TechSpot

patchyoursystem.com

By davio
Oct 15, 2005
  1. Hey there,
    I have this awful problem where some sort of trojan or spyware program has glued itself to my Internet Explorer. Every time I start it up, it redirects me to patchyoursystem.com! It's killing me!

    Well anyways, it sends some sick ads and stuff of that sort. If anyone could help me remove this atrocious beast, I'd appreciate it!

    Thanks in advance,
    Davio
     
  2. Spike

    Spike TS Evangelist Posts: 2,168

    Could you please post a Hijack This log as a txt attachment so that we can have a look what's there.
     
  3. davio

    davio TS Rookie Topic Starter

    here, attached file
     
  4. pkroks

    pkroks TS Rookie Posts: 259

    read this thread on how to post a HiJack This Log.. ;)
     
  5. davio

    davio TS Rookie Topic Starter

    OK, I apologise. Here is the .TXT
     

    Attached Files:

  6. pkroks

    pkroks TS Rookie Posts: 259

    OK, according to this thread here (have a read of it as well) I would suggest removing the following:

    ...................................................................................................
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL....
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL ....
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar ....
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar ....
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page ....
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext ....
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - ....
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - .....
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - ....
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - ....
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - ....
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - ....
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - ....
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - ....
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - ....
    ...................................................................................................


    you might need to download the following if you haven't already done so:
    LSP Fix from here


    and GET FIREFOX

    If I were you I would wait until someone with more experience backs me up, but the above should be what needs to be deleted. :grinthumb:

    GET FIREFOX
     
  7. Spike

    Spike TS Evangelist Posts: 2,168

    boot into safe mode, disable system restore, and open task manager...

    end the following if running
    weather.exe
    BearShare.exe

    go to add/remove programs, and uninstall anything to do with
    weatherbug

    run hjt, and fix (check the square box next to the appropriate entry. When done, hit the fix button) the following entries...
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpB387.tmp
    O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

    ALL O16 entries

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Delete all files above that have been made bold. Where a directory has been made bold, delete the whole directory.

    delete the contents of
    C:\windows\prefetch
    C:\windows\temp (except for those files with today's date, i.e., 15th October (as was before midnight) or 16th October)
    C:\Documents and Settings\[username]\Local Settings\Temp (repeat for each username on the computer)

    Clear your temporary internet files and cookies.

    when done, reboot, scan your computer with HJT, and post a fresh log.
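    Added example, not from this thread or from HijackThis itself: a small triage script for the HijackThis line format quoted above. It parses R0/R1 and O2 entries, flags the same kinds of things the replies point at (orphaned "(no file)"/"(file missing)" entries, home/search pages pointing at an unexpected host, a ProxyOverride, a BHO with a non-generated CLSID or loaded from a .tmp file), and leaves everything else alone for a human to judge. The sample log lines are constructed from entries quoted in the thread; TRUSTED_HOSTS is an assumed allowlist you would fill in yourself.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis line format quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpB387.tmp
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Hosts the user deliberately chose for home/search pages (assumed; edit for your machine).
TRUSTED_HOSTS = {"www.google.com", "www.microsoft.com"}
# Registry values HijackThis reports as R0/R1 that decide where IE starts and searches.
START_KEYS = {"Default_Page_URL", "Default_Search_URL", "Search Bar", "Start Page", "ShellNext"}

R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+),([^,=]+) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
HEAD = re.compile(r"^([RO]\d+) - ")

def triage(line):
    """Return the reasons one HJT log line deserves review (empty list = nothing noted)."""
    reasons = []
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("orphaned: points at a component that no longer exists")
    m = R_LINE.match(line)
    if m:
        _, _, _, name, data = m.groups()
        if name in START_KEYS:
            host = urlparse(data).hostname or ""
            if host not in TRUSTED_HOSTS:
                reasons.append(f"browser home/search points at {host}")
        elif name == "ProxyOverride":
            reasons.append("ProxyOverride set; confirm the user configured it")
    m = O2_LINE.match(line)
    if m:
        _, clsid, path = m.groups()
        hexchars = set(clsid.strip("{}").replace("-", "").upper())
        if len(hexchars) <= 2:  # real GUIDs are random; FFFF...FFFA is hand-made
            reasons.append("BHO CLSID is not a generated GUID (repeated characters)")
        if path.lower().endswith(".tmp"):
            reasons.append("BHO loads from a .tmp file")
    return reasons

def triage_log(text):
    """Map each R/O entry in an HJT log to its reasons; entries with none are omitted."""
    return {ln: triage(ln) for ln in text.splitlines() if HEAD.match(ln) and triage(ln)}
```

Entries the script does not flag (the O4 WeatherBug line in the sample, for instance) still need the manual judgement the thread shows; the heuristics only sort the log, they do not decide what to fix.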
     
  8. pkroks

    pkroks TS Rookie Posts: 259

    almost got 'em all when i posted, just forgot to tell him how to do it.... ;)
     
  9. Spike

    Spike TS Evangelist Posts: 2,168

    he he. No guarantee I got them all (though I firmly believe I did, minus some of the spyware removal apps that weren't specifically nasty). I'm confident I did though.
     
  10. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Sorry to put a damper on your spirits!

    Uninstall this crap as well:
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
     
  11. Spike

    Spike TS Evangelist Posts: 2,168

    Ah. So it IS spyware. I did think it was a little dubious, but a quick Google (not that I looked too deeply) told me that it was legit. (Though I was still dubious).

    Again, we live and learn. thanks :)
     
  12. davio

    davio TS Rookie Topic Starter

    Thanks for everyone's help. I finally removed this beast, this awful beast! It required ewido, safe moding, and all that other crap. I'm just glad my Internet Explorer no longer goes to patchyoursystems.com

    Again thanks to everyone who helped :)
     
Topic Status:
Not open for further replies.
