horse-search.net

Discussion in 'Malware Help (A Specialist Will Reply)' started by rewald, Mar 9, 2005.

  1. rewald

    rewald Private E-2

    Greetings. I have followed your instructions posted here - twice, but my browser still jumps to horse-search.net every few minutes when I have the browser open. The various tools found and attempted to fix several problems. Something did fix the problem with my home page being reset, but I still have the problem with horse-search.net. Most recently, I got the new version of adaware and ran it in safe mode, and it found nothing. I'm not sure what to do next. Any help would be greatly appreciated.
     
  2. rewald

    rewald Private E-2

    Perhaps I should add that I'm running Windows XP Home Edition with service pack 2 installed (installed after I started having this problem). IE 6.0
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Rewald,

    If you have exhausted ALL of the options in the Cleanup Tutorial (including the Online Scans), please send us a HijackThis Log. Be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    PP :)
     
  4. rewald

    rewald Private E-2

    Attached is the current hjt log.

    Thank you for helping me.
     


  5. PhilliePhan

    PhilliePhan Guest

    Happy to help! :)

    I see the baddie in your log. But before we go after it manually, I'd like you to do the following:


    FIRST:
    Please download this tool: HSFix.zip Tool

    Please Extract the files from the ZIP to your Desktop.

    THEN:
    Please boot to Safe Mode and DoubleClick hsfix.bat to run the tool.

    Allow it as long as it takes to run, then Reboot to Normal Windows and look for a log at C:/hslog.txt . Please attach that log + a fresh HijackThis log.

    Also, tell me how things are running now and if you had any problems doing the above. I'll check back as time permits.

    PP :)
     
  6. rewald

    rewald Private E-2

    Logs attached.

    I've been surfing for several minutes now, and so far, so good.

    I'm running XP with multiple users. Everything I've done so far, I've done from the admin user. Will I need to clean anything up under the other users?

    Thank you again for your help.
    :)
     


  7. PhilliePhan

    PhilliePhan Guest

    Happy to help :)

    That log looks OK, aside from some minor cleanup which we'll get to later.

    I would like you to run HSFix once more as per the previous instructions and attach the new log when done.

    Then, please attach Fresh HijackThis Logs from normal Windows boot for ALL active user accounts (including fresh one for Administrator). Use as many posts as you need to attach them all, and we'll see where you stand.

    PP :)
     
  8. rewald

    rewald Private E-2

    Attached:
    Latest hsfix log (logged on to the Admin user)
    Latest hjt log (from the Admin user)
     


  9. rewald

    rewald Private E-2

    Attached:
    hjt log - user A
    hjt log - user R

    When I ran these, I got a message saying that I do not have write access.

    These two accounts are limited.
     


  10. PhilliePhan

    PhilliePhan Guest

    Hi Rewald,

    Things aren’t too bad . . . Let's see if we can wrap this up!

    For the Administrator Account--

    Fix these two lines with HijackThis:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab



    For the A - limited account--

    Fix these lines with HijackThis:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab

    Then, boot to Safe Mode and DELETE C:\WINDOWS\blank.htm


    For the R - limited Account--

    This one needs a bit more attention.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - URLSearchHook: (no name) - {30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)

    O4 - HKCU\..\Run: [Jpl] C:\WINDOWS\system32\Nui.exe
    O4 - HKCU\..\Run: [Ous] C:\WINDOWS\Bdl.exe
    O4 - HKCU\..\Run: [Mjp] C:\WINDOWS\system32\Ajn.exe
    O4 - HKCU\..\Run: [Pdn] C:\WINDOWS\system32\Jef.exe

    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.horse-active.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted IP range: 64.62.171.156

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\blank.htm
    C:\WINDOWS\system32\Nui.exe
    C:\WINDOWS\Bdl.exe
    C:\WINDOWS\system32\Ajn.exe
    C:\WINDOWS\system32\Jef.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Let me know of any problems you may have encountered with the above instructions for all accounts and how your computer is running now. Please attach fresh HJT logs for each account as well.

    Best luck :)
    PP
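
The per-account comparison done by hand in the post above, as an added example that is not part of the original thread: it parses HijackThis entries from each account's log, separates entries present in every account from those specific to some accounts, and lists the Run-key targets to verify on disk. The sample logs are abbreviated from the fix lists in that post; the function and variable names are illustrative.

```python
import re

# "<code> - <detail>", where code is a HijackThis section such as R0, O4, O15.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")
RUN_ITEM = re.compile(r"Run: \[[^\]]*\]\s+(.+)$")

START = r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm"
SEARCH = r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm"

# Abbreviated sample logs, built from the lines quoted in the post above.
LOGS = {
    "Administrator": START + "\n",
    "A": START + "\n" + SEARCH + "\n",
    "R": START + "\n" + SEARCH + "\n" + r"""
O4 - HKCU\..\Run: [Jpl] C:\WINDOWS\system32\Nui.exe
O4 - HKCU\..\Run: [Ous] C:\WINDOWS\Bdl.exe
O15 - Trusted Zone: *.blazefind.com
""",
}

def parse(text):
    """Return the set of (section, detail) entries found in one log."""
    return {m.groups() for m in map(ENTRY.match, text.splitlines()) if m}

def compare(logs):
    """Split entries into those in every account and the rest, per account."""
    parsed = {acct: parse(text) for acct, text in logs.items()}
    shared = set.intersection(*parsed.values())
    return shared, {acct: found - shared for acct, found in parsed.items()}

def run_targets(entries):
    """File paths launched by O4 Run-key entries, to check for on disk."""
    paths = []
    for section, detail in entries:
        m = RUN_ITEM.search(detail)
        if section == "O4" and m:
            paths.append(m.group(1))
    return sorted(paths)

if __name__ == "__main__":
    shared, extra = compare(LOGS)
    print("In every account:", sorted(shared))
    for acct, found in extra.items():
        print(acct, "only:", sorted(found))
        print("  Run targets:", run_targets(found))
```
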
     
  11. rewald

    rewald Private E-2

    All instructions followed. New logs here and in the next post...

    Thank you again for your help.
     


  12. rewald

    rewald Private E-2

    The two limited accounts. I left these as limited for the entire process.
     


  13. PhilliePhan

    PhilliePhan Guest

    Hi Rewald,

    All HJT Logs look good to me! I trust everything is back to normal and working properly?

    All that's left is to ask you to have a peek at Chaslang's Suggestions!!

    Best :)
    PP
     
