Hijackthis log

Discussion in 'adware, spyware & hijack cleaning' started by captain_caveman2, Mar 16, 2004.

Thread Status:
Not open for further replies.
  1. captain_caveman2, Registered Member (Joined: Mar 16, 2004; Posts: 1)

    Hi,

    The problem that I am having is that when I try to access varied and different websites I am redirected to a website that I have not requested (it's always the same one I am redirected to).

    Any assistance that is given to me as to how to resolve this will be greatly appreciated.

    Many thanks.

    Scott
     

    Attached Files:

  2. yokenny, Registered Member (Joined: Apr 8, 2003; Posts: 27; Location: Toronto, Canada)

    captain_caveman2, welcome.

    Important: Create a folder on the C: drive called C:\HJT.
    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
    Move HijackThis.exe into this folder.

    When you run HijackThis from the C:\HJT folder and have it "Fix checked", it will create a backup file of the modifications to use if a restore is necessary.

    Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 203
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 203
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 203
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
    O2 - BHO: (no name) - {0DAD55AB-512A-B6C3-9329-BE3BADA4E18D} - C:\WINDOWS\system32\hxktlxhy.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\hhU.dll
    O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll

    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
    O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
    O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
    O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
    O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
    O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
    O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
    O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
    O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML>
    O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\<BODY>
    O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
    O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
    O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY>
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {0733B8F9-8B52-4693-A9FA-829E12D27F78} (preload control) - http://www.thepaymentcentre.com/build/preload2.cab


    Make sure 'show all files' is enabled:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=&docid=2002103012571948&nsf=ent-security.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

    Then reboot into Safe Mode by tapping F8 key at bootup.

    Delete:
    C:\PROGRA~1\INCRED~2\ <== folder
    C:\WINDOWS\System32\emesx.dll <== file
    C:\WINDOWS\system32\hxktlxhy.dll <== file

    Install IE-SPYAD and SpywareBlaster and update regularly.
    http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD
    http://www.javacoolsoftware.com/spywareblaster.html
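
Added example, not part of the original post and not HijackThis's own logic: a small triage pass over log lines in the format quoted above, flagging the kinds of entries the reply selects. The function name `triage` and the three heuristics (missing target file, hosts override, markup or empty name in a Run entry) are assumptions made for this illustration; the sample lines are copied from the log in the post.

```python
import re
from collections import Counter

# Sample input: a handful of lines taken from the log quoted in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dll
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKLM\..\Run: [name] command"
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")
# Autostart entry: registry key, value name in brackets, then the command.
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[(.*?)\] (.*)$")

def triage(log_text):
    """Return (section, reason, entry) tuples for entries that need review."""
    findings = []
    seen_hosts = Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank line or text that is not a log entry
        section, body = m.group(1), m.group(2).strip()
        if body.endswith("(no file)"):
            findings.append((section, "orphaned: target file missing", body))
        if section == "O1" and body.startswith("Hosts:"):
            seen_hosts[body] += 1
            if seen_hosts[body] == 1:  # report each hosts mapping once
                findings.append((section, "hosts override", body))
        run = RUN_RE.match(body) if section == "O4" else None
        if run:
            name, value = run.group(2), run.group(3)
            if "<" in name or "<" in value:
                # HTML fragments in a Run key: page text was written as entries
                findings.append((section, "markup in Run entry", body))
            elif not name.strip():
                findings.append((section, "Run entry with empty name", body))
    return findings

if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"{section:3} {reason:32} {entry}")
```

Entries the pass does not flag, such as the randomly named DLLs under O2, still need the manual review shown in the reply.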
     