Second Posting - Hijacking of home page by search-for-you.com

[Angie]

My home page seems to have been hijacked by search-for-you.com, have
reset it countless times and deleted everything I can find in the
registry that refers to this but it keeps coming back. Am really fed
up with this and am about to reformat (yuck!) but hoping that someone
will look at my Hijack This log and tell me what, if anything, is safe
to delete etc.

Please.......someone?????

Logfile of HijackThis v1.97.7
Scan saved at 09:38:00, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\DitExp.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\Angela\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
http://www.aldi.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\windows\googletoolbar1.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10}
- (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\windows\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe
-CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program
Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE
/AUTORUN
O4 - HKLM\..\Run: [RegisterDropHandler]
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate
Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ntldr] C:\WINDOWS\System32\ntldr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
/STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler]
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft
ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos
SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search -
res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links -
res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages -
res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: GetMP3 (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111123} -
ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/111.chm::/file.exe
O16 - DPF: {13112111-1224-1141-1451-111111113533} -
file://c:\temp\setup1.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} -
http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38139.4361574074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office
Tools on the Web Control) -
http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class)
- http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk

 

[Compute This Inc]

Go to google and search for CWShredder it is a very small
file you can download that when run will often remove the
Cool.Web.Search tools that hijack IE. here is the link to
the site.
http://www.spywareinfo.com/~merijn/

good luck.

Thomas Waterman
President
Compute This Inc

-----Original Message-----
My home page seems to have been hijacked by search-for- you.com, have
reset it countless times and deleted everything I can find in the
registry that refers to this but it keeps coming back. Am really fed
up with this and am about to reformat (yuck!) but hoping that someone
will look at my Hijack This log and tell me what, if anything, is safe
to delete etc.

Please.......someone?????

Logfile of HijackThis v1.97.7
Scan saved at 09:38:00, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\DitExp.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\Angela\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
http://www.aldi.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644- 206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333- CF10577473F7} -
c:\windows\googletoolbar1.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD- 07CFE51CFF10}
- (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18- 009027A5CD4F} -
c:\windows\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E- 00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32 \VOBREGCheck.exe
-CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program
Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE
/AUTORUN
O4 - HKLM\..\Run: [RegisterDropHandler]
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32 \FlatBed\HotKey.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate
Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ntldr] C:\WINDOWS\System32\ntldr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6 \avgcc32.exe
/STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler]
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32 \ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft
ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos
SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search -
res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links -
res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages -
res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: GetMP3 (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111123} -
ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars- cash.com/clk/111.chm::/file.exe
O16 - DPF: {13112111-1224-1141-1451-111111113533} -
file://c:\temp\setup1.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.in fo.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
http://office.microsoft.com/productupdates/content/opuc.c ab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} -
http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuc tl.CAB?38139.4361574074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/sw
flash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office
Tools on the Web Control) -
http://officeupdate.microsoft.com/TemplateGallery/downloa ds/outc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class)
- http://www2.incredimail.com/contents/setup/downloader/imlo
ader.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia- howmar.co.uk,zeus.axsia-howmar.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia- howmar.co.uk,zeus.axsia-howmar.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia- howmar.co.uk,zeus.axsia-howmar.co.uk
.

 

[Black Wolf Standing]

C:\WINDOWS\htpatch.exe

C:\WINDOWS\Dit.exe
C:\WINDOWS\DitExp.exe

I'm loathe to give advice on deleting files that I know
almost nothing about. But these stand out.
I would try to down load something like SpyWare Nuker
2004. (Or maybe two or three others to cover bases) Use
the free version to scan your system. Then it's up to you
if you want to purchase it or manually delete the
programs, registry entries, or cookies. Remember to run
any scanner while logged into each of your personalities.
HKEY_CURRENT_USER is probably different for each of your
personalities, especially if you been down loading and
surfing in one personality a lot.