PC Review



Browser Hijacked - Cleaned Up - Still Hijacked!!

 
 
Smith1028
Guest
Posts: n/a
 
17th Jul 2004
My IE browser was hijacked by Search200.com. I used Hijack This and Ad-Aware and Spybot Search & Destroy...nothing seems to get rid of it. When I first launch IE instead of opening to my home page it runs something that sends me out to:

http://search200.com/passthrough/popupbaropener.html

It then loads a search bar at the bottom of my screen and tries to open my start page, which is a local file on my computer, but it doesn't work because it puts "file://" before the URL.

I have run Hijack This and deleted the entry over and over again, but it keeps coming back. I got Spybot-Search & Destroy, and ran that, but it keeps coming back!

I removed the following from my registry and it still comes back (after I shut down and reboot).

HKEY_USERS\S-1-5-21-1026744355-1238661117-741939197-1005\Software\Microsoft\Search Assistant\ACMru\5603

Value 0
Name: 000
Type: REG_SZ
Data: search200.com

But of course, it still came back!! Any help would be greatly appreciated!


 
Michael D. Alligood
Guest
Posts: n/a
 
17th Jul 2004
Give this a try:

Scan with HijackThis again and place a check next to these items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
about:blank
R3 - URLSearchHook: (no name) - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no
file)
O2 - BHO: (no name) - {1D97834C-057B-6829-D57E-68EDC18915B8} -
C:\PROGRA~1\ACTIVE~1\Cash That.dll
O4 - HKLM\..\RunOnce: [_UnwiseNPO] cmd.exe /c del
C:\WINNT\system32\n3tpa1.dll
O4 - HKLM\..\RunOnce: [_UnwiseNPO_] cmd.exe /c del
C:\WINNT\system32\boot0k.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/downlo...22/wmv9VCM.CAB

Make sure that all browser windows and internet links are closed and click
'Fix Checked' with HijackThis.

Boot into safe mode by tapping the F8 key at restart and choosing 'safe
mode' from the menu.

Navigate to these files/folders

C:\PROGRA~1\ACTIVE~1<--delete this folder, not sure of the full name but it
contains the hijacker (Cash That.dll)
C:\WINNT\system32\boot0k.dll<--delete this file
C:\WINNT\system32\n3tpa1.dll<--delete this file

Reboot

Download Ad-Aware's free version from the link in my signature.

Ad-Aware 6 comes pre-configured with default options that are already ON
(green checkmark) ... do not change them. The following are changes that you
will need to make to prepare the "Full" custom scan that is recommended for
the first look into your computer (instead of a red "x", you will make them
a green "checkmark"):
Launch the program, and click on the Gear at the top of the start screen to
access the preferences/setting window.
Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard
drives.
Under Memory & Registry, select all options.
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Now update to the latest reference file. They update these constantly.

When you are finished, you will be using the Custom Scan with Memory and
Both registry scans ON. Please make sure that you activate IN-DEPTH scanning
before you proceed.

After you have set up these options, be sure to choose "Custom Scan" not
"Smart Scan" and choose next.

Let it remove all finds. It will put these in quarantine to back up later if
necessary.

Reboot once more and post us a fresh HijackThis log.


"Smith1028" <(E-Mail Removed)> wrote in message
news:6D90BAC8-EA23-4B38-BCA1-(E-Mail Removed)...
> My IE browser was hijacked by Search200.com. I used Hijack This and
> Ad-Aware and Spybot Search & Destroy...nothing seems to get rid of it. When
> I first launch IE instead of opening to my home page it runs something that
> sends me out to:
>
> http://search200.com/passthrough/popupbaropener.html
>
> It then loads a search bar at the bottom of my screen and tries to open my
> start page, which is a local file on my computer, but it doesn't work
> because it puts "file://" before the URL.
>
> I have run Hijack This and deleted the entry over and over again, but it
> keeps coming back. I got Spybot-Search & Destroy, and ran that, but it keeps
> coming back!
>
> I removed the following from my registry and it still comes back (after I
> shut down and reboot).
>
> HKEY_USERS\S-1-5-21-1026744355-1238661117-741939197-1005\Software\Microsoft\Search Assistant\ACMru\5603
>
> Value 0
> Name: 000
> Type: REG_SZ
> Data: search200.com
>
> But of course, it still came back!! Any help would be greatly appreciated!


 
Smith1028
Guest
Posts: n/a
 
18th Jul 2004
I'm running Windows XP Professional v5.1. Here is the log file from the most recent Hijack This scan... none of the items you mentioned are in here...

Logfile of HijackThis v1.97.7
Scan saved at 4:50:58 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\IMWEBSTA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\DUMB01~1\Soft Dupe Hide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\QUICKENW\QWDLLS.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Lisa Smith\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/ind...background.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DDD192CD-5D11-31F3-2438-5F3195CB315A} - C:\PROGRA~1\ERRORS~1\Pile flaw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: IdolObj - {B8A90684-0658-F081-B038-7D849BC04353} - C:\PROGRA~1\ERRORS~1\Pile flaw.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [bait body] C:\PROGRA~1\DUMB01~1\Soft Dupe Hide.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.livingnaturally.com/commo...upons/smsx.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...5/sdcregie.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/29739b2fced0081...p/RdxIE601.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...?37878.4721875
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/ca...ile=stamps.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/acc...AcpControl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab

Thanks for your help!

Lisa

"Michael D. Alligood" wrote:

> Give this a try:
>
> Scan with HijackThis again and place a check next to these items:
>
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
> http://red.clientapps.yahoo.com/cust.../www.yahoo.com
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
> about:blank
> R3 - URLSearchHook: (no name) - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no
> file)
> O2 - BHO: (no name) - {1D97834C-057B-6829-D57E-68EDC18915B8} -
> C:\PROGRA~1\ACTIVE~1\Cash That.dll
> O4 - HKLM\..\RunOnce: [_UnwiseNPO] cmd.exe /c del
> C:\WINNT\system32\n3tpa1.dll
> O4 - HKLM\..\RunOnce: [_UnwiseNPO_] cmd.exe /c del
> C:\WINNT\system32\boot0k.dll
> O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
> http://download.microsoft.com/downlo...22/wmv9VCM.CAB
>
> Make sure that all browser windows and internet links are closed and click
> 'Fix Checked' with HijackThis.
>
> Boot into safe mode by tapping the F8 key at restart and choosing 'safe
> mode' from the menu.
>
> Navigate to these files/folders
>
> C:\PROGRA~1\ACTIVE~1<--delete this folder, not sure of the full name but it
> contains the hijacker (Cash That.dll)
> C:\WINNT\system32\boot0k.dll<--delete this file
> C:\WINNT\system32\n3tpa1.dll<--delete this file
>
> Reboot
>
> Download Ad-Aware's free version from the link in my signature.
>
> Ad-Aware 6 comes pre-configured with default options that are already ON
> (green checkmark) ... do not change them. The following are changes that you
> will need to make to prepare the "Full" custom scan that is recommended for
> the first look into your computer (instead of a red "x", you will make them
> a green "checkmark"):
> Launch the program, and click on the Gear at the top of the start screen to
> access the preferences/setting window.
> Click the "Scanning" button.
> Under Drives & Folders, select "Scan within Archives".
> Click "Click here to select Drives + folders" and select your installed hard
> drives.
> Under Memory & Registry, select all options.
> Under "Cleaning Engine", select the following:
> "Let Windows remove files in use after reboot."
> Click on 'Proceed' to save these Preferences.
> Now update to the latest reference file. They update these constantly.
>
> When you are finished, you will be using the Custom Scan with Memory and
> Both registry scans ON. Please make sure that you activate IN-DEPTH scanning
> before you proceed.
>
> After you have set up these options, be sure to choose "Custom Scan" not
> "Smart Scan" and choose next.
>
> Let it remove all finds. It will put these in quarantine to back up later if
> necessary.
>
> Reboot once more and post us a fresh HijackThis log.
>
>
> "Smith1028" <(E-Mail Removed)> wrote in message
> news:6D90BAC8-EA23-4B38-BCA1-(E-Mail Removed)...
> > My IE browser was hijacked by Search200.com. I used Hijack This and
> > Ad-Aware and Spybot Search & Destroy...nothing seems to get rid of it. When
> > I first launch IE instead of opening to my home page it runs something that
> > sends me out to:
> >
> > http://search200.com/passthrough/popupbaropener.html
> >
> > It then loads a search bar at the bottom of my screen and tries to open my
> > start page, which is a local file on my computer, but it doesn't work
> > because it puts "file://" before the URL.
> >
> > I have run Hijack This and deleted the entry over and over again, but it
> > keeps coming back. I got Spybot-Search & Destroy, and ran that, but it keeps
> > coming back!
> >
> > I removed the following from my registry and it still comes back (after I
> > shut down and reboot).
> >
> > HKEY_USERS\S-1-5-21-1026744355-1238661117-741939197-1005\Software\Microsoft\Search Assistant\ACMru\5603
> >
> > Value 0
> > Name: 000
> > Type: REG_SZ
> > Data: search200.com
> >
> > But of course, it still came back!! Any help would be greatly appreciated!

 
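As an added example that is not part of this thread (my own code, not HijackThis's logic and not anything a poster wrote): a small Python triage script that parses lines in the HijackThis log format shown in Lisa's post and flags the same kinds of entries that Michael's fix list and the log contain, i.e. a start page pointing at the hijacker domain, a URLSearchHook with "(no file)", BHO/toolbar/Run entries whose DLL is a random-word name under an 8.3-truncated Program Files directory, a RunOnce that deletes a file from system32, and an ActiveX download from a bare IP address. The sample lines are copied from the thread (the forum's "..." abbreviations inside URLs are kept as they appear); the heuristics, the function names and the HIJACK_DOMAINS list (which holds only search200.com from this thread) are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample in the format of the HijackThis v1.97 logs posted in this
# thread (entries copied from the thread; "..." inside URLs is the forum's own
# abbreviation and is kept as-is).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/ind...background.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R3 - URLSearchHook: (no name) - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {DDD192CD-5D11-31F3-2438-5F3195CB315A} - C:\PROGRA~1\ERRORS~1\Pile flaw.dll
O3 - Toolbar: IdolObj - {B8A90684-0658-F081-B038-7D849BC04353} - C:\PROGRA~1\ERRORS~1\Pile flaw.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bait body] C:\PROGRA~1\DUMB01~1\Soft Dupe Hide.exe
O4 - HKLM\..\RunOnce: [_UnwiseNPO] cmd.exe /c del C:\WINNT\system32\n3tpa1.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/29739b2fced0081...p/RdxIE601.cab
"""

HIJACK_DOMAINS = {"search200.com"}   # the hijacker domain named in this thread (assumed list)

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Text after a CLSID: optional "(Friendly Name)", a dash, then the path or URL.
AFTER_CLSID_RE = re.compile(r"^\s*(?:\([^)]*\)\s*)?-\s*(?P<target>.*)$")
SHORT_NAME_RE = re.compile(r"~\d")                                   # 8.3 component, e.g. PROGRA~1
WORDY_FILE_RE = re.compile(r"^(?:[A-Za-z]+ )+[A-Za-z]+\.(?:dll|exe)$", re.I)  # "Pile flaw.dll"
SELF_DELETE_RE = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+del\b", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Entry:
    kind: str                   # R0, R1, R3, O2, O3, O4, O16, ...
    body: str
    clsid: Optional[str] = None
    target: str = ""            # file path, command line or URL the entry points at
    findings: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; return None for header/process lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(kind=m.group("kind"), body=m.group("body"))
    c = CLSID_RE.search(entry.body)
    if entry.kind.startswith("R") and " = " in entry.body:      # R0/R1: key = value
        entry.target = entry.body.split(" = ", 1)[1].strip()
    elif entry.kind == "O4" and "] " in entry.body:             # O4: [name] command
        entry.target = entry.body.split("] ", 1)[1].strip()
    elif c:                                                     # R3/O2/O3/O16: {CLSID} - target
        entry.clsid = c.group(0)
        a = AFTER_CLSID_RE.match(entry.body[c.end():])
        entry.target = a.group("target").strip() if a else ""
    return entry


def _basename(target: str) -> str:
    t = target.strip()
    if t.startswith('"'):                 # quoted command line: keep only the executable
        t = t[1:].split('"', 1)[0]
    return t.rsplit("\\", 1)[-1]


def _hostname(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def triage(entry: Entry) -> List[str]:
    """Apply the (assumed) heuristics to one entry and record its findings."""
    t, host = entry.target, _hostname(entry.target)
    if entry.kind in ("R0", "R1") and any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
        entry.findings.append(f"IE start/search page points at hijacker domain {host}")
    if t == "(no file)":
        entry.findings.append("registered hook/object has no backing file (orphaned registration)")
    if entry.kind in ("O2", "O3", "O4") and SHORT_NAME_RE.search(t) and WORDY_FILE_RE.match(_basename(t)):
        entry.findings.append("random-word binary under an 8.3-named Program Files directory")
    if entry.kind == "O4" and "RunOnce" in entry.body and SELF_DELETE_RE.search(t):
        entry.findings.append("RunOnce entry that deletes a file at next boot (self-cleanup)")
    if entry.kind == "O16" and IPV4_RE.match(host):
        entry.findings.append(f"ActiveX control downloaded from bare IP address {host}")
    return entry.findings


def triage_log(text: str) -> List[Entry]:
    """Return only the entries that tripped at least one heuristic."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and triage(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.target}")
        for f in e.findings:
            print(f"     - {f}")
```

Run it as-is to see the seven flagged entries from the sample, or feed it a full log via triage_log(open(path).read()). The rules are deliberately narrow: a legitimate multi-word binary such as "Adobe Gamma Loader.exe" is not flagged because it does not live under an 8.3 short-name directory, and well-known vendors' ActiveX downloads pass because they come from hostnames rather than raw IP addresses. Anything it flags is a candidate to check, not a verdict; the thread's own advice to hand the log to a dedicated HijackThis forum still applies.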
Hilary Karp
Guest
Posts: n/a
 
19th Jul 2004
Don't post your log file here. There are specialty forums for that:

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/

Smith1028 wrote:

> I'm running Windows XP Professional v5.1. Here is the log file from the most recent Hijack This scan... none of the items you mentioned are in here...
>
> Logfile of HijackThis v1.97.7
> Scan saved at 4:50:58 PM, on 7/18/2004
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\System32\ibmpmsvc.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\WINDOWS\Explorer.EXE
> C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
> C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
> C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
> C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
> C:\WINDOWS\AGRSMMSG.exe
> C:\WINDOWS\system32\dla\tfswctrl.exe
> C:\WINDOWS\System32\RunDll32.exe
> C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
> C:\Program Files\BroadJump\Client Foundation\CFD.exe
> C:\WINDOWS\System32\IMWEBSTA.EXE
> C:\Program Files\QuickTime\qttask.exe
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\Program Files\Yahoo!\browser\ybrwicon.exe
> C:\Program Files\Support.com\bin\tgcmd.exe
> C:\PROGRA~1\DUMB01~1\Soft Dupe Hide.exe
> C:\Program Files\Messenger\msmsgs.exe
> C:\WINDOWS\System32\ctfmon.exe
> C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
> C:\QUICKENW\QWDLLS.EXE
> C:\PROGRA~1\Yahoo!\browser\ycommon.exe
> C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
> C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
> C:\WINDOWS\System32\Ati2evxx.exe
> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
> C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
> C:\Program Files\Norton AntiVirus\navapsvc.exe
> C:\WINDOWS\System32\QCONSVC.EXE
> C:\WINDOWS\System32\svchost.exe
> C:\Documents and Settings\Lisa Smith\My Documents\HijackThis.exe
>
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/ind...background.htm
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
> O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
> O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
> O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
> O2 - BHO: (no name) - {DDD192CD-5D11-31F3-2438-5F3195CB315A} - C:\PROGRA~1\ERRORS~1\Pile flaw.dll
> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
> O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
> O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
> O3 - Toolbar: IdolObj - {B8A90684-0658-F081-B038-7D849BC04353} - C:\PROGRA~1\ERRORS~1\Pile flaw.dll
> O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
> O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
> O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
> O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
> O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
> O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
> O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
> O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
> O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
> O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
> O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
> O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
> O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
> O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
> O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
> O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
> O4 - HKLM\..\Run: [bait body] C:\PROGRA~1\DUMB01~1\Soft Dupe Hide.exe
> O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
> O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
> O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
> O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
> O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
> O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
> O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
> O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
> O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
> O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
> O9 - Extra button: Yahoo! Login (HKLM)
> O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
> O9 - Extra button: Messenger (HKLM)
> O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
> O9 - Extra button: AIM (HKLM)
> O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
> O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
> O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
> O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.livingnaturally.com/commo...upons/smsx.cab
> O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...5/sdcregie.cab
> O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
> O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
> O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
> O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/29739b2fced0081...p/RdxIE601.cab
> O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
> O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...?37878.4721875
> O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
> O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/ca...ile=stamps.cab
> O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
> O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
> O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
> O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/acc...AcpControl.cab
> O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
>
> Thanks for your help!
>
> Lisa
>
> "Michael D. Alligood" wrote:
>
>
>>Give this a try:
>>
>>Scan with HijackThis again and place a check next to these items:
>>
>>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
>>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
>>R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
>>http://red.clientapps.yahoo.com/cust.../www.yahoo.com
>>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
>>about:blank
>>R3 - URLSearchHook: (no name) - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no
>>file)
>>O2 - BHO: (no name) - {1D97834C-057B-6829-D57E-68EDC18915B8} -
>>C:\PROGRA~1\ACTIVE~1\Cash That.dll
>>O4 - HKLM\..\RunOnce: [_UnwiseNPO] cmd.exe /c del
>>C:\WINNT\system32\n3tpa1.dll
>>O4 - HKLM\..\RunOnce: [_UnwiseNPO_] cmd.exe /c del
>>C:\WINNT\system32\boot0k.dll
>>O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
>>http://download.microsoft.com/downlo...22/wmv9VCM.CAB
>>
>>Make sure that all browser windows and internet links are closed and click
>>'Fix Checked' with HijackThis.
>>
>>Boot into safe mode by tapping the F8 key at restart and choosing 'safe
>>mode' from the menu.
>>
>>Navigate to these files/folders
>>
>>C:\PROGRA~1\ACTIVE~1<--delete this folder, not sure of the full name but it
>>contains the hijacker (Cash That.dll)
>>C:\WINNT\system32\boot0k.dll<--delete this file
>>C:\WINNT\system32\n3tpa1.dll<--delete this file
>>
>>Reboot
>>
>>Download Ad-Aware's free version from the link in my signature.
>>
>>Ad-Aware 6 comes pre-configured with default options that are already ON
>>(green checkmark) ... do not change them. The following are changes that you
>>will need to make to prepare the "Full" custom scan that is recommended for
>>the first look into your computer (instead of a red "x", you will make them
>>a green "checkmark"):
>>Launch the program, and click on the Gear at the top of the start screen to
>>access the preferences/setting window.
>>Click the "Scanning" button.
>>Under Drives & Folders, select "Scan within Archives".
>>Click "Click here to select Drives + folders" and select your installed hard
>>drives.
>>Under Memory & Registry, select all options.
>>Under "Cleaning Engine", select the following:
>>"Let Windows remove files in use after reboot."
>>Click on 'Proceed' to save these Preferences.
>>Now update to the latest reference file. They update these constantly.
>>
>>When you are finished, you will be using the Custom Scan with Memory and
>>Both registry scans ON. Please make sure that you activate IN-DEPTH scanning
>>before you proceed.
>>
>>After you have set up these options, be sure to choose "Custom Scan" not
>>"Smart Scan" and choose next.
>>
>>Let it remove all finds. It will put these in quarantine to back up later if
>>necessary.
>>
>>Reboot once more and post us a fresh HijackThis log.
>>
>>
>>"Smith1028" <(E-Mail Removed)> wrote in message
>>news:6D90BAC8-EA23-4B38-BCA1-(E-Mail Removed)...
>>
>>>My IE browser was hijacked by Search200.com. I used Hijack This and
>>>Ad-Aware and Spybot Search & Destroy...nothing seems to get rid of it. When
>>>I first launch IE instead of opening to my home page it runs something that
>>>sends me out to:
>>>
>>>http://search200.com/passthrough/popupbaropener.html
>>>
>>>It then loads a search bar at the bottom of my screen and tries to open my
>>>start page, which is a local file on my computer, but it doesn't work
>>>because it puts "file://" before the URL.
>>>
>>>I have run Hijack This and deleted the entry over and over again, but it
>>>keeps coming back. I got Spybot-Search & Destroy, and ran that, but it keeps
>>>coming back!
>>>
>>>I removed the following from my registry and it still comes back (after I
>>>shut down and reboot).
>>>
>>>HKEY_USERS\S-1-5-21-1026744355-1238661117-741939197-1005\Software\Microsoft\Search Assistant\ACMru\5603
>>>
>>>Value 0
>>>Name: 000
>>>Type: REG_SZ
>>>Data: search200.com
>>>
>>>But of course, it still came back!! Any help would be greatly appreciated!

 
Hilary Karp
Guest
Posts: n/a
 
19th Jul 2004
..... and I made it worse by including it in my reply to you which you
then did in your reply to me. That's an awful lot of unnecessary
stuff...lol....that's one big reason why logs shouldn't be posted here
and because there are those other sites where the security experts hang out.

Smith1028 wrote:

> Sorry, I posted it because the other responder, Michael Alligood requested that I do so.
>


 