HomePage Re-directed & UserName Change

1. Problem just hit in last 24 hours. Main viruses detected were Java_Bytever.A and Java_Bytever.A-1. Also had one called Html_Coolweb.A
2. Used House Call & PC_Cillin. PCC showed files quarantined but I suspect not as problem tested with my ISP tech support today, as follows:
Correct web address shows up, but not at the ISP server address, then a repeat pop-up changing my user name to one hijacked from my system.
System is Win 2000 and am not sure where to disable 'restore programs'.
3.When IE connected screen "Instafinder.com" appears. I found and removed this directory completely.
4. Ad Aware also found 10 more, but I suspect a trojan or something more sinister as the past week many programs have started slowing. Usual system maintenance performed.
Thanks in advance suggested solutions.

 

http://forums.majorgeeks.com/announcement.php?f=33

Read this and try it.

 

Yep, thanks I only read half of it....its a very thorough step-by-step. Already found one main culprit by using AdAware in safe & switching those hidden files. Will revert back after trying all other options.
Excellent...thanks thus far

 

Re: HomePage Hijacking....continued

Okay, did all the things in the READTHIS announcement, got rid of many (c.230 files) with AdAware (safemode) & used all others relevant to Win2k.
Am preparing back-ups for a re-format, but thought I'd ask:

Safemode with Networking can't allow connection to ISP? Correct. How to resolve this issue. Tks

 

Up to HijackThis Logfile...AnyHelp?

Working through the many useful threads, perhaps someone can interpret my logfile, as attached. Tks in advance. Tired of using my laptop as backup.

 

Re: Up to HijackThis Logfile...AnyHelp?

You have sais.exe spyware.c:\program files\180solutions\sais.exe
And your ie start/search pages need to be checked,grockester may be responsibe?
I have never used HJT so you should wait for bjgarrick or chaslang on how to fix it.

 

Re: Logfile of Reg. Errors Identified

Yes, tks mate. Using the tutorial Generic Solution to HSA (Only the Best) & About:Blank hijack , I've identified also:

At R3 URL SearchHook...; O3 Toolbar (no name)... ; O4 sais....; then O16 DPF to a fizzlewizzle website

Problem is tutorial states Run "notepad c:\path\xxxx, and as I've not been in here before, am not sure of the correct procedure. Am of course aware that, the .log is the backup.

Perhaps can get an instruction on just this critical aspect of removing the nastys from the reg. file.
Apology to Major for seeing the tutorial after attaching my logfile. Tks.

 

Re: Logfile of Reg. Errors Identified

I gave your hjt log to the auto analyse sites in the tutorial and they found the same things,so maybe you should tick the items and click fix.
The tuts doesnt include 023-win nt services?

 

Tks further, the tute talked about a generic path to notepad file which confuses a little, as an important step before going into safemode for HJ. Is it safe to go straight to HJ in safemode and run Fixes on the nasty lines. i.e. I can follow the tute on my laptop as I work on the problem PC?
And then follow all the subsequent software recommendations?

 

I think you should stick with MAs tutorial and dont try any safe mode.

 

Even for an old-timer (in PCs since 1986) one tut re HSA calls for a notepad command before going into safemode to then use HijackThis. CW Shredder did not remove the nasty code.

Grateful any help.

 

Tks your great reply...back here now.
1. Was confused with HSA generic procedure c.f. HJT instructions. Tks clarification.
2. Could not run any live-updates of "Scanning And Cleaning Steps: (These 4 steps are NOT optional and must be run!!)" as blocked from all ISPs on the problem PC, so Step 4, online updates not possible. This laptop I am communicating on is virtually clean. Hence took latest software across from laptop downloads to problem PC for running.
3. Did Add/Remove steps & Shareaza problems. Shareaza has entered from a download, thought I had removed it.
4. There's no 180solutions (or the 2 others) directory/files on system. I removed shareaza.exe completely, incl. from recycle bin.
5. Followed all steps and attached is new logfile.
6. Have not re-connected that PC to net until I hear further from you.
Tks in advance.

 

Thanks greatly, sure made a difference, esp general sys ops speed. Doing those final removes as suggested. Also now on that PC, 1st thing was c.37.5 Mb MS critical updates. Reckon the viruses cut out that working too!