home page changes to http://195.95.218.172/index.php

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

patelkumar

Thread Starter
Joined
Jul 5, 2005
Messages
16
Please help!

I have been getting this problem for 3 days and it's causing a pain in my a**. Whenever I open Internet Explorer the home page resets to http://195.95.218.172/index.php and CoolWebSearch.


HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10:13:44 PM, on 7/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\scheduler.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\Njekmn32.exe
C:\WINDOWS\msmsgrxp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Kumar\Desktop\wokdofoh\castlecop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
F2 - REG:system.ini: Shell=Explorer.exe green.exe
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
O1 - Hosts: 127.0.0.3 sp2****ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.3 topcash.biz
O1 - Hosts: 127.0.0.3 www.topcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 txiframe.biz
O1 - Hosts: 127.0.0.3 www.txiframe.biz
O1 - Hosts: 127.0.0.3 procounter.biz
O1 - Hosts: 127.0.0.3 www.procounter.biz
O1 - Hosts: 127.0.0.3 advadmin.biz
O1 - Hosts: 127.0.0.3 www.advadmin.biz
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Service Scheduler] scheduler.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitejzz32.exe
O4 - HKLM\..\RunServices: [Service Scheduler] scheduler.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: iexplore - 0\FOf.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: FCEEBFJD - {03F94F3C-5C3B-6199-2259-2BBC321C6714} - C:\WINDOWS\System32\Ecanhc32.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Service Scheduler - Unknown owner - C:\WINDOWS\System32\scheduler.exe" -service (file missing)
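To make the log above easier to read, here is an added example (my own code, not from the thread, from HijackThis or from Tech Support Guy) that runs a few simple triage rules over HJT entries: browser start/search pages pointing at a bare IP, a `Shell=` line that launches something besides Explorer, hosts-file entries that sinkhole names to a loopback variant such as 127.0.0.3, autoruns with no full path, Trusted Zone additions, per-interface DNS servers, Winlogon Notify and SSODL packages, and services with an unknown owner or missing binary. The severity labels and the rules are my own assumptions, not vendor verdicts; the sample lines are copied from the log posted above.

```python
"""Rule-based triage of HijackThis (HJT) log entries.

Added example; not part of the thread. Severity labels and rules are the
example author's own heuristics, not HijackThis or any vendor's verdicts.
"""
import ipaddress
import re

# Constructed sample: entries copied from the first log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
F2 - REG:system.ini: Shell=Explorer.exe green.exe
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Service Scheduler] scheduler.exe
O15 - Trusted Zone: www.archiviosex.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{17522099-B704-4072-B8F7-E9287B5679A1}: NameServer = 202.56.230.5 202.56.240.5
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: iexplore - 0\FOf.dll (file missing)
O21 - SSODL: FCEEBFJD - {03F94F3C-5C3B-6199-2259-2BBC321C6714} - C:\WINDOWS\System32\Ecanhc32.dll
O23 - Service: Service Scheduler - Unknown owner - C:\WINDOWS\System32\scheduler.exe" -service (file missing)
"""

# Every HJT entry starts with a section code such as R0, F2, O4, O20.
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def host_of(url: str) -> str:
    """Return the host part of an http(s) URL, or '' if it is not one."""
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else ""


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def triage_line(line: str):
    """Return (severity, reason) for one HJT line, or None if nothing to say."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    missing = body.endswith("(file missing)")
    if kind in ("R0", "R1"):
        value = body.split(" = ", 1)[-1]
        if is_ip(host_of(value)):
            return ("high", f"browser page/search URL points at a bare IP: {value}")
        if value not in ("about:blank", "about blank"):
            return ("review", f"browser page/search URL set to {value}")
    elif kind == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return ("high", f"system.ini Shell= launches an extra program: {shell}")
    elif kind == "O1":
        addr, name = body.split(":", 1)[1].split()[:2]
        # Qhost-style hijacks park names on 127.0.0.x other than .1 so the
        # request fails quietly; a real localhost mapping uses 127.0.0.1.
        if is_ip(addr) and addr != "127.0.0.1" and ipaddress.ip_address(addr) in LOOPBACK:
            return ("high", f"hosts file sinkholes {name} to loopback variant {addr}")
        return ("review", f"hosts file overrides {name} -> {addr}")
    elif kind == "O4":
        cmd = body.split("] ", 1)[-1]
        if "\\" not in cmd:  # bare filename: resolved through the search path
            return ("review", f"autorun '{cmd}' has no full path")
    elif kind == "O15":
        return ("medium", f"site added to IE Trusted Zone: {body.split(': ', 1)[-1]}")
    elif kind == "O17":
        servers = body.split("NameServer = ", 1)[-1].split()
        return ("review", f"per-interface DNS servers {' '.join(servers)}; confirm they are the ISP's")
    elif kind == "O20":
        return ("high" if missing else "medium", f"Winlogon Notify package: {body.split(': ', 1)[-1]}")
    elif kind == "O21":
        return ("medium", f"ShellServiceObjectDelayLoad entry: {body.split(': ', 1)[-1]}")
    elif kind == "O23" and ("Unknown owner" in body or missing):
        return ("medium", f"service with unknown owner/missing binary: {body.split(': ', 1)[-1]}")
    return None


def triage(log_text: str):
    """Triage every line; returns a list of (severity, reason, original line)."""
    out = []
    for line in log_text.splitlines():
        res = triage_line(line)
        if res:
            out.append((res[0], res[1], line.strip()))
    return out


if __name__ == "__main__":
    for sev, why, _ in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {why}")
```

Run against the sample it reports eleven findings, four of them high: the IP-literal start page, the extra program on the `Shell=` line, the 127.0.0.3 hosts sinkhole, and the Winlogon Notify entry whose DLL is missing. The rules only point at structural oddities; deciding what is actually malicious still needs the scanner reports that appear later in the thread.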
 
RockmanX34

Joined
Jul 1, 2005
Messages
43
1. Download Spybot - Search and Destroy, update it, go to Mode -> Advanced Mode -> Tools, check everything and run a scan.
http://www.safer-networking.org/en/download/index.html

2. Download Ad-Aware SE, update it and run a FULL system scan.
http://www.lavasoftusa.com/software/adaware/

3. Download Microsoft Anti-Spyware Beta, update it, and again run a FULL system scan.
http://www.microsoft.com/downloads/...A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

4. Download Spywareblaster, and update it.
http://www.javacoolsoftware.com/spywareblaster.html

5. Post another HJT log.
 

patelkumar

Thread Starter
Joined
Jul 5, 2005
Messages
16
new log file

Logfile of HijackThis v1.99.1
Scan saved at 2:31:20 PM, on 7/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\scheduler.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\msmsgrxp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\WINDOWS\System32\Njekmn32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kumar\Desktop\softwares\wokdofoh\castlecop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about blank
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Service Scheduler] scheduler.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Service Scheduler] scheduler.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{17522099-B704-4072-B8F7-E9287B5679A1}: NameServer = 202.56.230.5 202.56.240.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{17522099-B704-4072-B8F7-E9287B5679A1}: NameServer = 202.56.230.5 202.56.240.5
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: iexplore - 0\FOf.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: FCEEBFJD - {03F94F3C-5C3B-6199-2259-2BBC321C6714} - C:\WINDOWS\System32\Ecanhc32.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Service Scheduler - Unknown owner - C:\WINDOWS\System32\scheduler.exe" -service (file missing)
 
RockmanX34

Joined
Jul 1, 2005
Messages
43
Now run HJT, and delete these:

O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz

O20 - Winlogon Notify: iexplore - 0\FOf.dll (file missing)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

O4 - HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

There's probably more, but I'm not experienced enough to know them.
 

patelkumar

Thread Starter
Joined
Jul 5, 2005
Messages
16
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll is not going; it's coming up again and again. Awaiting your views?

New log:
Logfile of HijackThis v1.99.1
Scan saved at 11:30:27 AM, on 7/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\scheduler.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\WINDOWS\System32\Njekmn32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mshearts.exe
C:\Documents and Settings\Kumar\Desktop\softwares\wokdofoh\castlecop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about blank
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Service Scheduler] scheduler.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Service Scheduler] scheduler.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{17522099-B704-4072-B8F7-E9287B5679A1}: NameServer = 202.56.230.5 202.56.240.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{17522099-B704-4072-B8F7-E9287B5679A1}: NameServer = 202.56.230.5 202.56.240.5
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: FCEEBFJD - {03F94F3C-5C3B-6199-2259-2BBC321C6714} - C:\WINDOWS\System32\Ecanhc32.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Service Scheduler - Unknown owner - C:\WINDOWS\System32\scheduler.exe" -service (file missing)
 
RockmanX34

Joined
Jul 1, 2005
Messages
43
Now get rid of these:

O23 - Service: Service Scheduler - Unknown owner - C:\WINDOWS\System32\scheduler.exe" -service (file missing)

O17 - HKLM\System\CS1\Services\Tcpip\..\{17522099-B704-4072-B8F7-E9287B5679A1}: NameServer = 202.56.230.5 202.56.240.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{17522099-B704-4072-B8F7-E9287B5679A1}: NameServer = 202.56.230.5 202.56.240.5

O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about blank
 

patelkumar

Thread Starter
Joined
Jul 5, 2005
Messages
16
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll is not going; it's coming up again and again. Awaiting your views?

New log:
Logfile of HijackThis v1.99.1
Scan saved at 2:48:46 PM, on 7/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\Njekmn32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Kumar\Desktop\softwares\wokdofoh\castlecop\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Service Scheduler] scheduler.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Service Scheduler] scheduler.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: FCEEBFJD - {03F94F3C-5C3B-6199-2259-2BBC321C6714} - C:\WINDOWS\System32\Ecanhc32.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
 
RockmanX34

Joined
Jul 1, 2005
Messages
43
"O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll is not going; it's coming up again and again. Awaiting your views?"

It's most likely gone.

Now 1 more step, and you're good.

Download CCleaner from here:
http://www.ccleaner.com/ccdownload.asp

After installation, go to Run Cleaner, then go down to Issues, then Scan for Issues, and fix everything.
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,569
It's not "most likely gone" if it's still showing in the log. RockmanX34, please leave the HijackThis logs to the experts.


Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.

Click here for info on how to boot to safe mode if you don't already know how.


Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


Restart your computer into safe mode now. Perform the following steps in safe mode:


* Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop.

Start CCleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Restart back into Windows normally now.

Please do a Panda Active Scan. Be sure to save the log it creates.


Come back here and post a new HijackThis log, as well as the logs from the Ewido and Panda scans.
 
RockmanX34

Joined
Jul 1, 2005
Messages
43
"It's not "most likely gone" if it's still showing in the log."

He just said it's not coming back in the log.
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,569
I think you misread what patelkumar said.
 

patelkumar

Thread Starter
Joined
Jul 5, 2005
Messages
16
New Log

Logfile of HijackThis v1.99.1
Scan saved at 12:53:00 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\mszx23.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kumar\Desktop\softwares\wokdofoh\castlecop\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Service Scheduler] scheduler.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Service Scheduler] scheduler.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{17522099-B704-4072-B8F7-E9287B5679A1}: NameServer = 202.56.230.5 202.56.240.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{17522099-B704-4072-B8F7-E9287B5679A1}: NameServer = 202.56.230.5 202.56.240.5
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: FCEEBFJD - {03F94F3C-5C3B-6199-2259-2BBC321C6714} - C:\WINDOWS\System32\Ecanhc32.dll (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
 

patelkumar

Thread Starter
Joined
Jul 5, 2005
Messages
16
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:40:00 PM, 7/10/2005
+ Report-Checksum: 4535E234

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{FF8DA190-3574-11D4-8068-0060082AE372} -> Spyware.BingoFun : Cleaned with backup
C:\Documents and Settings\Kumar\Local Settings\Temp\msldf.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Kumar\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\Kumar\Local Settings\Temp\xwxload.exe -> TrojanDownloader.Small.Fo : Cleaned with backup
C:\loader.exe -> TrojanDownloader.Small.bas : Cleaned with backup
C:\WINDOWS\msmsgrxp.exe -> TrojanDownloader.Small.ahg : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\012ZWXU7\istdownload[1].exe -> TrojanDownloader.IstBar.ju : Cleaned with backup
C:\WINDOWS\system32\cz.dll -> Backdoor.Haxdoor.cn : Cleaned with backup
C:\WINDOWS\system32\Djmdpbpj.dll -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\drct16.dll -> Backdoor.Haxdoor.cn : Error during cleaning
C:\WINDOWS\system32\Ecanhc32.dll -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\hz.sys -> Backdoor.Haxdoor : Cleaned with backup
C:\WINDOWS\system32\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\WINDOWS\system32\mszx23.exe -> Backdoor.Haxdoor.cn : Error during cleaning
C:\WINDOWS\system32\scheduler.exe -> Backdoor.Agobot : Cleaned with backup
C:\WINDOWS\system32\vdmt16.sys -> Backdoor.Haxdoor : Cleaned with backup


::Report End
 

patelkumar

Thread Starter
Joined
Jul 5, 2005
Messages
16
Incident Status Location

Virus:Bck/Haxdoor.AW Disinfected Operating system
Adware:Adware/ISearch No disinfected C:\WINDOWS\tool2.exe
Adware:Adware/EliteBar No disinfected Windows Registry
Virus:Bck/Haxdoor.AW Disinfected Operating system
Virus:Trj/Qukart.I Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\27F2D566-BFF7-4783-8CB2-F0288D\BFE7F17B-5A8D-4D48-A08A-49672E
Virus:Trj/Qhost.Q Disinfected C:\WINDOWS\hosts
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxxx[1]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxxx[2]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxxx[3]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxxx[5]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxxx[6]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxx[1]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxx[2]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxx[3]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxx[4]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxx[5]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxx[6]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxx[7]
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABKLAB\xxxxxxxxx[9]
Virus:Bck/Haxdoor.AW Disinfected C:\WINDOWS\system32\drct16.dll
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Qhost.Q Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050703-235516.backup
Virus:Trj/Qhost.Q Disinfected C:\WINDOWS\system32\drivers\etc\hosts.bak
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\fsb.exe
Virus:Trj/Clicker.GX Disinfected C:\WINDOWS\system32\green.exe
Virus:Bck/Haxdoor.CF Disinfected C:\WINDOWS\system32\mszx23.exe
Virus:Bck/Webber.BG Disinfected C:\WINDOWS\system32\Nedbhcld.exe
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\system32\Njekmn32.exe
Adware:Adware/SpywareNo No disinfected C:\WINDOWS\tool2.exe
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,569
Click here to download CWShredder.

Close all browser windows, open cwshredder.exe then click Fix and let it run.

Then restart your computer.

Click Here and download Killbox and save it to your desktop but don’t run it yet.



Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


O4 - HKLM\..\RunServices: [Service Scheduler] scheduler.exe

O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe

O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

O21 - SSODL: FCEEBFJD - {03F94F3C-5C3B-6199-2259-2BBC321C6714} - C:\WINDOWS\System32\Ecanhc32.dll (file missing)


Then boot to safe mode:


How to restart to safe mode


Now configure your computer to show all hidden files and folders like so:

Go to Start - Search and under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders."

Next, click on My Computer, Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders." Click "Apply" and then "OK."


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.


C:\WINDOWS\System32\mszx23.exe

C:\WINDOWS\tool2.exe

C:\WINDOWS\SYSTEM32\drct16.dll

C:\WINDOWS\System32\Ecanhc32.dll

C:\WINDOWS\System32\scheduler.exe


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

Reboot and post another log please.
 