Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

problem with http://rl.webtracer.cc/-/?bayzm


  • Please log in to reply

#16
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
No problems,If I do my Job Right,this will be over soon!!

Lets Go Staright to Safe Mode!!!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
Safe Mode

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!
Here is a link to help with that:
Hidden Files
Make sure to follow the Instructions for XP!!

Now Navigate to this Folder:

C:\WINDOWS\SYSTEM32\DRIVERS

Once the Drivers Folder is Open,Locate this file:

battcc.sys

Right Click that File and Select Rename and Rename it to:

battcc.bak

Restart in Normal Mode!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

O1 - Hosts: 1159680172 auto.search.msn.com

O19 - User stylesheet: C:\WINDOWS\stsheets.dat

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Make sure Windows is Still Showing Hidden Files!!!

Locate and Delete the File in Bold Print:

C:\WINDOWS\stsheets.dat<<< File Only!

When finished, reboot your system again and bring it back up in normal mode. Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.
Make Sure Normal Startup is Checked!!
Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

Here is a link explaining:
Msconfig

Edited by Cretemonster, 20 March 2005 - 06:32 PM.

  • 0

Advertisements


#17
kaalder1

kaalder1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
so far so good! Followed your instructions for batt.sys renaming to batt.bak, and was able to FINALLY delete R0, Host, etc files from HiJack This. Here is my latest Hijack This Log as requested...am I in the clear now???

Logfile of HijackThis v1.99.1
Scan saved at 8:28:37 PM, on 3/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Kristopher Aalderink\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#18
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
By Gum I think you got it!!!

Please Delete the file that was renamed now!!!

I take it,finding stsheets.dat wasnt a problem either?

Please Disable System Restore,so we can Flush out all nasty Restore Points!

To do this,Just Disable it and Restart the PC,once Restarted,Renable System Restore,the next time you restart,the system will create a Clean restore Point!

Here is a Link for System Restore:
System Restore

Post back and lets see how we did,the Restart Should tell the Story!
  • 0

#19
kaalder1

kaalder1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
THANK YOU, THANK YOU, THANK YOU!!!
I have been toiling with this web page redirector for over a month and finally the problem is resolved. I sincerely appreciate all of your help, Cretemonster!
  • 0

#20
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
How bout a Bit of prevntion!

Have a look at this Site:
JavaCool

Grab,Spyware Blaster and Spyware Guard!

Take a look at Grinlers Write Up about How I got Infected:
Infected!!!

If you are still Using Internet Explorer,I also Suggest this Program!
This Link has a Direct Download and Nice Tutorial onhow to use this Program
IE Spyad

Be Safe Out there!!!!

MJ :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP