• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
a_fahmy

HIJACKED

10 posts in this topic

hey been hijacked after being infected by trojans that i removed using avast

 

can someone help me

 

 

here is my log file

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:31:08 ?, on 10/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\WINDOWS\System32\wnscptr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Documents and Settings\home\My Documents\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#22776

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#22776

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#22776

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#22776

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#22776

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\home\Application Data\msry\msry.dll

O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\home\Application Data\msry\apixh32.dll

O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\home\Application Data\msry\mfcqo.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [image] rundll32 C:\WINDOWS\javahd32.dll,Install

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [Csso] C:\Documents and Settings\home\Application Data\aaee.exe

O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscptr.exe

O4 - HKCU\..\Run: [Alarm Clock Reminders] C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\RunServices: [image] rundll32 C:\WINDOWS\javahd32.dll,Install

O4 - Startup: Aquarius Soft PC Alarm Clock Pro.lnk = C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSxdm158

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083838197449

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_cst.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7790.5139699074

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C66DAD27-A471-40BB-A9FB-64F1F74BA0A9}: NameServer = 213.131.65.20 213.131.66.246

 

 

 

i have a start up list too here it is:

 

StartupList report, 10/06/2004, 12:28:11 ?

StartupList version: 1.52

Started from : C:\Documents and Settings\home\My Documents\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\WINDOWS\System32\wnscptr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\home\My Documents\HijackThis.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\home\Start Menu\Programs\Startup]

Aquarius Soft PC Alarm Clock Pro.lnk = C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe

MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

ashMaiSv = C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

Image = rundll32 C:\WINDOWS\javahd32.dll,Install

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

Csso = C:\Documents and Settings\home\Application Data\aaee.exe

WNSI = C:\WINDOWS\System32\wnscptr.exe

Alarm Clock Reminders = C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup

MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

Image = rundll32 C:\WINDOWS\javahd32.dll,Install

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=

run=C:\windows\system32\yahooprogss.exe

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=Explorer.exe C:\windows\system32\yahooprogss.exe

SCRNSAVE.EXE=

drivers=

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\LIVING~1.SCR

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

. - C:\Documents and Settings\home\Application Data\msry\msry.dll - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B}

ShowSearch module - C:\Documents and Settings\home\Application Data\msry\apixh32.dll - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C}

(no name) - C:\Documents and Settings\home\Application Data\msry\mfcqo.dll - {FD9BC004-8331-4457-B830-4759FF704C22}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[{11111111-1111-1111-1111-111111111157}]

CODEBASE = ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[MSSecurityAdvisor Class]

InProcServer32 = C:\WINDOWS\System32\mssecadv.dll

CODEBASE = http://download.microsoft.com/download/0/5...b?1083838197449

 

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]

CODEBASE = http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

 

[{2119776A-F1AD-4FCD-9548-F1E1C615350C}]

CODEBASE = http://www.stop-sign.com/pub/download/stop-sign_cst.cab

 

[YInstStarter Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll

CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab

 

[EARTPatchX Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\EARTPX.dll

CODEBASE = http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

 

[PatchCtl Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\patchx.dll

CODEBASE = file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab

 

[MediaTicketsInstaller Control]

InProcServer32 = C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX

CODEBASE = http://www.mt-download.com/MediaTicketsInstaller.cab

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7790.5139699074

 

[{B9191F79-5613-4C76-AA2A-398534BB8999}]

CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

CODEBASE = http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

 

[CRegistryDownload Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\RegDload.dll

CODEBASE = http://download.paltalk.com/download/0.x/regdload.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

System: C:\WINDOWS\system32\system32.dll

 

--------------------------------------------------

End of report, 9,338 bytes

Report generated in 0.078 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

thanks

Share this post


Link to post
Share on other sites

Hi,

Uninstall via Add Remove the following:

MyWebSearch Email Plugin

MediaTickets

Stop-Sign

 

Download CWShredder v1.58.0

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Unzip and run (double-click) CWShredder.exe, click "Fix->"

 

Then reboot and then ...

 

Download: SpyBot-Search & Destroy 1.3

http://majorgeeks.com/download2471.html

 

Run a scan, "fix" everything marked in red and reboot.

 

After the above ...

 

Important!

Your system is severly out of date! (and one of the reasons you were hijacked!)

Visit Windows Update and install all the "Critical Updates"

http://v4.windowsupdate.microsoft.com/en/default.asp

 

After the above post a fresh log ...

Share this post


Link to post
Share on other sites

hi thanks, i think it worked . but first wanna say that:

 

i didn't find any program named stop sign or mywebsearch email plugin , ohh may be because i used spybot and cwshredder after i posted the above topic. there's a also a problem that in my program folders there is yahoo mail folder which can't be removed by add/remove and there's an icon saying yahoo messenger though i uninstalled it and i can't remove it because of "COULD NOT OPEN INSTALL.LOG:. anyway concerning hijacked i think it's over , here is my log file now :

 

 

Logfile of HijackThis v1.97.7

Scan saved at 06:00:05 ?, on 11/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\WINDOWS\System32\wnscptr.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\home\My Documents\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [Csso] C:\Documents and Settings\home\Application Data\aaee.exe

O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscptr.exe

O4 - HKCU\..\Run: [Alarm Clock Reminders] C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: Aquarius Soft PC Alarm Clock Pro.lnk = C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083838197449

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_cst.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7790.5139699074

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C66DAD27-A471-40BB-A9FB-64F1F74BA0A9}: NameServer = 213.131.65.20 213.131.66.246

 

 

here is my startup list if u needed :

 

StartupList report, 11/06/2004, 06:01:14 ?

StartupList version: 1.52

Started from : C:\Documents and Settings\home\My Documents\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\WINDOWS\System32\wnscptr.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\home\My Documents\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\home\Start Menu\Programs\Startup]

Aquarius Soft PC Alarm Clock Pro.lnk = C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

ashMaiSv = C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

Csso = C:\Documents and Settings\home\Application Data\aaee.exe

WNSI = C:\WINDOWS\System32\wnscptr.exe

Alarm Clock Reminders = C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=

run=C:\windows\system32\yahooprogss.exe

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=Explorer.exe C:\windows\system32\yahooprogss.exe

SCRNSAVE.EXE=

drivers=

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\LIVING~1.SCR

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[{11111111-1111-1111-1111-111111111157}]

CODEBASE = ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[MSSecurityAdvisor Class]

InProcServer32 = C:\WINDOWS\System32\mssecadv.dll

CODEBASE = http://download.microsoft.com/download/0/5...b?1083838197449

 

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]

CODEBASE = http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

 

[{2119776A-F1AD-4FCD-9548-F1E1C615350C}]

CODEBASE = http://www.stop-sign.com/pub/download/stop-sign_cst.cab

 

[YInstStarter Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll

CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab

 

[EARTPatchX Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\EARTPX.dll

CODEBASE = http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

 

[PatchCtl Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\patchx.dll

CODEBASE = file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab

 

[MediaTicketsInstaller Control]

InProcServer32 = C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX

CODEBASE = http://www.mt-download.com/MediaTicketsInstaller.cab

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7790.5139699074

 

[{B9191F79-5613-4C76-AA2A-398534BB8999}]

CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

CODEBASE = http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

 

[CRegistryDownload Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\RegDload.dll

CODEBASE = http://download.paltalk.com/download/0.x/regdload.cab

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\home\LOCALS~1\Temp\_iu14D2N.tmp||C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\home\LOCALS~1\Temp\GLB1A2B.EXE|||L

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

 

--------------------------------------------------

End of report, 8,958 bytes

Report generated in 0.046 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

 

i will install the critical updates now

many thanks

Share this post


Link to post
Share on other sites

Hi,

there is yahoo mail folder which can't be removed by add/remove

Delete the existing folder from Windows Explorer.

 

Next: Start | Run (type) regedit

Navigate to the following location:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

 

Expand the "+Uninstall" key, scroll down the list (left pane)

Locate "Yahoo Mail" or whatever is listed there?

Right-click the entry, select: Delete, Ok the prompt, and close Regedit.

 

As for your HijackThis log ...

 

First thing to do is ...

 

Reconfigure Windows Explorer to show Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

 

Click the "Apply to all Folders" button. Close Windows Explorer.

 

Next:

 

Close all open windows, except for HijackThis place a check in each of the following:

Then click "Fix checked".

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049

O4 - HKCU\..\Run: [Csso] C:\Documents and Settings\home\Application Data\aaee.exe

O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscptr.exe

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_cst.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

 

Then reboot, on restart, restart in Safe Mode (see "How To" below)

 

Run CWShredder click "Fix->" and then ...

 

Open Windows Explorer locate and delete the following:

 

C:\WINDOWS\System32\wnscptr.exe <--this file

C:\Documents and Settings\home\Application Data\aaee.exe <--this file

 

Restart normally, open SpyBot, update and rescan, then reboot.

 

After the above post a fresh log ...

 

Note: this concerns me a little (from your Startup list)

 

Shell=Explorer.exe C:\windows\system32\yahooprogss.exe

 

Is "yahooprogss.exe" some kind of screensaver? (looks like it)

Are you still using it?

Share this post


Link to post
Share on other sites

hi sorry didn't proceed yet with fixing the thing but i don't understand the the first line about deleting the folder?

 

what u mean explorer , u mean searching for it , ok i did -it';s not a folder by the way sorry , it's yet listed in the add/remove programs as a program??? i searched for its name and found files with that name in documents and settings directory?

 

i prefered not to proceed with the other things u told me untill i fix this first problem

 

oh by the way ,yes it is a screen saver and i think i deleted it today after i posted the last post and before u reply

 

thanks

Share this post


Link to post
Share on other sites

Hi,

there is yahoo mail folder which can't be removed by add/remove

Is there an actual folder for Yahoo Mail or is this an icon you see in Add Remove?

To remove the Add Remove entry (that can't be removed) then proceed with the above instructions for "Regedit".

i searched for its name and found files with that name in documents and settings directory?

I have no idea what files get installed with Yahoo Mail ... if you are not sure just leave them.

 

Then proceed with the HijackThis instructions.

Edited by WinHelp2002

Share this post


Link to post
Share on other sites

hi sorry didn't proceed yet with fixing the thing but i don't understand the the first line about deleting the folder?

 

what u mean explorer , u mean searching for it , ok i did -it';s not a folder by the way sorry , it's yet listed in the add/remove programs as a program

 

i used search for files and found files with this name but in documents and settings directory??

 

so what sould i do now about this first thing?

 

btw yes it is a a screensaver and i think i deleted it today after posting the last post and before u reply?

thanks anyway

 

can u help me???

Share this post


Link to post
Share on other sites

hi thanks guys , i think it's working but i still find the yahooprgss in my start up list , any way here r my log file and start up list:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 02:59:40 ?, on 12/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\home\My Documents\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [Alarm Clock Reminders] C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083838197449

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7790.5139699074

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C66DAD27-A471-40BB-A9FB-64F1F74BA0A9}: NameServer = 213.131.65.20 213.131.66.246

 

and the startup list:

 

StartupList report, 12/06/2004, 02:59:49 ?

StartupList version: 1.52

Started from : C:\Documents and Settings\home\My Documents\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\home\My Documents\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

ashMaiSv = C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

Alarm Clock Reminders = C:\Program Files\Lyttlesoft Alarm Clock Reminders\alarm clock reminders.exe /startup

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=

run=C:\windows\system32\yahooprogss.exe

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=Explorer.exe C:\windows\system32\yahooprogss.exe

SCRNSAVE.EXE=

drivers=

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\LIVING~1.SCR

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[MSSecurityAdvisor Class]

InProcServer32 = C:\WINDOWS\System32\mssecadv.dll

CODEBASE = http://download.microsoft.com/download/0/5...b?1083838197449

 

[YInstStarter Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll

CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab

 

[EARTPatchX Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\EARTPX.dll

CODEBASE = http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

 

[PatchCtl Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\patchx.dll

CODEBASE = file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7790.5139699074

 

[{B9191F79-5613-4C76-AA2A-398534BB8999}]

CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

CODEBASE = http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

 

[CRegistryDownload Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\RegDload.dll

CODEBASE = http://download.paltalk.com/download/0.x/regdload.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

 

--------------------------------------------------

End of report, 7,565 bytes

Report generated in 0.047 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

Share this post


Link to post
Share on other sites

Hi,

Your log looks clean now ... however

 

Important!

Your system is severly out of date!

Visit Windows Update and install all the "Critical Updates"

http://v4.windowsupdate.microsoft.com/en/default.asp

 

As for "yahooprogss.exe"

Start | Run (type) system.ini

 

Remove any reference to the above (if exists)

 

Start | Run (type) win.ini

 

Remove any reference to the above (if exists)

 

 

Start | Run (type) control.ini

 

Remove any reference to the above (if exists)

 

Start | Run (type) regedit

 

Click Edit > Find

Remove any reference to the above (if exists)

Note: press "F3" to continue searching until you see the "completed" message.

Close Regedit and reboot.

 

Other than that you are good to go ... :wave:

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0