Tough problem. Only a genius can solve...

1911 Views 10 Replies 2 Participants Last post by  $teve
Everyone,
Somehow in my surfing I got a bug. It redirects my home page to scanthenet.com on open and when I try to see www.yahoo.com or www.google.com. Otherwise it seems ok. Unfortunately it is also sending out my personal information. See below:

To : [email protected]
Subject : Re: Your details
Message-ID:

Attachment(s) removed:
-----------------------------------------
your_details.pif

I have used Adaware 6.0. It found some trouble but not the bad one. I tried Spy Sweeper. It found the bad one. I deleted the troubled files but every time it comes back. [I think it has corrupted my registry.] I used Spybot Search and Destroy. It found the problem and did say the registry was corrupted and supposedly fixed it but the trouble came right back. So.....I need an expert to advise me what I can do. In the meantime I am preparing to wipe the C: drive and reload everything from scratch. But if someone can show me how to kill the bug without spending the entire day reloading all my software from scratch, I would happily bow in whatever direction they come from.
:(
It's the Sobig worm...download and run this tool:
http://vil.nai.com/vil/stinger/

Then do this:
go to http://www.lurkhere.com/~nicefiles/ , and download 'Hijack This!'.....
Unzip it to its own folder, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

If you have anything disabled by MSConfig or any other startup manager, please re-enable it before scanning to post.

;)
Run HijackThis again and put a checkmark against these entries....double check
in case you miss anything....
.....then, close all browser and Outlook windows and "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
O1 - Hosts: 69.93.33.159 www.google.com
O1 - Hosts: 69.93.33.159 google.com
O1 - Hosts: 69.93.33.159 altavista.com
O1 - Hosts: 69.93.33.159 www.altavista.com
O1 - Hosts: 69.93.33.159 yahoo.com
O1 - Hosts: 69.93.33.159 www.yahoo.com

Go to "Tools"/"Internet Options" and reset your preferred start page.
Reboot afterwards and see if all is ok.

Consider installing the following:

SpywareBlaster v3.0 and SpywareGuard v2.2, to prevent ActiveX drive-by installations, as well as provide real-time browser hijacking protection: http://www.wilderssecurity.net/index.html

IE-SPYAD, a registry file that adds a long list of known "sites" to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm

;)
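A check for the kind of hosts-file hijack shown in the O1 entries above, added here as an example and not part of the thread: it parses hosts-file text (a constructed sample is embedded inline, reusing the address from the posted log) and flags any hostname mapped to something other than loopback or 0.0.0.0, then renders the hits in the "O1 - Hosts:" form HijackThis uses.

```python
import ipaddress

# Constructed sample hosts file modelled on the thread's O1 entries: the first
# two lines are normal, the next three redirect search engines to one remote
# address, and the last is a benign blocklist-style entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.93.33.159    www.google.com
69.93.33.159    google.com
69.93.33.159    yahoo.com   www.yahoo.com   # several names on one line
0.0.0.0         ads.example                 # sinkholed ad host, benign
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()  # hosts files mix tabs and spaces
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a real tool would report it
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def find_hijacks(entries):
    """Flag names sent to a routable address.

    Loopback and 0.0.0.0 are what legitimate hosts files normally contain;
    anything else (including private LAN addresses) deserves a manual look.
    """
    suspicious = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        suspicious.append((ip, name))
    return suspicious


def hijackthis_o1_lines(entries):
    """Render flagged entries the way a HijackThis log lists them."""
    return [f"O1 - Hosts: {ip} {name}" for ip, name in find_hijacks(entries)]
```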
Did you check and fix the O1 entries?
If you did, download and run this......
CoolWebShredder (CWS) from here:
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
Please make certain that all browser and folder windows are closed before using CWShredder.
;)
Nope Bob, that's fine to leave............you have a clean bill of health.
:up:

Always a pleasure
;)
Also..........Spybot has an Immunize feature..........this will help prevent any home page changes made by anyone but yourself.
;)