Please check this hi-jack log for me

Discussion in 'privacy problems' started by SnoopyNorm, Aug 13, 2003.

Thread Status:
Not open for further replies.
  1. SnoopyNorm

    SnoopyNorm Guest

    Hi guys:

    I am new to this forum and new to HijackThis which a friend of mine told me about.
    Could anyone please interpret it for me.

    Thanks in Advance:

    Logfile of HijackThis v1.95.0
    Scan saved at 3:26:21 PM, on 13/08/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Atievxx.exe
    C:\Program Files\Canon\VDC\AuVdc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\system32\cba\pds.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\SSC\NSCTOP.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINNT\system32\ams_ii\hndlrsvc.exe
    C:\WINNT\system32\MsgSys.EXE
    C:\WINNT\system32\ams_ii\iao.exe
    C:\WINNT\system32\cba\xfr.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\Atiptaxx.exe
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Iomega HotBurn\Autolaunch.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Naviscope\naviscope.exe
    C:\Program Files\DELL\AccessDirect\DadTray.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\STEVED~1\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.sureseeker.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.sureseeker.com/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dailymercury.com.au/news.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.dodo.com.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.sureseeker.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.dodo.com.au
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.dodo.com.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Dodo Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=192.168.177.31:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=192.168.*.*;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: Shortcut to apnroute.bat.lnk = C:\Documents and Settings\Steve Dew\My Documents\Batchfiles\apnroute.bat
    O4 - Global Startup: Shortcut to whitroute.bat.lnk = C:\Documents and Settings\Steve Dew\My Documents\Batchfiles\whitroute.bat
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Wallpaper (HKLM)
    O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bigpond.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bigpond.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bigpond.com
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    Hi SnoopyNorm,

    It looks like you are using an older version of HijackThis and that version doesn't show everything that may be needed to give you a full analysis. Could you go over to the site below and download the latest version by clicking the "HiJackThis" button on the left side of the screen? (It has a small flashing green light next to it.)

    http://www.tomcoyote.org/hjt

    The new version may show additional useful information. If you could download, extract and run that one, then just reply to this thread here with the new log...

    Thanks,
    LowWaterMark
     
  3. SnoopyNorm

    SnoopyNorm Guest

    Hi LWM...

    Thans for that.. here is the new log

    Logfile of HijackThis v1.96.0
    Scan saved at 4:34:06 PM, on 13/08/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Atievxx.exe
    C:\Program Files\Canon\VDC\AuVdc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\system32\cba\pds.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\SSC\NSCTOP.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINNT\system32\ams_ii\hndlrsvc.exe
    C:\WINNT\system32\MsgSys.EXE
    C:\WINNT\system32\ams_ii\iao.exe
    C:\WINNT\system32\cba\xfr.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\Atiptaxx.exe
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Iomega HotBurn\Autolaunch.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Naviscope\naviscope.exe
    C:\Program Files\DELL\AccessDirect\DadTray.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Steve Dew\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sureseeker.com/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dailymercury.com.au/news.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.dodo.com.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sureseeker.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.dodo.com.au
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.dodo.com.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dodo Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.177.31:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*.*;<local>
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: Shortcut to apnroute.bat.lnk = C:\Documents and Settings\Steve\My Documents\Batchfiles\apnroute.bat
    O4 - Global Startup: Shortcut to whitroute.bat.lnk = C:\Documents and Settings\Steve\My Documents\Batchfiles\whitroute.bat
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Wallpaper (HKLM)
    O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{67EE6478-D587-46F2-B228-C6E35FB11FAF}: NameServer = 139.130.4.4
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7CBDC5B2-B317-43DE-A3B4-3A4C3AD6254F}: NameServer = 139.130.4.4
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bigpond.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bigpond.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bigpond.com
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi SnoopyNorm,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sureseeker.com/search.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sureseeker.com/search.htm

    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

    Not sure about this one:
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll

    Reboot after doing so.
    mobsync.exe will probably return in the list at some point. I just advised to disable it, because that helps in getting rid of the hijacked entries.

    I assumed these:
    O4 - Global Startup: Shortcut to apnroute.bat.lnk = C:\Documents and Settings\Steve\My Documents\Batchfiles\apnroute.bat
    O4 - Global Startup: Shortcut to whitroute.bat.lnk = C:\Documents and Settings\Steve\My Documents\Batchfiles\whitroute.bat
    were made by yourself, so I left them alone.
    If they aren't we'll need to have a closer look.

    Regards,

    Pieter
     
  5. SnoopyNorm

    SnoopyNorm Guest

    Thanx Pieter,

    Fixed the sureseeker links, mobsync didn't returned.

    Yes the batch files are mine, any thoughts on the "TIBSLoader" line, have left it alone for now.

    SnoopyNorm :D
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Snoopynorm,

    There is almoste never any harm in deleting Downloaded Program Files, since you will be prompted to reinstall them at the moment you need them.
    And directplugin is a name that gives me creepy associations, so if you don't know what it is, toss it out.

    Regards.

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.