Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

« previous next »
Pages: [1]   Go Down

Author Topic: HELP...I think i've been Hijacked  (Read 7057 times)

0 Members and 1 Guest are viewing this topic.

magic9669

    Topic Starter


    Starter

    HELP...I think i've been Hijacked
    « on: June 11, 2009, 12:10:40 PM »
    Everytime I use a search and click on a link, it goes to this ix-find site and then follows to another random site out of no where.  Soemtimes youtube, sometimes a different site altogether.  Here is a list of my log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:53:32 PM, on 6/11/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\PaperSecu\SecuGate.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\paperSecu\PaperSrv.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\INCOPS3\ictray.exe
    C:\WINDOWS\system32\rpcnet.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jayrjr\Local Settings\Temporary Internet Files\Content.IE5\STIRODUN\Support-LogMeInRescue[1].exe
    C:\WINDOWS\LMI1CB.tmp\lmi_rescue.exe
    C:\WINDOWS\LMI1CB.tmp\lmi_rescue.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061017
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: 105.1.11.201 nagspn
    O1 - Hosts: 105.1.11.201 service
    O1 - Hosts: 105.1.11.201 naskp
    O1 - Hosts: 105.1.11.5 seahq_exchange
    O1 - Hosts: 105.1.11.6 seahq_exchange2
    O1 - Hosts: 105.1.11.7 seahq_exchange3
    O1 - Hosts: 105.1.11.12 seusa seusa.net
    O1 - Hosts: 105.1.11.19 pilot pilot.sdsosc.co.kr #acube communication server
    O1 - Hosts: 105.1.11.24 sds.samsung.com sds
    O1 - Hosts: 105.1.11.229 foxhound
    O1 - Hosts: 105.1.11.233 hawker
    O1 - Hosts: 105.1.15.80 edcmon
    O1 - Hosts: 105.1.2.140 acc.samsung.com // US Accessories
    O1 - Hosts: 201.118.63.163 erms.samsung.com
    O1 - Hosts: 210.181.57.82 dev.samsung.com
    O1 - Hosts: 211.36.91.21 real.samsung.com // HQ
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (file missing)
    O2 - BHO: PMURLMObj Class - {922C022A-E97F-4FB6-890E-D167DA951D5E} - C:\WINDOWS\INCOPS3\PMURLMon.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [trueImageMonitor.exe] C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [sysldtray] C:\windows\ld09.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [*LogMeInRescue_739529774] "C:\WINDOWS\LMI1CB.tmp\lmi_rescue.exe" -runonce reboot
    O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
    O4 - Startup: 101Clips.lnk = C:\Program Files\101 Clips\101Clips.exe
    O4 - Global Startup: SAMSUNG NETWORKS VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\anywall3.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\anywall3.dll
    O15 - Trusted Zone: http://*.samsung.net
    O15 - Trusted Zone: *.samsungportal.com
    O15 - Trusted IP range: http://70.2.140.140
    O15 - Trusted IP range: http://70.20.10.140
    O16 - DPF: {08BCD971-A13B-4D6E-A2A5-E9B2324FC00D} (ClientEXE Class) - http://service.samsungportal.com/EP/web/common/cabfiles/CM_ClientEXE.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://naskp.samsungportal.com/km/htdocs/include/cabfiles/DjVuControl_en_US.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://nagspn.samsungportal.com/gspn/ocx/smsx.cab
    O16 - DPF: {18D347E0-C710-4F78-9996-195A8D91E280} (NamoWeCtl 5.0 for Samsung_SKP) - http://service.samsungportal.com/EP/web/common/cabfiles/NamoWec.cab
    O16 - DPF: {2DAAD547-FA98-498C-8FB7-63A7FCBDC0AF} (MenuCtrl Class) - http://70.20.10.140:8011/sdscc/cabs/pdss40.cab
    O16 - DPF: {2FF8F8B7-1B3F-4E5F-93B1-FEF1D703C0F4} (LocalTree.LocalXMLTree) - http://w2.samsung.net/cabs/LocalFolder2004/Cab/mySingleLocal_U.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {317642DD-AF52-11D4-BC2A-0050DA8AEE6F} (FileMng Control) - http://service.samsungportal.com/EP/web/common/cabfiles/FileWiz.cab
    O16 - DPF: {34B5A473-9696-4F9A-9BA1-41B8185A9798} (EpFTP3 Control) - http://w2.samsung.net/cabs/EpFTP3/EpFTP3_U.cab
    O16 - DPF: {37DEC207-782F-40F5-803C-18ACEDA1ABA6} (PersonalCache Control) - http://w2.samsung.net/portalWeb/cabs/mySinglePersonalCache.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200941689187
    O16 - DPF: {714E667D-360C-4BFB-8C1A-E4812B608CC1} (ACUBETrustChecker Control) - http://70.20.10.140:8000/EP/web/common/cabfiles/ACUBETrustChecker.cab
    O16 - DPF: {859A7EB3-35E6-434B-A82B-08B4F8DDE1B6} (NamoWeCtl 6.0 for samsung_mysingle) - http://w2.samsung.net/cabs/Namo/NamoWec.cab
    O16 - DPF: {88DDFD7D-14F7-4E89-8F85-737B90B1A0D0} (mySingleTrust.ClsMain) - http://w2.samsung.net/cabs/LocalFolder2004/Cab/mySingle_Trust.CAB
    O16 - DPF: {9D67EBF0-AF1A-4BCE-BAC9-C84A9383E0B3} (SSOCheck Class) - https://service.samsungportal.com//EP/web/common/cabfiles/UniSSOCheck.cab
    O16 - DPF: {B06ECF02-E502-4737-BA32-91CA0CECFBD1} (MultiDownload Control) - http://naskp.samsungportal.com/km/htdocs/include/cabfiles/MultiDownload.cab
    O16 - DPF: {C4D88B8E-352B-11D6-BF77-0080C740A177} (Setup Class) - http://service.samsungportal.com/EP/web/common/cabfiles/ActiveXSetup.cab
    O16 - DPF: {C63E3330-049F-4C31-B47E-425C84A5A725} (EpAdm2 Control) - http://w2.samsung.net/cabs/Tray/EpAdm2.cab
    O16 - DPF: {DE6ABA6A-095B-43E3-BEBB-879868DC5C8A} (SSLinks Control) - http://w2.samsung.net/cabs/messenger/SSLinks.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://samsung.webex.com/client/T26L/webex/ieatgpc.cab
    O16 - DPF: {E1D1DACA-5BA2-4376-89AD-3A213B916779} (IBLeaders IBSheet For Unicode Control) - http://70.20.1.100:7081/ghr/common/sheet/IBSheet4Unicode.CAB
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://206.67.236.179/dana-cached/setup/JuniperSetupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sea.samsung.com
    O17 - HKLM\Software\..\Telephony: DomainName = sea.samsung.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD95933-CE86-4F62-9DF3-3F5AC5ADF1D6}: NameServer = 105.1.11.4,105.1.11.5,206.67.236.3,206.67.236.20
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sea.samsung.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7BD95933-CE86-4F62-9DF3-3F5AC5ADF1D6}: NameServer = 105.1.11.4,105.1.11.5,206.67.236.3,206.67.236.20
    O20 - Winlogon Notify: WinPrint - C:\WINDOWS\SYSTEM32\WinPrint.dll
    O20 - Winlogon Notify: wlic3 - C:\WINDOWS\SYSTEM32\WLIC3Pk.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: gateman - SDS - C:\WINDOWS\incops3\gateman.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
    O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Windows Spooler (W32Print) - Unknown owner - C:\WINDOWS\system32\PaperSecu\svcpaper.exe
    O23 - Service: winfil32 - SDS - C:\WINDOWS\system32\winfil32.exe
    O23 - Service: Windows Spooler regsiter (WinRegService) - Unknown owner - C:\WINDOWS\system32\PaperSecu\regmem.exe

    --
    End of file - 15579 bytes
    Logged

    Nastarb

    • Guest
    Re: HELP...I think i've been Hijacked
    « Reply #1 on: June 11, 2009, 12:21:11 PM »
    I have the same problem. Have tried, SuperAntispware, Malware etc. Anytime O do a search using Yahoo or Google it sends me to a commercial site using ix-find.com  HELP
    Logged

    Karnac



      Specialist

      Thanked: 211
      Re: HELP...I think i've been Hijacked
      « Reply #2 on: June 11, 2009, 02:38:50 PM »
      Nastarb, go to http://www.computerhope.com/forum/index.php/topic,46313.0.html

      Follow the guidelines and start your own thread and a specialist will see you in turn
      Logged


      Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

      Karnac



        Specialist

        Thanked: 211
        Re: HELP...I think i've been Hijacked
        « Reply #3 on: June 11, 2009, 02:41:23 PM »
        Magic9669, perhaps you should also go to

        http://www.computerhope.com/forum/index.php/topic,46313.0.html
         

        Follow the guidelines, post the logs, run HJT last and evilfantasy will review them in turn
        Logged


        Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

        magic9669

          Topic Starter


          Starter

          Re: HELP...I think i've been Hijacked
          « Reply #4 on: July 07, 2009, 01:39:17 PM »
          This is my latest log from HJT

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 3:38:54 PM, on 7/7/2009
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\program Files\Cisco Systems\VPN Client\cvpnd.exe
          C:\Program Files\Symantec AntiVirus\DefWatch.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
          C:\Program Files\Symantec AntiVirus\SavRoam.exe
          C:\Program Files\Symantec AntiVirus\Rtvscan.exe
          C:\WINDOWS\Explorer.EXE
          C:\mpktnpah.exe
          C:\Program Files\Apoint\Apoint.exe
          C:\WINDOWS\system32\hkcmd.exe
          C:\WINDOWS\system32\igfxpers.exe
          C:\Program Files\Java\jre6\bin\jusched.exe
          C:\WINDOWS\stsystra.exe
          C:\Program Files\Dell\QuickSet\quickset.exe
          C:\Program Files\Common Files\Symantec Shared\ccApp.exe
          C:\PROGRA~1\SYMANT~1\VPTray.exe
          C:\Program Files\Apoint\HidFind.exe
          C:\Program Files\Apoint\Apntex.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
          C:\Program Files\WinZip\WZQKPICK.EXE
          C:\WINDOWS\system32\msiexec.exe
          C:\WINDOWS\LMI7.tmp\lmi_rescue.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\rpcnet.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\WINDOWS\LMI7.tmp\lmi_rescue.exe
          C:\Program Files\Internet Explorer\IEXPLORE.EXE
          C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
          C:\Program Files\Trend Micro\HijackThis\sniper.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061017
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
          R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061017
          R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
          O1 - Hosts: 105.1.11.5 seahq_exchange
          O1 - Hosts: 105.1.11.6 seahq_exchange2
          O1 - Hosts: 105.1.11.7 seahq_exchange3
          O1 - Hosts: 105.1.11.12 seusa seusa.net
          O1 - Hosts: 105.1.11.19 pilot pilot.sdsosc.co.kr #acube communication server
          O1 - Hosts: 105.1.11.24 sds.samsung.com sds
          O1 - Hosts: 105.1.11.229 foxhound
          O1 - Hosts: 105.1.11.233 hawker
          O1 - Hosts: 105.1.15.80 edcmon
          O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
          O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
          O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
          O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
          O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
          O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
          O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
          O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
          O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
          O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
          O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
          O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
          O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
          O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
          O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
          O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
          O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
          O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
          O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
          O4 - HKCU\..\RunOnce: [*LogMeInRescue_2581696517] "C:\WINDOWS\LMI7.tmp\lmi_rescue.exe" -runonce reboot
          O4 - HKLM\..\Policies\Explorer\Run: [SpywareGuard] "C:\mpktnpah.exe"
          O4 - Global Startup: SAMSUNG NETWORKS VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
          O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
          O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
          O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
          O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
          O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
          O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
          O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
          O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
          O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
          O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
          O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
          O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
          O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
          O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
          O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
          O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
          O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
          O15 - Trusted Zone: http://*.samsung.net
          O15 - Trusted Zone: *.samsungportal.com
          O15 - Trusted IP range: http://70.2.140.140
          O15 - Trusted IP range: http://70.20.10.140
          O16 - DPF: {08BCD971-A13B-4D6E-A2A5-E9B2324FC00D} (ClientEXE Class) - http://service.samsungportal.com/EP/web/common/cabfiles/CM_ClientEXE.cab
          O16 - DPF: {2DAAD547-FA98-498C-8FB7-63A7FCBDC0AF} (MenuCtrl Class) - http://70.20.10.140:8011/sdscc/cabs/pdss40.cab
          O16 - DPF: {2FF8F8B7-1B3F-4E5F-93B1-FEF1D703C0F4} (LocalTree.LocalXMLTree) - http://w2.samsung.net/cabs/LocalFolder2004/Cab/mySingleLocal_U.cab
          O16 - DPF: {34B5A473-9696-4F9A-9BA1-41B8185A9798} (EpFTP3 Control) - http://w2.samsung.net/cabs/EpFTP3/EpFTP3_U.cab
          O16 - DPF: {37DEC207-782F-40F5-803C-18ACEDA1ABA6} (PersonalCache Control) - http://203.254.195.140/portalWeb/cabs/mySinglePersonalCache.cab
          O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200941689187
          O16 - DPF: {714E667D-360C-4BFB-8C1A-E4812B608CC1} (ACUBETrustChecker Control) - http://70.20.10.140:8000/EP/web/common/cabfiles/ACUBETrustChecker.cab
          O16 - DPF: {859A7EB3-35E6-434B-A82B-08B4F8DDE1B6} (NamoWeCtl 6.0 for samsung_mysingle) - http://w2.samsung.net/cabs/Namo/NamoWec.cab
          O16 - DPF: {88DDFD7D-14F7-4E89-8F85-737B90B1A0D0} (mySingleTrust.ClsMain) - http://203.254.195.140/cabs/LocalFolder2004/Cab/mySingle_Trust.CAB
          O16 - DPF: {9D67EBF0-AF1A-4BCE-BAC9-C84A9383E0B3} (SSOCheck Class) - https://service.samsungportal.com//EP/web/common/cabfiles/UniSSOCheck.cab
          O16 - DPF: {C4D88B8E-352B-11D6-BF77-0080C740A177} (Setup Class) - http://service.samsungportal.com/EP/web/common/cabfiles/ActiveXSetup.cab
          O16 - DPF: {C63E3330-049F-4C31-B47E-425C84A5A725} (EpAdm2 Control) - http://203.254.195.140/cabs/Tray/EpAdm2.cab
          O16 - DPF: {DE6ABA6A-095B-43E3-BEBB-879868DC5C8A} (SSLinks Control) - http://203.254.195.140/cabs/messenger/SSLinks.cab
          O16 - DPF: {E1D1DACA-5BA2-4376-89AD-3A213B916779} (IBLeaders IBSheet For Unicode Control) - http://70.20.1.100:7081/ghr/common/sheet/IBSheet4Unicode.CAB
          O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://206.67.236.179/dana-cached/setup/JuniperSetupSP1.cab
          O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sea.samsung.com
          O17 - HKLM\Software\..\Telephony: DomainName = sea.samsung.com
          O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD95933-CE86-4F62-9DF3-3F5AC5ADF1D6}: NameServer = 105.1.11.4,105.1.11.5,206.67.236.3,206.67.236.20
          O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sea.samsung.com
          O17 - HKLM\System\CS1\Services\Tcpip\..\{7BD95933-CE86-4F62-9DF3-3F5AC5ADF1D6}: NameServer = 105.1.11.4,105.1.11.5,206.67.236.3,206.67.236.20
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
          O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\program Files\Cisco Systems\VPN Client\cvpnd.exe
          O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
          O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
          O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
          O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
          O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
          O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

          --
          End of file - 12519 bytes
          Logged
          Pages: [1]   Go Up
          « previous next »