PDA

View Full Version : i need advice what to do next... here my hijack logs....



Cead
08-06-2006, 04:45 AM
Can anyone please help me what to do... I don't have any exprience on this kind of stuff about computer... >.< ... and i think this thing hijacked my homepage... advance thank you to anyone ^^

here is the logs from hijack...

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe
C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DIANEI~1\LOCALS~1\Temp\Rar$EX00.000\Hi jackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\RunOnce: [ws_uninst] C:\DOCUME~1\DIANEI~1\LOCALS~1\Temp\ws_uninst.exe -s
O4 - HKLM\..\RunOnce: [ea_cleanup] C:\DOCUME~1\DIANEI~1\LOCALS~1\Temp\ea_cleanup.exe /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ChikkaIM] C:\PROGRA~1\Chikka\Chikka.exe
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

kjaada
08-06-2006, 08:26 AM
You have at least 2 baddies but better wait for someone more experianced like
Speedy to tell you how to get rid of them.

FoxyMX
08-06-2006, 10:09 AM
You need to post the entire log and HijackThis needs to be in its own folder on the hard drive first, not in the temporary files folder.

Please try again.

SurferJoe46
08-06-2006, 11:09 AM
By the "entire log" referenced to above, include the header from HJT with the system info.

I know, it's confusing...wot?

kjaada
08-06-2006, 12:09 PM
Cm on Foxy tell us what you mean by entire log.At least 2 very nasty things are listed and more are suspect.

FoxyMX
08-06-2006, 12:51 PM
Cm on Foxy tell us what you mean by entire log.
I meant exactly what I said - post the entire log. The bits missing look like this:


Logfile of HijackThis v1.99.1
Scan saved at 15:36:59, on 27/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

kjaada
08-06-2006, 02:03 PM
It does not look as if Speedy is about so I will tell you and hope no one takes offence:
02 BHO Nothing.................
and
04HKLM..\run [alcmtr].ALCMTR.exe
are baddies
In the mean time if you tick them then click fix you may solve the problem
until your next boot but if you like to hold on then someone may tell you about
other not so bad thingos and give you advice on solutions.

Pancake
08-06-2006, 02:15 PM
Hi Cead

We need to kill this infection :
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100


Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter


This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive.This log you can close

Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.


Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.


The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually..

The tool will create a second log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with your next reply.


Download the trial version of Ewido Security Suite (http://www.ewido.net/en/download/)

When installing, under "Additional Options" uncheck "Install Background Guard" and "Install scan via context menu".

Launch Ewido Security Suite (there should be an icon on your desktop doubleclick it). The program will now go to the main screen. You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net/en/download/updates/. Do not run a scan yet.

When you have done this, boot into Safe Mode (restart your PC and keep tapping F8 while it restarts).

Run Ewido Security Suite now. Click on Scanner and click Complete System Scan and the scan will begin. During the scan it will prompt you to clean files, click OK. When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido Security Suite.Please post its log here along with rapport.txt and a new HJT log.

kjaada
08-06-2006, 02:54 PM
Thank goodness someone can help.

Cead
08-06-2006, 03:52 PM
thank you very much pancake....

here the rapport... i did the clean twice... so i think the rapport get replace... but the first rapport i read it and it say sumthing like this "C:\WINDOWS\System32 deleted" n there were like 4-5 of em...

SmitFraudFix v2.55

Scan done at 22:11:00.89, Wed 06/07/2006
Run from C:\Documents and Settings\Diane Ignacio\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

here is my new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 10:39:18 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\Diane Ignacio\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ChikkaIM] C:\PROGRA~1\Chikka\Chikka.exe
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

also pancake... i used the spynomore to scan my computer just in case... it say that i have trojan, adware, search hijacker, spyware, and tracking cookie... i just want to know if this is any risk to my comp... thank you again pancake your the best.

oh by the way, it took me like 10 tries to get to safe mode >.< .... XD

Cead
08-06-2006, 03:54 PM
ohhhhh almost forgot.... I HAVE MY HOMEPAGE AGAIN ON MY EXPLORER.... WHHEEEEEEEEEEEEEEE....... ^^

SurferJoe46
08-06-2006, 04:15 PM
.......something I spotted and googled:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Realtek AC97 Audio - Event Monitor. "Sypware" file used surreptitiously monitor ones actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers.

.and some debate about whether you should remove it....but I hate things that spy on my activities.....

Reports your surfing habits to RealTek. Sneaky one.




.......and there's some debate on this next one:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

Part of windows boot..may be blocking your internet if so just kill it no real threat.........

...and another rating on it:

Dodgy entry, not part of windows, remove it!

I personally would listen to Eddie (pancake)...he's 'way up there with guys like Speedy. Anybody can Google something and get returns about things like this as I did, but those guys are really sharp.

Pancake
08-06-2006, 04:43 PM
Run HJT and fix this item and delete the (red) file and you should be good to go..

R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


C:\WINDOWS\system32\ALCMTR.EXE



Reboot, run a full scan here with Ewido (http://www.cyberanswers.org/runtest.php) and that will clean out the cookies for you.

Cead
08-06-2006, 05:54 PM
how do i fix them...? do i just click on FIX CHECKED on the hijackthis...? cuz that what i did for the R3 n 04 you said... and also how to do i delete?

Pancake should i fix the one sufer suggested?

Pancake
08-06-2006, 06:06 PM
Sorry I should have explained better.....


Leave this one...if the file is deleted you will have big problems...
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Open Windows Explorer and delete the following highlighted file/s

C:\WINDOWS\system32\ALCMTR.EXE

Cead
09-06-2006, 12:27 AM
ummm... i'm having a problem try to find this one C:\WINDOWS\system32\ALCMTR.EXE... and this might be a stupid question but how to do you open the window explorer..?

so sorry to trouble you alot ... i really appreciated you helping me. ^^

Cead
09-06-2006, 12:32 AM
ohh almost forgot to show my next hijackthis log so here it is....

Logfile of HijackThis v1.99.1
Scan saved at 7:27:36 AM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Chikka\Chikka.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\Chikka\BnrRepo2.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Diane Ignacio\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ChikkaIM] C:\PROGRA~1\Chikka\Chikka.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

thank you again...

Pancake
09-06-2006, 01:06 AM
Hi
Your log is good,the infection gone.

To open Explorer right click Start and go to Explore in the drop menu

Pancake
09-06-2006, 01:09 AM
Just as a bit more info for you....

It is very important not only to keep Sun Java up to date but also to remove older versions which have security holes and can be exploited by malware such as Vundo .

Please follow the steps to remove older version Java components
1. Close any open programs you may have running, especially your web
browser
2. Click Start > Control Panel
* Depending on your OS or configuration, you may have to click Start
> Settings > Control Panel
3. Open Add or Remove Programs
* If you have Windows 98 or Windows 2000, open Add/Remove Programs
4. Click once on any item listing Java Runtime Environment in the name
* Not every version of Java will begin with "Java" so be sure to read each entry in the list
5. Click the Remove or Change/Remove button
6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java. ** If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the removals.
7. Next, navigate to and delete:C:\Program Files\Java <<<<<<this folder if found
8. Reboot your PC once all Java components have been removed.
9. Proceed with reinstalling Java by going to This site (http://www.java.com/en/download/index.jsp) and downloading the latest version ( Version 5.0 Update 7 ) from the website.
Save it, do not run it.

When the download is complete, close the browser and install it.

Cead
09-06-2006, 02:11 AM
thank you sooo much pancake... you save my COMPUTER thank you again... i cant seem to find anything with Java, all i can see is windows xp... is that bad?

And this i keep wondering about this question.... how do you know if your computer is free of infection or viruses or any keylogger? cuz for the last few days i havent logged on to any of personal accounts...

Pancake
09-06-2006, 02:44 AM
I can see that you have jave 1.5.0 from this log entry but it should be ok and maybe just update some time later.

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll



how do you know if your computer is free of infection or viruses or any keylogger?

You can not always tell but the best indication if a real slow down of the computer on the net.Here are a few things that may help....

If you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure..

If you have not already done so, you might want to run Disk Cleanup and run it in each user's profile:

Run Disk Cleanup
Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
Please make sure the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.


Now that you are clean its now is a good time to flush out your restored files.

To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

How Do I Protect My Computer Against Future Malware Now I'm Clean.

NOTE:You may have already taken some of these steps.

Update your anti-virus software & Windows operating system on a daily or weekly basis. Microsoft also distributes updates to its operating systems. These updates fix security holes or other problems that make a computer susceptible to security breaches. How to update your Windows operating system (http://www.windowsupdate.com/)

Know What You're Installing
Check the source.
To avoid malware, make sure your software comes from a reputable source. Be particularly suspicious of sponsored software (software that relies on advertising) or software that claims to speed up your Internet connection.

Use Custom Install.
If you feel comfortable with software installation, you can choose Custom Install (as opposed to Typical Install). Custom Install allows you to select only the software components you wish to install, and leave out others (such as potential spyware).

Modify Security Settings (Internet Explorer 6)
To reduce the risk of installing malware, you can set Internet Explorer to high security mode. To do so:

Open Internet Explorer. Go to Tools > Internet Options….
On the Internet Options screen, select the Security tab, then select the Internet icon (if it is not already selected).
Under Security level for this zone, click Default Level. Set the slider to High.
Note: You may have to lower the security level to view certain Web sites.
Next, select the Trusted Sites icon. Under Security level for this zone, click Default Level. Set the slider to Medium.
Click Apply, then OK to save the changes.

Some Recommended Protection Programs

Each tool has its own strengths for identifying and removing specific types of malware. To thoroughly check your computer, its recommend that you use more than one malware removal program. Don't forget to back up your data files before starting a scan!

Some available programs are:

Ad-Aware (http://www.lavasoft.com/)
SpyBot Search & Destroy (http://www.safer-networking.org/en/index.html)

Now that you are clean, to help protect your system I recommend that you get the following free programs:
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing.
SpywareGuard (http://www.javacoolsoftware.com/spywareguard.html) to catch and block spyware .
IESpy-Ad (http://www.aumha.org/secure.htm)to block access to malicious websites so you cannot be redirected to them from an infected site or email.
WinPatrol (http://www.winpatrol.com/) to monitor any changes that programs make to the registry.

If you do not have a firewall, here is a free one for personal use:

ZoneAlarm (http://www.zonelabs.com/)
http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads
http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?dc=12bms&ctry=US&lang=en&lid=ho_za



Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link:

http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs:

http://www.spywarewarrior.com/asw-test-guide.htm


Here is a helpful article:
"So how did I get infected in the first place?"
http://computercops.biz/postlite7736-.html

Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!

Cead
09-06-2006, 06:24 AM
Thank you again and for the advices n guidance on how to prevent any future infection... i downloaded the program you suggested n they are all active ^^... oh yeah i totally forgot to go on admin when i turn off the launch system restore... is that bad if i didn't go on admin but it turned off tho...

And also, i had my comp check again this time it by trend micro or sumthing... i was surprise how many file are still infect and i think it clean it too ... OMG, will this thing ever end ='( ... i guess i'll this computer scanned ever week now, just in case ^^

So pancake is my computer ok for me to log in to any of my personals accounts?

P.S. PANCAKE YOUR THE BEST WHEEEEEEEEEEEEEEEE..... ';...;'

WHO EVER READ THIS THREAD I RECOMMAND PANCAKE TO HELP YOU!!! HE HELPED THIS NEWBIE ON HOW TO FIX INFECTED COMPUTER!!! OMG I HOPE THERE IS MORE LIKE THIS GUYS!!! AKA: PANCAKE, MY NICKNAME FOR HIM: AWESOME!!!

I guess I over did it on thank you ^^

Pancake
09-06-2006, 01:05 PM
is that bad if i didn't go on admin but it turned off tho...

No that will be fine.Thats no problem.

You are now free to leave.... :D