Tech Support Forum - View Single Post - Help with browser hijack-hijack this log attached

**Pancake** · 04-19-2005, 11:34 PM

Hi and Welcome
It may help you if you print out or copy this page for easy reference.. Make sure to work through the fixes in the exact order its listed..These instructions only apply to HJT v1.99.1

Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes.

Download any of the required programs before attempting to start any of the fixes.

Please do NOT run Hijack This in a TEMPorary folder or on the Desktop. I recommend c:/program files/HJT/

Turn off System Restore instructions (WinXP)
Rightclick My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may renable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------

Run CWShredder.

How to install and run CWShredder

Download CWShredder
Choose the stand alone version. This is free.
Save cwshredder.exe into its own directory, NOT in a TEMPorary folder or on the DESKTOP.
I recommend, c:/program files/CWShredder/
Close all browsers
Unzip into same directory
Doubleclick CWSInstall.exe
Click <Check for updates> and let it install all updates
Click <Fix>
Click <Next>
Close CWShredder//
------------------------------------------------------------------

To help clean out Trusted Zones,download and run DELDOMAINS then double click to open the DelDomains.inf .To execute the file: right-click and Select 'Install' from the Menu.

-----------------------------------------------------------------
Files highlighted in BLACK will need to be removed from your hard drive.

------------------------------------------------------------------

Please start by putting HJT in SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This"
------------------------------------------------------------------

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click End Process for each one if they are still listed.

C:\WINDOWS\System32\msxmidi.exe

------------------------------------------------------------------

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
O1 - Hosts: 207.68.176.190 www.auto.search.msn.com
O2 - BHO: IE SP2 AddOn - {C190E5B4-3022-4E8E-828D-7B161C96D783} - C:\WINDOWS\System32\spybi.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://170.224.37.149/SiteRoots/mai...aDownloader.cab

------------------------------------------------------------------

Open Windows Explorer and delete the following highlighted file/s (or delete the whole (Red) folder if listed).

C:\WINDOWS\System32\msxmidi.exe
C:\WINDOWS\System32\svhost.exe <-------- CAUTION...dont delete the genuine file svchost.exe note the spelling.

-------------------------------------------------------------------
Check that you have carried out all the above steps/fixes and then reboot into Normal Mode and download Cleanup This will clean out your tempory files.

When finished please post a new log......

04-19-2005, 11:34 PM	#3 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	Hi and Welcome It may help you if you print out or copy this page for easy reference.. Make sure to work through the fixes in the exact order its listed..These instructions only apply to HJT v1.99.1 Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes. Download any of the required programs before attempting to start any of the fixes. Please do NOT run Hijack This in a TEMPorary folder or on the Desktop. I recommend c:/program files/HJT/ Turn off System Restore instructions (WinXP) Rightclick My Computer \| Properties \| System Restore \| check “Turn off System Restore”, <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may renable System Restore and create a new restore point. SHOW HIDDEN FILES AND FOLDERS. To show hidden files instructions (WinXP) Doubleclick My Computer \| Tools \| Folder Options \| View tab Select Show Hidden Files and Folders Uncheck Hide extensions for known file types Uncheck Hide protected operating system files (Recommended) Select Apply to All Folders \| Yes \| Apply \| OK ------------------------------------------------------------------ Run CWShredder. How to install and run CWShredder Download CWShredder Choose the stand alone version. This is free. Save cwshredder.exe into its own directory, NOT in a TEMPorary folder or on the DESKTOP. I recommend, c:/program files/CWShredder/ Close all browsers Unzip into same directory Doubleclick CWSInstall.exe Click <Check for updates> and let it install all updates Click <Fix> Click <Next> Close CWShredder// ------------------------------------------------------------------ To help clean out Trusted Zones,download and run DELDOMAINS then double click to open the DelDomains.inf .To execute the file: right-click and Select 'Install' from the Menu. ----------------------------------------------------------------- Files highlighted in BLACK will need to be removed from your hard drive. ------------------------------------------------------------------ Please start by putting HJT in SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This" ------------------------------------------------------------------ Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click End Process for each one if they are still listed. C:\WINDOWS\System32\msxmidi.exe ------------------------------------------------------------------ Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe O1 - Hosts: 207.68.176.190 www.auto.search.msn.com O2 - BHO: IE SP2 AddOn - {C190E5B4-3022-4E8E-828D-7B161C96D783} - C:\WINDOWS\System32\spybi.dll O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file) O4 - HKLM\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe O15 - Trusted Zone: .awmdabest.com (HKLM) O15 - Trusted Zone: .skoobidoo.com (HKLM) O15 - Trusted Zone: .windupdates.com (HKLM) O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://170.224.37.149/SiteRoots/mai...aDownloader.cab ------------------------------------------------------------------ Open Windows Explorer and delete the following highlighted* file/s (or delete the whole (Red) folder if listed). C:\WINDOWS\System32\msxmidi.exe C:\WINDOWS\System32\svhost.exe <-------- CAUTION...dont delete the genuine file svchost.exe note the spelling. ------------------------------------------------------------------- Check that you have carried out all the above steps/fixes and then reboot into Normal Mode and download Cleanup This will clean out your tempory files. When finished please post a new log...... __________________ Eddy