settings\Steve Dew\My Documents\Batchfiles\apnroute.bat
O4 - Global Startup: Shortcut to whitroute.bat.lnk = C:\Documents and Settings\Steve Dew\My Documents\Batchfiles\whitroute.bat
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bigpond.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bigpond.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bigpond.com

LowWaterMark

August 13th, 2003, 02:01 AM

Hi SnoopyNorm,

It looks like you are using an older version of HijackThis and that version doesn't show everything that may be needed to give you a full analysis. Could you go over to the site below and download the latest version by clicking the "HiJackThis" button on the left side of the screen? (It has a small flashing green light next to it.)

http://www.tomcoyote.org/hjt

The new version may show additional useful information. If you could download, extract and run that one, then just reply to this thread here with the new log...

Thanks,
LowWaterMark

SnoopyNorm

August 13th, 2003, 02:36 AM

Hi LWM...

Thans for that.. here is the new log

Logfile of HijackThis v1.96.0
Scan saved at 4:34:06 PM, on 13/08/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Atievxx.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\cba\pds.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Naviscope\naviscope.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Steve Dew\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sureseeker.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dailymercury.com.au/news.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.dodo.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sureseeker.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.dodo.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.dodo.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dodo Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.177.31:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*.*;<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Shortcut to apnroute.bat.lnk = C:\Documents and Settings\Steve\My Documents\Batchfiles\apnroute.bat
O4 - Global Startup: Shortcut to whitroute.bat.lnk = C:\Documents and Settings\Steve\My Documents\Batchfiles\whitroute.bat
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67EE6478-D587-46F2-B228-C6E35FB11FAF}: NameServer = 139.130.4.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CBDC5B2-B317-43DE-A3B4-3A4C3AD6254F}: NameServer = 139.130.4.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bigpond.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bigpond.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bigpond.com

Pieter_Arntz

August 13th, 2003, 02:45 AM

Hi SnoopyNorm,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sureseeker.com/search.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sureseeker.com/search.htm

O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

Not sure about this one:
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll

Reboot after doing so.
mobsync.exe will probably return in the list at some point. I just advised to disable it, because that helps in getting rid of the hijacked entries.

I assumed these:
O4 - Global Startup: Shortcut to apnroute.bat.lnk = C:\Documents and Settings\Steve\My Documents\Batchfiles\apnroute.bat
O4 - Global Startup: Shortcut to whitroute.bat.lnk = C:\Documents and Settings\Steve\My Documents\Batchfiles\whitroute.bat
were made by yourself, so I left them alone.
If they aren't we'll need to have a closer look.

Regards,

Pieter

SnoopyNorm

August 13th, 2003, 08:38 PM

Thanx Pieter,

Fixed the sureseeker links, mobsync didn't returned.

Yes the batch files are mine, any thoughts on the "TIBSLoader" line, have left it alone for now.

SnoopyNorm ;D

Pieter_Arntz

August 14th, 2003, 02:18 AM

Hi Snoopynorm,

There is almoste never any harm in deleting Downloaded Program Files, since you will be prompted to reinstall them at the moment you need them.
And directplugin is a name that gives me creepy associations, so if you don't know what it is, toss it out.

Regards.

Pieter