here's my log - have i been hacked?

[deltuna]

hi please advise. when i go onto yahoo and click on my mail i get the following script below and it wont let me access my e-mail. also on the yahoo page it shows my name as martin and that i have 1 message. when i try and click on it it goes to the following script..
when i google search yahoo mail and click on it it taks me to MY inbox and lets me acces my e-mail but when i logout i get the following script again.
i am concerned whether smeone has hacked my pc and getting access to my files


<?PHP
ini_set('display_errors', 0);
$data = yahoo_reg_login_setup();

if ( $data === FALSE )
{
exit();
}
else if ( ! isset( $data['DISPLAY_FORM'] ) )
{
error_log( "yahoo_reg_login_setup didn't set the DISPLAY_FORM field" );
header( "Location: http://login.yahoo.com/");
exit();
}

$tstname = @$data['.testname'];
$src = @$data['.src'];
$partner = @$data['.partner'];
$intl = @$data['.intl'];

// This is a hack put in place so that persistancy files are
// picked from the regular html directory.
// yinst packaging didn't allow for the multiple links to be created
// with one single command.
if($tstname == "tst_pst") {
$tstname = "";
}

// Adding support for pkg using PHP
if((@$data['pkg'] != null) && (@$data['pkg'] != "" ))
{
$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${intl}_shrkwp";
$res=include("/home/y/share/pear/Yahoo/reg/logic/shrkwp.inc");
}

// Adding support for .partner via PHP
// If both .src and .partner are present, and .src=ym, then .src takes
// precedence, else .partner takes precedence. - Aanchal, Bug #368481
// Please note that if in future, a more complicated pprecednce has to
// be added, the priorityMap array from propTemplate.inc.ros and
// header.inc.ros should be used.
// Disabling the src=ym precedence over the partner user as ym is not
// converted in intls like ca and cf and users end up seeing the older
// login_verify page for ym. It is better if we show them the partner
// branding. - bug # 652617
//else if(($src != null) && ($src != "") && ($src == "ym"))
//{
//$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}";
//$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data['DISPLAY_FORM']}");
//}
else if(($partner != null) && ($partner != ""))
{
$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}/login/${data['DISPLAY_FORM']}");
}
else if(($src != null) && ($src != ""))
{
$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data['DISPLAY_FORM']}");
}
else
{
$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}/login/${data['DISPLAY_FORM']}");
}

// This check is put in place to avoid showing a blank login page
// when some test is set in common_login.conf and that test package is not
// installed on the machine.
// Ideally this should not happen. - Aanchal, Feb 3, 2005
// Bug # 305858
if($res != '1')
{
if(!is_dir($data['.abs_path'])){
// reset abs_path only if it didn't exist before
// a temp fix for ym logout issue
// Bug 1146959
$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${intl}";
}
include("/home/y/share/htdocs/idaho/php/${intl}/login/${data['DISPLAY_FORM']}");
}
?>



----------------------------------------------------------

hjt log

Logfile of HijackThis v1.99.1
Scan saved at 10:38:54, on 03/07/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AOL 9.0 VR\waol.exe
C:\Program Files\Common Files\AOL\1179923312\ee\aolsoftware.exe
C:\Program Files\AOL 9.0 VR\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Users\Claire\AppData\Local\Temp\wz0d59\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSD.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)



when running this log it came up with a couple of error reports...
1/ c:\windows\system32\drivers\etc\hosts.

2/ unexpected error occoured at procedure
error number 75

 

[khazars]

hi, welcome to TSG.


Do you have Vista as many tools are still incompatible with Vista?


Download the HostsXpert 3.7 - Hosts File Manager.

http://www.funkytoad.com/download/hoster.zip

* Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such
as C:\HostsXpert 3.7 - Hosts File Manager
* Run HostsXpert 3.7 - Hosts File Manager from its new home
* Click "Make Hosts Writable?" in the upper right corner (If available).
* Click Restore Original Hosts and then click OK.
* Click the X to exit the program.
* Note: If you were using a custom Hosts file you will need to replace
any of those entries yourself.



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.



R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

 

[deltuna]

hi there, yes i am using vista.. i will check off the ones you said on hijack.

i've done a little research and came accross this. does this help??

http://pooyak.com/blog/archives/000481.shtml

 

[khazars]

no, just carry on with the rest!

 

[deltuna]

hi i downloaded version 4 as it said 3.7 doesn't exist anymore. followed the steps you siad but it said ' cant create host c:\windows\system32\drivers\etc\hosts

thanks for your help

 

[khazars]

ho here and delete the hosts file and then go to the link below and download a new hosts file and put it back into the folder it was in!


c:\windows\system32\drivers\etc\hosts


get the hosts file from here.Unzip it to a folder!


http://www.mvps.org/winhelp2002/hosts.htm


put it into : or click the mvps bat and it should do it for you!


Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

 

[deltuna]

hi,
i've tried this but to no avail. when i sign out of yahoo i get this message
thanks

 

[khazars]

what message are you getting?

 

[khazars]

ok lets try running these tools!


download ccleaner

http://www.ccleaner.com/


* Install CCleaner
* Launch CCleaner and look in the upper right corner and click on the
"Options" button.
* Click "Advanced" and remove the check by "Only delete files in Windows
temp folders older than 48 hours".
* Click OK
* Do not run CCleaner yet. You will run it later in safe mode.

Note: If you are not instructed to boot to safe mode to run another
application, then just run ccleaner in normal mode!


Now run ccleaner.


go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set adaware to do a full system scan and deselect, "search for neglible risk
entries". Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.




Download Superantispyware (SAS):

http://www.superantispyware.com/supe....html?rid=3132


Once downloaded and installed update the defintions
and then run a full system scan quarantine what it finds!


* Double-click SUPERAntiSypware.exe and use the default settings for
installation.
* An icon will be created on your desktop. Double-click that icon to launch
the program.
* If asked to update the program definitions, click "Yes". If not, update
the definitions before scanning by selecting "Check for Updates". (If you
encounter any problems while downloading the updates, manually download and
unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all
others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your
computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your
computer.
* After the scan is complete, a Scan Summary box will appear with
potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete".
Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware
again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.


All tools can be downloaded at the link below and found on that page!

. SUPERAntiSpyware
. AdAware SE personal



http://www.majorgeeks.com/downloads31.html






Download AVG Anti-Spyware

http://www.ewido.net/en/


* Once you have downloaded AVG Anti-spyware, locate the icon on the desktop
and double-click it to launch the set up program.
* Once the setup is complete you will need run AVG and update the definition
files.
* On the main screen select the icon "Update" then select the "Update now"
link.
* Next select the "Start Update" button, the update will start and a
progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the
screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select
"Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"


Close AVG Anti-Spyware. Anti-spyware, Do NOT run a scan yet. We will do that
later in safe mode.





Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning
as it may interfere with the scanning process:
# Launch AVG Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on
"Complete System Scan".
# AVG will now begin the scanning process. Be patient this may take a little
time.
Once the scan is complete do the following:
# If you have any infections you will prompted, then select "Apply all
actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen
and save it to a text file on your system (make sure to remember where you
saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.





* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is
found,
click the yes button when it asks you if you want to cure it. This is only a
short scan.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
* Back at the main window, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the
files found: IPB Image
* If so, click it and then click the next icon right below and select Move
incurable as you'll see in next image:
IPB Image
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it
can't be cured. (this in case if we need samples)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose
save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will
be moved/deleted during reboot.


post another log, the avg, the super and the dr web log!