Lucky Cat

homepage hijack, Win Min?

76 posts in this topic

I've deleted mstasks1.exe, mstasks2.exe, wmplayer.exe.tmp no problem. But now I have a new problem...I can't delete:

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

Every time I click fix checked and I run Hijackthis again it reappears, are these items dangerous?

From what I've read, F0 items are always bad, but I was looking at a post that seems to say that they be legit.

 

These 3 files:

 

C:\Program Files\Winamp\winamp.ini

C:\Program Files\Winamp\winamp.m3u

C:\Windows\winamp.ini

 

go with Winamp (a media file player). Do you have this program on your computer? If so, was it installed around the time this problem began?

 

Could you make copies of the following files and place them in a ZIP file:

 

C:\install.cab

C:\install.htm

C:\Windows\didduid.ini

C:\Windows\dl.html

C:\Windows\hosts

C:\Windows\sasing.ini

C:\Windows\test

C:\Windows\inf\drvindex.pnf

C:\Windows\system32\ggdfg.txt

C:Windows\system32\drivers\etc\hosts

 

and send them to the following address: walk_wait AT msn.com (replace the AT with @). I'd like to have a look at these files.

 

-- LB

ahh yea seems like a few people out there have the F0 after being infected by something so it seems like a bad thing...As for winamp yea I have it installed but I installed it months ago and I wasn't running it the day I got infected (if anything I can just delete the whole thing and re install it, it's easy) And I'll send you those files ASAP, thanks.

Don't worry about the F0 items.... they're probably legit. They show up like that in certain non-english versions of XP.

 

-- LB

yea my XP is on a Japanese setting...maybe that's why >.< as long as they are not a threat ;) I sent you the files, hope ya can figure out if they're safe or not :hmmm:

I inspected the files you sent. No obvious signs that they were related to Hacker Defender. However some of the files are related to ISearch (a toolbar). Do you recall ever seeing this in any Spybot or Ad-Aware scans?

 

Go ahead and delete the following:

 

C:\install.cab

C:\install.htm

C:\Windows\didduid.ini

C:\Windows\dl.html

C:\Windows\test

C:\Windows\system32\ggdfg.txt

C:\Windows\sasing.ini

 

This one I'm not sure about:

 

C:\Windows\inf\drvindex.pnf

 

I couldn't make heads or tails of the info in this file. It's probably legit.

 

I may have you do more stuff to ensure that Hacker Defender is really gone.

 

-- LB

Okay will delete those files. drvindex.pnf does seem to be legit just odd that it got modified at the exact time of infection. And yea I did find iSearch Toolbar with Spy Sweeper and it got rid of it.

 

Okay thanks for your help so far....is it almost fixed? :D

Could you find this file:

 

winunins.ini

 

and post the contents here?

 

As for that one file I'm unsure of (the one I couldn't make any sense of), I'm trying to find out if Hacker Defender messes with this or not.

 

-- LB

I deleted winunins.ini because the solution for HackerDefender in this thread:

http://www.spywareinfoforum.com/index.php?showtopic=505

Said I should delete it, it's gone so I can't paste its contents :weep: Does this matter? Is that a bad thing?

 

Thanks for your help so far.

I'm not 100% sure but probably Windows keeps a log of installed drivers in drvindex.pnf. As HD's driver was installed on a specific date/time, drvindex.pnf would have changed on the same date/time. The file itself should be left alone.

 

drvindex.pnf is OK.

 

I'm now checking to see if you should change your passwords (I don't know if Hacker Defender steals passwords).

 

Just about done here.

 

-- LB

Okay thanks a lot! Glad we're almost done ;) umm if I DID have to change passwords which ones would I have to change?

I looked at the viruses that the anti-virus program found just after the problems began. None of them were mentioned as password stealers.

 

Run a full virus scan again and report back with any viruses found. I just want to make sure there isn't anything else.

 

-- LB

You mentioned earlier that you have a home network. Was the infected computer part of this network?

 

-- LB

Ran a full virus scan, found no virus. Yea the infected computer is part of the home network. It was plugged in at the time of the infection but I have had it unplugged ever since, except to update ad aware, spyblaster and my anti virus program.

It sounds like you're clean now.

 

I recommend downloading the following programs:

 

Spyware Blaster

IE-Spyad

MVPS Hosts

 

These will prevent most of the stuff from getting on your system. Install them on each computer on your home network.

 

-- LB

I am clean? yay thanks a lot for your help VashonDude. I'll install those things asap. One more thing before we finish up! What about the...

 

C:\Windows\winamp.ini

C:\Program Files\Winamp\winamp.ini

C:\Program Files\Winamp\winamp.m3u

 

files. I still find it odd those files were modified after the time of infection. I do have winamp installed but I didn't use it for days...If anything I'll just uninstall winamp and reinstall it. Or is this even something I should worry about?!

 

Anyway after this that should be it again thanks a lot for your help VashonDude :D

About the winamp thing I mentioned above I just deleted and uninstalled winamp...may have been okay anyway but better safe than sorry ;)

Probably a good thing you deleted those files.

 

IE-Spyad and MVPS Hosts are updated frequently (about once every 2 weeks or so). Be sure to check the software updates forum here for update notices.

 

I'm glad I could be of assistance :wave:

 

-- LB

hey there's one more thing...the file "hosts" that was created at the exact time of infection is still in my windows folder :unsure: Should I delete that?

One of the hosts files was empty and the other had a perfectly harmless entry. I believe the one in the C:\Windows directory can be deleted (I'll check to make sure).

 

On the subject of the hosts file, the one I suggested you download is very useful. What it does is redirect certain sites to IP 127.0.0.1 (which just happens to be the computer the file is on). This will prevent anything from being downloaded from those sites.

 

-- LB

Go ahead and delete the hosts file in the C:\Windows directory. That's not the legit place for the hosts file in XP (in XP, it's located in C:\Windows\System32\Drivers\Ect).

 

-- LB
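
The two checks discussed in the posts above (is the hosts file in the standard location, and does it only point names at the local machine) can be done mechanically. The following is an added example, not part of the original thread: the sample content and function names are constructed for illustration, and the expected path assumes a default C:\Windows install.

```python
import ipaddress
import ntpath

# Standard hosts location on NT-family Windows (assumes the default C:\Windows root).
EXPECTED_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample content; not taken from the files discussed in the thread.
SAMPLE_HOSTS = """\
# blocklist-style entries
127.0.0.1    localhost
127.0.0.1    ads.example.test      # sinkholed
0.0.0.0      tracker.example.test
203.0.113.7  update.example.test www.example.test
::1          localhost
not-an-ip    broken.example.test
"""

def in_expected_location(path):
    """True if path is the standard hosts file location (case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path)) == ntpath.normcase(EXPECTED_HOSTS)

def audit_hosts(text):
    """Return (findings, malformed). Each finding is (line, name, address, kind):
    'local'    localhost mapped to loopback (normal)
    'blocked'  any other name mapped to loopback or 0.0.0.0 (blocklist style)
    'redirect' a name mapped to some other address (review these)"""
    findings, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split on whitespace
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:
            malformed.append((lineno, raw))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in (f.lower() for f in fields[1:]):
            if not sinkhole:
                kind = "redirect"
            elif name == "localhost":
                kind = "local"
            else:
                kind = "blocked"
            findings.append((lineno, name, str(addr), kind))
    return findings, malformed

def redirects(text):
    """Entries that send a hostname somewhere other than the local machine."""
    return [f for f in audit_hosts(text)[0] if f[3] == "redirect"]
```

A blocklist such as the one recommended in the thread should produce only `local` and `blocked` findings; any `redirect` entry is the kind a hijacker adds and deserves a closer look.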

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
