Thanks for the advice!
Straight_Man (Geeky, in my own way), Naples, FL, Icrontian
edited April 2004
Did some more browsing: delete the folder D:\Program Files\PerfectNav if it is present. Or, for that matter, C:\Program Files\PerfectNav.
I've tried taking off everything that contained the words omegasearch, but to no avail. Please help!! Thanks.
Logfile of HijackThis v1.97.7
Scan saved at 01:07:16, on 22/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\seekadminaudio\default view.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Grant\Desktop\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.short-media.com/review.php?r=235
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5F5A1060-48D7-251A-AD8D-37481A05D0B6} - C:\PROGRA~1\MEDIAL~1\Atom drive.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Bolt up grey - {1275B163-EFAF-5997-1743-3CC5FC56F7F1} - C:\PROGRA~1\MEDIAL~1\Atom drive.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [defy4] C:\PROGRA~1\seekadminaudio\default view.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{482A3068-B121-4068-9BF0-AFE554F7AF4D}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{482A3068-B121-4068-9BF0-AFE554F7AF4D}: NameServer = 62.241.160.200 158.43.240.3
Check for the latest Omegasearch information here.
Make sure to start in SAFE MODE. Run HJT. FIX the following:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {5F5A1060-48D7-251A-AD8D-37481A05D0B6} - C:\PROGRA~1\MEDIAL~1\Atom drive.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Bolt up grey - {1275B163-EFAF-5997-1743-3CC5FC56F7F1} - C:\PROGRA~1\MEDIAL~1\Atom drive.dll
O4 - HKLM\..\Run: [defy4] C:\PROGRA~1\seekadminaudio\default view.exe
O4 - Global Startup: Image Transfer.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
Manually delete the following items from your hard drive:
C:\Program Files\PERFEC~1\BHO\PERFEC~1.DLL
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
C:\Program Files\MEDIAL~1\Atom drive.dll
C:\Program Files\seekadminaudio\default view.exe
Please let us know what the full name of the folders "Perfec~1" and "Medial~1" actually are.
Reboot into normal mode, and check again. Let us know if it worked. Post a new HJT log, as there are a few other items in there that someone can advise you on to help tweak your system a little.
Dexter...
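As an added triage aid (my own example, not part of the thread and not a HijackThis feature), here is a small parser for the O2/O3/O4 lines of an HJT log. It pulls the loaded binary out of each entry, flags entries whose real location HJT cannot show plainly (an 8.3 short name such as PERFEC~1 or MEDIAL~1, a "(file missing)" marker, or an unresolved "?" target) and collapses the flagged entries to the distinct files behind them, the same reduction Dexter did by hand above. The sample lines are copied from the log in this thread; the flag is a review prompt, not a verdict, which is why the seekadminaudio entry is not caught and still needed Dexter's knowledge.

```python
import re
from typing import NamedTuple

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5F5A1060-48D7-251A-AD8D-37481A05D0B6} - C:\PROGRA~1\MEDIAL~1\Atom drive.dll
O3 - Toolbar: Bolt up grey - {1275B163-EFAF-5997-1743-3CC5FC56F7F1} - C:\PROGRA~1\MEDIAL~1\Atom drive.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [defy4] C:\PROGRA~1\seekadminaudio\default view.exe
O4 - Global Startup: Image Transfer.lnk = ?
"""

class Entry(NamedTuple):
    section: str   # HJT section code, e.g. "O2"
    name: str      # BHO/toolbar name or Run value name
    path: str      # binary the entry loads; "?" if HJT could not resolve it
    missing: bool  # HJT reported "(file missing)"

BHO_TOOLBAR = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - \{[0-9A-Fa-f-]+\} - (.*?)( \(file missing\))?$")
# Run values may be quoted and may carry arguments; stop at the first executable extension.
RUN_VALUE = re.compile(r'^(O4) - HK\w+\\\.\.\\Run: \[(.*?)\] "?(.*?\.(?:exe|dll|ocx|com|scr))"?', re.I)
STARTUP_LNK = re.compile(r"^(O4) - Global Startup: (.*?)\.lnk = (.*)$")
SHORT_NAME = re.compile(r"[^\\]*~\d+")  # one 8.3 path component such as PERFEC~1

def parse_hjt(text: str) -> list[Entry]:
    entries = []
    for line in text.strip().splitlines():
        if m := BHO_TOOLBAR.match(line):
            entries.append(Entry(m[1], m[2], m[3], m[4] is not None))
        elif m := RUN_VALUE.match(line):
            entries.append(Entry(m[1], m[2], m[3], False))
        elif m := STARTUP_LNK.match(line):
            entries.append(Entry(m[1], m[2], m[3], False))
    return entries

def hidden_components(path: str) -> list[str]:
    """8.3 names other than PROGRA~1 (Program Files); each hides a folder's real name."""
    return list(dict.fromkeys(c for c in SHORT_NAME.findall(path) if c.upper() != "PROGRA~1"))

def needs_review(e: Entry) -> bool:
    """Triage flag, not a verdict: the entry points somewhere HJT cannot show plainly."""
    return e.missing or e.path == "?" or bool(hidden_components(e.path))

def deletion_targets(entries: list[Entry]) -> list[str]:
    """Distinct on-disk files behind the flagged entries (two entries may share one DLL)."""
    return sorted({e.path for e in entries if needs_review(e) and not e.missing and e.path != "?"})
```

The short names that `hidden_components` reports are what Dexter asked the poster to resolve; on the affected machine `dir /x` in the parent folder shows the long name beside each 8.3 name.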
Old versions of WordPerfect Office used to use Perfect Office for a folder name (DOS name: PERFEC~1). It had an old BHO in it to link to Corel's old site. In this case, it looks like something like that is now possibly used for spyware (or was an orphan entry from an uninstall), hoping folks will think it is WordPerfect Office. There is also a smaller and less popular product called Perfect Office. It also has web hooks in it; most of the help is online. Given that the file is missing, killing it is fine, right, Dexter?
Definitely would be nice to know if a Corel or off-brand office suite was uninstalled while this thread starter owned the computer....
John D.
Reason:
http://www.computercops.biz/print-1-33112.html
John D.