
here's my log - have i been hacked?

Discussion in 'Virus & Other Malware Removal' started by deltuna, Jul 3, 2007.

Thread Status:
Not open for further replies.
  1. deltuna

    deltuna Thread Starter

    Joined:
    Jan 15, 2007
    Messages:
    15
    Hi, please advise. When I go onto Yahoo and click on my mail I get the following script below and it won't let me access my e-mail. Also, on the Yahoo page it shows my name as Martin and that I have 1 message. When I try and click on it, it goes to the following script.
    When I Google search Yahoo Mail and click on it, it takes me to MY inbox and lets me access my e-mail, but when I log out I get the following script again.
    I am concerned whether someone has hacked my PC and is getting access to my files.


    <?PHP
    ini_set('display_errors', 0);
    $data = yahoo_reg_login_setup();

    if ( $data === FALSE )
    {
    exit();
    }
    else if ( ! isset( $data['DISPLAY_FORM'] ) )
    {
    error_log( "yahoo_reg_login_setup didn't set the DISPLAY_FORM field" );
    header( "Location: http://login.yahoo.com/");
    exit();
    }

    $tstname = @$data['.testname'];
    $src = @$data['.src'];
    $partner = @$data['.partner'];
    $intl = @$data['.intl'];

    // This is a hack put in place so that persistence files are
    // picked from the regular html directory.
    // yinst packaging didn't allow for the multiple links to be created
    // with one single command.
    if($tstname == "tst_pst") {
    $tstname = "";
    }

    // Adding support for pkg using PHP
    if((@$data['pkg'] != null) && (@$data['pkg'] != "" ))
    {
    $data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${intl}_shrkwp";
    $res=include("/home/y/share/pear/Yahoo/reg/logic/shrkwp.inc");
    }

    // Adding support for .partner via PHP
    // If both .src and .partner are present, and .src=ym, then .src takes
    // precedence, else .partner takes precedence. - Aanchal, Bug #368481
    // Please note that if in future, a more complicated precedence has to
    // be added, the priorityMap array from propTemplate.inc.ros and
    // header.inc.ros should be used.
    // Disabling the src=ym precedence over the partner user as ym is not
    // converted in intls like ca and cf and users end up seeing the older
    // login_verify page for ym. It is better if we show them the partner
    // branding. - bug # 652617
    //else if(($src != null) && ($src != "") && ($src == "ym"))
    //{
    //$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}";
    //$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data['DISPLAY_FORM']}");
    //}
    else if(($partner != null) && ($partner != ""))
    {
    $data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}";
    $res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}/login/${data['DISPLAY_FORM']}");
    }
    else if(($src != null) && ($src != ""))
    {
    $data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}";
    $res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data['DISPLAY_FORM']}");
    }
    else
    {
    $data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}";
    $res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}/login/${data['DISPLAY_FORM']}");
    }

    // This check is put in place to avoid showing a blank login page
    // when some test is set in common_login.conf and that test package is not
    // installed on the machine.
    // Ideally this should not happen. - Aanchal, Feb 3, 2005
    // Bug # 305858
    if($res != '1')
    {
    if(!is_dir($data['.abs_path'])){
    // reset abs_path only if it didn't exist before
    // a temp fix for ym logout issue
    // Bug 1146959
    $data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${intl}";
    }
    include("/home/y/share/htdocs/idaho/php/${intl}/login/${data['DISPLAY_FORM']}");
    }
    ?>



    ----------------------------------------------------------

    HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 10:38:54, on 03/07/2007
    Platform: Unknown Windows (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Launch Manager\LaunchAp.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\Launch Manager\OSD.exe
    C:\Program Files\Launch Manager\WButton.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\AOL 9.0 VR\waol.exe
    C:\Program Files\Common Files\AOL\1179923312\ee\aolsoftware.exe
    C:\Program Files\AOL 9.0 VR\shellmon.exe
    C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Users\Claire\AppData\Local\Temp\wz0d59\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
    O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
    O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSD.exe"
    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
    O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)



    When running this log it came up with a couple of error reports...
    1/ c:\windows\system32\drivers\etc\hosts.

    2/ Unexpected error occurred at procedure
    error number 75
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Hi, welcome to TSG.


    Do you have Vista, as many tools are still incompatible with Vista?


    Download the HostsXpert 3.7 - Hosts File Manager.

    http://www.funkytoad.com/download/hoster.zip

    * Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such
    as C:\HostsXpert 3.7 - Hosts File Manager
    * Run HostsXpert 3.7 - Hosts File Manager from its new home
    * Click "Make Hosts Writable?" in the upper right corner (If available).
    * Click Restore Original Hosts and then click OK.
    * Click the X to exit the program.
    * Note: If you were using a custom Hosts file you will need to replace
    any of those entries yourself.



    Have HijackThis fix these entries. Close all browsers and programmes before
    clicking FIX.



    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
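One way to triage the log entries discussed above, as an added example that is not part of the thread and not HijackThis's own logic: a Python script that parses lines copied from the posted log (plus one constructed hosts-hijack line using a documentation IP and example.com) and separates defaults such as `::1 localhost`, the IPv6 loopback entry Vista ships, from entries that deserve a closer look. The verdict names and the priority order are my own assumptions.

```python
"""Triage a HijackThis 1.99.1 log: separate harmless defaults from entries worth
a closer look. Added example; the rules are mine, not HijackThis's own logic."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: a subset of the log posted above, plus one constructed
# hosts-hijack line (documentation IP, example.com) to show the contrast.
SAMPLE_LOG = r"""
Platform: Unknown Windows (WinNT 6.00.1904)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
O1 - Hosts: ::1 localhost
O1 - Hosts: 198.51.100.7 login.example.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe
"""

class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "O1"
    verdict: str  # benign / redirect / empty / orphan / unverified / missing / present
    line: str

LOOPBACK = {"127.0.0.1", "::1"}
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
ENV_VAR_RE = re.compile(r"%[A-Za-z_]+%")

def is_vista_or_later(log: str) -> bool:
    """HijackThis 1.99.1 predates Vista: WinNT 6.x means it ran on an OS whose defaults it did not know."""
    m = re.search(r"WinNT (\d+)\.", log)
    return bool(m) and int(m.group(1)) >= 6

def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    if " - " not in line:
        return None  # header lines such as "Platform:" carry no entry
    section = line.split(" - ", 1)[0]
    if section == "O1":
        m = HOSTS_RE.match(line)
        if not m:
            return Finding(section, "malformed", line)
        ip, name = m.group(1), m.group(2)
        if ip in LOOPBACK and name == "localhost":
            return Finding(section, "benign", line)  # the IPv6 loopback entry Vista ships by default
        return Finding(section, "redirect", line)  # a real hijack maps a site name to a foreign address
    if section in ("R0", "R1") and line.endswith("="):
        return Finding(section, "empty", line)  # blank value; fixing it just deletes the key
    if section == "O2" and line.endswith("(no file)"):
        return Finding(section, "orphan", line)  # BHO registration whose DLL is gone
    if section == "O23" and line.endswith("(file missing)"):
        # an unexpanded %var% means the tool never resolved the path: unverified, not confirmed missing
        verdict = "unverified" if ENV_VAR_RE.search(line) else "missing"
        return Finding(section, verdict, line)
    return Finding(section, "present", line)

def triage(log: str) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in log.splitlines()) if f is not None]

def needs_attention(log: str) -> List[Finding]:
    """Entries a helper should actually look at, most suspicious first."""
    order = {"redirect": 0, "missing": 1, "unverified": 2, "orphan": 3}
    return sorted((f for f in triage(log) if f.verdict in order), key=lambda f: order[f.verdict])
```

Run against the sample, only the constructed redirect, the unresolved svchost service and the orphaned BHO come back; the `::1 localhost` line and the empty R0 keys are filtered out as noise.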
     
  3. deltuna

    deltuna Thread Starter

    Joined:
    Jan 15, 2007
    Messages:
    15
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    no, just carry on with the rest!
     
  5. deltuna

    deltuna Thread Starter

    Joined:
    Jan 15, 2007
    Messages:
    15
    Hi, I downloaded version 4 as it said 3.7 doesn't exist anymore. I followed the steps you said but it said 'can't create host c:\windows\system32\drivers\etc\hosts'.

    thanks for your help
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Go here and delete the hosts file, and then go to the link below and download a new hosts file and put it back into the folder it was in!


    c:\windows\system32\drivers\etc\hosts


    Get the hosts file from here. Unzip it to a folder!


    http://www.mvps.org/winhelp2002/hosts.htm


    Put it into the following folder, or click the mvps .bat and it should do it for you!


    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS
     
  7. deltuna

    deltuna Thread Starter

    Joined:
    Jan 15, 2007
    Messages:
    15
    Hi,
    I've tried this but to no avail. When I sign out of Yahoo I get this message.
    Thanks
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    what message are you getting?
     
  9. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    OK, let's try running these tools!


    download ccleaner

    http://www.ccleaner.com/


    * Install CCleaner
    * Launch CCleaner and look in the upper right corner and click on the
    "Options" button.
    * Click "Advanced" and remove the check by "Only delete files in Windows
    temp folders older than 48 hours".
    * Click OK
    * Do not run CCleaner yet. You will run it later in safe mode.

    Note: If you are not instructed to boot to safe mode to run another
    application, then just run ccleaner in normal mode!


    Now run ccleaner.


    Go to this site and download these tools, and once you get both
    Ad-Aware SE 1.6 and Spybot, update both of them.

    Set Ad-Aware to do a full system scan and deselect "search for negligible risk
    entries". Click next to start the scan. Delete everything Ad-Aware finds.

    reboot and now run spybot

    Spybot: Search and destroy.

    Delete what spybot finds marked in red. After updating spybot hit the
    immunize button.




    Download Superantispyware (SAS):

    http://www.superantispyware.com/supe....html?rid=3132


    Once downloaded and installed, update the definitions
    and then run a full system scan; quarantine what it finds!


    * Double-click SUPERAntiSpyware.exe and use the default settings for
    installation.
    * An icon will be created on your desktop. Double-click that icon to launch
    the program.
    * If asked to update the program definitions, click "Yes". If not, update
    the definitions before scanning by selecting "Check for Updates". (If you
    encounter any problems while downloading the updates, manually download and
    unzip them from here.)

    http://www.superantispyware.com/definitions.html

    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all
    others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your
    computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your
    computer.
    * After the scan is complete, a Scan Summary box will appear with
    potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete".
    Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware
    again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log.
    A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.


    All tools can be downloaded at the link below and found on that page!

    * SUPERAntiSpyware
    * AdAware SE personal



    http://www.majorgeeks.com/downloads31.html






    Download AVG Anti-Spyware

    http://www.ewido.net/en/


    * Once you have downloaded AVG Anti-spyware, locate the icon on the desktop
    and double-click it to launch the set up program.
    * Once the setup is complete you will need run AVG and update the definition
    files.
    * On the main screen select the icon "Update" then select the "Update now"
    link.
    * Next select the "Start Update" button, the update will start and a
    progress bar will show the updates being installed.
    * Once the update has completed select the "Scanner" icon at the top of the
    screen, then select the "Settings" tab.
    * Once in the Settings screen click on "Recommended actions" and then select
    "Delete"
    * Under "Reports"
    * Select "Automatically generate report after every scan"
    * Un-Select "Only if threats were found"


    Close AVG Anti-Spyware. Do NOT run a scan yet. We will do that
    later in safe mode.





    Run AVG Anti-Spyware!

    # IMPORTANT: Do not open any other windows or programs while AVG is scanning
    as it may interfere with the scanning process:
    # Launch AVG Anti-spyware by double-clicking the icon on your desktop.
    # Select the "Scanner" icon at the top and then the "Scan" tab then click on
    "Complete System Scan".
    # AVG will now begin the scanning process. Be patient this may take a little
    time.
    Once the scan is complete do the following:
    # If you have any infections you will be prompted, then select "Apply all
    actions"
    # Next select the "Reports" icon at the top.
    # Select the "Save report as" button in the lower left hand of the screen
    and save it to a text file on your system (make sure to remember where you
    saved that file, this is important).
    # Close AVG and reboot your system back into Normal Mode.





    * Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    * Doubleclick the drweb-cureit.exe file and Allow to run the express scan
    * This will scan the files currently running in memory and when something is
    found,
    click the yes button when it asks you if you want to cure it. This is only a
    short scan.
    * Once the short scan has finished, Click Options > Change settings
    * Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
    * Back at the main window, mark the drives that you want to scan.
    * Select all drives. A red dot shows which drives have been chosen.
    * Click the green arrow at the right, and the scan will start.
    * Click 'Yes to all' if it asks if you want to cure/move the file.
    * When the scan has finished, look if you can click the next icon next to the
    files found.
    * If so, click it and then click the next icon right below and select Move
    incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it
    can't be cured. (This is in case we need samples.)
    * After selecting, in the Dr.Web CureIt menu on top, click file and choose
    save report list
    * Save the report to your desktop. The report will be called DrWeb.csv
    * Close Dr.Web Cureit.
    * Reboot your computer!! Because it could be possible that files in use will
    be moved/deleted during reboot.


    post another log, the avg, the super and the dr web log!
     
Short URL to this thread: https://techguy.org/591241
