Hijthis Log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

COPE

Thread Starter
Joined
Sep 9, 2004
Messages
48
Hi,
I am new here so bear with me please. I have been having problems with my P.C. I am running Windows XP Home Edition.
On my browser at the bottom of the page I keep getting some type of search bar. I don't know what this is and don't know how to get it off my P.C. I also have the problem of my home page constantly getting jacked. I have run updated versions of Adaware and Spy Bot and it still continues. I have run HijackThis. I wanted to know if I could post my HijackThis log here or not and if someone could look at my log and tell me what may be wrong. Thank you for your help!!!!
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,672
Please go ahead and post your Hijack This log.
 

COPE

Thread Starter
Joined
Sep 9, 2004
Messages
48
OK, here's my HijackThis log:


Logfile of HijackThis v1.98.2
Scan saved at 10:08:58 AM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\kdx\KHost.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Lance\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.aqtfhpvahdhac.uk/MWXhDWDyETtDv41kzea32IoLGKCA_7Itke0vyJPalfKS6uEPHU/bKwiDtISANGD1.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.cmioifiqigl.com/MWXhDWDyETu4wJ44VqnXx_DFax4roVggQb0uO7NHPw8.htm");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Lance\Application Data\Mozilla\Profiles\default\s5r9tnte.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4118E335-89C0-9D33-F6FC-9D9069B5415F} - C:\PROGRA~1\CHINBA~1\Anti Flap.exe
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll (file missing)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Trust Stop] C:\PROGRA~1\THISGP~1\BUILD SHOW.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [BirdRealDefaultBarb] C:\Documents and Settings\All Users\Application Data\BORE EQ BIRD REAL\ExtraSoftware.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a2571ca3/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/racing/dodgespeedway/microsoft/wtinst.cab
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,672
Before you proceed with those instructions, please move Hijack This into its own folder in program files or my documents but not in the temporary files or on the desktop, so it can create proper back-ups and restore them if necessary.

Turn off system restore. On the desktop, right-click on My Computer, click properties, click system restore tab, check turn off system restore, click apply and then OK. Restart your computer. Once your system is clean you will turn it back on and create a new restore point.

Go to Control Panel - Add/Remove programs and remove:

WindowsSA

Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.aqtfhpvahdhac.uk/MWXhDWD...iDtISANGD1.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.cmioifiqigl.com/MWXhDWDyETu4wJ44VqnXx_DFax4roVggQb0uO7NHPw8.htm");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Lance\Application Data\Mozilla\Profiles\default\s5r9tnte.slt\prefs.js)

O2 - BHO: (no name) - {4118E335-89C0-9D33-F6FC-9D9069B5415F} - C:\PROGRA~1\CHINBA~1\Anti Flap.exe

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll (file missing)

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)

O4 - HKLM\..\Run: [Trust Stop] C:\PROGRA~1\THISGP~1\BUILD SHOW.exe

O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [BirdRealDefaultBarb] C:\Documents and Settings\All Users\Application Data\BORE EQ BIRD REAL\ExtraSoftware.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.8.cab

O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/...soft/wtinst.cab


Then boot to safe mode (see how below), locate and delete these files and/or folders:

C:\Windows\System32\wsaupdater.exe - file
C:\PROGRA~1\CHINBA~1\Anti Flap.exe - folder (the name will start with CHINBA and it will contain the Anti Flap.exe file)
C:\PROGRA~1\THISGP~1\BUILD SHOW.exe - folder (the name will start with THISGP and it will contain the BUILD SHOW.exe file)
C:\Program Files\WindowsSA - folder
C:\Documents and Settings\All Users\Application Data\BORE EQ BIRD REAL - folder

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Then reboot and post another log please.
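
The entries singled out in the post above follow a few recognizable patterns in the HijackThis line format. As an added example (not part of the original thread, and not HijackThis's own logic), this script parses entry lines and attaches review hints; the rules, function names and hint wording are assumptions for illustration, and the sample lines are copied from the log posted above.

```python
import re

# Sample input: a subset of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll (file missing)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""

ENTRY = re.compile(r"^([FNOR]\d{1,2}) - (.+)$")  # section code, then the entry text
DEFAULT_USERINIT = "userinit.exe"  # XP default value: C:\WINDOWS\system32\userinit.exe,

def parse(log):
    """Yield (section code, entry text); header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(code, text):
    """Return review hints for one entry. Heuristics (assumed rules), not a verdict."""
    hints = []
    if code == "F2" and "userinit=" in text.lower():
        progs = [p.strip().lower() for p in text.split("=", 1)[1].split(",") if p.strip()]
        # Winlogon starts every program named in this value at logon, so the value
        # has to be repaired before any file it names is deleted.
        if any(p.rsplit("\\", 1)[-1] != DEFAULT_USERINIT for p in progs):
            hints.append("Userinit runs a non-default program")
    if code in ("O2", "O3", "O9"):
        if "(no file)" in text or "(file missing)" in text:
            hints.append("registered component has no file on disk")
        if "(no name)" in text:
            hints.append("component has no display name")
    return hints

def review(log):
    """Map each flagged entry line to its hints, in log order."""
    return {f"{c} - {t}": h for c, t in parse(log) if (h := triage(c, t))}

if __name__ == "__main__":
    for entry, hints in review(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(hints))
```

A hint only marks an entry for a human reviewer; the file-missing rule, for example, would also fire on the Google Toolbar entries in the full log, which the helper did not ask to fix.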
 

COPE

Thread Starter
Joined
Sep 9, 2004
Messages
48
OK, I have serious problems now. When I try to log in on my P.C. it automatically logs me off.... I deleted the things but I didn't click System Restore and I didn't put HJT in My Documents. I have tried to pull it up in safe mode, still the same: it automatically logs me off.... Please help!!!!!! Thx!!!!
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,672
Are you able to get into safe mode at all? What exactly happens?
 

COPE

Thread Starter
Joined
Sep 9, 2004
Messages
48
OK, I had run HijackThis and I know that I didn't put HijackThis in My Documents like you said and I didn't turn system restore on. I was trying to log into my P.C. It would log me in but then it would log me right out. I put in my XP install disk and tried to get it to run Windows repair mode; instead I screwed up and ran the install. I couldn't get the install to finish therefore it ran. I try to log into my P.C. now and it asks me to set up Windows. I rebooted and went F8, then I tried to get into the repair. It asks to run setup or R for repair; I press R for repair. From what I remember it should ask me to run automatic repair but it doesn't.... Thx for your help...
 

COPE

Thread Starter
Joined
Sep 9, 2004
Messages
48
OK, I ran my restore disk. I originally ran a borrowed copy restore disk which installed the drivers and screwed everything up. All in all I have reinstalled XP and lost everything on my hard drive... luckily nothing major that I had to have on my HD. Big lesson for me though.... Thanks for all your help....
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,672
You're welcome.

I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD, for added protection.

http://www.javacoolsoftware.com/spywareblaster.html

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html

I’m closing this thread now as it has been solved. If you have more problems related to this thread and need it reopened, please PM a Moderator.

ANYONE ELSE WITH A SIMILAR PROBLEM PLEASE START A NEW THREAD.
 