
Seemingly indestructible virus webtrace [resolved]


  • This topic is locked

#1
HNMB6753

    New Member

  • Member
  • Pip
  • 9 posts
Computer is running slow, homepage hijacked, links taking me to nasty websites, my favorites list is now full of p***.. Please help.. Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 12:00:58 AM, on 3/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Owner\Desktop\Shortcuts\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

Thank you!!!!!!!!!!
  • 0


#2
HNMB6753

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
OK it just got worse, I can't even use search engines anymore or else it takes me to p***. Please help me get rid of this!
  • 0

#3
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please post your whole HiJackThis log!

Michelle :tazz:
  • 0

#4
HNMB6753

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:12:35 AM, on 3/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Owner\Desktop\Shortcuts\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

That's all of it, just did a fresh scan.
  • 0

#5
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, weird, :tazz: never seen one that short!

We need you to update Windows before analyzing your log. Please download and apply Service Pack 1a for Windows XP. Without this update, you're WIDE open to re-infection and we're both wasting our time as you can become re-infected within minutes without this update!
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

Michelle ;)
  • 0

#6
HNMB6753

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
The link did not work.
  • 0

#7
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
http://www.microsoft...p1/default.mspx

sorry :tazz:

Michelle
  • 0

#8
HNMB6753

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
It is now installed. Thanks for the help so far.
  • 0

#9
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please post a new log.

Michelle
  • 0

#10
HNMB6753

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:00:40 PM, on 3/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Shortcuts\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
  • 0


#11
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please click on the link below to download Atribune's Find.zip:
Find.zip

*Download "Find.zip" to your HiJackThis folder (Desktop\shortcuts\Spyware). Make sure to Extract All Files!
*Double Click "Find.bat" and let it scan the PC - it just takes a couple of seconds!
*Look back in the folder you downloaded to and locate "Report.txt"
*Double Click "Report.txt" and copy the log and paste it here.

Michelle :tazz:
  • 0

#12
HNMB6753

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
C:\HP\DRIVERS\LAN\
sisnic.sys Sat Sep 29 2001 5:16:46a A.... 31,744 31.00 K

C:\WINDOWS\SYSTEM32\DRIVERS\
p3m.sys Sat Aug 18 2001 2:00:00p A.... 31,744 31.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 63,488 bytes 62.00 K
  • 0

#13
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please print these instructions out.

*First I need you to reboot in Safe Mode - you can do this by continually tapping the F8 key until a menu appears, then use your up arrow key to highlight Safe Mode, then press enter.
*Be sure you're able to VIEW Hidden files *VERY IMPORTANT!* http://www.xtra.co.n...1916458,00.html
*Now Navigate to this Folder using WINDOWS EXPLORER:

C:\WINDOWS\SYSTEM32\DRIVERS

Locate this file in your DRIVERS folder:

p3m.sys

Right Click that File and Select Rename and Rename it to:

p3m.bak

Restart in Normal Mode.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis again. Put a checkmark next to these entries. Then click "FIX CHECKED"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O19 - User stylesheet: C:\WINDOWS\stsheets.dat


Restart into Safe Mode again. Locate the File "stsheets.dat" DELETE IT! You need to go straight into Windows Explorer to find it. Doing a search on your computer won't work. Make absolutely sure that you're able to VIEW Hidden files because this file will be hidden. It is there and needs to be deleted!

C:\WINDOWS\stsheets.dat

When deleted, reboot your system again and bring it back up in normal mode. Run MSCONFIG and enable everything in the startup area.
To get to MSCONFIG, click on Start > Run > type in MSCONFIG > click OK.
Under the "General" tab Make Sure "Normal Startup" is Checked!
Click the tab labeled "Startup" and put a Check by every box there. Once everything is enabled, run "Hijack This!" and post a new HiJackThis log!

Michelle :tazz:
  • 0
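
As an added example (not part of the original thread, and not HijackThis's own code), the sketch below parses HijackThis-style log text and flags the two kinds of entry fixed in this thread: R0/R1 browser page values that point at an unexpected host, and O19 user-stylesheet entries. The allowlist `EXPECTED_HOSTS`, the function names and the R1 sample line are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the entries from the logs posted in this thread, plus one
# benign R1 line (constructed) to show an entry that is not flagged.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.com/
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
"""

# Assumption: hosts the machine's owner expects as IE start/search pages.
EXPECTED_HOSTS = {"www.msn.com", "www.microsoft.com"}

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
REG_VALUE = re.compile(r"^(?P<key>HK[A-Z]+\\[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")

def parse_entries(log_text):
    """Return (code, body) for each 'XN - ...' entry; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries

def review(log_text, expected_hosts=EXPECTED_HOSTS):
    """Flag R0/R1 page values whose host is unexpected, and any O19 user stylesheet."""
    findings = []
    for code, body in parse_entries(log_text):
        if code in ("R0", "R1"):
            m = REG_VALUE.match(body)
            if not m:
                continue
            host = (urlparse(m["data"]).hostname or "").lower()
            if host and host not in expected_hosts:
                hive = m["key"].split("\\", 1)[0]  # HKCU (per user) or HKLM (machine-wide)
                findings.append((code, hive, m["name"].strip(), host))
        elif code == "O19":
            # IE user stylesheet set by something other than the user: report its path
            path = body.split(":", 1)[1].strip()
            findings.append((code, "file", "User stylesheet", path))
    return findings
```

Reporting the hive separately matters here because the same start page was written under both HKCU and HKLM, so both values need fixing.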

#14
HNMB6753

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
No suspicious items found! The log is empty and my homepage is back! Thank you!
  • 0

#15
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Now, please go into C:\Windows\System32\Drivers and delete p3m.bak

It was the file causing all the problems and you don't want it!!

Congratulations, your log is clean! Great job on the clean up :tazz:

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
And also see TonyKlein's good advice "So how did I get infected in the first place?" and AntiSpyware Net's spyware article: "Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it."

Edited by bananafanafo, 27 March 2005 - 06:50 PM.

  • 0





