my hijack.log

Discussion in 'adware, spyware & hijack cleaning' started by Tomy2, Jun 12, 2004.

Thread Status:
Not open for further replies.
  1. Tomy2

    Tomy2 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    9
    please help me with my hijack.log
    I have serious problems with popups and spyware


    StartupList report, 2004/06/13, 12:59:40 ق.ظ
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Siavash\My Documents\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Siavash\My Documents\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    LogitechGalleryRepair = C:\Program Files\Logitech\ImageStudio\ISStart.exe
    svchost = C:\WINDOWS\svchost.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\System32\ahbmjpb.dll - {610E7B47-40DA-438B-91FA-01F0DB88DE7B}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Uninstall Expiration Reminder.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Win32 Classes]

    [{11111111-1111-1111-1111-111111111111}]
    CODEBASE = mhtml:file://C:NXSFT.MHT!http://66.117.37.5:80/iex/ofile.exe?url=http://66.117.37.5:80/dexAE116.exe

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38134.3186111111

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 4,382 bytes
    Report generated in 2.063 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  2. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Tomy !

    Welcome to Wilders ! :)

    Tomy, first go here and do an online virus scan:

    http://housecall.trendmicro.com/

    Be sure and put a check in the box by Auto Clean before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

    IMPORTANT!: I highly recommend that you go to Windows Update (click on Start-->Windows Update) and install all "Critical Updates and Service Packs". This will patch numerous security holes in IE and Windows.

    Secondly, you're running an older version of HijackThis. You need to install the latest HijackThis from here: http://www.zerosrealm.com/downloads/hjt.zip/

    Go there and download the zip file to its own permanent folder (i.e. C:\Hijack This\hjt.zip). Please do not download it to the desktop or to a temp folder. This will allow it to make back-ups of any changes you make. This is important in the event you need to restore items you chose to fix with HijackThis.

    Now Unzip the file and double click on the HijackThis.exe icon. When finished loading click on the Scan button. Next click on the Save Log button.

    Now, copy the contents and paste them in a reply to be checked. Please do not fix anything yet as most of what it shows is either necessary or harmless.

    Someone here on the board will check it for you...

    With Thanks !
    Newkid !
     
  3. Tomy2

    Tomy2 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    9
    thanks newkid, the antivirus was very useful
    &
    this is the log (last version)

    StartupList report, 2004/06/13, 10:28:44 ق.ظ
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Siavash\My Documents\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\khxeeg.exe
    C:\Documents and Settings\Siavash\My Documents\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    LogitechGalleryRepair = C:\Program Files\Logitech\ImageStudio\ISStart.exe
    fyplqvtfbvpi = C:\WINDOWS\System32\khxeeg.exe
    svchost = C:\WINDOWS\svchost.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\twaintec.dll - {000020DD-C72E-4113-AF77-DD56626C6C42}
    (no name) - C:\WINDOWS\System32\ahbmjpb.dll - {610E7B47-40DA-438B-91FA-01F0DB88DE7B}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Uninstall Expiration Reminder.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Win32 Classes]

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38134.3186111111

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\DOCUME~1\Siavash\LOCALS~1\Temp\instttpo.exe


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 4,819 bytes
    Report generated in 0.170 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Tomy !

    Sorry, I couldn't see the startup list version. Please show us the normal HijackThis log, not the StartupList log. We already went through it last time when you posted.

    With Thanks !
    Newkid !
     
  5. Tomy2

    Tomy2 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    9
    oh...sorry



    Logfile of HijackThis v1.97.7
    Scan saved at 07:48:57 ب.ظ, on 2004/06/13
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\khxeeg.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Siavash\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ahbmjpb.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ahbmjpb.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ahbmjpb.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ahbmjpb.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ahbmjpb.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#22776
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#22776
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ahbmjpb.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/3535/search.php?qq=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.148.246.69:8000
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {610E7B47-40DA-438B-91FA-01F0DB88DE7B} - C:\WINDOWS\System32\ahbmjpb.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [fyplqvtfbvpi] C:\WINDOWS\System32\khxeeg.exe
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: Win32 Classes -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38134.3186111111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7FB4D8E4-EABA-4E10-BAB4-DC8BDB049D0C}: NameServer = 217.24.152.2 80.191.36.3


    you know I have spyware that stuck itself into yahoo messenger
    and opens popups from the links "vn.msie.tv" & "c1dcon.ewizard.cc"
    also it changes my homepage to about:blank..but truly it's not blank
     
  6. Tomy2

    Tomy2 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    9
    so what happened to help? :( :'(
     
  7. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Tomy,

    Can you download :

    http://tools.zerosrealm.com/dllfix.exe

    Doubleclick it and install in folder of choice but on the root drive, most likely C:\

    Run start.bat and press option 1. A search will start, let it finish
    At the end an output.txt file will be created in the newly made folder.

    Copy and paste the complete contents of output.txt here please.

    Newkid !

    Note: Tomy, we are all working here as volunteers from different parts of the world. As you can clearly see, we are continuously in touch with you. So please don't be impatient. The weekend is not made only for you; it is made for us as well.
     
  8. Tomy2

    Tomy2 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    9
    here is that text file::
    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Mon 06/14/2004
    11:10 AM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "MAIN DISK" (2771:1CDC) - FS:FAT clusters:4k
    Total: 6 140 452 864 [5.7G] - Free: 1 910 792 192 [1.8G]


    *IE version and Service packs:
    6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    ? C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    8.0.0.4477 C:\Program Files\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings



    Locked or 'Suspect' file(s) found...
    These may be other files that Dllfix doesnt target.
    \\?\C:\WINDOWS\System32\COMIEG.DLL +++ File read error
    \\?\C:\WINDOWS\System32\COMIEG.DLL +++ File read error


    Scanning for main Hijacker:
    File found was C:\WINDOWS\System32\KOGCJDB.DLL
    Md5 tested As CD8433B54AA9E1C386F9A99DB2A29499

    known baddies are:
    0758CF635DF08AC381962F74832B6484
    C87354D67A8B9828F483C6F90C496972
    4E24A18F3A557AF479219E47E27B8B59


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C9F38F5-21F9-4CCE-82AC-4CCADB196E2F}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{9E02DCDF-7013-4E55-9182-0BC66C3BA1E8}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{9E02DCDF-7013-4E55-9182-0BC66C3BA1E8}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls REG_SZ

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
    ----------------------------------------------------------------------
    and please do something about these yahoo messenger popups
     
  9. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Tomy,

    Delete the file C:\WINDOWS\System32\COMIEG.DLL from recovery console.

    How to use and install the recovery console in windows XP ?

    Then reboot your machine and boot it normally.

    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/

    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.

    Now do the following:

    - Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
    check: "Unload recognized processes during scanning."

    - Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
    Check: Let Windows remove files in use after reboot.

    Press Scan Now

    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press Next to let Ad-aware scan your drives... It will find a number of bad files and registry keys. Right-click in that pane and choose Select All. Now press Next again. It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot. That ought to get rid of most of your spyware.

    When you've done all that, restart your computer, re-run Hijack This, and show us a fresh log. There will be more to do!

    With Thanks !
    Newkid !
     
  10. Tomy2

    Tomy2 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    9
    there is no comieg.dll in my system32 folder :eek: I searched there many times
    I already have ad aware 6.0 but it can't find this yahoo messenger stuff
    --------------
    and can you give me a link for downloading the sophos anti virus trial? I mean the free trial
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Tomy2,

    You can search all you want. As long as the file is active, you will never find it through Windows. That is why Newkid advised using the Recovery Console.

    Regards,

    Pieter
     
  12. Tomy2

    Tomy2 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    9
    hi
    I was on vacation for the last two weeks. Sorry

    well, let me tell you something
    I found out my problem is "homeoldsp" in the registry & the file "sp.html" in the temp folder
    I tried with dllfixer...ad aware 5.0..spy sweeper..registry mechanic...sophos antivirus & other stuff
    they had nothing to say ..detected nothing..
    I tried to remove them manually but every time I delete them they just fix themselves and go back where they were!
    now I know which files I should delete in hijackthis but every time I delete them they return
    it's a serious problem..I'm so hopeless about this..I think there is not any fixer for this **** :'(
    I just did one thing
    I deleted the sp.html in the temp folder and made a sp.html manually and the "about:blank"s became "about:navigation failure"
    but the problem with the home page and the yahoo popups is still alive & I'm so sick of fighting with this spyware, maybe I should mutate myself with this
    -----
    so is there any cure or not friends?
     
  13. Tomy2

    Tomy2 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    9
    I'm not out of patience but I think you are much more hopeless than me
     
    Last edited: Jul 7, 2004
  14. Tomy2

    Tomy2 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    9
    hello?
     