Jump to content


Photo

Newbie Hijack user needs help.


  • Please log in to reply
7 replies to this topic

#1 Mark EG

Mark EG

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 12 July 2004 - 12:00 PM

Can anyone have a look at my log and tell me if anything needs removing?

Many thanks in advance.

Logfile of HijackThis v1.98.0
Scan saved at 17:56:19, on 12/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NILaunch.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wholeworl...com/search/top/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wholeworl...ket.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wholeworl...ket.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wholeworl...ket.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wholeworl...com/search/top/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.wholeworl...ket.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wholeworl...ket.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wholeworl...ket.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wholeworl...ket.com/search/
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program Files\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\sysdll32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Startup: Phone Connection Monitor.lnk = ?
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

#2 Mark EG

Mark EG

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 12 July 2004 - 04:27 PM

please?

#3 Mark EG

Mark EG

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 12 July 2004 - 05:21 PM

hello?

#4 Mark EG

Mark EG

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 12 July 2004 - 05:36 PM

anyone?

#5 Mark EG

Mark EG

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 12 July 2004 - 05:37 PM

i really could do with some help here :(

#6 Mark EG

Mark EG

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 13 July 2004 - 01:23 AM

???

#7 Mark EG

Mark EG

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 13 July 2004 - 04:29 AM

why is no-one wanting to help me?

#8 kulshan

kulshan

    Member

  • New Member
  • Pip
  • 1 posts

Posted 07 September 2004 - 12:11 PM

Sorry no one has replied. Being all volunteer, you don't always get the service you need...
I've looked at quite a few of these and yours looks fairly normal. DataViz doesn't need to be sending info onto the internet so I block it with my firewall. All the O4s are the programs that run on startup. You'll notice your antivirus, etc. Here is a place viruses usually plant themselves. The following are questions I have:

O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\sysdll32.exe
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - Startup: Phone Connection Monitor.lnk = ?
O4 - Global Startup: Phone Connection Monitor.lnk = ?
I'm not sure what these are. You might want to make sure you know that they are
safe. Don't disable them just because I don't know what they are. Find out.

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
These are main stream, but I've heard that Webshots has a spyware componant. I don't know...

O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
Why are these here? I don't know.

I hope this helps. I probably won't be back for a while however.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button