check HJT please guys!

Discussion in 'adware, spyware & hijack cleaning' started by Tassie_Devils, Apr 1, 2004.

Thread Status:
Not open for further replies.
  1. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Guys.

    I have run HJT today and found a new entry that I am curious about.
    Could you have a quick decko at this lot.

    Entry in bold I was wondering about. Could not find it in msconfig and a search found 2files in system32 but MS related it seems.

    Checked on web and got a part description, cannot fathom out how it now appears in listings.

    I did install a new program called SleuthHound [searches for files/folders/docs on HD, recommened from Langalist] That's all.

    Here's what I found.

    Huh? :)



    Logfile of HijackThis v1.97.7
    Scan saved at 3:25:42 AM, on 4/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\HiJackThis\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntf.flinders.edu.au/TEXT/TIDES/qld.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
    O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
    O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\MYIE2\config/blacklist.htm
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.8650694444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3BFC770A-3F8D-42AE-AD75-C0BD03FDBDA3}: NameServer = 203.194.27.57 203.194.56.150
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3BFC770A-3F8D-42AE-AD75-C0BD03FDBDA3}: NameServer = 203.194.27.57 203.194.56.150

    Cheers, Adrian.
     
  2. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    OK... I forgot to mention I had done full scans of course with everything.

    AdAware, Spybot, KAV, TDS, SpySweeper... nada...

    Now, I just uninstalled that SleuthHound program [it would not work like I wanted it to, it mainly looked for different docs, etc].

    Rebooted, re-ran HJT and now that entry I asked about above has gone. :)

    Soooooooooo, appears to be of no concern any more, unless of course something else is wrong... LOL.

    Cheers, in advance thanks, Adrian
     
  3. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,141
    Location:
    North Carolina, USA
    Hi TD,

    Your log is clean. The one file you mention appears to be a legit file and now I see you found out where it came from ;) ....

    Regards.
    Kent
     
  4. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Kent.

    Thanks for that. ;)

    Only submitted in the first place because it had never shown up before.

    Cheers, Adrian
     
  5. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,141
    Location:
    North Carolina, USA
    Hi TD,

    No problem as it was my pleasure....

    Regards,
    Kent
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.