Can't open some of my saved webpages

Discussion in 'Malware Help (A Specialist Will Reply)' started by Rotimi, Jan 9, 2005.

  1. Rotimi

    Rotimi Private E-2

    Re: Please help me remove Malware

    OK I am more than a 'JJC' at this.....that I don't even know how to post a new message. What it is is, I have just downloaded Spyware Doctor full version and recently used it to sort out my virus problems (though one of them couldn't be healed...it says). My main problem is I can't open some of my saved webpages that are kind of very vital to me....like my internet banking and some other sites that need inputting membership numbers and password. I don't know what I have done wrong while cleaning out the viruses. Can anyone HELP, can they also help tell how to post a new question other than posting a reply to someone else's. Thanks
     
  2. Rotimi

    Rotimi Private E-2

    Please Heeeeeeeeeeeeelp!!!!!!!!!!!!!!!

    Here's a copy of my system's HJT log

    Logfile of HijackThis v1.99.0
    Scan saved at 13:13:20, on 09/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


    Edit by chaslang: Unrequested inline log deleted
     
    Last edited by a moderator: Jan 9, 2005
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Please help me remove Malware

    You need to read the Stickies and the FAQs. You should not post your message for help in a thread that does not belong to you. Also there are guidelines about posting HijackThis logs you need to follow. You have a bunch of problems and trojans. You need to run the steps below.

    Read the below:
    How To Post A New Thread Requesting Support

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    To Get you started:
    After putting HJT in the proper directory, make sure you EXIT all browsers, run it and have it Fix all those O1 - Host lines
     
  4. Rotimi

    Rotimi Private E-2

    Thanks ever so much, the infos were very helpful.
    However, I have before posting, read the "Read me first....." and got stuck at step number 4 i.e. Downloading Tools. The links would not open as "can not find server" message comes up for all of the links.
    I've also tried to at least restore my system's setting to its original stage but the page would not load and when it does it's just blank.
    Let me mention too that I have used the latest version of AVG free version and also have installed and run Spyware Doctor. These programs have found Trojan Horse viruses and loads of faults/malwares and healed them (I think) but one of these though healed is still in quarantine. I have also restored items in the AVG virus vault hoping this will at least restore my system to its pop up stage which is actually why I started this whole virus scan thing.
    Thanks again for your help.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There aren't any problems with the tools being downloaded. Try again. If you cannot download them from MG's, answer this: can you download anything from anywhere? For example, try this to download CCleaner:

    http://www.ccleaner.com/ccdownload.php

    If that works and you cannot download from MG's, check your hosts file and also your Internet Explorer Restricted Zones to make sure MG's is not blocked.
     
  6. Rotimi

    Rotimi Private E-2

    Thanks again!
    The CCleaner link worked just fine and have downloaded.
    There are no websites in the IE restricted sites and have also lowered the security level.
    How could I possibly check for HOSTS FILE?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So I guess you are telling me that you still cannot download from MG's? Is that right?

    What did you lower your security level to?

    Your hosts file can be brought up quickly by doing the following, click Start, Run and enter notepad c:\windows\system32\drivers\etc\host into the open box and click OK.

    What should be in the hosts file is below in the quote box. If you have any additional lines in it, tell me and remove all of them except what is below.
     
  8. Rotimi

    Rotimi Private E-2

    Hi there Chaslang,
    Following your advice to bring up the host file, I did as instructed in your post but got the following message....."Cannot find the c:\windows\system32\drivers\etc\host.textfile" and also below it...."Do you want to create one".

    Answering your questions, Yes I still can't download from MG's and I lowered the security level to low.

    Thank you again
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download HijackThis from here: http://www.merijn.org/files/hijackthis.zip and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  10. Rotimi

    Rotimi Private E-2

    Hi Chaslang,
    I haven't got the "additional option" tab to attach a log file.

    Please advise
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click "Go Advanced" first then Manage Attachments will be further down the page.
     
  12. Rotimi

    Rotimi Private E-2

    Don't mean to sound stupid but I haven't got this "Go Advanced" option either
    SORRY!!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you click on the Reply button to start a new message, you do not see a button under the window titled Go Advanced?

    If not, you must have some features disabled that you need. Post your log inline and I'll change it.
     
  14. Rotimi

    Rotimi Private E-2

    Please see below

    Thank you!

    Edit by chaslang: Inline log changed to attachment
     

    Attached Files:

    Last edited by a moderator: Jan 10, 2005
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmmm! See all those O1 entries? Remember when I asked you to look at your hosts file? There's the problem!!!!!
     
  16. Rotimi

    Rotimi Private E-2

    Any idea how I may sort this out?
    Please
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to exit all browsers BEFORE running HJT.
    You need to go to Add/Remove programs and uninstall P2P Networking!

    What is your expected/desired home page?

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
    Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb8l.hpwis.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 127.0.0.0 localhost
    O1 - Hosts: 127.0.0.2 auditmypc.com
    O1 - Hosts: 127.0.0.3 boards.cexx.org
    O1 - Hosts: 127.0.0.4 bulletproofsoft.net
    O1 - Hosts: 127.0.0.5 camtech2000.net
    O1 - Hosts: 127.0.0.6 cexx.org
    O1 - Hosts: 127.0.0.7 computercops.us
    O1 - Hosts: 127.0.0.8 ct7support.com
    O1 - Hosts: 127.0.0.9 doxdesk.com
    O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
    O1 - Hosts: 127.0.0.21 kephyr.com
    O1 - Hosts: 127.0.0.24 lurkhere.com
    O1 - Hosts: 127.0.0.25 majorgeeks.com
    O1 - Hosts: 127.0.0.26 merijn.org
    O1 - Hosts: 127.0.0.27 mjc1.com
    O1 - Hosts: 127.0.0.28 moosoft.com
    O1 - Hosts: 127.0.0.29 mvps.org
    O1 - Hosts: 127.0.0.30 net-integration.net
    O1 - Hosts: 127.0.0.31 noadware.net
    O1 - Hosts: 127.0.0.32 no-spybot.com
    O1 - Hosts: 127.0.0.33 onlinepcfix.com
    O1 - Hosts: 127.0.0.34 pchell.com
    O1 - Hosts: 127.0.0.35 pestpatrol.com
    O1 - Hosts: 127.0.0.36 safer-networking.org
    O1 - Hosts: 127.0.0.37 secure.spykiller.com
    O1 - Hosts: 127.0.0.38 secureie.com
    O1 - Hosts: 127.0.0.39 security.kolla.de
    O1 - Hosts: 127.0.0.40 spybot.info
    O1 - Hosts: 127.0.0.41 spychecker.com
    O1 - Hosts: 127.0.0.42 spychecker.com
    O1 - Hosts: 127.0.0.43 spycop.com
    O1 - Hosts: 127.0.0.44 spyguard.com
    O1 - Hosts: 127.0.0.45 spykiller.com
    O1 - Hosts: 127.0.0.46 spyware.co.uk
    O1 - Hosts: 127.0.0.47 spyware-cop.com
    O1 - Hosts: 127.0.0.48 spywareinfo.com
    O1 - Hosts: 127.0.0.49 spywarenuker.com
    O1 - Hosts: 127.0.0.50 spywareremove.com
    O1 - Hosts: 127.0.0.51 spywareremove.com
    O1 - Hosts: 127.0.0.52 stopzillapro.com
    O1 - Hosts: 127.0.0.53 sunbelt-software.com
    O1 - Hosts: 127.0.0.54 thiefware.com
    O1 - Hosts: 127.0.0.55 tomcoyote.org
    O1 - Hosts: 127.0.0.56 unwantedlinks.com
    O1 - Hosts: 127.0.0.57 webattack.com
    O1 - Hosts: 127.0.0.58 wilders.org
    O1 - Hosts: 127.0.0.59 www.auditmypc.com
    O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
    O1 - Hosts: 127.0.0.61 www.cexx.org
    O1 - Hosts: 127.0.0.62 www.computercops.us
    O1 - Hosts: 127.0.0.63 www.ct7support.com
    O1 - Hosts: 127.0.0.64 www.doxdesk.com
    O1 - Hosts: 127.0.0.65 www.eblocs.com
    O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
    O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
    O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
    O1 - Hosts: 127.0.0.69 www.grc.com
    O1 - Hosts: 127.0.0.70 www.grisoft.com
    O1 - Hosts: 127.0.0.71 www.hackfaq.org
    O1 - Hosts: 127.0.0.72 www.hazeleger.net
    O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
    O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
    O1 - Hosts: 127.0.0.75 www.kephyr.com
    O1 - Hosts: 127.0.0.78 www.lurkhere.com
    O1 - Hosts: 127.0.0.79 www.majorgeeks.com
    O1 - Hosts: 127.0.0.80 www.merijn.org
    O1 - Hosts: 127.0.0.81 www.mjc1.com
    O1 - Hosts: 127.0.0.82 www.moosoft.com
    O1 - Hosts: 127.0.0.83 www.mvps.org
    O1 - Hosts: 127.0.0.84 www.net-integration.net
    O1 - Hosts: 127.0.0.85 www.noadware.net
    O1 - Hosts: 127.0.0.86 www.no-spybot.com
    O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
    O1 - Hosts: 127.0.0.88 www.pchell.com
    O1 - Hosts: 127.0.0.89 www.pestpatrol.com
    O1 - Hosts: 127.0.0.90 www.safer-networking.org
    O1 - Hosts: 127.0.0.91 www.secureie.com
    O1 - Hosts: 127.0.0.92 www.security.kolla.de
    O1 - Hosts: 127.0.0.93 www.spybot.info
    O1 - Hosts: 127.0.0.94 www.spychecker.com
    O1 - Hosts: 127.0.0.95 www.spychecker.com
    O1 - Hosts: 127.0.0.96 www.spycop.com
    O1 - Hosts: 127.0.0.97 www.spyguard.com
    O1 - Hosts: 127.0.0.98 www.spykiller.com
    O1 - Hosts: 127.0.0.99 www.spyware.co.uk
    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
    O3 - Toolbar: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int113777.exe -auto
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [vccyjtiyzzk] C:\WINDOWS\System32\rpvdgd.exe
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll




    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\P2P Networking <--- the whole folder
    C:\WINDOWS\ZServ.dll
    C:\WINDOWS\isrvs <--- the whole folder
    C:\Program Files\websx <--- the whole folder
    C:\WINDOWS\System32\rpvdgd.exe


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: Jan 10, 2005
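The O1 lines in the post above show the pattern that was blocking the downloads: security and anti-malware sites mapped to loopback addresses in the hosts file. The following is an added example, not part of the original thread, that audits HijackThis O1 lines or raw hosts-file text for that pattern. The sample input is constructed from a few lines of the log above plus two hypothetical lines (a normal `127.0.0.1 localhost` entry and a `bank.example` redirect), and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: some O1 lines copied from the log in this thread, plus
# two hypothetical lines (a default localhost entry and a non-loopback redirect).
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 203.0.113.7 bank.example
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
"""

O1_LINE = re.compile(r"^\s*O1\s*-\s*Hosts:\s*(.*)$", re.IGNORECASE)
OTHER_HJT_LINE = re.compile(r"^\s*[A-Z]\d+\s+-\s")
DEFAULT_LOCALHOST = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_entries(text):
    """Yield (ip, hostname) pairs from HijackThis O1 lines or raw hosts-file lines."""
    for line in text.splitlines():
        match = O1_LINE.match(line)
        if match:
            body = match.group(1)
        elif OTHER_HJT_LINE.match(line):
            continue  # another HijackThis section (R0, O4, ...), not a hosts entry
        else:
            body = line  # treat as a raw hosts-file line
        fields = body.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address/name mapping
        for name in fields[1:]:  # one hosts line may map several names
            yield ip, name.lower()


def classify(ip, name):
    """Return 'ok', 'odd-localhost', 'blocked' or 'redirected' for one entry."""
    if name == "localhost":
        return "ok" if ip in DEFAULT_LOCALHOST else "odd-localhost"
    if ip.is_loopback or ip.is_unspecified:
        # The name resolves to this machine, so the real site is unreachable.
        # Deliberate ad-block lists look the same; review which names are listed.
        return "blocked"
    return "redirected"  # the name is pointed at some other server


def audit(text):
    """Group every non-default entry by verdict."""
    findings = {"blocked": [], "redirected": [], "odd-localhost": []}
    for ip, name in parse_entries(text):
        verdict = classify(ip, name)
        if verdict != "ok":
            findings[verdict].append((str(ip), name))
    return findings


if __name__ == "__main__":
    for verdict, entries in audit(SAMPLE_LOG).items():
        for ip, name in entries:
            print(f"{verdict:14} {ip:15} {name}")
```

To audit a live system, pass `audit()` the text of the hosts file under `%SystemRoot%\system32\drivers\etc` instead of the sample.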
  18. Rotimi

    Rotimi Private E-2

    Do you mean just this one listed

    ***C:\WINDOWS\System32\P2P Networking\P2P Networking.ex)

    and if yes it is not among the list found in the process manager. Please note too that I have deleted this from "Add/Delete programs"
     
  19. Rotimi

    Rotimi Private E-2

    Hi there,
    Here's the new Logfile of HijackThis following your advice. I'm still having problems opening certain pages.....

    Edit by chaslang: Inline log changed to an attachment
     

    Attached Files:

    Last edited by a moderator: Jan 10, 2005
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Since you already uninstalled it, it is not appearing anymore. I left in my cleanup procedure just in case it did not uninstall.

    I repeat a question: What is your expected/desired home page?

    You should be able to download from Majorgeeks (and other places now). Check it. Make sure you can download the stuff we wanted you to download in the READ ME. Then start running the READ ME steps.

    Note: never cut anything out of your HJT log files. You cut the first line, which is
    Logfile of HijackThis v1.99.0

    While it is not important now, because I know what you have already. A new log posted for someone that way would leave them not knowing if you have the correct version. You also MUST remember to exit ALL browsers ALWAYS before running HJT. You had this running:
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    They can interfere with proper cleanup.

    Run Windows Explorer and look for the below files. Tell me if you find any of them:
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\isrvs\sysupd.dll
    C:\WINDOWS\isrvs\desktop.exe
    C:\WINDOWS\isrvs\ffisearch.exe
    C:\WINDOWS\wupdt.exe

    Then do the below:

    Copy and paste the information in the below quote box to notepad. Save it to a file that you will have access to later when you boot into safe mode. Name it fix.reg. Then boot into safe mode, run Windows Explorer and locate the fixisrvs.reg file. Doubleclick it and grant it permission to merge in the registry entries.

     
    Last edited: Jan 12, 2005
  21. Rotimi

    Rotimi Private E-2

    Hi there,
    I have finally been able to download from MG's. Still having problems loading up a few other web pages though......some issue with javascript (I think).

    However, none of these files were found ref:

    Run Windows Explorer and look for the below files. Tell me if you find any of them:
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\isrvs\sysupd.dll
    C:\WINDOWS\isrvs\desktop.exe
    C:\WINDOWS\isrvs\ffisearch.exe
    C:\WINDOWS\wupdt.exe

    My expected/desired HomePage would be (bbc.co.uk/london) but this is not a huge importance right now. Let me point out that having worked in safe mode following the steps in the tutorial, my homepage had been automatically reset to "Google" after reboot in normal mode. Would you know of any reason why this changed?

    Here's the result of the Trend Micro's Free Online Virus Scan
    Virus found: TROJ SMALL.ND
    Scan Result: NON CLEANABLE!
    File: C:\ProgramFiles\Pl.exe
    C:\Windows\BTGrab.dll

    These were also found ALTNET, ALEXA and DSO EXPLOIT

    And finally a log of my HJT scan following the completion of the steps in the tutorial.

    Edit by chaslang: Inline log changed to attachment
     

    Attached Files:

    Last edited by a moderator: Jan 12, 2005
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you still not able to attach logs? You need to run IE and click the Tools, Internet Tools, Advanced buttons and then look at how Java is set up.

    I'm surprised you could not find those files, especially C:\WINDOWS\BTGrab.dll. Notice in your last message that even TrendMicro said it was there. Are you sure you have enabled viewing of hidden files, folders and system files?

    Which application found ?
    Was it Spybot? Did you install the DSO patch for Spybot? Did you update the detections?

    Note: I noticed a few things in your HJT log. First it is VERY IMPORTANT to remember that you must exit all browsers before running HJT. I still saw IE running.

    And why do you have the below items running when doing this:

    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe

    Remember all un-necessary applications should be closed. And what is the purpose of both MSN Messenger and Messenger running?
     
    Last edited: Jan 12, 2005
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay your HJT log still shows:

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    This is another file that I had you look for and you said you could not find it. According to HJT, it is still there. Please download PocketKillbox from (don't run it yet):

    http://www.downloads.subratam.org/KillBox.zip

    Now exit all browsers and run HJT and have it fix:
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    Then exit HJT.

    Here is a list of files that we need to delete using Killbox (the procedure will follow):

    C:\Program Files\Pl.exe
    C:\WINDOWS\systb.dll
    C:\WINDOWS\isrvs\sysupd.dll
    C:\WINDOWS\isrvs\desktop.exe
    C:\WINDOWS\isrvs\ffisearch.exe
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\BTGrab.dll

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\BTGrab.dll (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\Program Files\Pl.exe

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\BTGrab.dll into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    Post a new HJT log (see if you can attach it).


    Later we have to work on the below:
    O14 - IERESET.INF: START_PAGE_URL=http://qgb8l.hpwis.com

    So look on your system for a folder called i386
    It may be c:\i386 or c:\windows\i386
    Tell me if and where you find it.
     
  24. Rotimi

    Rotimi Private E-2

    I am still not able to attach logs and I am guessing it's all part of the java issue. However I have checked the setup in IE. The box next to "Java (Sun)
    Use Java 2 v1.4.2 for <applet> (requires restart)" is checked.
    I did follow all the steps as per the tutorial and have enabled viewing of hidden files but still could not find those files. I am looking again.....and again. Yes Spybot found ALTNET etc and I did install the DSO patch for Spybot and updated the detections.
    I have another issue with not being able to send print jobs to my Network printer....would be grateful if you'd advise even though this can wait.
    Please see the below log file ref your last post....and note too....None of those windows were running while I ran HJT. I don't know what's going on there.
    Many Thanks once again...........


    Edit by chaslang: Inline log changed to attachment
     

    Attached Files:

    Last edited by a moderator: Jan 13, 2005
  25. Rotimi

    Rotimi Private E-2

    Have found in my system the folder called i386.
    This is located in:
    C:\WINDOWS\System32\ReinstallBackups\0001\DriverFiles\i386
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That last log was clean! Have you tried re-running TrendMicro and Spybot to see if they find anything? I have seen some stubborn cases of Altnet which require manual removal from the registry. When doing the scans, you must give me exactly what they find. They will point out files (full path) and full registry key information.

    In the above i386 folder you found, do you see either of the below two files:
    IERESET.INF
    IERESET.IN_
     
  27. Rotimi

    Rotimi Private E-2

    The i386 folder has nothing in it. Empty!

    Here's below a log of Spybot scan.

    Altnet: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Altnet

    Common hijacker: Redirected host (Redirected host, nothing done)


    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1753264677-2717326866-340114617-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-11-29 Includes\Cookies.sbi
    2005-01-04 Includes\Dialer.sbi
    2005-01-04 Includes\Hijackers.sbi
    2004-12-29 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2005-01-04 Includes\Malware.sbi
    2004-11-29 Includes\Revision.sbi
    2004-11-29 Includes\Security.sbi
    2005-01-05 Includes\Spybots.sbi
    2004-11-29 Includes\Tracks.uti
    2005-01-04 Includes\Trojans.sbi
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks to me like you never installed: Spybot - Search and Destroy DSO Exploit Fix
    So install it.


    Copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixalt.reg. Doubleclick it and grant it permission to merge in the registry entries.

    Now run a new Spybot scan. How does it look now?

    Was that the only i386 folder you have? I don't remember if I asked this: do you have your WinXP CD?
     
