Stucked with Spywares.. Pls help

Status
Not open for further replies.
V

vickymustdie

Broken In
Hi Guys.....

Get stucked with my PC again....

I've cleared my entire system with ADAWARE and CCLEANER....

But when I surfing online ' i get lot of AD and everything goes wild pop up.

I can't see any other banners on any website except the Spyware banners that has effected on my machine.

Please help me... I'm really gone mad with my system...

Posting here the HIJACK THIS info
=========================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:46 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\System32\database.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
C:\Documents and Settings\Administrator\WINDOWS\system\winsystem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\EXF9D6.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\vicky\Desktop\TAble.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = *us.rd.yahoo.com/customize/ycomp/defaults/sb/**www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *us.rd.yahoo.com/customize/ycomp/defaults/sp/**www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = *www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = *us.rd.yahoo.com/customize/ycomp/defaults/su/**www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.65.166.4:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;97.*;*.relianceada.com;*.reliancecapital.*;vodimages.bigflicks.com, rental.bigflicks.com, kiosknew.bigflicks.com;<local>;*.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\System32\database.exe,
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Touchstone - {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
O4 - HKLM\..\Run: [winsystem] C:\Documents and Settings\Administrator\WINDOWS\system\winsystem.exe
O4 - HKLM\..\Run: [BM8bc837cc] Rundll32.exe "C:\WINDOWS\system32\vxqejdyn.dll",s
O4 - HKLM\..\Run: [88fb0450] rundll32.exe "C:\WINDOWS\system32\tyvagfag.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\vicky\Desktop\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\vicky\Desktop\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=*intranet.reliancecapital.co.in
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - *www.ipix.com/download/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RELIANCECAPITAL.COM
O17 - HKLM\Software\..\Telephony: DomainName = RELIANCECAPITAL.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{909DBE4F-B153-437C-AF95-155E9A733129}: NameServer = 10.65.166.2,202.138.96.2,202.138.100.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RELIANCECAPITAL.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RELIANCECAPITAL.COM
O23 - Service: Apache - Unknown owner - C:\PROGRA~1\EASYPH~1\Apache\apache.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySql - Unknown owner - C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 9212 bytes


=========================================================
 
dheeraj_kumar

dheeraj_kumar

Legen-wait for it-dary!
^^Google it. "HijackThis"
First, install nod32, spybot and run both.
Second, restart in safe mode, and do all these stuff...

C:\Program Files\System32\database.exe
delete
C:\Documents and Settings\Administrator\WINDOWS\system\winsystem.ex e
delete
C:\WINDOWS\TEMP\EXF9D6.EXE
delete
C:\Documents and Settings\vicky\Desktop\TAble.exe
dunno what this is, if it something you ran, leave it. else delete.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = *us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *securityresponse.symantec.com.../fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = *www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = *us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 10.65.166.4:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 10.*;97.*;*.relianceada.com;*.reliancecapital.*;vo dimages.bigflicks.com, rental.bigflicks.com, kiosknew.bigflicks.com;<local>;*.local

reset all these stuff. that means, navigate to those registry values, make the values blank.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Progr am Files\System32\database.exe,
delete the line, using start->run "msconfig" and then delete the files specified by the line too.

O4 - HKLM\..\Run: [winsystem] C:\Documents and Settings\Administrator\WINDOWS\system\winsystem.ex e
O4 - HKLM\..\Run: [BM8bc837cc] Rundll32.exe "C:\WINDOWS\system32\vxqejdyn.dll",s
O4 - HKLM\..\Run: [88fb0450] rundll32.exe "C:\WINDOWS\system32\tyvagfag.dll",b
delete the files, but dont delete rundll32.exe

O14 - IERESET.INF: START_PAGE_URL=*intranet.reliancecapital.co.in
change this if you didnt set this. not really necessary but you might want to do it.

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - *www.ipix.com/download/ipixx.cab
search for that thing within {} in registry, and delete

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RELIANCECAPITAL.COM
O17 - HKLM\Software\..\Telephony: DomainName = RELIANCECAPITAL.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{909DBE4F-B153-437C-AF95-155E9A733129}: NameServer = 10.65.166.2,202.138.96.2,202.138.100.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RELIANCECAPITAL.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RELIANCECAPITAL.COM
if you set these, fine, else, delete.

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
i dont like this... keep it if you like.
same for this too:
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
C:\Program Files\Kontiki\KService.exe
 
infra_red_dude

infra_red_dude

Wire muncher!
Suspicious items:

vickymustdie said:
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\Program Files\System32\database.exe
C:\Documents and Settings\Administrator\WINDOWS\system\winsystem.exe
C:\WINDOWS\TEMP\EXF9D6.EXE
C:\Documents and Settings\vicky\Desktop\TAble.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\System32\database.exe,
O4 - HKLM\..\Run: [winsystem] C:\Documents and Settings\Administrator\WINDOWS\system\winsystem.exe
O4 - HKLM\..\Run: [BM8bc837cc] Rundll32.exe "C:\WINDOWS\system32\vxqejdyn.dll",s
O4 - HKLM\..\Run: [88fb0450] rundll32.exe "C:\WINDOWS\system32\tyvagfag.dll",b
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
Click to expand...
 
J

JackyB

Right off the assembly line
hey
I'm using a couple of spyware programs that are both free
*www.spywareterminator.com/
*www.spybot.info/en/download/index.html
I use spywareterminator more often for a quick scan. When i first got it, it scanned my PC and found a lot of rubbish. Spybot is good, but i feel that it takes a lot of time to scan and slows my machine down a bit.

Hope you get rid of that spyware. I feel your pain
 
Status
Not open for further replies.
Top Bottom