
Help needed with Hijack This log

#1
indian2003us2003

    New Member

  • Member
  • 3 posts
Hi,

My system is caught up with aurora, elite cash back, winfix 2005, casino, betterinetnet, partypoker, etc. I don't know; all of a sudden all these came up.

I tried to run the spyware tools: Ad-Aware SE Personal, Microsoft antispyware, ewido security suite, Norton antivirus.

But every time after clearing this spyware, it used to appear again. I have restarted in safe mode and run all these again.

After doing this, I ran HijackThis; here is the log. Can you please let me know whether there is any problem still? Do I need to delete any of the things in this?

Please help me in resolving the problem.

Thanks in advance.


Here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 7:53:58 PM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Soft\Trials\SunWebServer61ASP\bin\https\bin\webservd-wdog.exe
C:\Soft\Trials\SunWebServer61ASP\bin\https\bin\webservd.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Soft\Yahoo!\Messenger\ypager.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Documents and Settings\MadhuSiva\Desktop\Spyware\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=wren.state.mo.us:1080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\MadhuSiva\Application Data\Mozilla\Profiles\default\4v9lzb5o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CSoft%5CFree%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MadhuSiva\Application Data\Mozilla\Profiles\default\4v9lzb5o.slt\prefs.js)
O1 - Hosts: 216.239.37.99 google.com
O1 - Hosts: 216.239.37.99 google.co.uk
O1 - Hosts: 216.239.37.99 google.ca
O1 - Hosts: 216.239.37.99 google.es
O1 - Hosts: 216.239.37.99 google.de
O1 - Hosts: 216.239.37.99 google.fr
O1 - Hosts: 216.239.37.99 google.com.au
O1 - Hosts: 216.109.118.79 yahoo.com
O1 - Hosts: 207.68.173.254 msn.com
O2 - BHO: MSEvents Object - {7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC} - C:\WINDOWS\inf\cathard.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [wqpychp] c:\windows\system32\nqtpigd.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Soft\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Soft\Free\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Soft\Free\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Read By Natural Voice Reader - C:\Soft\Free\read.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Soft\Free\read.html
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.telugutor...om/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.c...er/IbmEgath.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) -
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...autocompletecab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_2us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F436D2E-F569-40D5-AFE1-9BF4F9050550}: NameServer = 204.127.202.4,216.148.227.68
O18 - Protocol: alp - {D7F12BDE-1092-11D5-999A-0040332BA2EA} - C:\PROGRA~1\NEWOBJ~1\ALP\iewebsrv.dll
O18 - Protocol: alpdump - {D7F12BDE-1092-11D5-999A-0040332BA2EA} - C:\PROGRA~1\NEWOBJ~1\ALP\iewebsrv.dll
O20 - Winlogon Notify: cathard - C:\WINDOWS\inf\cathard.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Sun ONE Web Server 6.1 Administration Server (https-admserv61) - Sun Microsystems, Inc. - C:\Soft\Trials\SunWebServer61ASP\bin\https\bin\webservd-wdog.exe
O23 - Service: Sun ONE Web Server 6.1 (https-DREAMS1) (https-DREAMS1) - Sun Microsystems, Inc. - C:\Soft\Trials\SunWebServer61ASP\bin\https\bin\webservd-wdog.exe
O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Soft\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Soft\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Soft\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2
indian2003us2003

    New Member

  • Topic Starter
  • Member
  • 3 posts
Somebody please help me in correcting the errors from the above log file.

So that I can work on my computer. Your help is appreciated.

Thanks in advance

#3
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Let's start off by downloading a few necessary programs.

Download and Unzip Process Explorer Here
Scroll to the bottom of the page and select your Operating System.
Unzip it to its own folder on the desktop so you can find it later.
Download and install Advanced Process Manipulation Here

Then copy the part in bold below into Notepad and save it directly to the root directory as vundoh.reg.
Set the file type to "All files" (the file should now be here: C:\vundoh.reg)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cathard]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC}]
"Compatibility Flags"=dword:00000400


Now reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Open Process Explorer.
  • Scroll down in the main window and find winlogon.exe
  • Right click on winlogon.exe and select Suspend
  • Leave Process Explorer open.
Now run HijackThis and put checkmarks in front of these lines

O1 - Hosts: 216.239.37.99 google.com
O1 - Hosts: 216.239.37.99 google.co.uk
O1 - Hosts: 216.239.37.99 google.ca
O1 - Hosts: 216.239.37.99 google.es
O1 - Hosts: 216.239.37.99 google.de
O1 - Hosts: 216.239.37.99 google.fr
O1 - Hosts: 216.239.37.99 google.com.au
O1 - Hosts: 216.109.118.79 yahoo.com

O2 - BHO: MSEvents Object - {7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC} - C:\WINDOWS\inf\cathard.dll

O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp

O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe

O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab

O20 - Winlogon Notify: cathard - C:\WINDOWS\inf\cathard.dll


Do NOT fix them yet

Now open Advanced Process Manipulation.
  • Scroll down in the main window and find c:\windows\explorer.exe
  • Click on the entry and that will display a list of files in the second window.
  • Scroll down the list in the second window and find C:\WINDOWS\inf\cathard.dll
  • Right click on that entry and select Unload DLL
  • You will now lose your Start Bar and Desktop Icons. This is normal.
  • Leave Advanced Process Manipulation open
Go back to Process Explorer window.
  • Click File > Run
  • In the run box type regedit.exe /s C:\vundoh.reg
Back in Advanced Process Manipulation.
  • Scroll down in the main window and find c:\windows\system32\winlogon.exe
  • Click on the entry and that will display a list of files in the second window.
  • Scroll down the list in the second window and find C:\WINDOWS\inf\cathard.dll
  • Right click on that entry and select Unload DLL
  • You will have to click OK about six times
In HijackThis click Fix checked. You will be prompted that you are about to remove a BHO. That's what you want.

Now back in Process Explorer.
  • Find winlogon.exe again.
  • Right click on winlogon.exe and select Resume
  • This should reboot your computer automatically.
After the reboot copy the code below into notepad and save it as findtheother.bat

echo ** This batch was originally written by OSC **
rem Work inside the folder where the log shows the Vundo DLL (cathard.dll)
cd /d C:\WINDOWS\inf
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
rem Clear the system, read-only, hidden and archive attributes in this folder and below
attrib /d /s -s -r -h -a
start notepad C:\contents.txt
exit


Then double-click that file, and when it is done it will open a text file showing all hidden and system files in that folder. Post the contents of that file in a reply to this thread along with a new HijackThis log.

I will need a current HijackThis log so please do not reboot after posting the new log.
Or if you have to, post a new log when you get back.

Regards,
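A triage pass over the kind of log posted above, added here as an example and not part of the thread or of HijackThis: it encodes the heuristics behind the lines Metallica selected (hosts-file overrides, a DLL registered both as a BHO and as a Winlogon Notify handler, Run entries whose target has no extension or whose name is its own path, an ActiveX download with no control name, a Notify DLL outside System32). The sample lines are copied from the first log in this thread; the rules are assumptions drawn from this thread, not a general Vundo detector.

```python
import re

# Constructed sample: HijackThis 1.99.1 lines copied from the first log in
# this thread, trimmed to the sections the triage below examines.
SAMPLE_LOG = r"""
O1 - Hosts: 216.239.37.99 google.com
O1 - Hosts: 216.109.118.79 yahoo.com
O1 - Hosts: 207.68.173.254 msn.com
O2 - BHO: MSEvents Object - {7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC} - C:\WINDOWS\inf\cathard.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.c...er/IbmEgath.cab
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
O20 - Winlogon Notify: cathard - C:\WINDOWS\inf\cathard.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(.*?)\] (.*)$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_entries(log):
    """Yield (section, body) for each 'Oxx - ...' line; other lines are ignored."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def run_target(command):
    """First token of an O4 command: the quoted path if present, else up to the first space."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def triage(log):
    """Return a list of (section, reason, body) for entries worth a second look."""
    entries = list(parse_entries(log))
    findings = []
    # DLLs hooked into winlogon.exe via Winlogon\Notify load before the desktop
    # and are re-registered on reboot, which is why the thread suspends
    # winlogon and unloads the DLL before the registry keys are removed.
    notify_dlls = {body.rsplit(" - ", 1)[1].lower() for s, body in entries if s == "O20"}
    for section, body in entries:
        if section == "O1":
            # HijackThis lists only non-default hosts entries, so every O1 line
            # overrides normal name resolution for that host.
            ip, host = body[len("Hosts: "):].split()
            findings.append((section, f"hosts file pins {host} to {ip}", body))
        elif section == "O2":
            dll = body.rsplit(" - ", 1)[1].lower()
            if dll in notify_dlls:
                findings.append((section, "BHO DLL is also a Winlogon Notify handler", body))
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            name, command = m.groups()
            target = run_target(command)
            if "." not in target.rsplit("\\", 1)[-1]:
                findings.append((section, "Run target has no file extension", body))
            elif "\\" in name:
                findings.append((section, "Run value is named after its own path", body))
        elif section == "O16":
            if not re.match(r"^DPF: \{[0-9A-Fa-f-]+\} \(", body):
                findings.append((section, "ActiveX download with no control name", body))
        elif section == "O20":
            dll = body.rsplit(" - ", 1)[1].lower()
            if not dll.startswith(SYSTEM32):
                findings.append((section, "Winlogon Notify DLL outside System32", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {body}")
```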

#4
indian2003us2003

    New Member

  • Topic Starter
  • Member
  • 3 posts
Metallica, thanks for the reply.

Actually I did some clean-up while I'm waiting for the reply. Now when I run ewido I'm able to see Virtumonde spyware infected cathard.dll.

Here is the log file which I have generated just now; please go through it. And please advise me whether I need to do all the steps you told me or not, because I ran some anti-spyware and I'm able to see only Virtumonde spyware (visible to me).

Once again, thanks for the help; I'm waiting for your reply.


Logfile of HijackThis v1.99.1
Scan saved at 4:53:03 PM, on 7/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Soft\Trials\SunWebServer61ASP\bin\https\bin\webservd-wdog.exe
C:\Soft\Trials\SunWebServer61ASP\bin\https\bin\webservd.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Soft\Yahoo!\Messenger\ypager.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Documents and Settings\MadhuSiva\Desktop\Spyware\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=wren.state.mo.us:1080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\MadhuSiva\Application Data\Mozilla\Profiles\default\4v9lzb5o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CSoft%5CFree%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MadhuSiva\Application Data\Mozilla\Profiles\default\4v9lzb5o.slt\prefs.js)
O1 - Hosts: 216.239.37.99 google.com
O1 - Hosts: 216.239.37.99 google.co.uk
O1 - Hosts: 216.239.37.99 google.ca
O1 - Hosts: 216.239.37.99 google.es
O1 - Hosts: 216.239.37.99 google.de
O1 - Hosts: 216.239.37.99 google.fr
O1 - Hosts: 216.239.37.99 google.com.au
O1 - Hosts: 216.109.118.79 yahoo.com
O1 - Hosts: 207.68.173.254 msn.com
O2 - BHO: MSEvents Object - {7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC} - C:\WINDOWS\inf\cathard.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Soft\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Soft\Free\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Soft\Free\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Read By Natural Voice Reader - C:\Soft\Free\read.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Soft\Free\read.html
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.telugutor...om/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....d=39204&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.c...er/IbmEgath.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) -
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...PhotoUploader.CAB
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c....com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c....com/dl/installs/ydropper/ydropper1_2us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F436D2E-F569-40D5-AFE1-9BF4F9050550}: NameServer = 204.127.202.4,216.148.227.68
O18 - Protocol: alp - {D7F12BDE-1092-11D5-999A-0040332BA2EA} - C:\PROGRA~1\NEWOBJ~1\ALP\iewebsrv.dll
O18 - Protocol: alpdump - {D7F12BDE-1092-11D5-999A-0040332BA2EA} - C:\PROGRA~1\NEWOBJ~1\ALP\iewebsrv.dll
O20 - Winlogon Notify: cathard - C:\WINDOWS\inf\cathard.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Sun ONE Web Server 6.1 Administration Server (https-admserv61) - Sun Microsystems, Inc. - C:\Soft\Trials\SunWebServer61ASP\bin\https\bin\webservd-wdog.exe
O23 - Service: Sun ONE Web Server 6.1 (https-DREAMS1) (https-DREAMS1) - Sun Microsystems, Inc. - C:\Soft\Trials\SunWebServer61ASP\bin\https\bin\webservd-wdog.exe
O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Soft\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Soft\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Soft\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#5
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Yes. Please follow the procedure exactly as I described.

Regards,