Redirected host, spybot doesn't fix it

Discussion in 'Malware Help (A Specialist Will Reply)' started by 84usmd, Mar 21, 2005.

  1. 84usmd

    84usmd Private E-2

    Whenever I open up IE, my homepage automatically goes to http://utruuh.globe-finder.cc/iiehf/ . Before it goes there, a different URL appears, http://rl.webtracer.cc/-/?iiehf , and then goes away, being replaced by the above URL. I downloaded and ran the most up-to-date versions of Spybot and AdAware. AdAware says all problems are fixed. Spybot says that I have 5 possible hijackers, which are registry edits, and that I have 1 common hijacker. When I click on Fix Problem, it gets rid of the 5 possible hijackers, but when it gets to the 1 common hijacker I get an error message that says:

    Unexpected error in fixing problem.
    (Datei "C:WINDOWS\hosts" kann nicht erstellt werden. The process cannot access the file because it is being used by another process)


    I went to Google and translated 'kann nicht erstellt werden' and it translated into 'cannot be provided' in German. Also, the next time that I run the Spybot program those 5 registry edits reappear.

    Any advice on how I can fix this problem will be much appreciated. Thanks!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. 84usmd

    84usmd Private E-2

    Browser hijacked, pls help

    I made a post about a week ago about my browser redirecting me automatically. I went through all the steps in the general spyware guide posted in the sticky part of the forum. All of the steps did not solve the problem. I ran hijackthis and saved my log file. If you would like to see it let me know. Thanks
     
  4. AbbySue

    AbbySue MajorGeeks Administrator

    Re: Browser hijacked, pls help


    Merged your new thread with your old one....no need to start a new topic:)

    It would be helpful if you gave a little more feedback as per chaslang's original post to you.
    Also, please complete the remaining steps outlined in chaslang's original reply to you.
     
  5. 84usmd

    84usmd Private E-2

    The problem is that when I open up Internet Explorer I automatically get redirected to a random search engine. I open up properties before I open up IE and set the home page to www.google.com and then I open up IE and get redirected to a different homepage. Sometimes I get a popup after I change it; a message pops up from SpyGuard that says an attempt was made to change my homepage to something other than what I had set it to. When I click on keep old settings the window keeps popping up asking me if I want to change the homepage to a new homepage that I don't want. I have to click keep new setting, which is the homepage that I do not want. When I ran Spybot in normal mode I got 1 common hijacker and when I tried to fix it, the program would not let me because the program was already in use. When I ran Spybot in safe mode, it let me fix the common hijacker, which was a redirected host. I thought it was fixed then, but when I restarted in normal mode and tried to open up a webpage, the same thing happened. I followed all the steps in Major Attitude's post about reading this first before asking for spyware support thread and now I am at the point where it says that if the steps above have not solved the problem then download HijackThis and read the tutorial. I read the tutorial and ran HijackThis and saved the log.

    Any advice would be appreciated. Thanks a lot.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run ALL of the steps in the READ ME FIRST, then follow my directions on posting a HijackThis log. Make sure you follow those directions properly to avoid delaying us from working on your problem. Make sure the HJT log is current (from right now).
     
  7. 84usmd

    84usmd Private E-2

    HJT log
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember what I said about following directions:

    You did not extract HijackThis into its own folder. You are running it directly from the ZIP file, which is what I specifically requested that you not do. See the below line:

    C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 3 for HJT.zip\HijackThis.exe

    This shows that you are running it from the ZIP. Extract the hijackthis.exe file from the ZIP file and put it in a directory that you need to create named C:\Program File\HJT

    If you don't do this, you will not get any backups.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After fixing what I said in my previous message, do the following.

    Please unzip and run the RegSrchTool
    Please make sure that your Anti-Virus app does not have Script Blocking enabled. If so, disable it to allow the tool to run.

    Please enter the following into the Search Box: stsheets

    Please save the results of this search and attach them.


    Then, please unzip and run the Locate.zip Tool
    DoubleClick on the locate.bat to run it and attach that log.

    Post the two logs as attachments!
     
  10. 84usmd

    84usmd Private E-2

    Sorry about that. I ran HJT the correct way and ran the RegSrch Tools with no problem. When I ran the locate.bat file, I got a message that pops up and it says:

    C:\WINDOWS\system32.cmd.exe
    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate application.

    It has 2 buttons, Close and Ignore. When I hit close it simply closes the program and it doesn't show me a log and when I click ignore, the same thing happens.

    I attached the two new logs for the other programs though.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixsts.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixsts.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://superprogdownload.com/download/helps/id/071691/1666572332.chm::/win.exe
    O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.213/users/bond/web/axe/x.chm::/update.exe
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O19 - User stylesheet: C:\WINDOWS\stsheets.dat

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\stsheets.dat
    C:\WINDOWS\SYSTEM32\DRIVERS\bcm4sbxe.sys

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
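
The following is an added example, not part of chaslang's post or of any MajorGeeks tool: a small triage pass over HijackThis log lines that flags the kinds of entries selected in the post above (R0/R1 start and search pages pointing at an unexpected host, O16 DPF entries whose codebase goes through ms-its:/mhtml:, and O19 user stylesheets). The `ALLOWED_HOSTS` set and the heuristics are assumptions; the sample lines are copied from the thread, plus one constructed clean line.

```python
import re

# "<section> - <rest>", e.g. "R0 - HKCU\...,Start Page = http://..."
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")
# R0/R1 body: "<registry key>,<value name> = <data>"
REG_RE = re.compile(r"^(HK[A-Z]+\\[^,]+),([^=]*?)\s*=\s*(.*)$")
URL_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)

# Assumption: the only home/search hosts this user expects to see.
ALLOWED_HOSTS = {"www.google.com", "www.majorgeeks.com"}

# Lines quoted in the thread, plus one constructed clean line (the last).
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.213/users/bond/web/axe/x.chm::/update.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
"""

def triage(line, allowed=ALLOWED_HOSTS):
    """Return (section, reason) for a line worth reviewing, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section in ("R0", "R1"):
        # Only external hosts are flagged; about:blank values and DPF
        # entries without a codebase still need analyst judgement.
        reg = REG_RE.match(rest)
        host = URL_HOST_RE.match(reg.group(3).strip()) if reg else None
        if host and host.group(1).lower() not in allowed:
            return (section, f"{reg.group(2)} -> unexpected host {host.group(1).lower()}")
    elif section == "O16" and re.search(r"ms-its:|mhtml:", rest, re.I):
        return (section, "DPF codebase uses ms-its:/mhtml: instead of a plain URL")
    elif section == "O19":
        return (section, "user stylesheet override: " + rest.partition(":")[2].strip())
    return None

def scan(log_text, allowed=ALLOWED_HOSTS):
    """Return [(line, (section, reason)), ...] for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        hit = triage(line, allowed)
        if hit:
            hits.append((line.strip(), hit))
    return hits
```

`scan(SAMPLE)` returns four hits; the `about:blank` value and the DPF entry with no codebase pass unflagged, which is why a log like this still needs a human reviewer.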
     
  12. 84usmd

    84usmd Private E-2

    Thanks chaslang! IE is running great now. No problems at all.

    I posted the new HJT log.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

