spyware startsearches.net

  • Thread starter Thread starter frank
  • Start date Start date
F

frank

I have used spybot, adaware, and msft antispyware and i
cannot get rid of a virus that has changed my IE 6.0 to
"startsearches.net" . If anyone out there can help it would
be appreciated. I don't want to re-format. I have
re-installed win xp home already and does not help.
Thanks
 
Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe

Save it to C:\hjt (new folder) then Run it and select
Scan and Save Log. Note where you saved the log then
send it to me as an attachment. Put Hijack in the subject
so I'll know it's not spam.

Ron Kinner
Microsoft MVP 2004 & 2005
(e-mail address removed)
 
Hi,

I've been to a client and have the same problems.

Also only have the restore hijack setting will change back.

Please advise.

Phil
 
Please print out or copy this page to Notepad. Make sure to work through the
fixes in the exact order it is mentioned below. If there's anything that you
don't understand, ask your question(s) before proceeding with the fixes. You
should 'not' have any open browsers when you are following the procedures
below.

Go to Start->-Control Panel->Add or Remove Programs and remove/uninstall the
following programs, if found:

Security iGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that
'Show hidden files and folders' (or 'Show all files') is enabled. Also make
sure that 'Display the contents of system folders' is checked.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox
and check the box that says 'End Explorer Shell While Killing File'. Next
click on 'Delete on Reboot'. For each of the following files below, check
the box that says 'Unregister .dll Before Deleting' if it's not grayed out.
Copy the below files and go back to KillBox. Go to File->Paste from
Clipboard and then hit the button with red circle with a white X. Confirm to
delete and when asked if you want to reboot now, say no:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\system32\ole32vbs.exe
C:\WINDOWS\System32\hp738C.tmp

Restart your computer and boot into Safe Mode by hitting the F8 key
repeatedly until a menu shows up (and choose Safe Mode from the list). In
some systems, this may be the F5 key, so try that if F8 doesn't work.

Delete these folders if they exist:

C:\Program Files\Search Maid\
C:\Program Files\Virtual Maid\
C:\Windows\System32\Log Files\
C:\Program Files\Security iGuard\
C:\Program Files\Ebates_MoeMoneyMaker\

Run a scan in HijackThis. Check each of the following and hit 'Fix checked'
(after checking them) if they still exist (make sure not to miss any):

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -
C:\WINDOWS\System32\hp738C.tmp
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} -
file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file
missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper -
{945DE5C9-DA4A-40E9-9DC2-DD6F9F7420EB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
{945DE5C9-DA4A-40E9-9DC2-DD6F9F7420EB} - (no file) (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX
Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?

Close HijackThis.
 
Back
Top