My main page is "http://rl.webtracer.cc/-/?bayzm" no matter what i do to change it...

Thread Solved

#1 Zingar, Mar 15th, 2005
Hi, I've been out of my house for some time while a friend was waiting for me at my own house while playing/using my computer. I don't like to go to certain places in IE because they are often full of spyware/adware or some other not good stuff. But it seems that my friend does go to those places, because when I went back to my house, I realized that my main page had been changed and that there were some new web sites in my "favourites" folder.
The thing is that even if I delete/change them, they will appear again after some seconds (by the way, my main page is "http://rl.webtracer.cc/-/?bayzm"). I also think that I'm getting more pop-ups because of this, and sometimes (it doesn't matter which web site I am on) I'm redirected to "http://global-finder.com/cgi-bin/search/go.cgi". I've found some other people that have my same problem but they couldn't fix it yet.
Here's my log (by the way, my Windows XP is in Spanish; "Archivos de programa" means "Program Files"):

Logfile of HijackThis v1.99.1
Scan saved at 12:46:14 p.m., on 15/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Grisoft\AVG Free\avgcc.exe
C:\Archivos de programa\Grisoft\AVG Free\avgemc.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\$Elwin\Files and Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: winupdate11100696[1].exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Archivos de programa\IrfanView\Ebay\Ebay.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks in advance.

#2 nanosani, Mar 15th, 2005
Choose Start, Run, regedit. Locate and select the key:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

In the right hand pane, right-click underneath any entries you see there and choose New, DWORD value. Name it Homepage. Select the entry, right-click it and choose Modify. Enter a value of 1.

This will lock your homepage to whatever you changed last time... but you have spyware on your system... run an antispyware program.

In HijackThis, check the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
and then click Fix. Remember to make a backup before fixing.

#3 Zingar, Mar 15th, 2005
I tried to go to "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" in regedit but that folder doesn't exist. I can only go as far as "HKEY_CURRENT_USER\Software\Policies\Microsoft"; IE isn't there. Should I look somewhere else?

I scanned with Ad-aware 6 and I also scanned with some other programs that only scanned; they didn't clean the infected files (I had to pay if I wanted the program to clean, pretty stupid because the program says which and where those infected files are, so I go and delete 'em..), but they have found nothing..

I also tried to fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
But I couldn't even fix O1 - Hosts: 1159680172 auto.search.msn.com because it says that I don't have the rights to write it..
I could fix the other two though (both R0's), but if I scan again they are back there again..
Should I reinstall Windows?

Thanks in advance

#4 crunchie, Mar 16th, 2005
You have the horse server infection Zingar.

Can you do the following please.

First, download HSFix from here.

After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

Reboot into safe mode following the instructions here

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"

A log will be produced which you can close out of.

Then run HijackThis again, close any open windows and browsers and fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

O1 - Hosts: 1159680172 auto.search.msn.com

O4 - Startup: winupdate11100696[1].exe

Restart your computer into normal mode and run at least one of the following free, online virus scans:

http://housecall.trendmicro.com/hou.../start_corp.asp
http://www.pandasoftware.com/activescan...ncipal.htm
http://www3.ca.com/threatinfo/virusinfo/scan.aspx

Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt

#5 Zingar, Mar 17th, 2005
Here is the HSFix log:

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

And here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:52:43 a.m., on 17/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\$Elwin\Files and Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: winupdate11100696[1].exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Archivos de programa\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#6 crunchie, Mar 17th, 2005
Did you run the HSFix in safe mode Zingar?

Let's continue on with the fix...

===============

If you don't already have it, let's go to Lavasoft's VX2 Cleaner web-page, and follow the instructions to download and install the utility.

-

Next, run AdAware SE Personal, then:

1. Click "Add-Ons".
2. Double-click "VX2 Cleaner"
3. Click "Ok", to "Execute this tool".
4. If nothing is found, click "Ok", then exit the program.

(or)

4. If VX2 has been found on your system, click "Clean System"
5. Then when it's completely done, reboot your computer.
6. Repeat steps 1-4 again.

Be sure to follow any instructions it might give while using it.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

O1 - Hosts: 1159680172 auto.search.msn.com
...(Verify that these IP addresses are for your ISP's DNS servers; if so, don't 'fix' these.)

O4 - Startup: winupdate11100696[1].exe


O19 - User stylesheet: C:\WINDOWS\stsheets.dat


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

Search for...

winupdate11100696[1].exe

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Post back a new log after rebooting and let me know how everything goes.

#7 Zingar, Mar 17th, 2005
Yes, I did run HSFix in safe mode and I just did it again after using Ad-aware SE. Ad-aware SE did find some infected files and I deleted 'em all. I also used the add-on (VX2 Cleaner), but it said I was clean. I tried to delete the file "winupdate11100696[1].exe" but I couldn't, not even in safe mode.
Hijack did nothing; I fixed all the files you told me to, but if I scan again they are there as if nothing happened.
Here's the log (I think it's pretty much the same):
Logfile of HijackThis v1.99.1
Scan saved at 02:37:28 p.m., on 17/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\$Elwin\Files and Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: winupdate11100696[1].exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Archivos de programa\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#8 crunchie, Mar 18th, 2005
Let's try something else Zingar.

===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

O1 - Hosts: 1159680172 auto.search.msn.com

O4 - Startup: winupdate11100696[1].exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
...(Verify that these IP addresses are for your ISP's DNS servers; if so, don't 'fix' these.)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Download the Pocket KillBox
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

C:\Documents and Settings\user name\Start Menu\Programs\Startup\winupdate11100696[1].exe

Reboot afterwards if the files are successfully deleted.

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

===============

Post back a new log after rebooting and let me know how everything goes.

#9 Zingar, Mar 20th, 2005
I did the scan and it only found one thing that it could not delete.
Name: WORM WOOTBOT.HI
Location: C:\Windows1\system32\win32resc.exe
I haven't deleted it yet. I think I should, but just in case, I prefer to be certain, so you tell me what to do with it.


HijackThis never does anything; it fixes all, yes, but if I scan again, they are there as if nothing happened.

Pocket Killbox successfully deleted "winupdate11100696[1].exe" and now it doesn't show up anymore in the HijackThis log!!

Here's the log after reboot:

Logfile of HijackThis v1.99.1
Scan saved at 02:06:08 a.m., on 20/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\$Elwin\Files and Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Archivos de programa\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

(By the way, the thing "O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245" is from my ADSL thing, so it's safe.)

#10 crunchie, Mar 20th, 2005
You need to delete C:\Windows1\system32\win32resc.exe but why is the 1 showing up after Windows?

Download the Hoster.
Run it and press "Restore Original Hosts" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it. You can edit the host file with this program too.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

O1 - Hosts: 1159680172 auto.search.msn.com

Make sure that you do not have any Internet Explorer windows open when fixing with hijackthis.
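
The tick, fix and re-scan cycle repeated across this thread, as an added Python example that is not part of the thread and not HijackThis's own code: it flags the R0, O1, O4, O17 and O19 lines the helpers single out and reports which of them survive into a later scan. The section rules, the `TRUSTED_START_PAGES` allowlist and all function names are assumptions; the example reads a bare decimal O1 address as the 32-bit integer form of an IPv4 address, and the two sample scans are trimmed copies of lines posted above.

```python
import ipaddress
import re

# Constructed sample: lines trimmed from the Mar 15 log posted in this thread.
SCAN_MAR15 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: winupdate11100696[1].exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
# Constructed: same scan with the O4 entry gone, as reported after Pocket Killbox.
SCAN_MAR20 = SCAN_MAR15.replace("O4 - Startup: winupdate11100696[1].exe\n", "")

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
# Assumption: start pages this user accepts; adjust per machine.
TRUSTED_START_PAGES = ("about:blank",)


def hosts_address(token):
    """Dotted-quad form of a hosts-file address, or None if it is not IPv4.
    A bare decimal token is taken as the 32-bit integer form of the address."""
    try:
        return str(ipaddress.IPv4Address(int(token) if token.isdigit() else token))
    except ValueError:
        return None


def triage(log):
    """Return (section, reason, raw_line) for each entry worth a manual look."""
    findings = []
    for raw in (l.strip() for l in log.splitlines()):
        m = ENTRY.match(raw)
        if not m:
            continue
        section, body = m.groups()
        value = body.split(" = ", 1)[-1]
        if section in ("R0", "R1") and "Start Page" in body:
            if not value.startswith(TRUSTED_START_PAGES):
                findings.append((section, "start page set to " + value, raw))
        elif section == "O1" and body.startswith("Hosts:"):
            addr, _, name = body[len("Hosts:"):].strip().partition(" ")
            ip = hosts_address(addr)
            # Anything other than a loopback mapping redirects the name elsewhere.
            if ip is None or not ipaddress.IPv4Address(ip).is_loopback:
                findings.append((section, f"{name} pinned to {ip or addr}", raw))
        elif section == "O4" and body.startswith("Startup:"):
            findings.append((section, "file in Startup folder: " + body.split(": ", 1)[1], raw))
        elif section == "O17" and "NameServer" in body:
            findings.append((section, "verify DNS servers: " + value, raw))
        elif section == "O19":
            findings.append((section, "user stylesheet override", raw))
    return findings


def persisting(before, after):
    """Flagged lines present in both scans, i.e. entries a 'fix' did not remove."""
    later = {raw for _, _, raw in triage(after)}
    return [f for f in triage(before) if f[2] in later]


if __name__ == "__main__":
    for section, reason, _ in persisting(SCAN_MAR15, SCAN_MAR20):
        print(section, reason)
```

Entries that stay in the `persisting` list after a fix point to something still rewriting them, which is the symptom reported throughout the thread.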

©2003 - 2009 DaniWeb® LLC