
Hijackthis log help pls


5 replies to this topic

#1 Vulcan

Vulcan

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 17 March 2005 - 09:27 AM

Hi, I've been hijacked by this annoying SearchMaid and this is my HijackThis log. Any help is greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 12:17:57 AM, on 3/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\logonui.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\NetLimiter\NetLimiter.exe
D:\PROGRA~1\ICQ\ICQ.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINDOWS\System32\ni_nic.exe
D:\WINDOWS\System32\NMSSvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Sonique\sqstart.exe
D:\Program Files\iMesh\iMesh5\iMesh.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Eyeball\Eyeball Chat\EyeballChat.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmaid.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmaid.com/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://http://www.yahoo.com
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - D:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O6 "USB001" /M "Stylus C43"
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4678B749-953F-4DD3-A82E-0AD0A1FAE20D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4678B749-953F-4DD3-A82E-0AD0A1FAE20D} - (no file) (HKCU)
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330994.exe
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110080257654
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel Client Instrumentation for DMI (ni_nic) - Intel® Corporation - D:\WINDOWS\System32\ni_nic.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - D:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

:thumbsup:


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:24 AM

Posted 17 March 2005 - 06:13 PM

Hi there,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmaid.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmaid.com/search.php?qq=%s
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - D:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4678B749-953F-4DD3-A82E-0AD0A1FAE20D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4678B749-953F-4DD3-A82E-0AD0A1FAE20D} - (no file) (HKCU)
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330994.exe
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)


* Click on Fix Checked when finished and exit HijackThis.

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
If your antivirus gives an alert, do not block it; allow the script.
Copy and paste the content of the text file you get afterwards into your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
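The entries the reply above picks out share a few machine-checkable traits: a registered component whose file is gone ("(no file)"), an O16 Downloaded Program File that points at a local file:// path instead of a web site, a search setting redirected to searchmaid.com, and the doubled "http://http://" scheme. The script below is an added example written for this thread; it is not HijackThis code and not the helper's own tool. It parses HijackThis log lines and flags those traits. KNOWN_HIJACKER_HOSTS holds only the host named in this thread and is an assumption to extend from your own intel; SAMPLE_LOG is constructed in the shape of the log posted above.

```python
"""Triage a HijackThis v1.99 log with the heuristics used in the reply above.

Added example for this thread; not HijackThis code and not the helper's tool.
"""
import re

# Assumption: only the host named in this thread; extend from your own intel.
KNOWN_HIJACKER_HOSTS = {"searchmaid.com"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Tolerates the doubled scheme seen in the log ("http://http://www.yahoo.com").
URL_HOST_RE = re.compile(r"https?://(?:https?://)?([^/\s]+)", re.I)

# Constructed sample lines in the shape of the log posted above.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://www.yahoo.com",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmaid.com/search.php?qq=%s",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll",
    r"O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)",
    r"O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)",
    r"O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330994.exe",
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110080257654",
    r"O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)",
    r"O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)",
    r"O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe",
]


def url_host(text):
    """Lower-cased host of the first URL in text, or None."""
    m = URL_HOST_RE.search(text)
    return m.group(1).lower() if m else None


def matches_hijacker(host):
    """True when host is, or is a subdomain of, a known hijacker domain."""
    return any(host == h or host.endswith("." + h) for h in KNOWN_HIJACKER_HOSTS)


def classify(line):
    """Return (entry_type, reason) when the entry deserves a look, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if "(no file)" in body:
        return kind, "registered component whose file is gone (orphan; typical malware leftover)"
    if kind == "O16" and re.search(r"\bfile://", body, re.I):
        return kind, "Downloaded Program File loaded from a local file:// path rather than a web site"
    if kind in ("R0", "R1"):
        host = url_host(body)
        if host and matches_hijacker(host):
            return kind, f"browser search/start setting points at known hijacker host {host}"
        if "http://http://" in body.lower():
            return kind, "doubled URL scheme; harmless but should be reset"
    return None


def triage(lines):
    """All flagged entries in log order as (entry_type, reason, original line)."""
    findings = []
    for line in lines:
        hit = classify(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run against the sample it flags exactly the seven lines the reply tells the poster to fix and leaves the Google, Windows Update and Symantec entries alone; a real log goes in as the list of its lines.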

#3 Vulcan

Vulcan
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 19 March 2005 - 10:35 AM

Hey, thanks for replying :thumbsup: appreciate it. Did as you told me.

This is the log file for Silent Runners:

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"notepad.exe" = "msmsgs.exe" [MS]
"notepad2.exe" = "popuper.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"EPSON Stylus C43 Series" = "D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O6 "USB001" /M "Stylus C43"" ["SEIKO EPSON CORPORATION"]
"Mirabilis ICQ" = "D:\PROGRA~1\ICQ\ICQNet.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"gcasServ" = ""D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"NetLimiter" = "D:\Program Files\NetLimiter\NetLimiter.exe /s" ["LockTime"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO"
-> resolves to: {CLSID}\InprocServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper"
-> resolves to: {CLSID}\InprocServer32\(Default) = "d:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "D:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "D:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "D:\WINDOWS\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "D:\WINDOWS\System32\stobject.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "NavLogon\DLLName" = "D:\WINDOWS\System32\NavLogon.dll" [null data]


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

INFECTION WARNING! G:\AUTORUN.INF -> "OPEN=noautorun.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "D:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Application Layer Gateway Service, ALG, "D:\WINDOWS\System32\alg.exe" [MS]
Automatic Updates, wuauserv, "D:\WINDOWS\system32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\wuauserv.dll" [MS]}
COM+ Event System, EventSystem, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\es.dll" [MS]}
Computer Browser, Browser, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\browser.dll" [MS]}
Cryptographic Services, CryptSvc, "D:\WINDOWS\system32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\cryptsvc.dll" [MS]}
DefWatch, DefWatch, "D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe" ["Symantec Corporation"]
DHCP Client, Dhcp, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "D:\WINDOWS\system32\svchost.exe -k netsvcs" {"D:\WINDOWS\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "D:\WINDOWS\System32\svchost.exe -k NetworkService" {"D:\WINDOWS\System32\dnsrslvr.dll" [MS]}
EPSON Printer Status Agent2, EPSONStatusAgent2, "D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
Error Reporting Service, ERSvc, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "D:\WINDOWS\system32\services.exe" [MS]
Fast User Switching Compatibility, FastUserSwitchingCompatibility, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\shsvcs.dll" [MS]}
Help and Support, helpsvc, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
Intel Client Instrumentation for DMI, ni_nic, "D:\WINDOWS\System32\ni_nic.exe" ["Intel® Corporation"]
Intel® NMS, NMSSvc, "D:\WINDOWS\System32\NMSSvc.exe" ["Intel Corporation"]
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS), SharedAccess, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\ipnathlp.dll" [MS]}
IPSEC Services, PolicyAgent, "D:\WINDOWS\System32\lsass.exe" [MS]
Logical Disk Manager, dmserver, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\dmserver.dll" ["Microsoft Corp."]}
Messenger, Messenger, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\msgsvc.dll" [MS]}
Network Connections, Netman, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\mswsock.dll" [MS]}
NVIDIA Display Driver Service, NVSvc, "D:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Plug and Play, PlugPlay, "D:\WINDOWS\system32\services.exe" [MS]
Portable Media Serial Number, WmdmPmSp, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\mspmspsv.dll" [MS]}
Print Spooler, Spooler, "D:\WINDOWS\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "D:\WINDOWS\system32\lsass.exe" [MS]
Remote Access Auto Connection Manager, RasAuto, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\rasauto.dll" [MS]}
Remote Access Connection Manager, RasMan, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "D:\WINDOWS\system32\svchost -k rpcss" {"D:\WINDOWS\system32\rpcss.dll" [MS]}
Remote Registry, RemoteRegistry, "D:\WINDOWS\system32\svchost.exe -k LocalService" {"D:\WINDOWS\system32\regsvc.dll" [MS]}
Secondary Logon, seclogon, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "D:\WINDOWS\system32\lsass.exe" [MS]
Server, lanmanserver, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\shsvcs.dll" [MS]}
SSDP Discovery Service, SSDPSRV, "D:\WINDOWS\System32\svchost.exe -k LocalService" {"D:\WINDOWS\System32\ssdpsrv.dll" [MS]}
System Event Notification, SENS, "D:\WINDOWS\system32\svchost.exe -k netsvcs" {"D:\WINDOWS\system32\sens.dll" [MS]}
System Restore Service, srservice, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\srsvc.dll" [MS]}
Task Scheduler, Schedule, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "D:\WINDOWS\System32\svchost.exe -k LocalService" {"D:\WINDOWS\System32\lmhsvc.dll" [MS]}
Telephony, TapiSrv, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\tapisrv.dll" [MS]}
Terminal Services, TermService, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\termsrv.dll" [MS]}
Themes, Themes, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\shsvcs.dll" [MS]}
Upload Manager, uploadmgr, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
WebClient, WebClient, "D:\WINDOWS\System32\svchost.exe -k LocalService" {"D:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "D:\WINDOWS\System32\svchost.exe -k imgsvc" {"D:\WINDOWS\system32\wiaservc.dll" [MS]}
Windows Management Instrumentation, winmgmt, "D:\WINDOWS\system32\svchost.exe -k netsvcs" {"D:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, W32Time, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\w32time.dll" [MS]}
Wireless Zero Configuration, WZCSVC, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\wkssvc.dll" [MS]}

#4 Vulcan

Vulcan
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 19 March 2005 - 10:41 AM

Hey, I'm just curious... I understand all this spyware bleep and everything related to it is for advertising purposes (correct me if I'm wrong)... It annoys the hell out of people, and the person who gets infected will not even look at the ads, let alone click on them... So that means their advertising is not working. Then why are they still doing it? What's the motivation? And who funds the idiots who spend time doing all this malicious stuff?

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:24 AM

Posted 19 March 2005 - 10:53 AM

Hey, I'm just curious... I understand all this spyware bleep and everything related to it is for advertising purposes (correct me if I'm wrong)... It annoys the hell out of people, and the person who gets infected will not even look at the ads, let alone click on them... So that means their advertising is not working. Then why are they still doing it? What's the motivation? And who funds the idiots who spend time doing all this malicious stuff?

Believe me, a lot of people DO click on the ads, especially when they say: Free antivirus, Free antispyware scanner and Free popup blocker.

Anyway... can you post another HijackThis log too?

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:24 AM

Posted 19 March 2005 - 01:01 PM

Well, I can let you do the next step already too.

Open Notepad and copy and paste the following content into the white field:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-

Save this as fix.reg.
Choose to save as type "All files" and place it on your desktop.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Reboot into Safe Mode:
  To get into Safe Mode as the computer is booting, press and hold your F8 key, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.


Now, find and delete the following files if present:

msmsgs.exe <== this is not the msmsgs.exe that is present in your C:\Program Files\Messenger!! The file you have to delete must be present in your Windows or System32 folder.
popuper.exe <== this one is probably also present in your Windows or System32 folder.

Double-click on fix.reg and when it asks you to add the contents to the registry, click Yes/OK.

Reboot back to normal mode and post a new HijackThis log.
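The fix in this reply is a REGEDIT4 file that deletes the two values under Policies\Explorer\Run which the Silent Runners report in post #3 showed launching msmsgs.exe and popuper.exe under the innocuous names "notepad.exe" and "notepad2.exe", plus manual deletion of those files from the Windows or System32 folder (not the genuine msmsgs.exe under Program Files\Messenger). The script below is an added example for this thread, not Silent Runners' or the helper's own code. It parses the registry section of a Silent Runners report, separates entries to delete (a Policies\Explorer\Run value that starts a program other than its name says, or a file-not-found entry) from entries to verify by hand (the NavLogon INFECTION WARNING, which the replies did not act on), builds the same fix.reg, and checks whether a file path is a misplaced copy of a known file name. SAMPLE_REPORT is constructed in the shape of the posted report, and EXPECTED_DIRS is an assumption that covers only the msmsgs.exe case from this thread.

```python
"""Read the registry section of a Silent Runners report, flag the hijack
entries, and build the fix.reg that removes them.

Added example for this thread; not Silent Runners' or the helper's own code.
"""
import re

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# Assumption: only the one case from the thread; a real table is much longer.
EXPECTED_DIRS = {"msmsgs.exe": ("\\program files\\messenger\\",)}

KEY_RE = re.compile(r"^(HKLM|HKCU)\\(.+)\\$")
VALUE_RE = re.compile(
    r'^(?P<warn>INFECTION WARNING! )?"(?P<name>[^"]+)" = "(?P<data>.*)" \[(?P<tag>[^\]]*)\]$'
)

# Constructed sample in the shape of the report posted above.
SAMPLE_REPORT = [
    "Startup items buried in registry:",
    "---------------------------------",
    "",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
    '"notepad.exe" = "msmsgs.exe" [MS]',
    '"notepad2.exe" = "popuper.exe" [file not found]',
    "",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    '"NetLimiter" = "D:\\Program Files\\NetLimiter\\NetLimiter.exe /s" ["LockTime"]',
    "",
    "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\",
    'INFECTION WARNING! "NavLogon\\DLLName" = "D:\\WINDOWS\\System32\\NavLogon.dll" [null data]',
]


def parse_registry_section(lines):
    """Map each registry key to its (name, data, tag, warned) values."""
    entries, current = {}, None
    for raw in lines:
        line = raw.rstrip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1) + "\\" + km.group(2)
            entries.setdefault(current, [])
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            entries[current].append((vm["name"], vm["data"], vm["tag"], bool(vm["warn"])))
    return entries


def assess(key, name, data, tag, warned):
    """('delete' | 'verify', reason) for a suspicious value, or None."""
    if key.lower().endswith("\\policies\\explorer\\run"):
        # Policy Run key: the launched program should at least be the value's
        # namesake and a full path; a bare, different exe name is a hijack.
        launched = data.split()[0].lower() if data else ""
        if launched != name.lower() or "\\" not in data:
            return "delete", "Policies\\Explorer\\Run value starts a program other than its name says"
        return "verify", "Policies\\Explorer\\Run is seldom used legitimately"
    if tag.lower() == "file not found":
        return "delete", "autostart points at a file that no longer exists"
    if warned:
        return "verify", "Silent Runners INFECTION WARNING: check publisher and path before removing"
    return None


def plan_cleanup(lines):
    """Findings for the user plus {key: [value names]} that are safe to script."""
    findings, deletions = [], {}
    for key, values in parse_registry_section(lines).items():
        for name, data, tag, warned in values:
            verdict = assess(key, name, data, tag, warned)
            if verdict is None:
                continue
            action, reason = verdict
            findings.append((key, name, action, reason))
            if action == "delete":
                deletions.setdefault(key, []).append(name)
    return findings, deletions


def build_fix_reg(deletions):
    """REGEDIT4 text; "name"=- under a key deletes that value on import."""
    out = ["REGEDIT4", ""]
    for key, names in deletions.items():
        hive, _, rest = key.partition("\\")
        out.append(f"[{HIVES[hive]}\\{rest}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\n".join(out)


def misplaced_copy(path):
    """True when a known file name sits outside the directory it belongs in."""
    p = path.lower().replace("/", "\\")
    expected = EXPECTED_DIRS.get(p.rsplit("\\", 1)[-1])
    return bool(expected) and not any(d in p for d in expected)


if __name__ == "__main__":
    findings, deletions = plan_cleanup(SAMPLE_REPORT)
    for key, name, action, reason in findings:
        print(f"{action:6} {key}\\{name}: {reason}")
    print(build_fix_reg(deletions))
```

On the sample the generated text is exactly the fix.reg in this reply. Only the "delete" bucket reaches the file; the "verify" bucket (here the NavLogon Winlogon notify entry, which carries Symantec's path) is printed for a human to check, so an INFECTION WARNING from the tool is never turned into a registry deletion on its own.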



