Evil coolsearch spyware. Help!

[Harley]

I've been checking this message board and others seem to
have the same problem but mine seems to go a step further.

Whenever I open explorer coolsearch or search-4-you.com
comes up as my homepage. It also adds some links to my
favorites. Whenever I try to enter a web address into
the address bar, it just goes back to the coolsearch
website. I've downloaded adaware, spybot and
spyblaster. I've got three profiles on one computer so I
run the programs on all three (after changing back my
homepages and removing the links) and things work just
fine. I can search the net with the address bar, my
homepage is intact etc.

Then, the following morning when I wake up - it's back!
I tried testing it last night by moving my clock forward
so that "another day" would occur at midnight and the
date change didn't cause it to come back. It's as if
there is a time bomb and it resets every x number of
hours.

What else can I do? Thanks for your help. Another note
from some previous virus, one of my profiles is missing
the Tools, Internet Options, general tab.

 

[war17]

Your homepage has been highjacked. Use CWShredder to get rid it.

http://www.spychecker.com/program/cwshredder.html

If still no joy, download HijackThis from Spywareinfo download page

http://www.spywareinfo.com/downloads.php

Run the program and you will find many entries. Most are OK. Post the log. I
will find the problem for you.

 

[Harley]

Here's the log from hijackthis. I haven't used shredder
yet. I found a site called computercops.biz that showed
what these mean and I removed the R1 and R0 sites with
the bad homepages as well as the O13s. I'm crossing my
fingers as I get ready to reboot and/or go to bed to see
what greets me in the morning.

Thank you for your help.


Logfile of HijackThis v1.97.7
Scan saved at 11:34:24 PM, on 1/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Harley\Local
Settings\Temp\Temporary Directory 1 for
hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL
= http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://www.nkvd.us/s.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.nkvd.us/1503/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page = http://www.nkvd.us/s.htm
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
http://www.nkvd.us/s.htm
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://www.nkvd.us/s.htm
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) = about:blank
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection
Wizard,Shellnext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://www.nkvd.us/s.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://www.nkvd.us/s.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0
\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-
CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-
009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32
\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32
\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program
Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program
Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1
\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [InCD] C:\Program
Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32
\NeroCheck.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program
Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All
Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program
Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program
Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program
Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 8.0 Tray Icon.lnk =
C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet
Explorer\Control Panel present
O8 - Extra context menu item: &Google Search -
res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links -
res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages -
res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page -
res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O13 - Home Prefix: http://www.nkvd.us/1503/
O13 - Mosaic Prefix: http://www.nkvd.us/1503/
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 -
http://chat.rtsports.com:443/Java/cs4fs084.cab
O16 - DPF: PeopleSoft Java Client v7.63i -
https://hronline.wamu.net/javaclientPROD/javaclient_du.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab

 

[Harley]

Here's what it looks like after I removed those initial
listings. After I rebooted, it came back.

Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 12:35:09 AM, on 1/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\winlogon.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Harley\Local
Settings\Temp\Temporary Directory 4 for
hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://find4u.net/spb.htm
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = http://find4u.net/indexb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://find4u.net/indexb.htm
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://find4u.net/spb.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) = http://find4u.net/indexb.htm
R1 - HKCU\Software\Microsoft\Internet Connection
Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0
\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-
CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-
009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32
\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32
\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program
Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program
Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1
\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [InCD] C:\Program
Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32
\NeroCheck.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program
Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All
Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program
Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program
Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program
Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 8.0 Tray Icon.lnk =
C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Google Search -
res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links -
res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages -
res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page -
res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 -
http://chat.rtsports.com:443/Java/cs4fs084.cab
O16 - DPF: PeopleSoft Java Client v7.63i -
https://hronline.wamu.net/javaclientPROD/javaclient_du.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab

 

[DVarnau]

Harley,
Run CWShredder. The other programs don't remove coolwebsearch variants
completely.

Go to http://mvps.org/winhelp2002/unwanted.htm for security and other
recommendations and help with the missing General tab.

Don
--
Newsgroup replies preferred, but e-mail address is...
don_04[at]varnau[dot]org
- - - - - - - - - -

Here's the log from hijackthis. I haven't used shredder
yet. >

Logfile of HijackThis v1.97.7
Scan saved at 11:34:24 PM, on 1/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

[SNIP]

 

[H Leboeuf]

You have at least this trojan still in your computer.

Hazzer backdoor.
=================
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hazzer.html

Here's what it looks like after I removed those initial
listings. After I rebooted, it came back.

Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 12:35:09 AM, on 1/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\winlogon.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Harley\Local
Settings\Temp\Temporary Directory 4 for
hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://find4u.net/spb.htm
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = http://find4u.net/indexb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://find4u.net/indexb.htm
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://find4u.net/spb.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) = http://find4u.net/indexb.htm
R1 - HKCU\Software\Microsoft\Internet Connection
Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0
\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-
CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-
009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32
\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32
\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program
Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program
Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1
\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [InCD] C:\Program
Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32
\NeroCheck.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program
Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All
Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program
Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program
Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program
Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 8.0 Tray Icon.lnk =
C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Google Search -
res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links -
res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages -
res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page -
res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 -
http://chat.rtsports.com:443/Java/cs4fs084.cab
O16 - DPF: PeopleSoft Java Client v7.63i -
https://hronline.wamu.net/javaclientPROD/javaclient_du.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab

-----Original Message-----
Your homepage has been highjacked. Use CWShredder to get rid it.

http://www.spychecker.com/program/cwshredder.html

If still no joy, download HijackThis from Spywareinfo download page

http://www.spywareinfo.com/downloads.php

Run the program and you will find many entries. Most are OK. Post the log. I
will find the problem for you.

--
Warren
For additional help, post in
http://groups.msn.com/HelpforInternetExplorerorWindowsME/ homepage




.