
Please look at my hijack log.

Discussion in 'Security and Privacy' started by jbh, 2004/07/01.

  1. 2004/07/01
    jbh

    Here we go again. I've run Ad-aware, Spybot and deleted temp and internet temp files. Please tell me what else I need to do. Thanks again, jbh


    Logfile of HijackThis v1.98.0
    Scan saved at 1:35:09 PM, on 7/1/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\runwin32.exe
    C:\WINDOWS\wininet32.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
    E:\Program Files\FlashGet\flashget.exe
    C:\Downloads\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe "
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe "
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C416C60-E37D-4B77-9EF5-C3DF6E1721BA}: NameServer = 209.63.0.6 207.173.86.6
     
  2. 2004/07/01
    noahdfear

    Hi jbh. We need to finish this time.

    Download CWShredder version 1.59.1 from the link in my signature. Save it to your desktop.

    Open Ad-aware and check for updates. Configure for a custom full scan and close.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    F0 - system.ini: Shell=
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)


    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode.

    Now in safe mode, you will need to show hidden files and folders.

    Open CWShredder and click fix.

    Run Ad-aware in full scan mode. Delete all it finds.

    Open C:\WINDOWS and delete the files runwin32.exe and wininet32.exe.

    Open IE/tools/options/connections tab/ click on your connection settings and untick 'use a proxy server'.

    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, you can re-enable system restore. Then visit Windows Update. Accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.

    Scan your PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
     


  4. 2004/07/02
    jbh

    Hi noahdfear,

    My C drive is not the same drive I was having trouble with before. Drive E is. I have planned on reformatting, just haven't done it yet.

    I've done everything you said. I did try to download windows update, didn't work because I have an invalid number.

    Thanks, jbh


    Logfile of HijackThis v1.98.0
    Scan saved at 5:56:27 PM, on 7/2/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Downloads\HijackThis\HijackThis.exe

    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe "
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe "
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

    RAV report

    Statistics

    Scanned files: 71854
    Scanned directories: 5901
    Scanned archives: 2642
    Size of the scanned files: 1249741454
    Packed files: 3281
    Known viruses found: 15
    Virus bodies: 7
    Suspicious files: 3

    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 291825
    Mail files: 214




    Found viruses
    File: C:\Program Files\Windows Media Player\mplayer2.exe.bak
    Virus: Trojan:Win32/StartPage.FA Status: Infected

    File: E:\WINDOWS\dialup.exe
    Virus: Trojan:Win32/Dialer.BH Status: Suspicious

    File: E:\WINDOWS\system32\npk.dll
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: E:\WINDOWS\system32\ppamec.dll
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: E:\WINDOWS\system32\nieglc.dll
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: E:\WINDOWS\system32\max8264.dll
    Virus: Backdoor:Win32/Agent.AZ Status: Infected

    File: E:\WINDOWS\system32\ahpbkia.dll
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: E:\WINDOWS\system32\mnblkk.dll
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: E:\WINDOWS\Downloaded Program Files\on-line.exe
    Virus: Trojan:Win32/Dialer.BH Status: Suspicious

    File: E:\Recycled\1.exe
    Virus: TrojanDownloader:Win32/Small.FO Status: Suspicious

    File: E:\FOUND.045\FILE0195.CHK->/exploit.htm->(SCRIPT0001)
    Virus: JS/Psyme.V* Status: Infected

    File: E:\FOUND.045\FILE0621.CHK->/1.htm->(OBJECT0001)
    Virus: HTML/CodeBaseExec* Status: Infected

    File: E:\FOUND.045\FILE2029.CHK->/x.htm->(OBJECT0000)
    Virus: HTML/CodeBaseExec* Status: Infected

    File: E:\FOUND.045\FILE2694.CHK
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: E:\FOUND.045\FILE2697.CHK
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: E:\FOUND.045\FILE2702.CHK
    Virus: TrojanDropper:Win32/Small.gen Status: Infected

    File: E:\FOUND.045\FILE3060.CHK
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: E:\hjt\backup-20040609-194337-111
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected
     
    Last edited: 2004/07/02
  5. 2004/07/02
    noahdfear

    Scan again with HJT and place a check next to the following. With all other windows closed, click fix.

    F0 - system.ini: Shell=
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll

    Try running Stinger and/or a free trial of Trojan Hunter. Maybe one of them can clean the files.

    When done, do another RAV scan and post the report.

    It's going to be very difficult to keep that drive clean without updates. Better at least get a firewall running.
     
    Last edited: 2004/07/02
  6. 2004/07/04
    jbh

    I am just about ready to pull my hair out! Every time I think I have a problem fixed, it just gets worse.

    I run Ad-aware. It tells me 15 new objects. Deleted. I run Ad-aware again an hour or two later, it finds 135 new objects. Deleted. I run Ad-aware still later, it says 75 new objects.

    I run spybot. Fixes problems. I run spybot again the same day and it has the same problems plus sometimes more.

    I was finally able to update my virus protection program. Says it found viruses, I quarantined then deleted. I run RAV, it says more viruses. Doesn't clean them.

    I am so confused. What’s up with this??

    Because I cannot update XP, would I be better off going back to Win 98SE? I can keep it updated.

    Here are my reports. Thanks so much.

    Logfile of HijackThis v1.98.0
    Scan saved at 5:56:27 PM, on 7/2/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Downloads\HijackThis\HijackThis.exe

    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe "
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe "
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab


    Statistics

    Scanned files: 72358
    Scanned directories: 5922
    Scanned archives: 2645
    Size of the scanned files: 1800859527
    Packed files: 3286
    Known viruses found: 10
    Virus bodies: 6
    Suspicious files: 4

    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 292677
    Mail files: 218




    Found viruses
    File: C:\RECYCLED\1.exe
    Virus: TrojanDownloader:Win32/Small.FO Status: Suspicious

    File: C:\Program Files\Windows Media Player\mplayer2.exe.bak
    Virus: Trojan:Win32/StartPage.FA Status: Infected

    File: E:\WINDOWS\dialup.exe
    Virus: Trojan:Win32/Dialer.BH Status: Suspicious

    File: E:\WINDOWS\system32\npk.dll.tcf
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: E:\WINDOWS\system32\ahpbkia.dll.tcf
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: E:\WINDOWS\system32\max8264.dll
    Virus: Backdoor:Win32/Agent.AZ Status: Infected

    File: E:\WINDOWS\Downloaded Program Files\on-line.exe.tcf
    Virus: Trojan:Win32/Dialer.BH Status: Suspicious

    File: E:\Recycled\1.exe
    Virus: TrojanDownloader:Win32/Small.FO Status: Suspicious

    File: E:\FOUND.045\FILE0621.CHK->/1.htm->(OBJECT0001)
    Virus: HTML/CodeBaseExec* Status: Infected

    File: E:\FOUND.045\FILE2694.CHK
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: E:\FOUND.045\FILE2697.CHK
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: E:\FOUND.045\FILE2702.CHK
    Virus: TrojanDropper:Win32/Small.gen Status: Infected

    File: E:\FOUND.045\FILE3060.CHK
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: E:\hjt\backup-20040609-194337-111
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected
     
  7. 2004/07/04
    noahdfear

    Did you run either one of the trojan scanners?

    Turn off system restore and fix this entry with HJT.

    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe

    Download The Killbox from here: http://tools.zerosrealm.com/killbox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\questmod.dll

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". Reboot when prompted.


    Open C:\WINDOWS and delete runwin32.exe.
    Delete all of the files listed in the RAV scan. If any of them will not allow deletion, install MOVE-on-Boot. You will have a new right click option to delete on the next boot. Select that option for each of the remaining files.
    Run disk cleanup and reboot. Scan again with both RAV and HJT and post the logs.
     
  8. 2004/07/04
    jbh

    Thanks Dave, I can't tell you how much I appreciate your help.

    Yes, in answer to your question, I ran both trojan programs.


    Here's my new reports. Call me stupid, but I cannot find the files that RAV reports as having viruses.


    Logfile of HijackThis v1.98.0
    Scan saved at 8:58:00 PM, on 7/4/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\wininet32.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Downloads\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe "
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe "
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
    O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 3.9\THGuard.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O15 - Trusted Zone: *.greg-search.com
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C416C60-E37D-4B77-9EF5-C3DF6E1721BA}: NameServer = 209.63.0.6 207.173.86.6




    Statistics

    Scanned files: 72860
    Scanned directories: 5952
    Scanned archives: 2684
    Size of the scanned files: 1839929208
    Packed files: 3291
    Known viruses found: 6
    Virus bodies: 3
    Suspicious files: 3

    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 300722
    Mail files: 228




    Found viruses
    File: C:\RECYCLED\1.exe
    Virus: TrojanDownloader:Win32/Small.FO Status: Suspicious

    File: E:\WINDOWS\Downloaded Program Files\on-line.exe.tcf
    Virus: Trojan:Win32/Dialer.BH Status: Suspicious

    File: E:\Recycled\De2
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: E:\Recycled\1.exe
    Virus: TrojanDownloader:Win32/Small.FO Status: Suspicious

    File: E:\FOUND.045\FILE0621.CHK->/1.htm->(OBJECT0001)
    Virus: HTML/CodeBaseExec* Status: Infected

    File: E:\FOUND.045\FILE2694.CHK
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: E:\FOUND.045\FILE2697.CHK
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: E:\FOUND.045\FILE2702.CHK
    Virus: TrojanDropper:Win32/Small.gen Status: Infected

    File: E:\FOUND.045\FILE3060.CHK
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected
     
  9. 2004/07/04
    noahdfear

    Making progress. :)

    Download and install Agent Ransack.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    F0 - system.ini: Shell=
    O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O4 - Global Startup: winlogin.exe
    O15 - Trusted Zone: *.greg-search.com


    Reboot to safe mode.

    Open My Computer. Click tools>folder options>view tab, tick the box to show hidden files, uncheck the boxes to hide extensions for known file types and hide protected Operating system files, then apply and OK.

    Open Agent Ransack, make sure it is set to search the E: drive and search for the following files, then delete. Best if you can just copy/paste these in.

    on-line.exe.tcf
    FILE0621.CHK
    FILE2694.CHK
    FILE2697.CHK
    FILE2702.CHK
    FILE3060.CHK
    sysstartup.exe<<<<System32 folder
    wininet32.exe<<<<Windows folder
    winlogin.exe<<<<Startup folder

    Empty the recycle bin.
    Open Internet Options in the Control Panel, go to the Programs tab and click Reset Web Settings (again, if you already did so). On the Connections tab, open the settings for your connection and uncheck 'use proxy server' if it is checked. Check the trusted sites on the Security tab to be sure that entry has been removed.

    Open CWShredder and click fix.

    Reboot and scan again. Post the logs. :)
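    The entries noahdfear picks out above (start/search pages redirected to one domain, a proxy on 127.0.0.1, an emptied system.ini Shell=, unfamiliar Run keys and a Trusted Zone addition) are exactly the patterns a helper reads a HijackThis log for. The script below is an added example, not part of this thread or of HijackThis, that applies those same checks to log lines automatically. The allowlist of expected hosts and the baseline of known-clean autorun names are constructed for the example from the clean log later in the thread; a real baseline would come from the machine's own known-good scan.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hosts the owner legitimately expects in IE start/search settings (constructed allowlist).
EXPECTED_HOSTS = {"my.yahoo.com", "red.clientapps.yahoo.com"}

# Autorun names from the post-cleanup log in this thread, used as a known-clean baseline
# (constructed for this example; build it from a trusted scan of the actual machine).
BASELINE_RUN_NAMES = {
    "Cmaudio", "pccguide.exe", "PCCClient.exe", "Pop3trap.exe",
    "AGRSMMSG", "THGuard", "MSMSGS", "Yahoo! Pager",
}

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
URL_HOST = re.compile(r"https?://([^/\s*]+)")
RUN_ENTRY = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when one HijackThis entry looks like hijack residue, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    sec, body = m.group("section"), m.group("body")

    if sec in ("R0", "R1"):  # IE start/search/proxy settings
        key, _, value = body.partition(" = ")
        value = value.strip()
        if "ProxyServer" in key:
            if value.split(":")[0] in ("127.0.0.1", "localhost"):
                return Finding(sec, "loopback proxy: browser traffic routed through a local program", line)
            return None
        if "ProxyOverride" in key:
            return None
        for host in URL_HOST.findall(value):
            if host.lower() not in EXPECTED_HOSTS:
                return Finding(sec, f"browser setting points at unexpected host {host}", line)
        return None

    if sec == "F0":  # only listed when system.ini Shell= deviates from the default
        _, _, value = body.partition("Shell=")
        if "explorer.exe" not in value.lower():
            return Finding(sec, "system.ini Shell= does not name explorer.exe", line)
        return None

    if sec == "O4":  # registry Run keys and Startup folder items
        entry = RUN_ENTRY.search(body)
        if entry:
            name, cmd = entry.group("name"), entry.group("cmd")
            if name not in BASELINE_RUN_NAMES:
                return Finding(sec, f"autorun '{name}' absent from clean baseline: {cmd}", line)
            return None
        if body.startswith("Global Startup:"):
            return Finding(sec, "item in the all-users Startup folder", line)
        return None

    if sec == "O15":  # sites added to the Trusted Zone get relaxed security settings
        return Finding(sec, "site added to the IE Trusted Zone", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


# Constructed sample: entries copied from the logs in this thread plus one clean Run key.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F0 - system.ini: Shell=
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it prints eight flagged entries and passes over the Yahoo default page, the proxy-override line and the baseline PC-cillin Run key. The baseline approach is the important design point: rather than trying to recognise every bad file name, compare autoruns against a known-good list for that machine and treat anything new as worth a look.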
     
  10. 2004/07/05
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Dave, you are my HERO! Everything's working sooo much better!

    Two files that I couldn't find even w/ Agent Ransack were: sysstartup.exe & winlogin.exe.

    After we get this done can you help me set up the computer so that I won't get this #@%* again?

    Oh, and did I mention that you are my hero? :D


    Logfile of HijackThis v1.98.0
    Scan saved at 3:58:31 PM, on 7/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Downloads\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe "
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe "
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 3.9\THGuard.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab




    Scanned files: 73375
    Scanned directories: 5947
    Scanned archives: 2658
    Size of the scanned files: 1817706284
    Packed files: 3346
    Known viruses found: 0
    Virus bodies: 0
    Suspicious files: 2

    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 295613
    Mail files: 229




    Found viruses
    File: C:\RECYCLED\1.exe
    Virus: TrojanDownloader:Win32/Small.FO Status: Suspicious

    File: E:\Recycled\1.exe
    Virus: TrojanDownloader:Win32/Small.FO Status: Suspicious
     
    jbh,
    #9
  11. 2004/07/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hey great news! :) Still got that blasted 1.exe hanging on in the recycle bin though. Do you see it when you open the RB? Can you right click and delete?

    Download and install RegSeeker. With the 'find in registry' option, search for 1.exe and delete any entries found. Empty the recycle bin, again. Then click 'clean registry'. I have never had any problems deleting everything found by RegSeeker, but one never knows, so be sure the backup box in the lower left corner is checked before deleting. I generally recommend deleting everything then running again, and delete everything. Reboot and run again, deleting all, till it comes up clean. Your PC will generally thank you for the cleanup with performance.

    You might try using RegSeeker to search for those unfound files too. Great if you still don't find them. :)

    Now, for protection. As I said previously, you are going to have several vulnerabilities that can only be fixed with updates, but here are a few things that will help.

    Do you have Spybot Version 1.3? If not, download it from my signature and install. Allow it to load SD Helper. Open it up and click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install and update.
    Then download and install IESpyads.

    That will give you an added layer of protection against unwanted parasites.
     
  12. 2004/07/05
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Hey Dave,

    I think it's fixed! It's fixed, isn't it? Look at my hijack and rav logs.

    You are da man!


    Logfile of HijackThis v1.98.0
    Scan saved at 9:21:00 PM, on 7/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Downloads\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe "
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe "
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 3.9\THGuard.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C416C60-E37D-4B77-9EF5-C3DF6E1721BA}: NameServer = 209.63.0.6 207.173.86.6


    :) Statistics

    Scanned files: 72781
    Scanned directories: 5950
    Scanned archives: 2657
    Size of the scanned files: 1803503075
    Packed files: 3317
    Known viruses found: 0
    Virus bodies: 0
    Suspicious files: 0

    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 293377
    Mail files: 230




    Found viruses
    No virus found
     
    jbh,
    #11
  13. 2004/07/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good to me. Glad you got it! Happy surfin :)
     