HijackThis Log

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sarcha, Apr 23, 2005.

  1. Sarcha

    Sarcha Private E-2

    Hi,

    I am hoping someone can give me a hand in cleaning out this log. My browser has been hijacked by about:blank. I know that this one I can choose to repair but need some help with the rest. I have done all the spyware and virus scans I am able to. Am unable to run a scan at Housecall as I get an Internet Explorer error and IE shuts down. My AVG has been going crazy all day, having dozens of virus warnings; when I select heal it tells me they are successfully healed but obviously they are not. Ran a full system scan and it found and cleaned many, or so it said. I have never been this infected. The main one is Downloader Agent.11.Q. There are many other DA's with different letters at the end. This all started with my son going to a web page; the page was slow loading and then it froze, after this AVG started giving all the virus warnings. He does not recall the URL of the site. At one point my hard drive was not detected; re-set the jumpers in the BIOS, this got the hard drive back up and running. Computer has been restarting on its own quite often. I am running WIN/XP/Home, keep my anti-virus up to date, run AdAware and SpyBot on a regular basis, have ZoneAlarm installed, do all the regular maintenance etc. My system has never been this screwed. Any help with this would be greatly appreciated. Thanks for your time.

    Kind Regards,
    Sarcha
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs Sarcha! Next time please wait until someone requests that you post a HijackThis log. I'm looking at your log now. It will take a few minutes. Stick around.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below item is that loads at startup:

    O4 - Startup: Rain.lnk = C:\Rain\Rain.exe

    Also do you use Viewpoint Manager?

    Your OS and IE versions are way out of date and represent a major security risk to you. You must get updated when we fix your current problems.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After running the READ ME! Follow the steps below.

    Download SpSeHjfix to your desktop and then right click a blank part of desktop & select new folder, call it spfix

    Unzip the file into that folder

    Disconnect from the internet and Close ALL OPEN PROGRAMS.

    Run 'SpSeHjfix' and click on "Start Disinfection".

    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder we created.
    If it doesn't find any of the SE files or any hidden reinstallers it will say "system clean" and not go on to the next stage.

    Now run CWShredder - Hit The FIX button!

    Now get a new HJT log and come back here and attach it to a message along with the log that was created by 'SpSeHjfix'.
     
  5. Sarcha

    Sarcha Private E-2

    My apologies chaslang, I completely missed the instruction to wait for a request before posting the log. Must be blind as it is right there at the top of the forum. Makes sense. I started out on this page here http://forums.majorgeeks.com/showthread.php?t=35407 and followed all instructions the best I could.

    Rain is a CPU cooling program. I actually do not need it in XP. It was quite useful in 98SE though. No, I do not use Viewpoint Manager.

    I ran the hijack fix program; it seemed to be taking forever [showing no progress] and so I checked the log and it looked as though it had finished, but it did not restart my computer.

    Ran CWShredder again; had run it earlier as well.

    How is my OS version out of date? I understand the IE being out of date, but it seems whenever one gets updates from Micro$haft it causes more problems than it's worth. ;) However, I will take your advice.

    Have attached the logs.

    Thanks once again for all your help.

    Regards,
    Sarcha
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are your version numbers:
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Windows XP is up to SP2. Plain old WinXP is way out of date. At an absolute minimum you must be at the SP1a level. The same logic goes for IE. But again, wait until we fix your current problems. These will be rather large updates. I hope you are not on dial-up.

    Are you killing any process at startup? It is rather strange that certain files that normally show as running related to the hijacker do not exist.

    If you do not use Viewpoint Manager, go to Add/Remove Programs and uninstall it. It is just crap that AOL sneaks onto your PC without asking.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you running IE at startup on purpose:
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE

    Please do the below:
    1) go here and download Registrar lite and install it: http://www.majorgeeks.com/download469.html
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field:
     
  8. Sarcha

    Sarcha Private E-2

    Yes, I have quite a long list of programs that I have unchecked in msconfig, but the only recent one is dumprep 0 -k, which seems to have stopped the rebooting issue.

    The IE at startup is new. Have never seen that in startup before. Will uncheck.

    There was no "AppInit_Dlls" value at that location in the registry.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not use msconfig to stop anything. I need to see everything that loads. Also, if anything loads at startup that you know is bad, do not kill it. I need to see items in your HJT log so I can work up a proper fix. For items like IEXPLORE.EXE loading at startup we will fix it permanently.

    These hijacker problems normally have a few hidden DLL or EXE files associated with them along with the visible problems. That's what I'm trying to locate. The hijacker also can mutate and spread on reboots. So the fix I'm giving you below may not apply anymore because the items in your log may have been renamed. You should be able to figure out which lines they have changed to by comparing old and new logs (that is, if it is necessary).

    What type of connection do you have (dial-up, cable, DSL)?

    Okay let's try the cleaning procedure below!

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 26.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug the connection from your cable, ADSL, or dial-up modem to your PC, and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:(DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gsbzk.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gsbzk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gsbzk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gsbzk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gsbzk.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gsbzk.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gsbzk.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {9ABBF8BA-C35E-205B-6D84-95401DED6DAD} - C:\WINDOWS\system32\msue32.dll
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


    Then exit HJT after clicking FIX


    Run Windows Explorer and look for and try to delete:
    C:\WINDOWS\system32\gsbzk.dll
    C:\WINDOWS\system32\msue32.dll
    C:\Program Files\WebSavingsfromEbates <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - If any of the files above that I asked you to delete could not be deleted, try deleting them now.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact, as an additional measure, run the CCleaner that you installed while running the READ ME FIRST.

    Now we need to Reset Web Settings (please leave your start page set to majorgeeks for now):
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:Buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
     
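    The HijackThis entries chaslang lists in the fix above (the R0/R1 Internet Explorer search values, the O2 BHO, the O4 Run entry) and the AppInit_DLLs value he asked about in post 7 are all plain registry data that can be read without HijackThis. The PowerShell script below is an added example, not part of this thread and not code from HijackThis or MajorGeeks. It assumes a Windows host with PowerShell 5.1 or later, run elevated so the HKLM keys are readable, and it only reads: nothing is fixed or deleted. The `$suspect` pattern (res://...dll/sp.html, about:blank, file:// context items), the "browser launched from Run" check, and the Authenticode check on BHO DLLs are this example's own heuristics, drawn from the entries seen in this thread, not rules from the original post.

```powershell
# Added example, not from the original thread or from HijackThis: read the registry
# locations behind HJT's R0/R1, O2 and O4 entries plus AppInit_DLLs, and flag the
# patterns seen in this thread. Read-only; it repairs and deletes nothing.
# Assumptions: Windows host, PowerShell 5.1+, run elevated so HKLM keys are readable.

# Assumed indicator pattern, derived from the entries in this thread.
$suspect = 'res://.*\.dll/sp\.html|^about:blank$|^file://'

function Get-IeSettings {
    # R0/R1 entries: IE start, search and search-assistant values in both hives.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in 'Main', 'Search') {
            $key = "${hive}:\Software\Microsoft\Internet Explorer\$sub"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($name in 'Start Page', 'Default_Page_URL', 'Default_Search_URL',
                              'Search Bar', 'Search Page', 'SearchAssistant') {
                $value = $props.$name
                if ($null -eq $value) { continue }
                [pscustomobject]@{
                    Kind  = "R0/R1 $hive\$sub,$name"
                    Value = $value
                    Flag  = [bool]("$value" -match $suspect)
                }
            }
        }
    }
}

function Get-Bhos {
    # O2 entries: each BHO CLSID resolves to an in-process DLL under HKLM\Software\Classes.
    $root = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $root)) { return }
    foreach ($entry in Get-ChildItem -Path $root) {
        $clsid  = $entry.PSChildName
        $server = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { $null }
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $bad = (-not $dll) -or (-not (Test-Path -LiteralPath $dll))
        if (-not $bad) {
            # Assumed heuristic: a BHO DLL without a valid Authenticode signature gets a look.
            $bad = (Get-AuthenticodeSignature -FilePath $dll).Status -ne 'Valid'
        }
        [pscustomobject]@{ Kind = "O2 BHO $clsid"; Value = $dll; Flag = $bad }
    }
}

function Get-RunEntries {
    # O4 entries: everything launched from the Run keys of both hives.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
            [pscustomobject]@{
                Kind  = "O4 $hive\..\Run: [$($p.Name)]"
                Value = $p.Value
                # A browser started from Run is what the IEXPLORE.EXE entry in this thread was.
                Flag  = [bool]("$($p.Value)" -match 'iexplore\.exe')
            }
        }
    }
}

function Get-AppInitDlls {
    # The value chaslang asked about in post 7; on a clean machine it is absent or empty.
    $key   = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AppInit_DLLs
    [pscustomobject]@{
        Kind  = 'AppInit_DLLs'
        Value = $value
        Flag  = -not [string]::IsNullOrWhiteSpace($value)
    }
}

function Test-SuspectFile {
    # For files HJT points at: does it exist, is it read-only (why a delete can fail), is it signed?
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; ReadOnly = $null; Signature = $null }
            continue
        }
        $item = Get-Item -LiteralPath $p -Force
        $sig  = if ($item.PSIsContainer) { 'n/a' } else { (Get-AuthenticodeSignature -FilePath $p).Status }
        [pscustomobject]@{
            Path      = $p
            Exists    = $true
            ReadOnly  = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
            Signature = $sig
        }
    }
}

# Flagged rows first.
@(Get-IeSettings; Get-Bhos; Get-RunEntries; Get-AppInitDlls) |
    Sort-Object -Property Flag -Descending |
    Format-Table -Property Flag, Kind, Value -AutoSize

# The files named in this thread (normally absent on a clean machine).
Test-SuspectFile -Path @(
    "$env:SystemRoot\system32\gsbzk.dll",
    "$env:SystemRoot\system32\msue32.dll",
    "$env:ProgramFiles\WebSavingsfromEbates"
) | Format-Table -AutoSize
```

    Run it before and after a cleanup and diff the two outputs: a value that reappears after the reboot-and-power-cycle step is the "mutate on reboot" behaviour chaslang describes, and the ReadOnly column explains the delete failures his instructions anticipate. Absence of AppInit_DLLs, as Sarcha reported in post 8, shows up here as an empty Value with Flag False.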
  10. Sarcha

    Sarcha Private E-2

    Hello chaslang,

    The browser is now back to normal. AVG seems to have stopped popping up with virus warnings [so far]. :) My connection is ADSL, thus the Broadjump client, which is not necessary.

    I re-checked all the items in Startup. Deleted gsbzl.dll. Found no msue32.dll. Found no WebSavingsfromEbates, as I had removed that folder long ago.

    The aboutlog2 overwrote the first log, it did not give me the option to save as. My mistake for not renaming the first one.

    I am receiving a lot of IRQL_NOT_LESS_OR_EQUAL Stop Errors...I will have to do a debugging session which I have never had to do before. :(

    Attached logs.

    Thank you, kind sir/ms, whichever the case may be. You're a gem!!
     

    Attached Files:

  11. Sarcha

    Sarcha Private E-2

    Oops... forgot about this one: when I run AdAware the scan freezes at the C:\FOUND.004. file.chk folder.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean now. For the above problem, you may be able to get more help on that in the software forum.

    But first you MUST perform ALL the steps not yet performed in the below link:

    How to Protect yourself from malware!

    The first step there is to get your Windows Updates! You must do this!!!!

    You also have to get a firewall installed ASAP.

    You should be able to delete the file (C:\FOUND.004. file.chk ) you mentioned.
     
  13. Sarcha

    Sarcha Private E-2

    I have most of those programs listed, including ZoneAlarm, which I have been having trouble with recently. It seems to be slowing down internet performance and when checking e-mail it will not allow it. When I turn it off the e-mail comes through fine. The settings are set correctly; have been using ZoneAlarm for years. I have seen this on other computers with the XP OS that have AVG installed. I tried going back to the previous version to see if it was due to the new one; however, it made no difference.

    Finally was able to run Housecall and came up clean.

    Will be sure to get my updates.

    Thanks for your time, much appreciated.

    -Sarcha
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    ZoneAlarm did not appear to be installed. You can try using Sygate. It is less PC resource intense.
     
