Browser has been hijacked

[randy]

My browser has been hijacked by smut fantasies.com.
Attached is the hijack this log. What can I do to correct
the problem?

Logfile of HijackThis v1.97.7
Scan saved at 12:54:07 PM, on 3/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\SYSTEM32\PDFCreatorMessages.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network
Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared
Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Adaptec
Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5
\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnd.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Hewlett-Packard\Digital
Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnf.exe
C:\Program Files\activePDF\Composer\APClient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\system32\OnSrvr.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Broadband
Networking\MSBNTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\wkcalrem.exe
C:\WINNT\System32\HPHipm11.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Common
Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://smut-
fantasies.net/search/small.html
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://smut-
fantasies.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://search-click.com/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://search-
click.com/search.html
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet
Explorer,CustomizeSearch = http://www.008i.com/search.html
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {00F16DC8-1B2A-42F4-B18B-
E21DA9D2D7FD} - C:\PROGRA~1\COMMON~1\IESERV~1\01A00.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winshow\winshow.dll
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winlink\winlink.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-
1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-
11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-
29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager]
mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program
Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program
Files\McAfee\McAfee Shared
Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common
Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program
Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1
\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32
\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP
Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program
Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-
Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
O4 - HKLM\..\Run: [AdobeFonts] C:\WINNT\Fonts\fonts.hta
O4 - HKLM\..\Run: [APCOMPOSERClient] C:\Program
Files\activePDF\Composer\APClient.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -
cnetwait.odl
O4 - HKCU\..\Run: [OnSrvr] C:\WINNT\system32\OnSrvr.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25
\InstallStub.exe -a
O4 - Global Startup: Digital Line Detect.lnk = C:\Program
Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk =
C:\Program Files\Microsoft Broadband
Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar
Reminders.lnk = C:\Program Files\Common Files\Microsoft
Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program
Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: QuickBooks Update Agent.lnk =
C:\Program Files\Common
Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} -
http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swf
lash.cab

 

[Don Varnau]

Randy,
Download and run, in this order:

CWShredder http://www.spywareinfo.com/~merijn/downloads.html

Then download, install, *update* and run both of these programs:
Ad-aware from http://www.lavasoft.de/software/adaware/
Spybot from http://security.kolla.de/ (Remove items listed in red-others are
optional.)
Both programs should be updated after installation- before use.

Additional information, including security tips, at:
Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm

Many of the spyware removal experts will be found in forums such as these:
http://www.wilderssecurity.com/
http://amazingtechs.com/index.php?act=idx
http://forum.mvps.org/
http://www.lavasoftsupport.com/
http://www.spywareinfo.com/forums/
http://www.net-integration.net/forums.html


Don
--
MVP IE/OE
Please reply to the newsgroup so that others may participate.

My browser has been hijacked by smut fantasies.com.
Attached is the hijack this log. What can I do to correct
the problem?

Logfile of HijackThis v1.97.7
Scan saved at 12:54:07 PM, on 3/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

[snip]

 

[siljaline]

My browser has been hijacked by smut fantasies.com.
Attached is the hijack this log. What can I do to correct
the problem?

<snip>

Please re-post your HijackThis Log to a security Forum for expert analysis.
http://www.spywareinfo.com/forums/
http://www.computercops.biz/forums.html
http://boards.cexx.org/
http://forum.mvps.org/

HTH

~Silj

--
siljaline

MS - MVP Windows IE/OE
______________________

(Reply to group, as return address
is invalid - that we may all benefit)

 

[war17]

Wow! Some search sites have really got hold of your computer. First, run CW
Shredder program.

CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html

Whatever is left, check the following items in the HijackThis log and have
HijackThis remove them.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://smut-
fantasies.net/search/small.html
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://smut-
fantasies.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://search-click.com/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://search-
click.com/search.html
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet
Explorer,CustomizeSearch = http://www.008i.com/search.html
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {00F16DC8-1B2A-42F4-B18B-
E21DA9D2D7FD} - C:\PROGRA~1\COMMON~1\IESERV~1\01A00.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winshow\winshow.dll
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winlink\winlink.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-
1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-
11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-
29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

Uninstall Plaxo from Control Panel > Add/Remove Programs and make sure this
item is remove from HT log

O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} -
http://down.plaxo.com/down/release/instub.cab


--
Warren
For additional help, post in
http://groups.msn.com/HelpforInternetExplorerorWindowsME/homepage

My browser has been hijacked by smut fantasies.com.
Attached is the hijack this log. What can I do to correct
the problem?

Logfile of HijackThis v1.97.7
Scan saved at 12:54:07 PM, on 3/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\SYSTEM32\PDFCreatorMessages.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network
Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared
Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Adaptec
Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5
\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnd.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Hewlett-Packard\Digital
Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnf.exe
C:\Program Files\activePDF\Composer\APClient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\system32\OnSrvr.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Broadband
Networking\MSBNTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\wkcalrem.exe
C:\WINNT\System32\HPHipm11.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Common
Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://smut-
fantasies.net/search/small.html
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://smut-
fantasies.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://search-click.com/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://search-
click.com/search.html
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet
Explorer,CustomizeSearch = http://www.008i.com/search.html
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {00F16DC8-1B2A-42F4-B18B-
E21DA9D2D7FD} - C:\PROGRA~1\COMMON~1\IESERV~1\01A00.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winshow\winshow.dll
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winlink\winlink.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-
1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-
11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-
29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager]
mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program
Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program
Files\McAfee\McAfee Shared
Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common
Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program
Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1
\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32
\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP
Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program
Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-
Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
O4 - HKLM\..\Run: [AdobeFonts] C:\WINNT\Fonts\fonts.hta
O4 - HKLM\..\Run: [APCOMPOSERClient] C:\Program
Files\activePDF\Composer\APClient.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -
cnetwait.odl
O4 - HKCU\..\Run: [OnSrvr] C:\WINNT\system32\OnSrvr.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25
\InstallStub.exe -a
O4 - Global Startup: Digital Line Detect.lnk = C:\Program
Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk =
C:\Program Files\Microsoft Broadband
Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar
Reminders.lnk = C:\Program Files\Common Files\Microsoft
Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program
Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: QuickBooks Update Agent.lnk =
C:\Program Files\Common
Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} -
http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swf
lash.cab

 

[randy]

Thank you,

That fixed it but several things have been deleted from
the registry editor. How do I get them back. Default
Page URL, Search page,search bar, search assistant etc.
Do I need them?

Thank you,

Randy

-----Original Message-----
Wow! Some search sites have really got hold of your computer. First, run CW
Shredder program.

CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html

Whatever is left, check the following items in the HijackThis log and have
HijackThis remove them.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://smut-
fantasies.net/search/small.html
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://smut-
fantasies.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://search-click.com/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://search-
click.com/search.html
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet
Explorer,CustomizeSearch = http://www.008i.com/search.html
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {00F16DC8-1B2A-42F4-B18B-
E21DA9D2D7FD} - C:\PROGRA~1\COMMON~1\IESERV~1\01A00.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winshow\winshow.dll
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winlink\winlink.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-
1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888- 423F-
11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-
29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

Uninstall Plaxo from Control Panel > Add/Remove Programs and make sure this
item is remove from HT log

O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} -
http://down.plaxo.com/down/release/instub.cab


--
Warren
For additional help, post in
http://groups.msn.com/HelpforInternetExplorerorWindowsME/h omepage

My browser has been hijacked by smut fantasies.com.
Attached is the hijack this log. What can I do to correct
the problem?

Logfile of HijackThis v1.97.7
Scan saved at 12:54:07 PM, on 3/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\SYSTEM32\PDFCreatorMessages.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network
Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared
Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Adaptec
Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5
\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnd.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Hewlett-Packard\Digital
Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnf.exe
C:\Program Files\activePDF\Composer\APClient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\system32\OnSrvr.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Broadband
Networking\MSBNTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\wkcalrem.exe
C:\WINNT\System32\HPHipm11.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Common
Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://smut-
fantasies.net/search/small.html
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://smut-
fantasies.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://search- click.com/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://search-
click.com/search.html
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet
Explorer,CustomizeSearch = http://www.008i.com/search.html
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716- B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {00F16DC8-1B2A-42F4-B18B-
E21DA9D2D7FD} - C:\PROGRA~1\COMMON~1\IESERV~1\01A00.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winshow\winshow.dll
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winlink\winlink.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-
1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888- 423F-
11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0- A59F-
29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager]
mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32 \igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32 \hkcmd.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program
Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program
Files\McAfee\McAfee Shared
Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common
Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program
Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1
\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32
\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32 \hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP
Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program
Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-
Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
O4 - HKLM\..\Run: [AdobeFonts] C:\WINNT\Fonts\fonts.hta
O4 - HKLM\..\Run: [APCOMPOSERClient] C:\Program
Files\activePDF\Composer\APClient.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -
cnetwait.odl
O4 - HKCU\..\Run: [OnSrvr] C:\WINNT\system32\OnSrvr.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25
\InstallStub.exe -a
O4 - Global Startup: Digital Line Detect.lnk = C:\Program
Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk =
C:\Program Files\Microsoft Broadband
Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar
Reminders.lnk = C:\Program Files\Common Files\Microsoft
Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program
Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: QuickBooks Update Agent.lnk =
C:\Program Files\Common
Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} -
http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swf
lash.cab

.

 

[Frank Saunders, MS-MVP]

Thank you,

That fixed it but several things have been deleted from
the registry editor. How do I get them back. Default
Page URL, Search page,search bar, search assistant etc.
Do I need them?

Thank you,

Randy

-----Original Message-----
Wow! Some search sites have really got hold of your computer. First,
run CW Shredder program.

CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html

Whatever is left, check the following items in the HijackThis log
and have HijackThis remove them.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://smut-
fantasies.net/search/small.html
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://smut-
fantasies.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://search-click.com/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://search-
click.com/search.html
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet
Explorer,CustomizeSearch = http://www.008i.com/search.html
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {00F16DC8-1B2A-42F4-B18B-
E21DA9D2D7FD} - C:\PROGRA~1\COMMON~1\IESERV~1\01A00.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winshow\winshow.dll
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winlink\winlink.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-
1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888- 423F-
11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-
29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

Uninstall Plaxo from Control Panel > Add/Remove Programs and make
sure this item is remove from HT log

O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} -
http://down.plaxo.com/down/release/instub.cab


--
Warren
For additional help, post in
http://groups.msn.com/HelpforInternetExplorerorWindowsME/h omepage

My browser has been hijacked by smut fantasies.com.
Attached is the hijack this log. What can I do to correct
the problem?

Logfile of HijackThis v1.97.7
Scan saved at 12:54:07 PM, on 3/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\SYSTEM32\PDFCreatorMessages.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network
Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared
Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Adaptec
Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5
\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnd.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Hewlett-Packard\Digital
Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnf.exe
C:\Program Files\activePDF\Composer\APClient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\system32\OnSrvr.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Broadband
Networking\MSBNTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\wkcalrem.exe
C:\WINNT\System32\HPHipm11.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Common
Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://smut-
fantasies.net/search/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://smut-
fantasies.net/search/small.html
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://smut-
fantasies.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smut-fantasies.net/search/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://search- click.com/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://search-
click.com/search.html
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet
Explorer,CustomizeSearch = http://www.008i.com/search.html
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716- B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {00F16DC8-1B2A-42F4-B18B-
E21DA9D2D7FD} - C:\PROGRA~1\COMMON~1\IESERV~1\01A00.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winshow\winshow.dll
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-
28BA1851E39A} - C:\Documents and Settings\Celeen
Miller\Application Data\winlink\winlink.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-
1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888- 423F-
11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0- A59F-
29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager]
mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32 \igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32 \hkcmd.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program
Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program
Files\McAfee\McAfee Shared
Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common
Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program
Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1
\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32
\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32 \hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP
Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-
Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program
Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-
Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
O4 - HKLM\..\Run: [AdobeFonts] C:\WINNT\Fonts\fonts.hta
O4 - HKLM\..\Run: [APCOMPOSERClient] C:\Program
Files\activePDF\Composer\APClient.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -
cnetwait.odl
O4 - HKCU\..\Run: [OnSrvr] C:\WINNT\system32\OnSrvr.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25
\InstallStub.exe -a
O4 - Global Startup: Digital Line Detect.lnk = C:\Program
Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk =
C:\Program Files\Microsoft Broadband
Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar
Reminders.lnk = C:\Program Files\Common Files\Microsoft
Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program
Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: QuickBooks Update Agent.lnk =
C:\Program Files\Common
Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} -
http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swf
lash.cab

.

See http://www.mvps.org/inetexplorer/answers.htm#search_engine

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/