[heirARKY]

hello there.. this is all new 2 me, so pls bare wiv me
right, ive been battiling this 127051.exe and tibs41/2/3 problem 4 a week.. ive done all the fings u sed 2 do in the read this first post.. and the problem still comes back:| ive sooo htt a blank wall here.. that i fort id try send a hijack log report... sooo here it is.... any help would b much appreciated

thank u kindly

heirarky

Logfile of HijackThis v1.99.0
Scan saved at 14:11:41, on 21/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\open32.exe
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\eMule\emule.exe
C:\Program Files\WebSiteViewer\126322.dlr
C:\Documents and Settings\Jason\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll

[Advertisements]

Hello, My name is Matt and I will be assisting you.

Let me further review this problem and I will get back to you.

[canad1an]

Hello, My name is Matt and I will be assisting you.

Let me further review this problem and I will get back to you.

[heirARKY]

cheers matt... ur a pc saver

[canad1an]

Hi heirARKY,

You have a Horseserver infection which requires some tools to get rid of.

• First, download HSFix from here
• After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
• Next, download CleanUp! Install it, but do not run it yet.
• Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
• Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
• A log will be produced which you can close out of.
• Then run HijackThis again, close any open windows and browsers and fix these:
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
  O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
  O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
  O4 - HKLM\..\Run: [Shell] open32.exe
  O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
  O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
  O15 - Trusted Zone: *.frame.crazywinnings.com
  O15 - Trusted Zone: *.static.topconverting.com
  O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
  O15 - Trusted Zone: *.static.topconverting.com (HKLM)
  O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
  O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
  
• Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
• Restart your computer into normal mode and run at least one of the following free, online virus scans:
  http://housecall.tre.../start_corp.asp
  http://www.pandasoft...n_principal.htm
  http://www3.ca.com/t...sinfo/scan.aspx
• Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt

[heirARKY]

hiya matt

cheers 4 helping by the way! right, ive done everfink u sed and here me 2 new log files.....

Logfile of HijackThis v1.99.0
Scan saved at 20:34:07, on 22/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jason\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab


Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
ps.a3d
drct16.dll
mszx23.exe
-
4. Deleting files that were found.
-
unable to remove drct16.dll
unable to remove mszx23.exe
-
5. Checking for and Removing Winupdate
-
-
-


jason

[canad1an]

Im going to have to ask you to remove a few more entries please.


Run HiJackThis again.

Put a tick next to the following entries.

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab

EXIT ALL OTHER WINDOWS

And click "Fix Selected"

Restart computer, then rescan and post a new log.

Good Luck!

[heirARKY]

right, tis done...
but as ul'l c thos pesky Trusted Zone thingys r back

Logfile of HijackThis v1.99.0
Scan saved at 23:55:13, on 23/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jason\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

[canad1an]

Is your problem fixed? Or do you still have trouble with Horseserver?

[canad1an]

Aside from those trusted sites being listed. Is your problem fixed? Or do you still have trouble with Horseserver?

[canad1an]

Please also:

Right click http://mvps.org/winh.../DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.

[heirARKY]

hiya matt mate..

yeh that horseserver things all gone infact me pcs wrking really well!!! thanks 4 that ur a star!
quick q 4 ya... i did that Del Domains.inf thing.. but wot is it? wot does it do?

[canad1an]

http://mvps.org/winh.../DelDomains.inf
It will delete your currently trusted domains...I guess?

I don't know, and when I checked this post in the geek's area about that link it wasn't in out post...?
Well glad it worked!

As always, come back if you have problems...

-Matt