Old 07-04-2005, 10:25 PM   #1 (permalink)
Another Brick in the Wall
 
drgrudge's Avatar
 
Join Date: Jul 2004
Location: Dubai/Chennai
Posts: 3,027
Default Am I hijacked?


Hmmm, some useless programs (which I didn't know) were starting when I start my computer, so I thought I would give HijackThis a shot.

==============

Logfile of HijackThis v1.99.1
Scan saved at 9:21:27 PM, on 4/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\temp\salm.exe
C:\WINDOWS\dot.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [dot] C:\WINDOWS\dot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


So I interpreted it; see if it holds good.
__________________
I Love Photography. I Love Aperture. I Love Mac.
drgrudge is offline  

Old 07-04-2005, 10:26 PM   #2 (permalink)
Another Brick in the Wall
 
drgrudge's Avatar
 
Join Date: Jul 2004
Location: Dubai/Chennai
Posts: 3,027
Default

Quote:
Originally Posted by drgrudge
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\temp\salm.exe
C:\WINDOWS\dot.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [dot] C:\WINDOWS\dot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

OK, shall I remove the red entries?

What about the blue ones? (esp. the O4 entry of dot.exe)

And I have no idea about the O9 entries... what to do with so many buttons on the main Internet Explorer toolbar?
__________________
I Love Photography. I Love Aperture. I Love Mac.
drgrudge is offline  
Old 07-04-2005, 10:29 PM   #3 (permalink)
why need title?
 
bharathbala2003's Avatar
 
Join Date: Feb 2005
Location: CONFUSED!! AM LOST
Posts: 1,134
Default

You can remove the red ones.. and as far as the blue..

The first is PowerDVD loading on startup.. then one is the RealPlayer auto update; you can safely remove them.. I don't know about the Excel one..

As for the others, I suppose you can keep them.. no harm

(not sure much about the .dot)
bharathbala2003 is offline  
Old 07-04-2005, 11:08 PM   #4 (permalink)
Another Brick in the Wall
 
drgrudge's Avatar
 
Join Date: Jul 2004
Location: Dubai/Chennai
Posts: 3,027
Default

Quote:
Originally Posted by bharathbala2003
You can remove the red ones.. and as far as the blue..

The first is PowerDVD loading on startup.. then one is the RealPlayer auto update; you can safely remove them.. I don't know about the Excel one..

As for the others, I suppose you can keep them.. no harm

(not sure much about the .dot)

Hmm...
The PowerDVD thing is for remote control of your DVD playback, in case you have one, which I don't have...

realsched.exe is the RealMedia auto update for RealPlayer; also there is a worm by the name LOVE, so I didn't know about it.

I need to know about dot.exe and the O9 entries; there are so many of them and all of them Yahoo
__________________
I Love Photography. I Love Aperture. I Love Mac.
drgrudge is offline  
Old 07-04-2005, 11:16 PM   #5 (permalink)
Human Spambot
 
swatkat's Avatar
 
Join Date: Mar 2004
Location: India
Posts: 2,033
Default

Those O9 entries are the toolbar, context menu and Tools menu items in IE that are added by third-party software like Yahoo Messenger, downloaders, etc.
You can remove them if you don't want them.
But in your log file, some Yahoo files are missing, so it's better to remove these entries.
Quote:
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

And the O8 entry you highlighted in blue is the MS Office context menu entry in IE. You can leave it as it is.

And for dot.exe, you can upload it here for a scan.
http://www.kaspersky.com/scanforvirus
__________________
http://swatrant.blogspot.com/
swatkat is offline  
Old 07-04-2005, 11:32 PM   #6 (permalink)
Another Brick in the Wall
 
drgrudge's Avatar
 
Join Date: Jul 2004
Location: Dubai/Chennai
Posts: 3,027
Default

ok, did as said....

Here is the new one.

Logfile of HijackThis v1.99.1
Scan saved at 5:50:53 AM, on 4/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [dot] C:\WINDOWS\dot.exe
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{52407194-A84A-4255-8CF9-7A24824E3EF0}: NameServer = 61.1.96.69 61.1.96.71




Quote:
O17 - HKLM\System\CCS\Services\Tcpip\..\{52407194-A84A-4255-8CF9-7A24824E3EF0}: NameServer = 61.1.96.69 61.1.96.71

Shall I remove this?
__________________
I Love Photography. I Love Aperture. I Love Mac.
drgrudge is offline  
Old 07-04-2005, 11:35 PM   #7 (permalink)
Wise Old Owl
 
enoonmai's Avatar
 
Join Date: Oct 2004
Location: Parked diagonally in a parallel universe
Posts: 1,304
Default

LOL, in case you forgot, those are your DataOne DNS entries. You have absolutely no need to remove them.
__________________
Face it, kid! Provoking a reaction isn't the same thing as saying something significant - Calvin
A64 3000+@2.4G/Asus A8V-DLX/1G DDR400/BBA X800 XT PE/320G HGST SATA2
Playing FEAR XP/LSW2
enoonmai is offline  
Old 07-04-2005, 11:58 PM   #8 (permalink)
Another Brick in the Wall
 
drgrudge's Avatar
 
Join Date: Jul 2004
Location: Dubai/Chennai
Posts: 3,027
Default

OK..., I didn't know about the BSNL thing.

And about dot.exe, swat suggested doing an online scan..., it's a virus!
dot.exe - infected by not-a-virus:AdWare.180Solutions

Thanks for the help guys
__________________
I Love Photography. I Love Aperture. I Love Mac.
drgrudge is offline  
Old 08-04-2005, 12:00 AM   #9 (permalink)
Human Spambot
 
swatkat's Avatar
 
Join Date: Mar 2004
Location: India
Posts: 2,033
Default

180Solutions is not a virus, but it's spyware in the guise of the 180SearchAssistant search toolbar for IE.
So, fix that entry in HJT, delete the file, and run CCleaner and CleanUp! after this.
Also scan using AdAware once.
__________________
http://swatrant.blogspot.com/
swatkat is offline  
Old 08-04-2005, 12:05 AM   #10 (permalink)
Coming back to life ..
 
it_waaznt_me's Avatar
 
Join Date: Nov 2003
Location: A bit closer to heaven
Posts: 1,997
Default

Hmm, that dot.exe looks fishy to me ..
Anyway, if you have installed this thing then it's legitimate, or send it to me .. I'll examine it more closely ...
__________________
Sleight of hand and twist of fate...
On a bed of nails she makes me wait...
And I wait without you ...
With or without you ..
----
Batty = Too Busy Now !!!
it_waaznt_me is offline  
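
The manual triage done in this thread, as an added example (not code from any poster or from HijackThis itself): it parses the `O` entries of a HijackThis log and attaches the review notes the replies arrived at by hand. The `triage` function, the temp-directory and known-good heuristics, and the `known_good` list are assumptions made for illustration.

```python
import re

# Section labels as they appear in the HijackThis logs posted in this thread.
SECTIONS = {"O2": "BHO", "O4": "Run-key autostart", "O8": "IE context menu item",
            "O9": "IE button / Tools menu item", "O17": "DNS NameServer"}
ENTRY = re.compile(r"^(O\d+) - (.*)$")
EXE = re.compile(r'([^\\"\] ]+\.exe)', re.IGNORECASE)
# Assumed heuristic: executable sits under a directory named temp or tmp.
TEMP_DIR = re.compile(r"[a-z]:\\(?:[^\\]+\\)*te?mp\\", re.IGNORECASE)

def triage(log_text, known_good=()):
    """Parse O-entries and attach review notes; non-entry lines are skipped."""
    known = {name.lower() for name in known_good}
    results = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        notes = []
        if body.endswith("(file missing)"):
            notes.append("stale: target file missing")
        if code == "O4":
            exe = EXE.search(body)
            if TEMP_DIR.search(body):
                notes.append("autostart from temp directory")
            if exe and exe.group(1).lower() not in known:
                notes.append("unrecognised autostart: scan the file")
        if code == "O17":
            notes.append("check NameServer against ISP DNS")
        results.append({"code": code, "kind": SECTIONS.get(code, "other"),
                        "body": body, "notes": notes})
    return results

# Entries copied from the logs in this thread; the known-good list is constructed.
SAMPLE = r"""
Running processes:
C:\WINDOWS\Mixer.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [dot] C:\WINDOWS\dot.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{52407194-A84A-4255-8CF9-7A24824E3EF0}: NameServer = 61.1.96.69 61.1.96.71
"""

if __name__ == "__main__":
    for e in triage(SAMPLE, known_good=["Mixer.exe"]):
        print(f'{e["code"]:>3} [{e["kind"]}] {"; ".join(e["notes"]) or "no note"}')
        print(f'    {e["body"]}')
```

A note is a prompt to look closer, not a verdict: the O17 entry in this thread turned out to be the ISP's own DNS servers, and dot.exe was only identified after the file itself was scanned.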
 

All times are GMT +5.5.

