seriously seriously urgent- mds search booster related- please advise

See this thread here on MG's . It shows how to remove Haxdoor problems:
http://forums.majorgeeks.com/showthread.php?t=53615

You really should do the following though so we really no what you have:

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


After doing ALL of the above if you still have a problem:

Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

If you also have HorseServer problems, do the followiing:

Download: http://www.atribune.org/downloads/HSFix.zip

Extract the tool from the ZIP File to its own folder. Please boot to Safe Mode, open the Tool folder and DoubleClick hsfix.bat and let it run. It will produce a log here - C:\hslog.txt

Please run the tool as directed and attach the log it produces along with a fresh HijackThis Log and we'll see where you stand.

 

You don't have any of the problems you were referring to in your original thread. At least not from what I see right now.

I'll post something for you to do in a few minutes.

 

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\inetdata\services.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Now:
Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin
And Click OK.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Was the previous log from safe mode? I'm not sure what you are trying to say above but it does look like some of your process are not loading at startup. Have you been playing with HijackThis to fix things before coming here for help?

 

You don't know how to run Windows Explorer???

Click Start and select Explore. Then navigate your way to C:\WINDOWS\inetdata and then locate the services.exe file in that folder and delete it. Do not delete services.exe from anywhere else.

You need to follow the steps in my message in order from beginning to end with no interruptions and do not use your browser during those steps. Only open it again where I tell you to come back and post a log.

The link you referred to in your first message refers to problems with:

Horseserver.net, klikfeed.com & Backdoor.Haxdoor.D Analysis

You show now signs of those!

Is CWShredder giving you a file name?

 

Can you use Add/Remove programs to uninstall Search Booster?

Looks to me like someone deleted the Startup procedures for some of your applications. You may need to uninstall them, reboot, and then reinstall.

You did not post the new HJT log.

 

Do you use a program called Photodex Presenter? It's setup program is named pxsetup.exe

 

Also run what I gave you in message # 3.

 

Okay some of you McAfee stuff is now showing up as loading at Startup. But not ZoneAlarm. May need to reinstall to make sure it is properly configured. Yes you could just copy the zlclient.exe to the startup folder but there could be other things messed up.

Try this:

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixmdsb.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the fixmdsb.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes

 

Admin is always there in safe mode! Do what I gave you in message # 20

 

Spybot can make a log on what it finds. Post the log. I would like to see where it is finding y.exe and why it keeps coming back.

 

You log is clean from what I can see. I would disconnect from the internet phyiscally and then do the following (make sure you have the installation programs first - and updates McAfee just updated again today):

- uninstall McAfee
- uninstall ZoneAlarm
- reboot
- reinstall McAfee & update
- reboot and do full system scan
- if anything was found in the scan, reboot after fixing
- re-install ZoneAlarm
- reconnect your cable

See how things work now. Do you see all the proper processes in your HJT log?

 

You're welcome!