[groover]

Hi, Firstly thanks for offering your help to me. I have my homepage now hijacked by all-ru.net. Alot of my pages arent displaying correctly anymore and I have run every program you have marked down before advising to run HijackThis. I have updated everything to do with XP as well.

Logfile of HijackThis v1.99.1
Scan saved at 5:06:41 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Howard\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

Thanks again! Groover!

[Advertisements]

Welcome to Geeks to Go!
I apologize for the wait. If you still need help with your system, please post a new HiJackThis log.

[Michelle]

Welcome to Geeks to Go!
I apologize for the wait. If you still need help with your system, please post a new HiJackThis log.

[groover]

Thanks Bananafanafo!

Logfile of HijackThis v1.99.1
Scan saved at 8:27:51 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe
C:\Documents and Settings\Howard\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

[Michelle]

Please click on the link below to download this program:
http://www.atribune....nloads/find.zip

*Right-click on your desktop and go to New > Folder - name it HJT.
*Download "Find.zip" to the HJT folder that you made. Make sure to Extract All Files!
*Double Click "Find.bat" and let it scan the PC, takes only seconds!
*Look back in the Folder you downloaded to (HJT) and locate "Report.txt"
*Double Click "Report.txt" and Copy the entire contents of the log and paste it here. It's going to be a very short log.

[groover]

C:\WINDOWS\SYSTEM32\DRIVERS\
disdnu.sys Thu Dec 9 2004 8:10:24p A.... 31,744 31.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 31,744 bytes 31.00 K

cheers!

[Michelle]

Please print these instructions out.

*First I need you to reboot in Safe Mode - you can do this by restarting your computer, then continually tapping the F8 key until a menu appears, then use your up arrow key to highlight Safe Mode, press enter.
*Be sure you're able to VIEW Hidden files *VERY IMPORTANT!* http://www.xtra.co.n...1916458,00.html
*Now Navigate to this Folder using WINDOWS EXPLORER:

C:\WINDOWS\SYSTEM32\DRIVERS

Locate this file in your DRIVERS folder:

disdnu.sys

Right Click that File and Select "Rename" and Rename it to:

disdnu.bak

Restart in Normal Mode.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis again. Put a checkmark next to these entries. Then click "FIX CHECKED"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

Restart into safemode again. Locate these Files (in bold) and DELETE THEM! You need to go straight into Windows Explorer to find it. Doing a search on your computer won't work. Make absolutely sure that you're able to VIEW Hidden files because at least one file will be hidden. They are both there and need to be deleted!

C:\WINDOWS\stsheets.dat
C:\WINDOWS\SYSTEM32\DRIVERS\disdnu.bak

Reboot your computer and post a new HiJackThis log.

[groover]

OK I did what u said. I had the hidden files viewed as well. However, I looked for the two files to be deleted and could only find one- C:\WINDOWS\SYSTEM32\DRIVERS\disdnu.bak
so I deleted it. The other I could not find. After several reboots both in and out of safe mode I just couldnt locate the file-C:\WINDOWS\stsheets.dat

so this is the last log when I ran HIJACK THIS. Am I OK?

Logfile of HijackThis v1.99.1
Scan saved at 10:54:48 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Documents and Settings\Howard\Desktop\HijackThis.exe

O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

[Michelle]

Ok great! Nothing to worry about - if you can't find it with hidden files showing then it's not there!

How is it running?

[groover]

Fantastic! All is running OK. I am just trying to put my Panda Anti Virus on my computer, (couldnt with the virus), and should have done this from day one when I bought the computer 2 weeks ago! Thanks again for your help and have a great day!

[Michelle]

You're very welcome!

I highly recommend XP Service Pack 2: http://www.microsoft.com - click on "Windows Update".

Congratulations your log is clean! Great job on the clean up

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Ewido Security Suite <= Protection against Trojans, Worms, Dialers, Hijackers, Spyware, and Keyloggers.

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

• AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
• Firewall<= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.

[Michelle]

Since this topic has been resolved, I'm going to go ahead and close it. If you're the original poster and have any other problems, you can PM me or another staff member and we'll re-open it for you!

Everyone else please post a new topic.