17-01-2005, 11:50 AM
#1
In The Zone
Join Date: Jul 2004
Posts: 211
Help needed to remove Desktop Hijacker from my PC....
Hi,
Last week I visited a bad website and immediately a desktop hijacker sat on my desktop.
Then I used:
Ad-Aware SE Professional 1.05 (with latest definitions)
and
Webroot SpySweeper (latest version, with latest definitions)
and
Spybot Search & Destroy 1.3 (with latest definitions)
After using these 3 programs I was able to remove that "AD" that appeared on the desktop, but I couldn't remove the blank screen of that hijacker.
The blank screen changes between 2 colors, "white" and "cement", every 20 seconds on the desktop automatically.
And I couldn't right-click the desktop. I even tried changing the wallpaper, but no way. The hijacker blank screen remains.
You can see the images of my desktop. The BG of the desktop is the "background" of the hijacker.
Where is the file of this desktop hijacker stored on the PC, so that I can delete it myself and remove that irritating BG of the hijacker?
How to get rid of this problem...
Thanx in Advance
Arsenal.
17-01-2005, 02:17 PM
#2
Broken In
Join Date: May 2004
Location: Kolkata
Posts: 197
Post your HijackThis log file here.
__________________
Hard work never killed anybody..........But why take the RISK
17-01-2005, 02:39 PM
#3
Alpha Geek
Join Date: Feb 2004
Location: Belgaum
Posts: 745
Maybe you can try this,
Right-click on your desktop>Properties>Desktop>Customize Desktop>Web>Uncheck entries which have not been set by you[mostly malicious].
__________________
The protection of a machine is a process & not a given -Duane Arnold.
www.Oobertech.net
Look ma my blog http://techhub.blogspot.com/
17-01-2005, 03:40 PM
#4
In The Zone
Join Date: Jul 2004
Posts: 211
Quote:
Right-click on your desktop>Properties>Desktop>Customize Desktop>Web>Uncheck entries which have not been set by you[mostly malicious]
I'm unable to do this also. In right-click > Properties
I get this window.
I even searched for the "desktop.html" file in the WINNT directory with the search tool, but no use. There is no such file, but the Properties button shows.
I will send the log file soon.
Thanx
Arsenal.
17-01-2005, 05:00 PM
#5
In The Zone
Join Date: Jul 2004
Posts: 211
Log File "indrajit"
Here's the log file, "indrajit":
Quote:
Logfile of HijackThis v1.99.0
Scan saved at 4:57:15 PM, on 1/17/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\PROGRA~1\Zinio\ZDLM.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\ABK\abk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Documents and Settings\opac\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 3.174.26.70:8080
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRA~1\DAP\dapbho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C2260B66-CCA5-E059-DB8C-90ABA1040794} - C:\WINNT\system32\peksvrb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Z1DSPW5] c:\documents and settings\opac\local settings\temp\Z1DSPW5.exe
O4 - HKLM\..\Run: [BITzop9] c:\documents and settings\opac\local settings\temp\BITzop9.exe
O4 - HKLM\..\Run: [6vG9AP702] c:\documents and settings\opac\local settings\temp\6vG9AP702.exe
O4 - HKLM\..\Run: [gB2LV] c:\documents and settings\opac\local settings\temp\gB2LV.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4\THGuard.exe"
O4 - HKLM\..\Run: [Spy Watcher] "C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe" -S
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Instant Messenger - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenge...ger.yahoo.com/ (file missing)
O9 - Extra button: Gexus - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)
O9 - Extra 'Tools' menuitem: Gexus - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .zip: C:\PROGRA~1\PKWARE\PKZIPP\nppkzip.dll
O14 - IERESET.INF: START_PAGE_URL=http://crd.home.ge.com/
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: (HKLM)
O16 - DPF: {0036F389-FEF8-43AC-9220-16430E0012ED} - http://naupoint.com/toolbar/installer/iEBINST5.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://crdquickplace02.ge.com/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - http://advnt01.com/dialer/russia.CAB
O16 - DPF: {426F81A5-0B8C-4948-8115-11606FD3F389} - http://www.serialspot.com/serials/serials.cab
O16 - DPF: {60261C06-81B0-4DE0-9313-E5BA203A64E9} - http://216.195.35.10/pdfmgr_s.cab
O16 - DPF: {68E53982-CCCE-48C2-89B9-C3C97638F9B4} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://pacioli.crd.ge.com/oa/US/jinit11816.exe
O16 - DPF: {9BBC1154-218D-453C-97F6-A06582224D81} - http://www.shifen.com/update/moon/install.cab
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} - http://hkmeeting01c.ge.com/sametime/...TJNILoader.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014061.exe
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://www.35mb.com/downloadapplet.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = crd.ge.com,ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
O23 - Service: AutoComplete Service - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: OracleOraHome81ClientCache - Unknown - c:\oracle\ora81\BIN\ONRSD.EXE
Thanx in Advance
Arsenal
17-01-2005, 05:30 PM
#6
Alpha Geek
Join Date: Feb 2004
Location: Belgaum
Posts: 745
As I had suggested earlier, your desktop has been hijacked by replacing it with a webpage.
Try scanning under Safe Mode and see if the anti-spyware software detects anything, till someone goes through the log file and posts back.
__________________
The protection of a machine is a process & not a given -Duane Arnold.
www.Oobertech.net
Look ma my blog http://techhub.blogspot.com/
17-01-2005, 10:16 PM
#7
Human Spambot
Join Date: May 2004
Location: off to "never ever" land
Posts: 2,912
Win 98, eh?
First go to Control Panel, then Display Properties,
and from one of those tabs disable your Active Desktop and remove the "Active Desktop item" from the list.
As for the HijackThis log file,
this is my first attempt, since Bats is away (Raven will play):
Code:
C:\WINNT\SYSTEM32\DWRCS.EXE <-- unknown
C:\WINNT\SYSTEM32\DWRCST.exe <-- unknown
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe <-- unknown
C:\Program Files\Lotus\Sametime Client\Connect.exe <-- unknown
C:\Program Files\ABK\abk.exe <-- unknown
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 3.174.26.70:8080 <-- This page could possibly be nasty. If you do not know the entry '3.174.26.70:8080', delete it.
O2 - BHO: (no name) - {C2260B66-CCA5-E059-DB8C-90ABA1040794} - C:\WINNT\system32\peksvrb.dll (file missing)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([C2260B66-CCA5-E059-DB8C-90ABA1040794] - Result: ) has been checked. Hit rate: -1 % Unknown application.
Unnecessary (deactivated) entry that can be fixed.
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" <--unknown
O4 - HKLM\..\Run: [Z1DSPW5] c:\documents and settings\opac\local settings\temp\Z1DSPW5.exe <--Unknown application.
O4 - HKLM\..\Run: [BITzop9] c:\documents and settings\opac\local settings\temp\BITzop9.exe <-- Unknown application.
O4 - HKLM\..\Run: [6vG9AP702] c:\documents and settings\opac\local settings\temp\6vG9AP702.exe <-- Unknown application.
O4 - HKLM\..\Run: [gB2LV] c:\documents and settings\opac\local settings\temp\gB2LV.exe <-- Unknown application.
O9 - Extra button: Instant Messenger - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
Unnecessarily The entry Instant Messenger has been identified as safe. If the entry 'Instant Messenger ' is not needed anymore, it should be fixed.
Unnecessary (deactivated) entry that can be fixed.
O9 - Extra button: Gexus - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)
Unnecessarily Unknown buttons or entries in the 'Extras'-menu should be fixed. To be fixed if the entry 'Gexus ' is unknown.
Unnecessary (deactivated) entry that can be fixed.
O9 - Extra 'Tools' menuitem: Gexus - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)
Unnecessarily Unknown buttons or entries in the 'Extras'-menu should be fixed. To be fixed if the entry 'Gexus ' is unknown.
Unnecessary (deactivated) entry that can be fixed.
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
Nasty This entry should be fixed by HijackThis!
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\WINNT\System32\shdocvw.dll
Possibly nasty Unknown buttons or entries in the 'Extras'-menu should be fixed. To be fixed if the entry '@C:\Program Files\Failsafe\GuardIE\PnIE.dll,' is unknown.
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\WINNT\System32\shdocvw.dll
Possibly nasty Unknown buttons or entries in the 'Extras'-menu should be fixed. To be fixed if the entry '@C:\Program Files\Failsafe\GuardIE\PnIE.dll,' is unknown.
O14 - IERESET.INF: START_PAGE_URL=http://crd.home.ge.com/
Possibly nasty This entry should be fixed if this address does not belong to your PC-manufacturer or your 'Internet-Service-Provider (ISP)'. This entry should be fixed if 'http://crd.home.ge.com/' is not your PC-manufacturer or your 'Internet-Service-Provider (ISP)'.
O15 - Trusted Zone: *.skoobidoo.com
Nasty If you did not add these pages to your trusted pages, they should be fixed.
O15 - Trusted Zone: *.slotchbar.com
Nasty If you did not add these pages to your trusted pages, they should be fixed.
O15 - Trusted Zone: *.windupdates.com
Nasty If you did not add these pages to your trusted pages, they should be fixed.
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
Nasty If you did not add these pages to your trusted pages, they should be fixed.
O15 - Trusted Zone: *.slotchbar.com (HKLM)
Nasty If you did not add these pages to your trusted pages, they should be fixed.
O15 - Trusted Zone: *.windupdates.com (HKLM)
Nasty If you did not add these pages to your trusted pages, they should be fixed.
O15 - Trusted IP range: 67.19.185.246
Nasty If you did not add these pages to your trusted pages, they should be fixed.
O15 - Trusted IP range: (HKLM)
Possibly nasty If you did not add these pages to your trusted pages, they should be fixed. If you didn't add '(HKLM)' to your trusted pages, it should be fixed.
O16 - DPF: {0036F389-FEF8-43AC-9220-16430E0012ED} - http://naupoint.com/toolbar/installer/iEBINST5.cab
Nasty This entry is possibly nasty. Should be fixed.
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://crdquickplace02.ge.com/qp2.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - http://advnt01.com/dialer/russia.CAB
Nasty This entry is possibly nasty. Should be fixed.
O16 - DPF: {426F81A5-0B8C-4948-8115-11606FD3F389} - http://www.serialspot.com/serials/serials.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {60261C06-81B0-4DE0-9313-E5BA203A64E9} - http://216.195.35.10/pdfmgr_s.cab
Nasty This entry is possibly nasty. Should be fixed.
O16 - DPF: {68E53982-CCCE-48C2-89B9-C3C97638F9B4} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://pacioli.crd.ge.com/oa/US/jinit11816.exe
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {9BBC1154-218D-453C-97F6-A06582224D81} - http://www.shifen.com/update/moon/install.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} - http://hkmeeting01c.ge.com/sametime/STMeetingRoomClient/STJNILoader.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
Nasty This entry is possibly nasty. Should be fixed.
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014061.exe
Nasty This entry is possibly nasty. Should be fixed.
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://www.35mb.com/downloadapplet.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
Possibly nasty If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or Domain 'grmsasia.grms.ge.com'? If not, fix this entry.
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = crd.ge.com,ge.com
Possibly nasty If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or Domain 'crd.ge.com,ge.com'? If not, fix this entry.
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
Possibly nasty If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or Domain 'grmsasia.grms.ge.com'? If not, fix this entry.
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
Possibly nasty If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or Domain 'grmsasia.grms.ge.com'? If not, fix this entry.
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
Nasty Only a few Hijackers are listed here. The most popular are 'cn' (CommonName) , 'ayb' (Lop.com) and 'relatedlinks' (Huntbar) . They should be fixed. Should be fixed.
O23 - Service: AutoComplete Service - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
Unknown These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. Unknown service. (autocomp.exe)
O23 - Service: DameWare Mini Remote Control - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
Unknown These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. Unknown service. (DWRCS.EXE)
O23 - Service: OracleOraHome81ClientCache - Unknown - c:\oracle\ora81\BIN\ONRSD.EXE
Unknown These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. Unknown service. (ONRSD.EXE)
Check all these and click on "fix selected".
__________________
No Mercy, No Limits.
Oobertech.net - Keeping Knowledge Free
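The annotations above are the manual version of a triage pass over a HijackThis log: autoruns launched from a Temp folder, Trusted Zone entries the user never added, ActiveX downloads with "dialer" in the URL or a raw .exe payload, a proxy nobody configured, and registrations whose DLL is already gone. The script below is an added example (not posted in this thread and not part of HijackThis) that applies those same heuristics to log lines; the sample lines are constructed from entries in the log posted above, and the `KNOWN_GOOD_DOMAINS` allow-list is a hypothetical stand-in for whatever your own environment legitimately uses. Every hit is a candidate for a human to review, not a verdict.

```python
"""Triage a HijackThis log with the heuristics used in the thread above.

Added example; assumes nothing beyond the standard library.  Findings are
review candidates, not verdicts: a person decides what to "fix".
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 3.174.26.70:8080
O2 - BHO: (no name) - {C2260B66-CCA5-E059-DB8C-90ABA1040794} - C:\WINNT\system32\peksvrb.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Z1DSPW5] c:\documents and settings\opac\local settings\temp\Z1DSPW5.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - http://advnt01.com/dialer/russia.CAB
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://crdquickplace02.ge.com/qp2.cab
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
"""

# Hypothetical allow-list: domains this machine is expected to load ActiveX from.
KNOWN_GOOD_DOMAINS = {"ge.com"}

# Autorun targets living under a Temp directory (matches "...\temp\" or
# "...\local settings\temp\"), as in the four random-named O4 entries above.
TEMP_DIR = re.compile(r"\\(local settings\\)?temp\\", re.I)

# Words the thread's analyser flags in an ActiveX (O16) name or URL.
DPF_BAD_WORDS = ("dialer", "casino", "free plugin")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    severity: str  # "fix" (clear leftover/abuse) or "review" (needs a human)
    reason: str
    line: str


def _host(url: str) -> str:
    """Return the lower-cased host of an http(s) URL, or '' if none."""
    m = re.match(r"https?://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def _known_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DOMAINS)


def triage_line(line: str):
    """Classify one HijackThis log line; returns a Finding or None."""
    line = line.strip()
    if not line:
        return None
    sec = line.split(" - ", 1)[0]

    if sec == "R1" and "ProxyServer =" in line:
        return Finding(sec, "review", "proxy configured: all IE traffic is relayed through it unless you set it", line)
    if sec == "O2" and line.endswith("(file missing)"):
        return Finding(sec, "fix", "BHO registration whose DLL is gone (leftover of a removed component)", line)
    if sec == "O4":
        target = line.split("] ", 1)[1] if "] " in line else ""
        if TEMP_DIR.search(target):
            return Finding(sec, "fix", "autorun launching an executable from a Temp directory", line)
    if sec == "O15":
        return Finding(sec, "review", "Trusted Zone entry lowers IE security for this site/IP; fix unless you added it", line)
    if sec == "O16":
        url = line.rsplit(" - ", 1)[1]
        if any(w in url.lower() for w in DPF_BAD_WORDS) or url.lower().endswith(".exe"):
            return Finding(sec, "fix", "ActiveX download with a dialer/casino keyword or a raw .exe payload", line)
        if not _known_host(_host(url)):
            return Finding(sec, "review", f"ActiveX object from unrecognised host {_host(url)}", line)
    if sec == "O18" and line.endswith("(no file)"):
        return Finding(sec, "fix", "protocol handler whose DLL is gone", line)
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Running it on the sample prints seven findings; the Symantec `vptray.exe` autorun and the QuickPlace control from the allow-listed `ge.com` host are not reported, which is the point of carrying an allow-list rather than flagging every non-Microsoft entry.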
18-01-2005, 10:45 AM
#8
In The Zone
Join Date: Jul 2004
Posts: 211
Very many thanks to you guys.
Thank you very much "The Raven" and "Digen Verma".
I disabled the Active Desktop item and it worked.
I fixed some of them using HijackThis as suggested by "Raven".
I will also do a test in "Safe Mode" and see whether there are any leftovers of the hijacker.
Thanks once again "Raven"
Arsenal.