Help needed to remove Desktop Hijacker from my PC....

Status
Not open for further replies.

Yoda

Journeyman
Hi,

Last week I visited a Bad Website and immediately a Desktop Hijacker sat on my desktop.

Then I used..

Ad-Aware SE Professional 1.05 (With latest definitions)

and

Webroot SpySweeper (Latest Version) (with Latest Definitions)

and

Spybot Search & Destroy 1.3 (with Latest Definitions)


After using these 3 programs I was able to remove that "AD" that appeared on the desktop, but I couldn't remove the blank screen of that Hijacker.

The blank screen changes between 2 colors, "White" and "cement" color, every 20 seconds on the desktop automatically.

And I couldn't right-click the desktop. I even tried changing the wallpaper but no way. The hijacker blank screen remains.


You can see the images of my desktop. The BG of the desktop is the "background" of the hijacker.


*img21.exs.cx/img21/9017/pic15lp.jpg

*img116.exs.cx/img116/9312/pic28ss.jpg


Where is the file of this desktop hijacker stored on the PC, so that I can delete it myself and remove that irritating BG of the hijacker? :(

How to get rid of this problem... :(

Thanx in Advance
Arsenal.
 

digen

Youngling
Maybe you can try this,

Right-click on your desktop>Properties>Desktop>Customize Desktop>Web>Uncheck entries which have not been set by you[mostly malicious].
 
OP
Yoda

Yoda

Journeyman
Right-click on your desktop>Properties>Desktop>Customize Desktop>Web>Uncheck entries which have not been set by you[mostly malicious]


I'm unable to do this either. In right-click > Properties

I get this window

*img35.exs.cx/img35/219/pic39cn.jpg


I even searched for the "desktop.html" file in the WINNT directory with the search tool but no use. There is no such file, but the Properties button shows.


I will send the Log file soon.

Thanx
Arsenal.
 
OP
Yoda

Yoda

Journeyman
Log File "indrajit"

Here's the Log file "indrajit"


Logfile of HijackThis v1.99.0
Scan saved at 4:57:15 PM, on 1/17/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\PROGRA~1\Zinio\ZDLM.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\ABK\abk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Documents and Settings\opac\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 3.174.26.70:8080
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRA~1\DAP\dapbho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C2260B66-CCA5-E059-DB8C-90ABA1040794} - C:\WINNT\system32\peksvrb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Z1DSPW5] c:\documents and settings\opac\local settings\temp\Z1DSPW5.exe
O4 - HKLM\..\Run: [BITzop9] c:\documents and settings\opac\local settings\temp\BITzop9.exe
O4 - HKLM\..\Run: [6vG9AP702] c:\documents and settings\opac\local settings\temp\6vG9AP702.exe
O4 - HKLM\..\Run: [gB2LV] c:\documents and settings\opac\local settings\temp\gB2LV.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4\THGuard.exe"
O4 - HKLM\..\Run: [Spy Watcher] "C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe" -S
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Instant Messenger - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - *cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?*cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: Gexus - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)
O9 - Extra 'Tools' menuitem: Gexus - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .zip: C:\PROGRA~1\PKWARE\PKZIPP\nppkzip.dll
O14 - IERESET.INF: START_PAGE_URL=*crd.home.ge.com/
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: (HKLM)
O16 - DPF: {0036F389-FEF8-43AC-9220-16430E0012ED} - *naupoint.com/toolbar/installer/iEBINST5.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - *crdquickplace02.ge.com/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - *go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - *advnt01.com/dialer/russia.CAB
O16 - DPF: {426F81A5-0B8C-4948-8115-11606FD3F389} - *www.serialspot.com/serials/serials.cab
O16 - DPF: {60261C06-81B0-4DE0-9313-E5BA203A64E9} - *216.195.35.10/pdfmgr_s.cab
O16 - DPF: {68E53982-CCCE-48C2-89B9-C3C97638F9B4} (CActSetupObj Object) - *www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - *pacioli.crd.ge.com/oa/US/jinit11816.exe
O16 - DPF: {9BBC1154-218D-453C-97F6-A06582224D81} - *www.shifen.com/update/moon/install.cab
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} - *hkmeeting01c.ge.com/sametime/STMeetingRoomClient/STJNILoader.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - *bar.baidu.com/update/IESearch.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - *deposito.hostance.net/dialer/1014061.exe
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - *www.35mb.com/downloadapplet.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = crd.ge.com,ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
O23 - Service: AutoComplete Service - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: OracleOraHome81ClientCache - Unknown - c:\oracle\ora81\BIN\ONRSD.EXE



Thanx in Advance
Arsenal
 

digen

Youngling
As I had suggested earlier your desktop has been hijacked by replacing it with a webpage.
Try scanning under safe mode & see if the anti-spyware software detects anything till someone goes through the log file & posts back.
 

theraven

Technomancer
win 98 eh ?
first go to control panel then display properties
and from one of those tabs disable your active desktop and remove the "Active desktop item" from the list

as for the HijackThis logfile
this is my first attempt since bats away (raven will play)

Code:
C:\WINNT\SYSTEM32\DWRCS.EXE   <-- unknown
C:\WINNT\SYSTEM32\DWRCST.exe <-- unknown
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe <-- unknown
C:\Program Files\Lotus\Sametime Client\Connect.exe <-- unknown
C:\Program Files\ABK\abk.exe <-- unknown

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 3.174.26.70:8080 <-- This page could possibly be nasty.   If you do not know the entry '3.174.26.70:8080', delete it. 

O2 - BHO: (no name) - {C2260B66-CCA5-E059-DB8C-90ABA1040794} - C:\WINNT\system32\peksvrb.dll (file missing)   
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([C2260B66-CCA5-E059-DB8C-90ABA1040794] - Result: ) has been checked. Hit rate: -1 %   Unknown application.
Unnecessary (deactivated) entry that can be fixed. 

O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" <--unknown

O4 - HKLM\..\Run: [Z1DSPW5] c:\documents and settings\opac\local settings\temp\Z1DSPW5.exe   <--Unknown application. 
  O4 - HKLM\..\Run: [BITzop9] c:\documents and settings\opac\local settings\temp\BITzop9.exe   <-- Unknown application. 
  O4 - HKLM\..\Run: [6vG9AP702] c:\documents and settings\opac\local settings\temp\6vG9AP702.exe   <--  Unknown application. 
  O4 - HKLM\..\Run: [gB2LV] c:\documents and settings\opac\local settings\temp\gB2LV.exe <--  Unknown application. 

  O9 - Extra button: Instant Messenger - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - *cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?*cn.messenger.yahoo.c om/ (file missing)   
Unnecessarily   The entry Instant Messenger has been identified as safe.   If the entry 'Instant Messenger ' is not needed anymore, it should be fixed.
Unnecessary (deactivated) entry that can be fixed. 
  O9 - Extra button: Gexus - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)   
Unnecessarily   Unknown buttons or entries in the 'Extras'-menu should be fixed.   To be fixed if the entry 'Gexus ' is unknown.
Unnecessary (deactivated) entry that can be fixed. 
  O9 - Extra 'Tools' menuitem: Gexus - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)   
Unnecessarily   Unknown buttons or entries in the 'Extras'-menu should be fixed.   To be fixed if the entry 'Gexus ' is unknown.
Unnecessary (deactivated) entry that can be fixed. 

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE   
Nasty      This entry should be fixed by HijackThis! 

O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\WINNT\System32\shdocvw.dll   
Possibly nasty   Unknown buttons or entries in the 'Extras'-menu should be fixed.   To be fixed if the entry '@C:\Program Files\Failsafe\GuardIE\PnIE.dll,' is unknown. 
  O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\WINNT\System32\shdocvw.dll   
Possibly nasty   Unknown buttons or entries in the 'Extras'-menu should be fixed.   To be fixed if the entry '@C:\Program Files\Failsafe\GuardIE\PnIE.dll,' is unknown. 

O14 - IERESET.INF: START_PAGE_URL=*crd.home.ge.com/   
Possibly nasty   This entry should be fixed if this address does not belong to your PC-manufacturer or your 'Internet-Service-Provider (ISP)'.   This entry should be fixed if '*crd.home.ge.com/' is not your PC-manufacturer or your 'Internet-Service-Provider (ISP)'. 
  O15 - Trusted Zone: *.skoobidoo.com   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted Zone: *.slotchbar.com   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted Zone: *.windupdates.com   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted Zone: *.skoobidoo.com (HKLM)   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted Zone: *.slotchbar.com (HKLM)   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted Zone: *.windupdates.com (HKLM)   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted IP range: 67.19.185.246   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted IP range: (HKLM)   
Possibly nasty   If you did not add these pages to your trusted pages, they should be fixed.   If you didn't add '(HKLM)' to your trusted pages, it should be fixed. 
  O16 - DPF: {0036F389-FEF8-43AC-9220-16430E0012ED} - *naupoint.com/toolbar/installer/iEBINST5.cab   
Nasty   This entry is possibly nasty.   Should be fixed. 
  O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - *crdquickplace02.ge.com/qp2.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 

O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - *advnt01.com/dialer/russia.CAB   
Nasty   This entry is possibly nasty.   Should be fixed. 
  O16 - DPF: {426F81A5-0B8C-4948-8115-11606FD3F389} - *www.serialspot.com/serials/serials.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O16 - DPF: {60261C06-81B0-4DE0-9313-E5BA203A64E9} - *216.195.35.10/pdfmgr_s.cab   
Nasty   This entry is possibly nasty.   Should be fixed. 
  O16 - DPF: {68E53982-CCCE-48C2-89B9-C3C97638F9B4} (CActSetupObj Object) - *www.odysseusmarketing.com/actsetup.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - *pacioli.crd.ge.com/oa/US/jinit11816.exe   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O16 - DPF: {9BBC1154-218D-453C-97F6-A06582224D81} - *www.shifen.com/update/moon/install.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} - *hkmeeting01c.ge.com/sametime/STMeetingRoomClient/STJNILoader.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - *bar.baidu.com/update/IESearch.cab   
Nasty   This entry is possibly nasty.   Should be fixed. 
  O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - *deposito.hostance.net/dialer/1014061.exe   
Nasty   This entry is possibly nasty.   Should be fixed. 
  O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - *www.35mb.com/downloadapplet.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com   
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'grmsasia.grms.ge.com'? If not, fix this entry. 
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = crd.ge.com,ge.com   
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'crd.ge.com,ge.com'? If not, fix this entry. 
  O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com   
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'grmsasia.grms.ge.com'? If not, fix this entry. 
  O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com   
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'grmsasia.grms.ge.com'? If not, fix this entry. 
  O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)   
Nasty   Only a few Hijackers are listed here. The most popular are 'cn' (CommonName) , 'ayb' (Lop.com) and 'relatedlinks' (Huntbar) . They should be fixed.   Should be fixed. 
  O23 - Service: AutoComplete Service - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe   
Unknown   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.   Unknown service. (autocomp.exe) 

O23 - Service: DameWare Mini Remote Control - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE   
Unknown   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.   Unknown service. (DWRCS.EXE) 

  O23 - Service: OracleOraHome81ClientCache - Unknown - c:\oracle\ora81\BIN\ONRSD.EXE   
Unknown   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.   Unknown service. (ONRSD.EXE)

check all these and click on fix selected
 
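Added example, not from this thread: a small Python triage script that applies the same kind of rules theraven worked through by hand on the log above (proxy server set, BHO with no name or missing file, autorun entries launched from a temp folder, additions to the Trusted Zone, downloaded ActiveX objects from dialer/casino/serials URLs, protocol handlers with no backing file) to lines in HijackThis log format. The sample lines are copied from the log posted in this thread; the rule set, function names and severity labels are my own assumptions, and the script only reports what to look at, it changes nothing on the machine.

```python
import re

# One HijackThis entry per line: "<type> - <body>", e.g. "O15 - Trusted Zone: *.example.com".
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Autorun targets living under a temp directory (\temp\ or \local settings\temp\).
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# Words in a DPF (downloaded ActiveX) name or URL that the thread's analysis treats as red flags.
DPF_BAD_WORDS = ("dialer", "casino", "serial", "free plugin")

# Constructed sample input: lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 3.174.26.70:8080
O2 - BHO: (no name) - {C2260B66-CCA5-E059-DB8C-90ABA1040794} - C:\WINNT\system32\peksvrb.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Z1DSPW5] c:\documents and settings\opac\local settings\temp\Z1DSPW5.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - *crdquickplace02.ge.com/qp2.cab
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - *advnt01.com/dialer/russia.CAB
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
"""


def triage_line(line):
    """Return (severity, reason) for one log line, or None if no rule fires.

    Severities (my own labels): "suspicious" = remove unless you put it there,
    "review" = legitimate in a corporate setup, confirm you recognise it.
    """
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # process list, headers, blank lines
    kind, body = m.group("kind"), m.group("body")

    if kind == "R1" and "ProxyServer" in body:
        return ("review", "IE proxy server is set; confirm it is your own or corporate proxy")
    if kind == "O2" and ("(no name)" in body or "(file missing)" in body):
        return ("suspicious", "browser helper object with no name or missing file")
    if kind == "O4" and TEMP_DIR.search(body):
        return ("suspicious", "autostart entry runs an executable from a temp directory")
    if kind == "O15":
        return ("suspicious", "site or IP added to the Trusted Zone; remove unless you added it")
    if kind == "O16":
        if any(word in body.lower() for word in DPF_BAD_WORDS):
            return ("suspicious", "downloaded ActiveX object from a dialer/casino/serials URL")
        return ("review", "downloaded ActiveX object; confirm the site is known to you")
    if kind == "O18" and "(no file)" in body:
        return ("suspicious", "custom protocol handler registered with no backing file")
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns a list of (severity, reason, line)."""
    findings = []
    for line in text.splitlines():
        verdict = triage_line(line)
        if verdict is not None:
            findings.append((verdict[0], verdict[1], line.strip()))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {"suspicious": 6, "review": 2}."""
    counts = {}
    for severity, _reason, _line in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for severity, reason, line in results:
        print(f"[{severity:10}] {reason}\n             {line}")
    print(summarize(results))
```

The "review" bucket matters on a machine like the one in this thread, which sits on a company network: the proxy, the ge.com DPF objects and the O17 domain entries are exactly the items a corporate build legitimately sets, so the script leaves the decision to the person who knows that network instead of telling HijackThis to fix them.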
OP
Yoda

Yoda

Journeyman
Very many thanks to you guys.

Thank you very much "The Raven" and "Digen Verma".

I disabled the active desktop item and it worked.


I fixed some of them using HijackThis as suggested by "Raven".

I will also do a TEST in "Safe Mode" and see whether there are any leftovers of the Hijacker.

Thanks once again "Raven" :D :D :D


Arsenal.
 