hijackthis log - please help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

holula

Thread Starter
Joined
Sep 7, 2004
Messages
2
Before scanning with HijackThis, I ran Spybot S&D, Ad-Aware and CW Shredder. This is a copy of the log I got:

Logfile of HijackThis v1.98.2
Scan saved at 00:13:14, on 08/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\mssp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\rmctrl.exe
D:\Program Files\Grisoft\AVG6\avgcc32.exe
D:\Program Files\Google\Gmail Notifier\gnotify.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
D:\PROGRA~1\AIM95\aim.exe
C:\WINDOWS\System32\xhu.exe
C:\Program Files\Indicator\SDCardIndicator.exe
C:\Program Files\Indicator\SMCardIndicator.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Webshots\WebshotsTray.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Holly\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.freeserve.com:8080;http=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 49.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 49.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [regsrv] scvhost.exe
O4 - HKLM\..\Run: [Config33.exe] Config33.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [EWqusg] C:\documents and settings\holly\local settings\temp\EWqusg.exe
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [4s2V3nU] tsagl.exe
O4 - HKLM\..\Run: [SysA] C:\windows\system32\winurh32.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] d:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ICV_2] D:\Program Files\Aladdin Systems\Internet Cleanup\icadwrmv.exe
O4 - HKLM\..\Run: [Sys29] c:\windows\system32\winbsr32.exe
O4 - HKLM\..\RunServices: [Config33.exe] Config33.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Tvsxxb] C:\WINDOWS\System32\xhu.exe
O4 - HKCU\..\Run: [LBt9RhY9e] lpkllstyle.exe
O4 - HKCU\..\Run: [Uhcs] C:\Documents and Settings\Holly\Application Data\osri.exe
O4 - HKCU\..\Run: [Spyware Begone] d:\freescan\freescan.exe -FastScan
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: IC Task Manager.lnk = D:\Program Files\Aladdin Systems\Internet Cleanup\ONICTASK.exe
O4 - Global Startup: SD Access Indicator.lnk = ?
O4 - Global Startup: SM Access Indicator.lnk = ?
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7e302932b2ac:e499d6ceeb9210b67f4b7fd0ca72c814
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC/MaxisHotDateTeleX.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.com/teleport/vacation/MaxisVacationTeleX.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unleashed/LOT/MaxisUnleashedLotTeleX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://palantir.citylink.co.nz//AxisCamControl.ocx
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn163.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn163.exe

Could someone help with what stuff to fix? Thanks.
 
Joined
Jul 26, 2002
Messages
46,349
Hi holula

Welcome to TSG! :)

Go to Add/Remove programs and uninstall WindowsSA.

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

R3 - Default URLSearchHook is missing

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 49.dll

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 49.dll

O4 - HKLM\..\Run: [regsrv] scvhost.exe

O4 - HKLM\..\Run: [Config33.exe] Config33.exe

O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

O4 - HKLM\..\Run: [EWqusg] C:\documents and settings\holly\local settings\temp\EWqusg.exe

O4 - HKLM\..\Run: [4s2V3nU] tsagl.exe

O4 - HKLM\..\Run: [SysA] C:\windows\system32\winurh32.exe

O4 - HKLM\..\Run: [Sys29] c:\windows\system32\winbsr32.exe

O4 - HKLM\..\RunServices: [Config33.exe] Config33.exe

O4 - HKCU\..\Run: [Tvsxxb] C:\WINDOWS\System32\xhu.exe

O4 - HKCU\..\Run: [LBt9RhY9e] lpkllstyle.exe

O4 - HKCU\..\Run: [Uhcs] C:\Documents and Settings\Holly\Application Data\osri.exe

O4 - HKCU\..\Run: [Spyware Begone] d:\freescan\freescan.exe -FastScan

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f... b7fd0ca72c814

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab

O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn163.exe

O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn163.exe


Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete these files:

scvhost.exe
tsagl.exe
Config33.exe
lpkllstyle.exe

C:\windows\system32\winurh32.exe
c:\windows\system32\winbsr32.exe
C:\WINDOWS\System32\xhu.exe
C:\Documents and Settings\Holly\Application Data\osri.exe

Delete this folder:

C:\Program Files\WindowsSA

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Holly\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin


Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

When you are sure you are clean turn it back on and create a restore point.


Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the exact file name and file location so you can delete it yourself.
 

holula

Thread Starter
Joined
Sep 7, 2004
Messages
2
flrman1 said:
Go to Add/Remove programs and uninstall WindowsSA.
I went to Add/Remove programs but don't have anything called WindowsSA installed. I *do* have something called Windows SR 2.0 though.
 
Joined
Jul 26, 2002
Messages
46,349
Uninstall Windows SR 2.0 and the follow the rest of my recommendations.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top