22-02-2005, 11:44 AM
|
#1 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
how do U read this?
people i wana ask U a very simple question ..how to U read & identify errors in the hijack thing!!
plzz tell me how U people understand those number things ..with port number & all tht stuff??
I'm curious abt it 
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
Advertisements. Register and be a member of the community to get rid of them.
|
|
Advertisement
|
|
|
22-02-2005, 02:42 PM
|
#2 (permalink)
|
|
Human Spambot
Join Date: Mar 2004
Location: India
Posts: 2,033
|
do u mean HiajckThis Lof file?
__________________
http://swatrant.blogspot.com/
|
|
|
|
|
22-02-2005, 02:44 PM
|
#3 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
Exactly tht Swat .. explain it yaar plzz!
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
22-02-2005, 03:04 PM
|
#4 (permalink)
|
|
Human Spambot
Join Date: Mar 2004
Location: India
Posts: 2,033
|
well....First few entries in HijackThis (HJT) Log file is the Background Running Processes/ Here u check the files or processes which have suspecious looking names like Expl0rer.ex (has Zero instead of O) or winupdt.exe (windows doents have this file, but the user is tricked by the name) or some random names like sdfrw3345sdf.exe or something.Then we to delete those fiels.
Netx, in HJT log u will have entries preceded by R0, R1, R2, these entries list IE Startup Page, Search Page and Default update page. If the Browser is
hijacked, these links will be changed to some unknown underground websites or some AD websites. Default entries r contains links to msn, microsoft, wwindowsupadte.microsoft like that...
Next, u will have entries precede by F0, F1, These list the Programas that run at Startup. Here also u have look at the Filenames which is suspecious in nature.
then there r entries preceded by o1, o2, o3 up to o23, all these may not be in a single log file....
Important ones are:-
O2 - Browser Helper Objects (BHO)
O3 - Internet Explorer toolbars (like Google Toolbar)
O4 - Autoloading programs from Registry
O8 - Extra items in IE right-click menu (Added Context menu items)
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu (Added buttons like FlashGet or DAP buttons)
O12 - IE plugins (Lists all the Plugins of IE installed)
O15 - Unwanted site in Trusted Zone (Trusted Zone ideally lists WindowsUpdate Site, but some Spyware adds sites like Ad-sites, Warez site etc to it, HJT list all the sites here)
O16 - ActiveX Objects (aka Downloaded Program Files) (lists all ActiveX components, like Java, Flash plugin and any possible spyware)
O17 - Lop.com domain hijackers (LOP.COM is one Spyware/ADware site, which when infects a system, it places Icons like Poker, Travel, Bingo etc on Desktop and these can not be deleted)
HJT lists ALL entries of above fields, but we have to filter out the bad ones out of these and remove them....
common methods to identify bad things r:-
1]Suspicious looking or randome looking filename
2]Non default IE startup/search page.
3]Suspicious DLL files that too residing in Temp folders.
4]AdWare (like IEPlugin, Aureate, Go!zilla etc) based buttons / toolbars in IE.
__________________
http://swatrant.blogspot.com/
|
|
|
|
|
22-02-2005, 06:59 PM
|
#5 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
thanks! a lot .. Swat .. i'll try it on my ow & will ask further queries if any comes! 
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
22-02-2005, 10:07 PM
|
#6 (permalink)
|
|
Just Do It
Join Date: Feb 2005
Location: Bangalore
Posts: 2,126
|
Re: how do U read this?
Quote:
|
Originally Posted by yehmeriidhain
people i wana ask U a very simple question ..how to U read & identify errors in the hijack thing!!
plzz tell me how U people understand those number things ..with port number & all tht stuff??
I'm curious abt it |
swat is the right person,dr.grudge.ennonmai tooo .i got a .lot of probs solved by them....... It's free advice
|
|
|
|
|
23-02-2005, 11:27 AM
|
#7 (permalink)
|
|
Human Spambot
Join Date: Feb 2004
Location: Mumbai
Posts: 2,653
|
Cool short tutoral swatkat 
But besides the knowledge about these entries, you even need some more general knowledge about the known viruses, trojans, worms to be able to locate their existence in the log.
__________________
:: Free hosting and free domain names available in special cases. Conditions apply ::
|
|
|
|
|
23-02-2005, 01:18 PM
|
#8 (permalink)
|
|
Alpha Geek
Join Date: Apr 2004
Location: United States
Posts: 624
|
Nice info swatkat!
__________________
Be not Thou far from me o Lord....o my strength....haste Thee to help me.
|
|
|
|
|
23-02-2005, 03:45 PM
|
#9 (permalink)
|
|
Coming back to life ..
Join Date: Nov 2003
Location: A bit closer to heaven
Posts: 1,997
|
Have a look at this page too ..
The new HijackThis (1.99) have the option 023 for Services in WinXP ...
__________________
Sleight of hand and twist of fate...
On a bed of nails she makes me wait...
And I wait without you ...
With or without you ..
----
Batty = Too Busy Now !!!
|
|
|
|
|
24-02-2005, 11:09 AM
|
#10 (permalink)
|
|
Human Spambot
Join Date: Feb 2004
Location: Mumbai
Posts: 2,653
|
That was a pretty useful link. Thanks.
__________________
:: Free hosting and free domain names available in special cases. Conditions apply ::
|
|
|
|
|
24-02-2005, 12:27 PM
|
#11 (permalink)
|
|
In The Zone
Join Date: Nov 2003
Location: Ghaziabad
Posts: 227
|
Very Informative.
Thanks for the info swatkat.
Thanks yehmeriidhain
for asking for the information.
|
|
|
|
|
24-02-2005, 04:38 PM
|
#12 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
Thanks! it_waaznt_me tht was great! link ..thanks! man! 
Tell me one more thing! ..to which extent this hijack thing is useful!
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
25-02-2005, 09:54 PM
|
#13 (permalink)
|
|
Wise Old Owl
Join Date: Oct 2004
Location: Parked diagonally in a parallel universe
Posts: 1,304
|
Its useful to the extent of finding out what processes are currently running on your computer, what processes autoload and what programs are associated with your browser like helper apps, plugins and basically all the stuff that swatkat listed in his post. It cannot help you fix internal Windows problems like corrupted files, startup/boot troubles and pretty much anything outside the browser environment.
And considering that most people are just infected with spyware/viruses, its dead useful, basically a way of narrowing down the problem.
__________________
Face it, kid! Provoking a reaction isn't the same thing as saying something significant - Calvin
A64 3000+@2.4G/Asus A8V-DLX/1G DDR400/BBA X800 XT PE/320G HGST SATA2
Playing FEAR XP/LSW2
|
|
|
|
|
26-02-2005, 12:49 AM
|
#14 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
thanks! enoonmai! great ..
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
27-02-2005, 08:55 PM
|
#15 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
here is my system log .. i didn't find nething! suspicious can U people help me in this ..
Quote:
Logfile of HijackThis v1.99.0
Scan saved at 8:46:47 PM, on 2/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
E:\Set Ups\Yz Dock\YzDock.exe
C:\Program Files\foobar2000\foobar2000.exe
E:\Set Ups\buddy\BuddyOnlineCheckerV2.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
E:\Set Ups\buddy\BuddyOnlineCheckerV2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Set Ups\Softwares\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Upcoming Storm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://www.iiita.ac.in/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 172.31.1.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
|
Thanks ! in advance!
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
28-02-2005, 01:56 AM
|
#16 (permalink)
|
|
Human Spambot
Join Date: Mar 2004
Location: India
Posts: 2,033
|
Quote:
|
Originally Posted by yehmeriidhain
here is my system log .. i didn't find nething! suspicious can U people help me in this ..
Quote:
Logfile of HijackThis v1.99.0
Scan saved at 8:46:47 PM, on 2/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
E:\Set Ups\Yz Dock\YzDock.exe
C:\Program Files\foobar2000\foobar2000.exe
E:\Set Ups\buddy\BuddyOnlineCheckerV2.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
E:\Set Ups\buddy\BuddyOnlineCheckerV2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Set Ups\Softwares\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Upcoming Storm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://www.iiita.ac.in/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 172.31.1.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
|
Thanks ! in advance! |
u have NewDotNet hijacker in ur PC....and that O10 entry says that ur WinSock has been hijacked by NewDotNet and u have to fix ur WinSock Layer by using tools like LSPFix or WinSockFix....
First, uninstall these softwares if u find them in Add/Remove programs:-
1]QuickSearchBar
After this, in HijackThis, Check the red entries above and click Fix.
Then restart in safe mode, and delete the files:-
1]newdotnet3_88.dll
2]QuickSearchBar1_27.dll
and also the folders containing these files....
download LSPFix and run it....
http://www.cexx.org/lspfix.htm
__________________
http://swatrant.blogspot.com/
|
|
|
|
|
28-02-2005, 08:54 AM
|
#17 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
hey! Swat! Y did U said newdot is a virus ..or either Y did U asked me to uninstall it! ... wat is new.net & Y was it suspicious .....
plus tht LSPfix can be unstable with Ad-Aware utilities it says .. still i have run it & this is my new log do U still find this suspicious somewhere ??
& this Quicksearch bar .dll might be a file of Quicktime player or sth like tht ..dunt U feel .. Y did ya marked these two dll's as red!
Can U plzz tell me! thx! a lot for ur help!
Quote:
Logfile of HijackThis v1.99.0
Scan saved at 8:57:09 AM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
E:\Set Ups\Yz Dock\YzDock.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Set Ups\Softwares\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Upcoming Storm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://www.iiita.ac.in/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 172.31.1.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
|
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
28-02-2005, 03:00 PM
|
#18 (permalink)
|
|
Wise Old Owl
Join Date: Oct 2004
Location: Parked diagonally in a parallel universe
Posts: 1,304
|
NewDotNet is not a virus, its what is known as "malware", a malicious BHO that downloads and silently executes code from its servers and overrides your system settings without your knowledge or permission. It comes in three variants 'New.net domains (B variant), ‘FirstLook’ (FirstLook variant) and ‘QuickSearch Toolbar’ (QuickSearch variant). So, you see, QuickSearch toolbar doesnt have anything to do with QuickTime. What NewDotNet does is override the DNS queries for Top Level Domains (TLD) with its own new.net subdomains, so that whenever you type in a address/query into the browser address bar, the system sends a query to a DNS server to figure out where it should take you. This BHO makes sure you're only taken to its subdomains.
NewDotNet uses a Winsock2 Layered Service Provider (LSP) and a Browser Helper Object (BHO) that redirects searches from the browser’s address bar to NewDotNet’s search engines at qsrch.com and the popup-filled search.findsall.info. It also downloads updates from its controlling server at client.new.tech (aka client.new.tech.new.net) or upgrade.new.tech (upgrade.new.tech.new.net, upgrade.newdotnet.net).
Now you see why he asked you to remove the entries in red and asked you to run LSPFix. Because it hijacks the LSP, if you carelessly remove it, you run the risk of totally disconnecting yourself from the Internet, since simply put, the Windows Sockets layer (WinSock) is what allows you to connect in the first place to the Internet.
BTW, your new log is clean. Download Spybot S&D and leave its TeaTimer protection turned on at all times.
http://www.safer-networking.org/en/download/
__________________
Face it, kid! Provoking a reaction isn't the same thing as saying something significant - Calvin
A64 3000+@2.4G/Asus A8V-DLX/1G DDR400/BBA X800 XT PE/320G HGST SATA2
Playing FEAR XP/LSW2
|
|
|
|
|
28-02-2005, 03:50 PM
|
#19 (permalink)
|
|
Human Spambot
Join Date: Mar 2004
Location: India
Posts: 2,033
|
yeah...enoonmai has told u everything...NewDotNet is a Adware/Malware....and QuickSearchBar is affiliated to it....
now ur log is clean!!!
__________________
http://swatrant.blogspot.com/
|
|
|
|
|
28-02-2005, 06:55 PM
|
#20 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
01-03-2005, 04:17 PM
|
#21 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
here is one more! log of my frd i did some work although but still advice me again .. if U dunt mind :roll: ....
Quote:
Logfile of HijackThis v1.99.0
Scan saved at 2:46:33 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\QuickTime\qttask.exe
C:\WINDOWS\explorer.exe
D:\foobar\foobar2000.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Setups\Softwares\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://www.iiita.ac.in/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 172.31.1.1:8080
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_ 12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_ 12_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AC84CF2-368B-47D6-ABD9-79BD3A28F7E0}: NameServer = 172.31.1.30,172.31.1.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D26B15BA-D961-4DF3-86FD-F7DF75B6824B}: NameServer = 172.31.1.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB4814C9-0EFA-4911-A08B-FB292C39F172}: NameServer = 172.31.1.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{4AC84CF2-368B-47D6-ABD9-79BD3A28F7E0}: NameServer = 172.31.1.30,172.31.1.31
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
|
Am I correct this time or wrong again somewhere? :roll:
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
01-03-2005, 04:30 PM
|
#22 (permalink)
|
|
Wise Old Owl
Join Date: Oct 2004
Location: Parked diagonally in a parallel universe
Posts: 1,304
|
Yes, you've identified the spyware, now all you have to do is fix it. There you go, that wasn't so difficult now, was it?
And BTW, this isnt really malicious or spyware
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
All you have to do is go to the QuickTime preferences in the Control Panel and uncheck the "Show icon in the taskbar" or go to regedit and
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and delete the qttask.exe entry.
__________________
Face it, kid! Provoking a reaction isn't the same thing as saying something significant - Calvin
A64 3000+@2.4G/Asus A8V-DLX/1G DDR400/BBA X800 XT PE/320G HGST SATA2
Playing FEAR XP/LSW2
|
|
|
|
|
01-03-2005, 06:44 PM
|
#23 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
Thanks! enoonmai yep! tht was easy i suppose :roll: i'll do wat U have said! thanks! a lot mate!
now for my accuracy one more computer's log .. this might be my last learning step bcz it looked complex to me ..... 
Quote:
Logfile of HijackThis v1.99.0
Scan saved at 6:51:15 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\windows\system32\VTTimer.exe
C:\windows\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\windows\system32\nutsrv4.exe
C:\program files\winsys180\saap.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Yahoo!\Messenger\Y!Multi-Gold.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
C:\windows\system32\wscntfy.exe
C:\windows\explorer.exe
C:\Documents and Settings\bhupendra\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://www.iiita.ac.in/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 172.31.1.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = windowsupdate.microsoft.com;v4.windowsupdate.micro soft.com;download.windowsupdate.com
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv .exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [saap] c:\program files\winsys180\saap.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKCU\..\Run: [Rowo] C:\Documents and Settings\bhupendra\Application Data\i??e?.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: &WordWeb... - res://C:\windows\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22544ea5...p/RdxIE601.cab....
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096534301078
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4EEE3B4-E361-4877-8C70-C2345BA01758}: NameServer = 172.31.1.1,172.31.1.30
O23 - Service: Apache - Unknown - C:\PROGRA~1\EASYPH~1\Apache\apache.exe
O23 - Service: Kerio Personal Firewall 4 - Unknown - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe (file missing)
O23 - Service: MySql - Unknown - C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
O23 - Service: NuTCRACKER Service - DataFocus, Inc. - C:\windows\system32\nutsrv4.exe
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
|
can U do it one last time ?? 
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
02-03-2005, 12:58 AM
|
#24 (permalink)
|
|
Human Spambot
Join Date: Mar 2004
Location: India
Posts: 2,033
|
u left this one, related to 180SearchAssistant!
Quote:
C:\program files\winsys180\saap.exe
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
|
and u marked these legit ones as bad:-
Quote:
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv .exe (this related to NutCracker Software)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22544ea5c0daf79da420/netzip/RdxIE601.cab....(Real Player Web)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (related Real Player Updater)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?
linkid=34738&clcid=0x409 (Windows Update)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab (Yahoo Messesnger)
|
hey....u can get info abt files unknown or suspecious to u here....
http://www.iamnotageek.com/a/file_info.php
__________________
http://swatrant.blogspot.com/
|
|
|
|
|
02-03-2005, 03:02 AM
|
#25 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
Thanks! mate .. Swat !! .. although i marked red entry specified by U as red .. check it
newayzz thanks! a lot mates! .... this failure gives me one more assignment to finish accurately ..
People U have to do it once again! sorry! for inconvienience! :roll:
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
02-03-2005, 12:38 PM
|
#26 (permalink)
|
|
In The Zone
Join Date: Aug 2004
Location: ..:::In Beautiful Hearts:::....
Posts: 339
|
What does swat cat do ! He appears a better lecturer than mine at the college ! THX for the detailed info .
|
|
|
|
|
02-03-2005, 07:08 PM
|
#27 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
People U have helped me a lot ... till now .. just verify me this last time ...
Quote:
Logfile of HijackThis v1.99.0
Scan saved at 9:54:40 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MYWEBS~1\bar\a.bin\mwsoemon.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\Y!Multi-Gold.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pankaj\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://www.iiita.ac.in/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 172.31.1.1:8080
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\7.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\lsasrv.exe
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\a.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\a.bin\MWSBAR.DLL
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4b\NHelper.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv .exe
O4 - HKLM\..\Run: [Logon Loader] "C:\Program Files\Logon Loader\LogonLoader.exe" -minimized
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\System32\lsasrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\a.bin\mwsoemon.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\a.bin\mwsoemon.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\a.bin\MWSOEMON.EXE
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\a.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Flyswat - {E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16} - C:\PROGRA~1\flyswat\Flylib.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11D01E78-29AB-45F5-A8E7-825C085E77BD}: NameServer = 172.31.1.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{C203C4AE-5411-4842-BCCC-7ADA8172C34D}: NameServer = 172.31.1.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{11D01E78-29AB-45F5-A8E7-825C085E77BD}: NameServer = 172.31.1.30
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: MySql - Unknown - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NuTCRACKER Service - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
|
can U help me once again .. this probably is my final attempt ... to this hijack thing! .. plz ?
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
02-03-2005, 07:13 PM
|
#28 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
& Swat wat's ur Yahoo! id ... ??
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
|
02-03-2005, 08:52 PM
|
#29 (permalink)
|
|
Human Spambot
Join Date: Mar 2004
Location: India
Posts: 2,033
|
Quote:
|
Originally Posted by yehmeriidhain
People U have helped me a lot ... till now .. just verify me this last time ...
Quote:
Logfile of HijackThis v1.99.0
Scan saved at 9:54:40 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MYWEBS~1\bar\a.bin\mwsoemon.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\Y!Multi-Gold.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pankaj\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://www.iiita.ac.in/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 172.31.1.1:8080
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\7.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\lsasrv.exe
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\a.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\a.bin\MWSBAR.DLL
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4b\NHelper.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime<===QuickTime, good one!!!
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv .exe
O4 - HKLM\..\Run: [Logon Loader] "C:\Program Files\Logon Loader\LogonLoader.exe" -minimized
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\System32\lsasrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot<===Real Player Updater, good one!!!
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\a.bin\mwsoemon.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\a.bin\mwsoemon.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\a.bin\MWSOEMON.EXE
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe<===Konfabulator, good one!!
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\a.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll<===Java RunTime, good one, they dont have name!
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Flyswat - {E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16} - C:\PROGRA~1\flyswat\Flylib.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11D01E78-29AB-45F5-A8E7-825C085E77BD}: NameServer = 172.31.1.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{C203C4AE-5411-4842-BCCC-7ADA8172C34D}: NameServer = 172.31.1.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{11D01E78-29AB-45F5-A8E7-825C085E77BD}: NameServer = 172.31.1.30
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: MySql - Unknown - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NuTCRACKER Service - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
|
can U help me once again .. this probably is my final attempt ... to this hijack thing! .. plz ? |
no probs abt helping ....
this comp is having a lot of pests!!!!!
here blue are bad ones u left!!!!!
and u also indicated some good processes like QuickTime and Real UPadter as bad ones....
u can get a good info abt Spywares/Adwares/Viruese/Worms here....
http://www3.ca.com/securityadvisor/pest/
__________________
http://swatrant.blogspot.com/
|
|
|
|
|
02-03-2005, 09:05 PM
|
#30 (permalink)
|
|
In The Zone
Join Date: Nov 2004
Posts: 322
|
Thanks! Swat again! ..
__________________
At times in ur life just to do things right U have to be steady & sacrifice sth which u want the most.....even ur dreamzz tooo....
|
|
|
|
| Thread Tools |
Search this Thread |
|
|
|
| Display Modes |
 Linear Mode
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
|
|
|
