[HNMB6753]

Computer is running slow, homepage hijacked, links taking me to nasty websites, my favorites list is now full of p***.. Please help.. Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 12:00:58 AM, on 3/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Owner\Desktop\Shortcuts\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

Thank you!!!!!!!!!!

[Advertisements]

OK it just got worse, I can't even use search engines anymore or else it takes me to p***. Please help me get rid of this!

[HNMB6753]

OK it just got worse, I can't even use search engines anymore or else it takes me to p***. Please help me get rid of this!

[Michelle]

Please post your whole HiJackThis log!

Michelle

[HNMB6753]

Logfile of HijackThis v1.99.1
Scan saved at 4:12:35 AM, on 3/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Owner\Desktop\Shortcuts\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

That's all of it, just did a fresh scan.

[Michelle]

Ok, weird, never seen one that short!

We need you to update Windows before analyzing your log. Please download and apply Service Pack 1a for Windows XP. Without this update, you're WIDE open to re-infection and we're both wasting our time as you can become re-infected within minutes without this update!
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

Michelle

[HNMB6753]

The link did not work.

[Michelle]

http://www.microsoft...p1/default.mspx

sorry

Michelle

[HNMB6753]

It is now installed. Thanks for the help so far.

[Michelle]

Please post a new log.

Michelle

[HNMB6753]

Logfile of HijackThis v1.99.1
Scan saved at 6:00:40 PM, on 3/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Shortcuts\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

[Michelle]

Please click on the link below to download Atribune's Find.zip:
Find.zip

*Download "Find.zip" to your HiJackThis folder (Desktop\shortcuts\Spyware). Make sure to Extract All Files!
*Double Click "Find.bat" and let it scan the PC - it just takes a couple of seconds!
*Look back in the folder you downloaded to and locate "Report.txt"
*Double Click "Report.txt" and copy the the log and paste it here.

Michelle

[HNMB6753]

C:\HP\DRIVERS\LAN\
sisnic.sys Sat Sep 29 2001 5:16:46a A.... 31,744 31.00 K

C:\WINDOWS\SYSTEM32\DRIVERS\
p3m.sys Sat Aug 18 2001 2:00:00p A.... 31,744 31.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 63,488 bytes 62.00 K

[Michelle]

Please print these instructions out.

*First I need you to reboot in Safe Mode - you can do this by continually tapping the F8 key until a menu appears, then use your up arrow key to highlight Safe Mode, then press enter.
*Be sure you're able to VIEW Hidden files *VERY IMPORTANT!* http://www.xtra.co.n...1916458,00.html
*Now Navigate to this Folder using WINDOWS EXPLORER:

C:\WINDOWS\SYSTEM32\DRIVERS

Locate this file in your DRIVERS folder:

p3m.sys

Right Click that File and Select Rename and Rename it to:

p3m.bak

Restart in Normal Mode.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis again. Put a checkmark next to these entries. Then click "FIX CHECKED"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

Restart into safemode again. Locate the File "stsheets.dat" DELETE IT! You need to go straight into Windows Explorer to find it. Doing a search on your computer won't work. Make absolutely sure that you're able to VIEW Hidden files because this file will be hidden. It is there and needs to be deleted!

C:\WINDOWS\stsheets.dat

When deleted, reboot your system again and bring it back up in normal mode. Run MSCONFIG and enable everything in the startup area.
To get to MSCONFIG, click on Start > Run > type in MSCONFIG > click OK.
Under the "General" tab Make Sure "Normal Startup" is Checked!
Click the tab labeled "Startup" and put a Check by every box there. Once everything is enabled, run "Hijack This!" and post a new HiJackThis log!

Michelle

[HNMB6753]

No suspicious items found! The log is empty and my homepage is back! Thank you!

[Michelle]

Now, please go into C:\Windows\System32\Drivers and delete p3m.bak

It was the file causing all the problems and you don't want it!!

Congratulations you log is clean! Great job on the clean up

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

• AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
• Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.

And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

Edited by bananafanafo, 27 March 2005 - 06:50 PM.