0

Hi i've been out of my house for some time while a friend was waiting me at my own house while playing/using my computer. I don't like to go to certain places at IE because they are often full of spyware/adaware or some other not good stuff. But it seems that my friend do go to that places because when i went back to my house, i realized that my main page had been changed and that there were some new web sites at my "favourites" folder.
The thing is that even if i delete/change them, they will appear again after some seconds (by the way my main page is "http://rl.webtracer.cc/-/?bayzm"). I also think that im getting more pop ups because of this, and sometimes (doesn't matter in which web site i am) im redirected to "http://global-finder.com/cgi-bin/search/go.cgi". I've found some other people that have my same problem but they couldn't fix it yet.
Heres my log (by the way my windows XP its in spanish, "Archivos the programa" means "Program files") :

Logfile of HijackThis v1.99.1
Scan saved at 12:46:14 p.m., on 15/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Grisoft\AVG Free\avgcc.exe
C:\Archivos de programa\Grisoft\AVG Free\avgemc.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\$Elwin\Files and Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: winupdate11100696[1].exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Archivos de programa\IrfanView\Ebay\Ebay.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks in advance.

9
Contributors
36
Replies
37
Views
12 Years
Discussion Span
Last Post by DMR
0

Choose Start, Run, regedit. Locate and select the key:

HKEY_CURRENT_USER\Software\Policies\ Microsoft\Internet Explorer\Control Panel

In the right hand pane, right-click underneath any entries you see there and choose New, DWORD value. Name it Homepage. Select the entry, right-click it and choose Modify. Enter a value of 1

This will lock your homepage to whatever you changed last time.... but you have spyware on your system ... run an antispyware program.

In hijackthis ... check the following entries
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
and then click fix. remember to make a backup before fixing.

0

I tried to go to "HKEY_CURRENT_USER\Software\Policies\ Microsoft\Internet Explorer\Control Panel" in the regedit but that folder doesnt exist, I can only go untill "HKEY_CURRENT_USER\Software\Policies\ Microsoft" then IE isnt there, should i look somewhere else?

I scanned with Ad-aware 6 and i also scaned with some other programs that only scanned, they didnt clean the files infected (i had to pay if i wanted the program to clean, pretty stupid because the program says which and where are those infected files so i go and delete em..), but they have found nothing..

I also tried to fix :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
But i couldn't even fix O1 - Hosts: 1159680172 auto.search.msn.com because it says that i dont have the rights to write it..
I could fix the other two though (both R0's) but if i scan again they are back there again.. :(
Should i reinstall windows?

Thanks in advance

0

You have the horse server infection Zingar.

Can you do the following please.

First, download HSFix from here.

After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

Reboot into safe mode following the instructions here

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"

A log will be produced which you can close out of.

Then run HijackThis again, close any open windows and browsers and fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

O1 - Hosts: 1159680172 auto.search.msn.com

O4 - Startup: winupdate11100696[1].exe

Restart your computer into normal mode and run at least one of the following free, online virus scans:

http://housecall.trendmicro.com/hou.../start_corp.asp
http://www.pandasoftware.com/activescan...ncipal.htm
http://www3.ca.com/threatinfo/virusinfo/scan.aspx

Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt

0

Here is the HSFix log:

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

And here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:52:43 a.m., on 17/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\$Elwin\Files and Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: winupdate11100696[1].exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Archivos de programa\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

0

Did you run the HSFix in safe mode Zingar?

Let's continue on with the fix...

===============

If you don't already have it, let's go to [b]Lavasoft's[/b] LavaSoft's VX2 Cleaner web-page, and follow the instructions to download and install the utility.

-

Next, run AdAware SE Personal, then:

  1. Click "Add-Ons".
  2. Double-click "VX2 Cleaner"
  3. Click "Ok", to "Execute this tool".
  4. If nothing is found, click "Ok", then exit the program.

    (or)

  5. If VX2 has been found on your system, click "Clean System"

  6. Then when it's complelely done, reboot your computer.
  7. Repeat steps 1-4 again.

Be sure to follow any instructions it might give while using it.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

O1 - Hosts: 1159680172 auto.search.msn.com
...(Verify that these ip addresses are for your isp's DNS Servers, if so, don't 'fix' these.)

O4 - Startup: winupdate11100696[1].exe

O19 - User stylesheet: C:\WINDOWS\stsheets.dat

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

Search for...

winupdate11100696[1].exe

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "safe mode

===============

Post back a new log after rebooting and let me know how everything goes.

Edited by Reverend Jim: Fixed formatting

0

Yes, i did run HSFix in safe mode and I just did it again after using Ad-aware SE. Ad-aware SE did find some infected files and i deleted em all, I also used the Add-On (VX2 Cleaner), but it said I was clean. I tried to delete the file "winupdate11100696[1].exe" but i couldn't, not even at safe mode.
Hijack did nothing, I fixed all the files you told me to, but if I scan again they are there as if nothing happened.
Heres the log (i think it's pretty much the same):
Logfile of HijackThis v1.99.1
Scan saved at 02:37:28 p.m., on 17/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\$Elwin\Files and Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: winupdate11100696[1].exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Archivos de programa\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

0

Let's try something else Zingar.

===============

Go to www.trendmicro.com, and then:

  1. Click "Free Online Scan".
  2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

  1. Select all available drives.
  2. Check(tick) "Auto Clean".
  3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm 


 O1 - Hosts: 1159680172 auto.search.msn.com 


 O4 - Startup: winupdate11100696[1].exe 


 O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245 
...(Verify that these ip addresses are for your isp's DNS Servers, if so, don't 'fix' these.)

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Download the Pocket KillBox
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

C:\Documents and Settings\user name\Start Menu\Programs\Startup\winupdate11100696[1].exe

Reboot afterwards if the files are successfully deleted.

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

===============

Post back a new log after rebooting and let me know how everything goes.

Edited by Nick Evan: Fixed formatting

0

I did the scan and it only found one thing that it could not dedlete it.
Name :WORM WOOTBOT.HI
Location:C:\Windows1\system32\win32resc.exeC:\Windows1\system32\win32resc.exe
I havent delted it yet, i think i should but just in case,i prefer to be certain, so you tell me what to do with it.


HijackThis never does anything, fix all yes, but if i scan again, they are there as if nothing happened.

Pocket Killbox succesfully deleted "winupdate11100696[1].exe" and now it doesnt show up anymore at the HijackThis log!! :D

Here's the log after reboot:

Logfile of HijackThis v1.99.1
Scan saved at 02:06:08 a.m., on 20/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\$Elwin\Files and Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Archivos de programa\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

(By the way the thing "O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
" its from my ADSL thing so its safe).

0

You need to delete C:\Windows1\system32\win32resc.exe but why is the 1 showing up after Windows?

Download the Hoster.
Run it and press "Restore Original Hosts" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it. You can edit the host file with this program too.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

O1 - Hosts: 1159680172 auto.search.msn.com

Make sure that you do not have any Internet Explorer windows open when fixing with hijackthis.

0

Delted it but HijackThis still does nothing, they keep appearing again, maybe i just should reinstall windows? or they will be still there?

0

Did you run the Hoster yet? Please post a new log after running it. Remember to close all browser windows before scanning with HJT or fixing anything with it.

0

Yea i did, here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 01:33:52 p.m., on 23/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\userinit32.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\$Elwin\Files and Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O1 - Hosts: 1159680172 auto.search.msn.com
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Archivos de programa\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

0

Let's try the Registry Editor again (regedit).

Before you manually edit the Registry, you should create a backup. At the top of the Registry window, click on the Registry menu, click Export Registry File. In the Export range panel, click All, then save your registry as Backup. This way, if the operating of your PC is affected, you have a way to restore it.

Also set a System Restore point.

In the Registry Editor, click on the + next to HKEY_CURRENT_USER, and then the + next to Software, the + next to Microsoft, and then the + next to Internet Explorer. Find the folder that says Main and click on it; in the right-hand pane, find Start Page; right-click on it and select Modify. In the Value data field, delete whatever is there and replace it with http://www.google.com/ (you can change this to whatever you wish now, or change it later).

Go to HKEY_LOCAL_MACHINE and follow the same path and make the same change.

Close the editor, close all browser windows, scan with HJT, and have it fix:

F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O1 - Hosts: 1159680172 auto.search.msn.com

Reboot, close all browser windows, scan with HJT, and post a new log please.

0

I did all that you said, the home page seemed to work right, but once i rebooted it went back to "http://rl.webtracer.cc/-/?bayzm" ...
And by the way, to fix "O1 - Hosts: 1159680172 auto.search.msn.com" i needed to reboot and put safe mode, still once i rebooted again, it was as if i did nothing.
Here's the log, still the same i think...

Logfile of HijackThis v1.99.1
Scan saved at 01:27:38 a.m., on 24/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\$Elwin\Files and Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Archivos de programa\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

0

Something is causing this to be recreated but it's not showing in your HJT log (or if it is, I'm overlooking it). I'd like to suggest another program for you to try, I've found it can find things most other programs can't.

It's called CounterSpy and you can get it from here:

http://www.download.com/3000-8022_4-10337358.html

It has a 15-day free trial which will be plenty of time to get your system cleaned up, or you can purchase it for $20 (US). After you download it, install it; when asked for a registration number, just click next.

Before scanning the first time, make the following adjustments to the settings:

CounterSpy Settings

At the very top, click on File, and then Check for updates
When it’s finished updating, click the ‘Close’ button

Under ‘Spyware Scan’ on the left, click on ‘Run a spyware scan’
In the left pane, click on ‘Scan Options’
Mark ‘Full system scan’
Check all boxes under ‘Full system scan,’ including ‘Save these options’
In the right pane, near the bottom, click ‘Manage Schedule’
On the left side, select your preferred schedule options
On the right side, under ‘Scheduled Scan Options,’ check:
‘Always run a deep scan’
‘Automatically remove spyware cookies’
Click the ‘Update Schedule’ button

At the top, click on ‘System Tools’
Double-click on ‘History Cleaner’
Check the following options (if they are not grayed-out):
‘Internet Explorer History’
‘Internet Explorer Cookies’
‘Kazaa’
‘Temporary Internet Files’
Review the list for any other ‘History’ items you wish to clean
At the bottom, click ‘Remember checked’
Click on the ‘Clean History’ button
Click the ‘Yes’ button, and then the ‘OK’ button

Click ‘Back’ at the top
Double-click ‘My PC Checkup’
Click the ‘Start’ button
In the first part of the list, uncheck everything up to any ActiveX entries; the entries you uncheck can be checked later, individually, to ensure they won’t interfere with your browsing habits (for maximum protection, however, you may leave them all checked)
Leave all ActiveX entries checked
In the second part of the list ‘(Items already changed below…),’ leave all entries checked
Click the ‘Continue’ button
Click the ‘OK’ button

At the top, click ‘Spyware Scan’
On the right side, click the ‘Scan Now’ button
This will take awhile depending on the size of your drive(s), number of files, CPU, etc. (40 minutes on my computer)
When the scan is complete, use the drop-down arrow next to each entry and select ‘Remove’ (if you see any entries that you think you may wish to keep, ‘Ignore’ them for now and post them for recommendations)
Select ‘Create restore point’ if you want CounterSpy to create a Windows XP System Restore point
At the bottom, click ‘Take Action’
Click the ‘Close’ button and exit the program

Now, reboot, close all browser windows, scan with HJT, post a new log, and let us know if the problem still exists.

0

Sorry for answering so late, i've been checking for new answers everyday, but i just just realized that there was a page 2 :P
Anyway, the CounterSpy found 2 registrty files i think, infected with "MoneyTree (Dialer)" (thats the name that it says).
I removed it, rebooted, but nothing, still the same...
Heres the log, same as always i think:


Logfile of HijackThis v1.99.1
Scan saved at 03:25:40 a.m., on 26/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\$Elwin\Files and Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Archivos de programa\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF5EB85-D6B8-43E0-9973-BC22F2FBC0AD}: NameServer = 200.40.220.245 200.40.30.245
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Maybe i just should reinstall windows or something? i dont wanna keep wasting your time anymore with this, luckily i dont use much IE..
And by the way, the thing that bothers me most, its that i get very often redirected to porno sites.. the home page bothers a bit but not that much.

0

Well, after a bit of research, I think I've found a way to get rid of that nasty webtracer.

Get Find.zip from here:
http://www.atribune.org/downloads/find.zip

Download Find.zip into the same folder your HijackThis is in ('Files and Programs' in your case); make sure you Extract All Files

Double-click Find.bat and let it scan your computer (should only take a few seconds)

Look in the folder you have HijackThis in and find Report.txt

Double-click Report.txt, copy the entire contents of the log, and paste it here.

After running this program, do NOT shutdown or log off of your computer until after we have fixed the problem.

Sorry for answering so late, i've been checking for new answers everyday, but i just just realized that there was a page 2.

Don't feel bad, the same thing happened to me when I first came here :o

0

When i run Find.bat, i think it gives me an error but i cant read the message because its there for less than a second (the last word its "report.txt").
In the report.txt theres nothing, I think its having compativility problems and it cant run properly.

0

Well, these probably aren't going to be on your system, but you can do a search for them and see what you come up with. From what I can find out, it seems the problem is going to be in this DRIVERS folder, but the name can be different.

C:\WINDOWS\SYSTEM32\DRIVERS\beepw.sys
C:\WINDOWS\System32\drivers\hidclasy.sys
C:\WINDOWS\SYSTEM32\DRIVERS\battcc.sys

I'll see what else I can find out, or maybe someone else will have some ideas.

This program can help locate it, but, unfortunately, I don't know how to use it:
http://www.niksoft.at/_data/startdreck.zip

0

I didnt have any of those files, i had two that had similar names to two of those so just in case, i deleted em :P
By the way, CounterSpy is blocking the virus to change the homepage, so now I dont have that home page anymore! The thing is that it expires in 14 days :(
Anyways i dont use much IE, just to ask some stuff in some forums but not that much, so if i get redirected or if my homepage is changed really doesnt bother me much, the thing that DOES bother me, its if this spyware or whatever it is, is sending information such us passwords or CD-keys to another person, Is there anything that i can do to know if the virus is doing that?
Becuase when i ran all the Antivirus/Antispyware that you told me to ran, they all found a virus and the description said only stuff about IE.. if its only doing that, i can live with it.

I really appreciate and i say thank you so much to all of you that tried to help me with my nasty problem (now my IE has password so no other "friends" would be able to do this again)

0

I deleted the file on safe mode, anyways i rebooted and it appeared again..
"Locate.bat" only worked in safe mode as well, still the "Report.txt" only have this: C:\WINDOWS\SYSTEM32\DRIVERS\FASTFATS.SYS

0

I deleted the file on safe mode, anyways i rebooted and it appeared again..
"Locate.bat" only worked in safe mode as well, still the "Report.txt" only have this: C:\WINDOWS\SYSTEM32\DRIVERS\FASTFATS.SYS

That's most likely the file that's causing problems; I did a Google search for it and found nothing -- most legit files will have some info on them somewhere. If you have any doubts, set a System Restore point before deleting it.

After you delete it, reboot and post another HJT log.

0

You also appear to have a CWS infection.

Download CWShredder from here:

http://www.intermute.com/spysubtract/cwshredder_download.html

Unzip to your desktop, run it, and then:

1. Click "Check For Update"
(If an update isn't available, skip to step 4)

2. Click "Click here to Download the upate"

3. When the new version has been downloaded, click "Save"

4. Click "Fix"

If it asks you to verify any files to be deleted, either do a Google search for it/them or ask us here before deleting.

Then, post a new HJT log

0

ITS GONE!!!! =D

After deleting in safe mode the file "FASTFATS.SYS", "stsheets.dat" and fixing everything that was relationed with the virus, the virus dissapeared.
I rebooted again in normal mode, scanned with HijackThis and nothing was there!!! The home page wasnt there anymore, i could change it freely!!

Im so happy to get rid of that crap, the guy that made the program that you told me to download at "http://www.atribune.org/downloads/locate.zip" really did a good job, it was the only one that detected the real problem!!

Thanks, thanks, thanks a LOT!! I thought that having AVG was enough...
Im gonna recommend this site from now on to everyone that have techincal/malware problems because im very happy with the results that i got.

Thanks again!

0

I'm glad we finally got everything cleaned out, that was quite a workout!

I thought that having AVG was enough...

Unfortunately, no one program is enough to protect you from everything out there nowadays. In this thread you've seen just a few of the tools we use to remove malware, there are many more for different infections.

To help protect your system, I suggest you get (if you don't already have them):
Ad-Aware SE
SpyBot Search and Destroy
SpywareBlaster
SpywareGaurd
They're all free and help a lot! But don't let yourself be fooled into thinking you're completely protected!

I'm going to mark this thread as solved, but if any problems come back in the near future, PM one of the moderators to reopen it.

If you haven't done so already, have a look through the other forums here, like the Geeks Lounge, there's more to this site than just computer stuff :)

0

Hello there guys

I had the same Virus or whatever it was. I used this same method descirbed here above to get rid of it. I only wanted to mention that my filename in Report. txt turned out to be GML.SYS

One or more CON code pages invalid for given keyboard code
C:\WINDOWS\SYSTEM32\DRIVERS\GML.SYS
C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIVER\LVCA.SYS

I do not know about LVCA.SYS. It does not look like a virus to me considering its place in the system.

Anyone an opinion?

Trandill

0

C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIVER\LVCA.SYS

I do not know about LVCA.SYS. It does not look like a virus to me considering its place in the system.

This is a Dexxa USB Webcam driver for win98.

0

This is a Dexxa USB Webcam driver for win98.

Thanks for that information.

I got a lot of worms and Trojans and Spyware and other good stuff with this hijacking of my browser. There is now still one thing I don't know how to get rid of. Some program in my compter seems to redirect request to go to google. com to some googl which is a porn search engine. Has somebody had this problem lately?

Thanks :(

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.