Jump to content


Photo

HIJACKED


  • Please log in to reply
9 replies to this topic

#1 a_fahmy

a_fahmy

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 09 June 2004 - 04:33 PM

hey been hijacked after being infected by trojans that i removed using avast

can someone help me


here is my log file


Logfile of HijackThis v1.97.7
Scan saved at 12:31:08 ?, on 10/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\wnscptr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\home\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\home\Application Data\msry\msry.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\home\Application Data\msry\apixh32.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\home\Application Data\msry\mfcqo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\javahd32.dll,Install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Csso] C:\Documents and Settings\home\Application Data\aaee.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscptr.exe
O4 - HKCU\..\Run: [Alarm Clock Reminders] C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\javahd32.dll,Install
O4 - Startup: Aquarius Soft PC Alarm Clock Pro.lnk = C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSxdm158
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.bi....chm::/load.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1083838197449
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...op-sign_cst.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7790.5139699074
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C66DAD27-A471-40BB-A9FB-64F1F74BA0A9}: NameServer = 213.131.65.20 213.131.66.246



i have a start up list too here it is:

StartupList report, 10/06/2004, 12:28:11 ?
StartupList version: 1.52
Started from : C:\Documents and Settings\home\My Documents\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\wnscptr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\home\My Documents\HijackThis.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\home\Start Menu\Programs\Startup]
Aquarius Soft PC Alarm Clock Pro.lnk = C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe
MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
ashMaiSv = C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
Image = rundll32 C:\WINDOWS\javahd32.dll,Install

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
Csso = C:\Documents and Settings\home\Application Data\aaee.exe
WNSI = C:\WINDOWS\System32\wnscptr.exe
Alarm Clock Reminders = C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup
MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

Image = rundll32 C:\WINDOWS\javahd32.dll,Install

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\windows\system32\yahooprogss.exe

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe C:\windows\system32\yahooprogss.exe
SCRNSAVE.EXE=
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\LIVING~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
. - C:\Documents and Settings\home\Application Data\msry\msry.dll - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B}
ShowSearch module - C:\Documents and Settings\home\Application Data\msry\apixh32.dll - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C}
(no name) - C:\Documents and Settings\home\Application Data\msry\mfcqo.dll - {FD9BC004-8331-4457-B830-4759FF704C22}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{11111111-1111-1111-1111-111111111157}]
CODEBASE = ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.bi....chm::/load.exe

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.micr...b?1083838197449

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://ak.imgfarm.co...etup1.0.0.8.cab

[{2119776A-F1AD-4FCD-9548-F1E1C615350C}]
CODEBASE = http://www.stop-sign...op-sign_cst.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yaho...s/yinst0309.cab

[EARTPatchX Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EARTPX.dll
CODEBASE = http://files.ea.com/...h/v2/EARTPX.cab

[PatchCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\patchx.dll
CODEBASE = file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab

[MediaTicketsInstaller Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX
CODEBASE = http://www.mt-downlo...tsInstaller.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7790.5139699074

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.c...utocomplete.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
CODEBASE = http://us.dl1.yimg.c...ebio5_1_6_0.cab

[CRegistryDownload Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RegDload.dll
CODEBASE = http://download.palt....x/regdload.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
System: C:\WINDOWS\system32\system32.dll

--------------------------------------------------
End of report, 9,338 bytes
Report generated in 0.078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

thanks

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 09 June 2004 - 06:21 PM

Hi,
Uninstall via Add Remove the following:
MyWebSearch Email Plugin
MediaTickets
Stop-Sign

Download CWShredder v1.58.0
http://www.spywarein.../cwshredder.zip
Unzip and run (double-click) CWShredder.exe, click "Fix->"

Then reboot and then ...

Download: SpyBot-Search & Destroy 1.3
http://majorgeeks.co...wnload2471.html

Run a scan, "fix" everything marked in red and reboot.

After the above ...

Important!
Your system is severly out of date! (and one of the reasons you were hijacked!)
Visit Windows Update and install all the "Critical Updates"
http://v4.windowsupd.../en/default.asp

After the above post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 a_fahmy

a_fahmy

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 11 June 2004 - 10:02 AM

hi thanks, i think it worked . but first wanna say that:

i didn't find any program named stop sign or mywebsearch email plugin , ohh may be because i used spybot and cwshredder after i posted the above topic. there's a also a problem that in my program folders there is yahoo mail folder which can't be removed by add/remove and there's an icon saying yahoo messenger though i uninstalled it and i can't remove it because of "COULD NOT OPEN INSTALL.LOG:. anyway concerning hijacked i think it's over , here is my log file now :


Logfile of HijackThis v1.97.7
Scan saved at 06:00:05 ?, on 11/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\wnscptr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\home\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Csso] C:\Documents and Settings\home\Application Data\aaee.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscptr.exe
O4 - HKCU\..\Run: [Alarm Clock Reminders] C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Aquarius Soft PC Alarm Clock Pro.lnk = C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.bi....chm::/load.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1083838197449
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...op-sign_cst.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7790.5139699074
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C66DAD27-A471-40BB-A9FB-64F1F74BA0A9}: NameServer = 213.131.65.20 213.131.66.246


here is my startup list if u needed :

StartupList report, 11/06/2004, 06:01:14 ?
StartupList version: 1.52
Started from : C:\Documents and Settings\home\My Documents\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\wnscptr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\home\My Documents\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\home\Start Menu\Programs\Startup]
Aquarius Soft PC Alarm Clock Pro.lnk = C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
ashMaiSv = C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
Csso = C:\Documents and Settings\home\Application Data\aaee.exe
WNSI = C:\WINDOWS\System32\wnscptr.exe
Alarm Clock Reminders = C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\windows\system32\yahooprogss.exe

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe C:\windows\system32\yahooprogss.exe
SCRNSAVE.EXE=
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\LIVING~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{11111111-1111-1111-1111-111111111157}]
CODEBASE = ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.bi....chm::/load.exe

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.micr...b?1083838197449

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://ak.imgfarm.co...etup1.0.0.8.cab

[{2119776A-F1AD-4FCD-9548-F1E1C615350C}]
CODEBASE = http://www.stop-sign...op-sign_cst.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yaho...s/yinst0309.cab

[EARTPatchX Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EARTPX.dll
CODEBASE = http://files.ea.com/...h/v2/EARTPX.cab

[PatchCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\patchx.dll
CODEBASE = file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab

[MediaTicketsInstaller Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX
CODEBASE = http://www.mt-downlo...tsInstaller.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7790.5139699074

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.c...utocomplete.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
CODEBASE = http://us.dl1.yimg.c...ebio5_1_6_0.cab

[CRegistryDownload Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RegDload.dll
CODEBASE = http://download.palt....x/regdload.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\home\LOCALS~1\Temp\_iu14D2N.tmp||C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE|||L

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 8,958 bytes
Report generated in 0.046 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


i will install the critical updates now
many thanks

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 11 June 2004 - 11:05 AM

Hi,

there is yahoo mail folder which can't be removed by add/remove

Delete the existing folder from Windows Explorer.

Next: Start | Run (type) regedit
Navigate to the following location:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

Expand the "+Uninstall" key, scroll down the list (left pane)
Locate "Yahoo Mail" or whatever is listed there?
Right-click the entry, select: Delete, Ok the prompt, and close Regedit.

As for your HijackThis log ...

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows, except for HijackThis place a check in each of the following:
Then click "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O4 - HKCU\..\Run: [Csso] C:\Documents and Settings\home\Application Data\aaee.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscptr.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.bi....chm::/load.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...op-sign_cst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Run CWShredder click "Fix->" and then ...

Open Windows Explorer locate and delete the following:

C:\WINDOWS\System32\wnscptr.exe <--this file
C:\Documents and Settings\home\Application Data\aaee.exe <--this file

Restart normally, open SpyBot, update and rescan, then reboot.

After the above post a fresh log ...

Note: this concerns me a little (from your Startup list)

Shell=Explorer.exe C:\windows\system32\yahooprogss.exe

Is "yahooprogss.exe" some kind of screensaver? (looks like it)
Are you still using it?
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 a_fahmy

a_fahmy

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 11 June 2004 - 05:31 PM

hi sorry didn't proceed yet with fixing the thing but i don't understand the the first line about deleting the folder?

what u mean explorer , u mean searching for it , ok i did -it';s not a folder by the way sorry , it's yet listed in the add/remove programs as a program??? i searched for its name and found files with that name in documents and settings directory?

i prefered not to proceed with the other things u told me untill i fix this first problem

oh by the way ,yes it is a screen saver and i think i deleted it today after i posted the last post and before u reply

thanks

#6 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 11 June 2004 - 06:36 PM

Hi,

there is yahoo mail folder which can't be removed by add/remove

Is there an actual folder for Yahoo Mail or is this an icon you see in Add Remove?
To remove the Add Remove entry (that can't be removed) then proceed with the above instructions for "Regedit".

i searched for its name and found files with that name in documents and settings directory?

I have no idea what files get installed with Yahoo Mail ... if you are not sure just leave them.

Then proceed with the HijackThis instructions.

Edited by WinHelp2002, 11 June 2004 - 06:37 PM.

Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#7 a_fahmy

a_fahmy

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 11 June 2004 - 07:22 PM

hi sorry didn't proceed yet with fixing the thing but i don't understand the the first line about deleting the folder?

what u mean explorer , u mean searching for it , ok i did -it';s not a folder by the way sorry , it's yet listed in the add/remove programs as a program

i used search for files and found files with this name but in documents and settings directory??

so what sould i do now about this first thing?

btw yes it is a a screensaver and i think i deleted it today after posting the last post and before u reply?
thanks anyway

can u help me???

#8 a_fahmy

a_fahmy

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 12 June 2004 - 07:37 AM

hi thanks guys , i think it's working but i still find the yahooprgss in my start up list , any way here r my log file and start up list:


Logfile of HijackThis v1.97.7
Scan saved at 02:59:40 ?, on 12/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\home\My Documents\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Alarm Clock Reminders] C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1083838197449
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7790.5139699074
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C66DAD27-A471-40BB-A9FB-64F1F74BA0A9}: NameServer = 213.131.65.20 213.131.66.246

and the startup list:

StartupList report, 12/06/2004, 02:59:49 ?
StartupList version: 1.52
Started from : C:\Documents and Settings\home\My Documents\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\home\My Documents\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
ashMaiSv = C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
Alarm Clock Reminders = C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\windows\system32\yahooprogss.exe

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe C:\windows\system32\yahooprogss.exe
SCRNSAVE.EXE=
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\LIVING~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.micr...b?1083838197449

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yaho...s/yinst0309.cab

[EARTPatchX Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EARTPX.dll
CODEBASE = http://files.ea.com/...h/v2/EARTPX.cab

[PatchCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\patchx.dll
CODEBASE = file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7790.5139699074

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.c...utocomplete.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
CODEBASE = http://us.dl1.yimg.c...ebio5_1_6_0.cab

[CRegistryDownload Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RegDload.dll
CODEBASE = http://download.palt....x/regdload.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,565 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#9 a_fahmy

a_fahmy

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 12 June 2004 - 08:06 AM

ding dong

#10 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 12 June 2004 - 08:31 AM

Hi,
Your log looks clean now ... however

Important!
Your system is severly out of date!
Visit Windows Update and install all the "Critical Updates"
http://v4.windowsupd.../en/default.asp

As for "yahooprogss.exe"
Start | Run (type) system.ini

Remove any reference to the above (if exists)

Start | Run (type) win.ini

Remove any reference to the above (if exists)


Start | Run (type) control.ini

Remove any reference to the above (if exists)

Start | Run (type) regedit

Click Edit > Find
Remove any reference to the above (if exists)
Note: press "F3" to continue searching until you see the "completed" message.
Close Regedit and reboot.

Other than that you are good to go ... :wave:
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button