Help with this typical Cool Web Search.....

My home page has been changed to http://81.222.131.49/index.php......Cool Web Search.........i tried SS&D......ADW......HThis....SCWH......but no change ........

In registry......i cant even change this values.......no matter what i do this values remains constant.......


Some body plz help.....http://img93.echo.cx/img93/272/untitled9lg.jpg

 

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

After doing ALL of the above if you still have a problem:


http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

yes as i said ....i have been here for 1 year now.....and i never post before a vigorous
search.......
I have tried HJT.....but the problem is......the values in registry is not changing..!!!!!!!!!!!!

 

If you have followed the READ ME then procede with attaching a HJT log.

 

OK.......here it is.....Plz help!!!!!!
Thanx!

 

Your IE version is WAY out of date. This is a major security risk, after we get you cleaned up you need to update to Internet Explorer 6.0 SP1.


Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php

O4 - HKLM\..\Run: [Traybar] D:\IMP SOFWARWE\DOWNLOAD\Traybar.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe

O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\WINDOWS\SYSTEM\PAYTIME.EXE

NEXT:
Run CCleaner

Reboot to Normal Windows , Scan with HijackThis and attach the new log.
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

Good Luck!

 

wowwwww..........thanx bigarrick........thanx a lot!!!!!!!!!!
Its gone!!!!!!!!!!!!!
Just think i have done the rigth thing posting the problem here.......
Thanx again!!!!!!!!!!

 

Go ahead a post a fresh HJT log just so we can confirm nothing is hiding or still there.

 

ok......but is it ok with o15 ??????
I tried to delete this using HJT......nothing deleted!!!!

 

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

Now, Scan with HJT and have it fix these 2 entries:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

After you fix these entries, navigate to and delete the following file:

C:\WINDOWS\web\related.htm

Run CCleaner and reboot your computer.

Post a fresh HJT log.