first timer

Discussion in 'Malware Help (A Specialist Will Reply)' started by gracie312, May 12, 2005.

  1. gracie312

    gracie312 Private First Class

    Hi, I was referred to this site by my brother, a major computer geek. I've been having problems with browser hijackers, spyware, adware, etc. I read a few posts and used Hijack This first. Still having problems, I read on and used the one with all the downloads. I followed the instructions exactly and am still having problems. My browser home page keeps changing, I'm having trouble logging into Hotmail, and there are disgusting links in my favorites folder. I keep removing all this stuff with Spybot S&D and Adaware, but they keep coming back! Also there is an error message on my desktop that reads exactly as follows... "Security Warning, A fatal error in IE has occured at 0028:COO11E36 in VXDVMM (01). Error was caused by Trojan-Spy.HTML.Smitfraud.C, *System can not funtion in normal mode. Please check your security settings. *Scan your PC with any available anti-virus/spyware remover programs to fix the problem." This message has been on my desktop for weeks. I never had these problems until HP tech support crashed my hard drive and I had to send the entire PC to them in California to be repaired. The trouble started shortly after I got it back from them. I have tried everything I know to fix this. Can anyone help me? ................Chris
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. gracie312

    gracie312 Private First Class

    Don't mean to sound dumb but exactly where should I run HijackThis from? I just want to be sure before I do it. Better safe than sorry.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Gracie,

    If you are still not sure what is meant, after you unzip hijackthis.exe from the downloaded file (named HijackThis.zip) and you put it in a folder that you need to create called C:\Program Files\HJT, you should now navigate to that folder using Windows Explorer and double click on the hijackthis.exe file. If desired you can make a shortcut to that file on your Desktop, but the Desktop shortcut must run the file named C:\Program Files\HJT\hijackthis.exe.
     
  5. gracie312

    gracie312 Private First Class

    Chas, here is the log file you requested. Please let me know what to do next. Oh and by the way, I think it is a great thing you are doing with this web site. Thank God for people like you in the world!!!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your OS and IE versions are way out of date and represent a major security risk. After we fix your current problems, you must get updated.


    Please unzip and run the RegSrchTool
    Please make sure that your Anti-Virus app does not have Script Blocking enabled. If so, disable it to allow the tool to run.

    Please enter the following into the Search Box: stsheets

    Please save the results of this search and attach them.


    Then, please unzip and run the Locate.zip Tool
    DoubleClick on the locate.bat to run it and attach that log.

    Post the two logs as attachments!
     
  7. gracie312

    gracie312 Private First Class

    Ok, ran RegSrchTool and all I got was a little message box that said "Search completed in 37 seconds.No instance of "stsheets" was found.

    Then ran Locate.zip Tool by double clicking on locate.bat. A dos window popped up with the heading that said "C:\WINDOWS\System32\cmd.exe".

    I didn't get any log files to attach. What does this mean? This thing seems to be getting worse every time I get online.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you are logged in as the same user you posted the log for. You must have stsheets in your registry. It shows in your HijackThis log and that means it is in your registry.
     
  9. gracie312

    gracie312 Private First Class

    I only log in one way, but I'll try again right now.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you still get no matches, post a current HijackThis log from right now.
     
  11. gracie312

    gracie312 Private First Class

    Chas, I got a log for regsrchtool but it won't attach and still not getting anything from locate.bat. Still want a hijackthis log?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No I do not need a HJT log but I do need the output from regsrch. Post it inline (copy and paste) if necessary.
     
  13. gracie312

    gracie312 Private First Class

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "stsheets" 5/16/2005 6:35:30 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tapeq]
    "StsPath"="\\??\\C:\\WINDOWS\\stsheets.dat"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tapeq]
    "StsPath"="\\??\\C:\\WINDOWS\\stsheets.dat"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tapeq]
    "StsPath"="\\??\\C:\\WINDOWS\\stsheets.dat"

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles]
    "User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

    [HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Styles]
    "User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

    [HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Styles]
    "User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

    [HKEY_USERS\S-1-5-21-1354289438-648664656-3238835185-1003\Software\Microsoft\Internet Explorer\Styles]
    "User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

    [HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Styles]
    "User Stylesheet"="C:\\WINDOWS\\stsheets.dat"
     
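Added example (not part of the original thread and not RegSrch's own code): a Python script that parses the REGEDIT4-format search results posted in message 13 and groups the hits by where they sit in the registry. It shows that the same stsheets.dat path is referenced by a service key (tapeq, in every control set) as well as by the Internet Explorer "User Stylesheet" value in every loaded user hive. Function names are illustrative, and only string values are parsed.

```python
import re

# Search results exactly as posted in message 13 of this thread.
REGSRCH_OUTPUT = r'''REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "stsheets" 5/16/2005 6:35:30 PM

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tapeq]
"StsPath"="\\??\\C:\\WINDOWS\\stsheets.dat"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tapeq]
"StsPath"="\\??\\C:\\WINDOWS\\stsheets.dat"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tapeq]
"StsPath"="\\??\\C:\\WINDOWS\\stsheets.dat"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[HKEY_USERS\S-1-5-21-1354289438-648664656-3238835185-1003\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" with backslash-escaped characters; dword:/hex: values are skipped.
STR_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
SERVICE_RE = re.compile(
    r'^HKEY_LOCAL_MACHINE\\SYSTEM\\([^\\]+)\\Services\\([^\\]+)', re.I)
STYLES_RE = re.compile(
    r'^HKEY_USERS\\([^\\]+)\\Software\\Microsoft\\Internet Explorer\\Styles$', re.I)

# Well-known hives under HKEY_USERS that are not interactive user accounts.
WELL_KNOWN = {
    ".DEFAULT": "LocalSystem (default profile)",
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}


def unescape(value):
    """Undo .reg string escaping (backslash before backslash or quote)."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg(text):
    """Yield (key, value_name, string_data) from REGEDIT4 text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line == 'REGEDIT4':
            continue
        match = KEY_RE.match(line)
        if match:
            key = match.group(1)
            continue
        match = STR_VALUE_RE.match(line)
        if match and key:
            yield key, unescape(match.group(1)), unescape(match.group(2))


def normalize_path(data):
    """Drop the NT \\??\\ prefix and case so both spellings compare equal."""
    if data.startswith('\\??\\'):
        data = data[4:]
    return data.lower()


def summarize(text, needle="stsheets"):
    """Group every value whose data mentions `needle` by registry location."""
    services, hives, paths, other = {}, {}, set(), []
    for key, name, data in parse_reg(text):
        if needle.lower() not in data.lower():
            continue
        paths.add(normalize_path(data))
        match = SERVICE_RE.match(key)
        if match:  # service entry: record which control sets carry it
            services.setdefault(match.group(2), []).append(match.group(1))
            continue
        match = STYLES_RE.match(key)
        if match and name.lower() == "user stylesheet":
            hive = match.group(1)
            hives[hive] = WELL_KNOWN.get(hive, "user account")
            continue
        other.append((key, name))
    return {"services": services, "stylesheet_hives": hives,
            "paths": sorted(paths), "other": other}


if __name__ == "__main__":
    result = summarize(REGSRCH_OUTPUT)
    for service, control_sets in result["services"].items():
        print(f"service {service}: {', '.join(control_sets)}")
    for hive, label in result["stylesheet_hives"].items():
        print(f"user stylesheet in {hive} ({label})")
    print("file(s):", ", ".join(result["paths"]))
```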
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixsts.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixsts.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.



    Run HijackThis and select the following lines (if they are still there) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O9 - Extra button: Microsoft AntiSpyware helper - {1A0BC945-C3AC-4A53-BA90-AA9D5C02463A} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1A0BC945-C3AC-4A53-BA90-AA9D5C02463A} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {3C2CF138-44E8-46FB-A4CE-2CF4BAD21C9E} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3C2CF138-44E8-46FB-A4CE-2CF4BAD21C9E} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {69127CDB-0905-46E5-B2BC-B8D1870769F3} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {69127CDB-0905-46E5-B2BC-B8D1870769F3} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {A51785CD-F39E-44F3-9033-99F7C33E8682} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A51785CD-F39E-44F3-9033-99F7C33E8682} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {AE37A41A-A088-45C6-A7D8-314F7268BB0D} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AE37A41A-A088-45C6-A7D8-314F7268BB0D} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {EC3B00BD-D4C2-4DF3-9BE7-DF53AAB8172D} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EC3B00BD-D4C2-4DF3-9BE7-DF53AAB8172D} - (no file) (HKCU)
    O19 - User stylesheet: C:\WINDOWS\stsheets.dat


    Now exit HJT.

    Then reboot and post a new HJT log
     
  15. gracie312

    gracie312 Private First Class

    Chas, Here is latest HJT log. Hope I did this right. What next?
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nothing has changed! Did you merge what I gave you into the registry and then run HJT and fix the lines?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that's not completely true! The O9 lines are gone.
     
  18. gracie312

    gracie312 Private First Class

    Chas, I followed your instructions exactly from the previous post.
    I tried to get online this morning to work on this problem but couldn't get to any websites. So I ran Spybot S&D and then went into Spyware Blaster to Immunize and block websites. Apparently it worked for now, because I was then able to get to this website. I'm going to run Hijackthis again and attach the log. Could you please look at it for me and see if anything has changed?
     
  19. gracie312

    gracie312 Private First Class

    I've attached my latest Hijackthis log file. I saw web-tracer as the first item but didn't want to delete anything until you looked at it. Let me know what to do next. Thanks again for all your help!
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We will have to repeat what we previously did!


    Please unzip and run the RegSrchTool
    Please make sure that your Anti-Virus app does not have Script Blocking enabled. If so, disable it to allow the tool to run.

    Please enter the following into the Search Box: stsheets

    Please save the results of this search and attach them.

    Do not reboot your PC after posting this because it may change the actual registry key values making my fix not work.
     
  21. gracie312

    gracie312 Private First Class

    Here is the regsrchtool log. I should probably mention that the smitfraud thing is gone off my desktop and now the background is just black. Don't know if this means anything or not but couldn't hurt to mention it. Also, am having a lot of trouble getting online and to this website. This is something new.............Chris
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks to me like you did not successfully merge the registry patch in last time! Please make sure you follow the below steps exactly and when you come back you must provide me feedback on exactly what happens.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixsts.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixsts.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Run HijackThis and select the following lines (if they are still there) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
    O19 - User stylesheet: C:\WINDOWS\stsheets.dat



    Now exit HJT.

    Then reboot and post a new HJT log. Also remember to give feedback.
     
  23. gracie312

    gracie312 Private First Class

    OK, here is the log file. I followed your instructions exactly but when I rebooted and ran hijackthis, one of the web tracer lines was still there. So I clicked fix it and rebooted again and ran HJT again and the web tracer line was still there. So I saved and attached the file. When I got back online, instead of opening to global something, it opened to about blank. So something has changed but obviously not for the better. What next? Thanks again for your help................Chris
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well actually right now it looks a little better. Some of the R0 lines are gone and more importantly the O19 line is gone. This is good. I'm not sure why the R0 line will not stay fixed.

    Try the below!

    - Boot into safe mode with no network support and make sure no browsers are running
    - run HijackThis and fix the below line:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

    - delete this file if found: C:\WINDOWS\stsheets.dat

    - Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Afterwards reboot to normal mode and start working on the steps in the below link. I hope that you are not on a dialup connection.

    How to Protect yourself from malware!
     
    Last edited: May 23, 2005
  25. gracie312

    gracie312 Private First Class

    I followed instructions from last post and deleted the R0 lines with web tracer in them and O19 was there again so I deleted that also. Reset the web settings and am going to start working on the "protect yourself from malware" thing. You didn't say if I should run HJT again and attach a new log or not. Let me know if I need to do that. I'll be online for a while working on this. Thanks again..........Chris
     
  26. moyupae

    moyupae Private E-2

    Wow. Simply hats off to you, Chas. I cannot believe your patience and persistence with this. You have my vote for honorary geek of the week!

    Rock on!
     
  27. gracie312

    gracie312 Private First Class

    Chas, I went thru the steps for protecting against malware but as I was doing the steps I was having problems with IE going back to the web tracer setting. I reset about 10 times but it won't stay set. I ran HJT again and the 2 R0 lines for web tracer are back again and so is line O19 with stsheets on it. I don't understand why none of the fixes are working? Please help!?!? .............Chris
    P.S. HJT log is attached. It is HJTlog524
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are going to have to get some other things fixed on your PC first. Refer to the How to Protect yourself from malware! thread and install Microsoft Antispyware. Do a full scan with it after booting in safe mode. Then reboot to normal mode and go to step 1 in the How to Protect thread and goto Windows Update and select Custom Install. Get all of your updates/patches except WinXP SP2. It is not a good idea to upgrade to SP2 while having any problems.

    Do you have System Restore disabled?

    Double check how you have ZoneAlarm set up and make sure it is doing its job. Also check which applications you are allowing in and out of your PC.
     
  29. gracie312

    gracie312 Private First Class

    ok, downloaded Avast! and Microsoft AntiSpyware but haven't run them yet. While checking Zone Alarm I found a lot of things that I'm not sure about. First of all it says there are 200 programs ok'd for the internet! Here are some that I don't recognize. Can you take a look and tell me if they are ok or not?

    Agent Module
    BackWeb 137903.exe
    btfdpjid.exe
    Cassandra
    Client Server Runtiime Process
    COM Surrogate
    DAO 3.5 setup
    Dr. Watson Postmortem Debugger
    dumpsprep.exe
    ereg
    Generic Host Process for Win32 Server
    ICE 2.6 (there are 9 of these)
    iinstall.exe (not a typo)
    Inno Setup Installer
    Installer for Windows Installer
    Malicious Software Removal Tool Update Stub
    MmjbUpdt.exe
    zbloader.exe
    zloader.exe
    WMI
    wmplayer
    WebReg application
    Visual C# Command Line Compiler
    Usernit Logon Application (not a typo)
    Unwise.exe
    Stop.00009_4.exe
    Shadow Bar Module
    mqspbkup.exe
    mptsgsvc.exe
    muyvslxq.exe
    Run a DLL as an App
    Removes the Home Search virus
    MS DTC Console program
    PML Driver
    Search assisstant
    Self Extracting Cabinet (13 of these)
    Services and Controller App
    Self Extracting Messenger
    Meanwhile, I'm going to run the Windows Spyware program and see if it does anything. Thank You, Thank You, Thank You! I'll check back shortly....Chris
     
  30. gracie312

    gracie312 Private First Class

    Hi Chas. Went back and ran MS antispyware and it seemed to do the trick! This is what was found...
    180search assisstant (adware)
    Spyware.Melkosoft (browser modifier)
    Spyware.abspics (spyware)
    Trojan Downloader Agent.JD (trojan downloader)
    Search ToolBar (adware)
    Adware.Sorted Links (browser plug-in)
    55 total infections found, all deleted, restored browser settings.
    Then ran hijackthis and saw the 2 R0 webtracer lines and the line O19 thing. Fixed those and saved file. It's attached. Also downloaded Mozilla Firefox and am using it now. Can you check it out and see where I am with this thing? I still don't have any options to change my desktop background. Is there any way to restore all the things that were changed during all this mess? Thanks a bunch. ...............Chris
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks moyupae and D3m3nt3d. Yes there is nothing like hands on! Remote fixing by forum messages is sometimes painful.

    I'm not sure what is blocking the changes in this case. I have fixed literally dozens of these this way and it always worked the first time.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Gracie,

    Deny (block) all access local and internet for the below:

    btfdpjid.exe
    dumpsprep.exe
    iinstall.exe
    Stop.00009_4.exe
    mqspbkup.exe
    mptsgsvc.exe
    muyvslxq.exe

    You forgot to post that last log. Post it now. Is everything still working okay?
     
  33. gracie312

    gracie312 Private First Class

    Ok, went into Zone Alarm and denied access to the programs you listed. Then ran HJT and the 2 R0 lines for web tracer were there as well as the line O19. Clicked fix and scanned again. Still have one R0 web tracer line. It just won't allow deletion. What can I do? I'm using Firefox now along with most of the other programs you recommended. I'm gonna run MS Anti Spyware again and see if it finds anything. Will let you know what I find out..........Gracie
    BTW the HJT file is called hijackthislog52605.
     

    Attached Files:

  34. gracie312

    gracie312 Private First Class

    Pt.2 of post.....Ran MS AntiSpyware and it found "about.blank" and said it was deleted. Then ran Spyware Blaster and found webtracer and another browser page...http://.search.msn.com/{SUB RFC1766}/srchasst/srchcust.htm. This one was listed in another spyware program as not being IE's default browser page. Then ran Spybot S&D. It found CoolWebSearch and 2 other registry hijackers. I clicked fix and it said they were fixed. So I tried getting online with IE and the home page opened as "about.blank". I don't understand why this stuff keeps coming back!?!?!? I even emptied the recycle bin after each deletion. Any suggestions? I saved the Spybot log file. Should I attach it? Let me know. Sorry this is so frustrating! :( I hope you will still help me clean up this mess? Thanks again for all your help to date!!!............Gracie
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I mentioned in message #28, you need to get your Windows Updates installed. So goto: Windows Update

    and select Custom Install and get all of your Updates except WinXP SP2. Let me know when you complete that. If you are working via dial-up, this will take a very long time.

    After getting your updates post a new HJT log! Also post your Spybot log if it still finds any problems.

    Do you have other user accounts on this PC? If so, run the cleaning tools on those accounts too.
     
  36. gracie312

    gracie312 Private First Class

    FYI: I am using a DSL connection and there are no other users on my pc. Also, I did get the Windows updates but I will go back and check for anything I may have missed. Will post logs thereafter. Thanks
     
  37. gracie312

    gracie312 Private First Class

    Updated Windows with all but SP2. Ran Spybot S&D, log is attached. Ran HJT, the 2 R0 lines with web tracer in them were still there and so was O19 line. Clicked on fix, then rescanned and they were still there. Did this 3 times with same result. This log is also attached. After all this, when I opened IE, it went right to globe something in the address bar. When I first booted up today it was still going to MSN. Don't know why it reverted back to globe. Anything else I can do to get this stuff off my pc? Thanks for your time. .............Gracie
     

    Attached Files:

  38. gracie312

    gracie312 Private First Class

    Chas, got back online to check in here, browser is still going to globe something. I ran MS anti-spyware and it came out clean. I don't get it!?! :eek: ...............Chris
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure why this is proving to be this difficult. I have never had this much of a problem with webtracer. Here is what I want you to try this time. Make sure you print or save these instructions locally because it is very important that you remain physically disconnected (unplug the cable to your DSL modem) and you have no browsers open at any time until I ask you to do so.

    Make sure you still have that fixsts.reg file from previous instructions.

    Okay, disconnect now and exit all browsers before continuing.

    - Uninstall Microsoft Antispyware for now. It could be getting in our way at this point. We will reinstall later once we fix this problem.

    - Reboot to safe mode.

    - Then double-click on the fixsts.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Run HijackThis and select the following lines (if they are still there) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
    O19 - User stylesheet: C:\WINDOWS\stsheets.dat

    Now exit HJT.

    - Delete: C:\WINDOWS\stsheets.dat also empty your Recycle Bin and goto C:\windows\Prefetch and delete all files in that folder.


    - Remember do not connect to the internet until requested.

    - Now we need to Reset Web Settings (please leave majorgeeks as your home page for now):
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Then reboot in normal mode and get a new HJT log before connecting any cable to the internet.
    - Now connect your cable to the internet and get a second HJT log.
    - Now open your browser and come back here and post both HJT logs. Name them so I know which is which.
     
  40. gracie312

    gracie312 Private First Class

    Ok Chas, followed your instructions exactly. The HJT logs are named before and after. Everything looks ok so far except that my desktop background is still black with no option to change it. Let me know how it looks after looking at the logs. Thanks..........Gracie
     

    Attached Files:

  41. gracie312

    gracie312 Private First Class

    Pt. 2 of post.........Sorry forgot to add a few things....Did the fixsts.reg. It said the items were added successfully but I never saw anything come up the REGEDIT4 lines on it. Reset web settings as instructed. Then ran HJT before and after connecting to the internet. HJT logs are attached and named before and after.
     
    Last edited: May 29, 2005
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Looks clean now. If you are still clean, complete the steps in the below link to help keep you that way (MS Antispyware can be reinstalled now too):

    How to Protect yourself from malware!
     
  43. gracie312

    gracie312 Private First Class

    Chas, can you tell me how to restore the desktop background? I lost something during all this. When I click on properties on the desktop I only get two tabs, screen saver & settings. Settings only allows me to change resolution. I think the trojan desktop hijacker did something to it. Thanks..........Gracie
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below registry patch and let me know if it helps.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixdt.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixdt.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

     
  45. gracie312

    gracie312 Private First Class

    Absolutely wonderful!!! My desktop is back to normal. Chas, I can't thank you enough! I hope you know how much people like me appreciate people like you and the rest of the MajorGeeks crew! I'm going to ask God to bless you for all your selfless work, so be expecting something great to happen very soon. ................Gracie
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! And thanks for the blessing. I hope it helps me win the lottery. ;)
    It's tough trying to figure out how to send 4 kids to college. :eek:
     
  47. gracie312

    gracie312 Private First Class

    Hi Chas! I'm back! I've got this thing on my pc. Norton anti-virus detected it but none of the other spyware programs pick it up and Norton says it can't fix it. It's called "tapeq.sys" and is located here...C:\windows\system32\drivers\tapeq.sys. I tried to delete it from this file but couldn't. Any idea how to get rid of this thing? I can't understand where it came from with all the stuff I've got protecting me. I'd really appreciate your help on this. Thank....Gracie
     
  48. gracie312

    gracie312 Private First Class

    Thanks. I think that worked. I'll find out tomorrow after I run the anti-virus stuff again. I was able to delete it from safe mode though. Norton told me what and where it was. That's how I knew it wasn't a driver.
    Thanks again.....Gracie
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For files like this (when not sure what they are for), it is always a good idea to right click on the file and select Properties and then look for a Version tab (not always available) and then look thru the Item names to gather info on the file. If there is no Version tab, it does not definitely make the file bad but it could be another indicator that it is bad.
     
  50. gracie312

    gracie312 Private First Class

    Hey Chas, I don't know what just happened but I was online and the computer suddenly rebooted itself. I sent the error message to microsoft and it took me to this website. I copied the info below. It says something about an online crash. I'm wondering if it has anything to do with that driver I deleted yesterday?!?! How can I find out?.........Gracie


    | microsoft.com guide


    Online Crash Analysis | Corporate Error Reporting | Online Crash Analysis Worldwide
    Browser security settings may impair site functionality

    JavaScript and cookies must be enabled

    Microsoft Online Crash Analysis uses JavaScript and cookies to display content correctly.

    To upload your error report or check the status of a previously submitted error report, ensure that your browser security settings meet the following requirements:

    JavaScript must be enabled.
    Cookies must be enabled.

    Error Caused By A Device Driver

    Thank you for submitting an error report. Microsoft is unable to specifically determine what caused the problem you reported. To troubleshoot the problem, please see the information below.

    Analysis

    A device driver installed on your system caused the problem; however, we cannot determine the precise cause. Depending on which situation is applicable to you, please do one of the following:

    If this problem occurred after you installed a new hardware device on your system, the problem might be caused by the driver for the device. If you know the manufacturer of the device, contact the manufacturer's product support service for assistance.
    Some software, such as firewall and anti-virus software, also installs drivers. If this problem occurred after you installed new software, the software might have installed a driver that caused the problem. If you know the manufacturer of the software, contact the manufacturer's product support service for assistance.
    If you don't know the driver's manufacturer and need help diagnosing and resolving this problem, contact your computer manufacturer's product support service.
    Updated drivers might be available on the Microsoft Windows Update website. At Windows Update, you can have your computer scanned and, if there are updated drivers available, Windows Update will offer a selection of drivers that you might be able to use.
     
