My browser is hijacked can anyone help me?

Ami

Hello,
My browser has been hijacked by "web search"
I ran Spybot S&D and spy ware X-terminator, I got rid of a lot of
nasty stuff (ad ware and the like) but my browser is still hijacked. I
ran "hijack this" but I haven't a clue what to do with the info....
Can someone tell me what I have to get rid of??

I would appreciate any help at all.
Thanks
Amina


This is the log file from Hijack This:

Logfile of HijackThis v1.97.7
Scan saved at 1:47:00 PM, on 11/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\BCMWLTRY.EXE
C:\PROGRAM FILES\PICASA\PICASAMEDIADETECTOR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\PPMEMCHECK.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\PPCONTROL.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\COOKIEPATROL.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\OUTLOOK.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}
- C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program
Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE"
-atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton
SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK
2\Ssk.exe
O4 - HKLM\..\Run: [PPMemCheck]
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center]
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol]
C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common
Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common
Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton
SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton
SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program
Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [Tsa2] C:\PROGRAM FILES\COMMON FILES\TSA\TSM2.EXE
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK
2\Ssk.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msedpb.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program
Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English -
res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38229.7607407407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj
Object) - http://www.odysseusmarketing.com/actsetup.cab
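The log above is easier to work with once the newsreader's line wrapping is undone, and a few mechanical checks pick out the entries a helper would look at first: registrations whose DLL is gone, autostart entries pointing at a component named elsewhere in this thread, and ActiveX controls pulled from hosts other than Microsoft's or Macromedia's. The Python script below is an added example written for this page, not part of the original post and not a HijackThis feature. Its sample log is an excerpt of the one posted above with the wrapping kept; the host allowlists and the "per-user autostart from the system directory" heuristic are assumptions for illustration and mark entries for review, not as malicious.

```python
"""Triage helper for a HijackThis 1.x log pasted into a newsgroup post.

Newsreaders wrap long lines at a space, so one log entry often spans two
lines; the helper rejoins them, then applies a few heuristics to pick out
the entries worth checking before anything is "fixed".
"""
import re
from dataclasses import dataclass

# Excerpt of the log posted above, reproduced with the same line wrapping.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.cnn.com/
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}
- C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK
2\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK
2\Ssk.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msedpb.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj
Object) - http://www.odysseusmarketing.com/actsetup.cab
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Assumed allowlists: hosts a start/search page or an ActiveX download is
# expected to come from. Anything else is reported for review, not condemned.
EXPECTED_PAGE_HOSTS = ("microsoft.com", "google.com", "cnn.com")
TRUSTED_DOWNLOAD_HOSTS = ("microsoft.com", "macromedia.com")
# Component names identified as a hijacker elsewhere in this thread.
HIJACKER_MARKERS = ("surfsidekick",)


@dataclass
class Finding:
    code: str      # HijackThis section, e.g. "R3" or "O4"
    entry: str     # the rejoined entry text
    reasons: list  # why it was flagged


def rejoin_entries(text):
    """Return [(code, body)] with newsreader-wrapped lines joined back together."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2).strip()])
        elif entries:
            # A line without a section code continues the previous entry; the
            # wrap happened at a space, so a space restores the original text.
            # Header and process-list lines before the first entry are skipped.
            entries[-1][1] += " " + line
    return [(code, body) for code, body in entries]


def host_of(text):
    m = re.search(r"https?://([^/\s]+)", text)
    return m.group(1).lower() if m else ""


def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(text):
    """Apply the review heuristics to every entry and return the flagged ones."""
    findings = []
    for code, body in rejoin_entries(text):
        low = body.lower()
        reasons = []
        if any(marker in low for marker in HIJACKER_MARKERS):
            reasons.append("component named as a hijacker in this thread")
        if "(file missing)" in low:
            reasons.append("registration points at a DLL that is no longer on disk")
        host = host_of(body)
        if code.startswith("R") and host and not in_domains(host, EXPECTED_PAGE_HOSTS):
            reasons.append(f"start/search page set to unexpected host {host}")
        if code == "O16" and not in_domains(host, TRUSTED_DOWNLOAD_HOSTS):
            reasons.append(f"ActiveX control installed from third-party host {host}")
        if code == "O4" and low.startswith("hkcu\\..\\run") and "\\windows\\system\\" in low:
            reasons.append("per-user autostart of a binary in the system directory; verify its publisher")
        if reasons:
            findings.append(Finding(code, body, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.entry}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the excerpt this reports the three SurfSideKick lines (the orphaned URLSearchHook plus the HKLM and HKCU Run values), the odysseusmarketing.com ActiveX install and the per-user msedpb.exe autostart, while the Google, Symantec, CNN and Macromedia entries pass untouched. Anything flagged still needs a human decision; the script only narrows the list.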
 
Coffeecoco930

I can't answer your question, but I can recommend you buy ZoneAlarm Security Suite 5.5. That problem will be eliminated.

Coffeecoco930

Ami said:
Hello,
My browser has been hijacked by "web search"
I ran Spybot S&D and spy ware X-terminator, I got rid of a lot of
nasty stuff (ad ware and the like) but my browser is still hijacked. I
ran "hijack this" but I haven't a clue what to do with the info....
Can someone tell me what I have to get rid of??

I would appreciate any help at all.
Thanks
Amina

 
Yddap

Coffeecoco930 said:
I can't answer your question, but I can recommend you buy ZoneAlarm
Security Suite 5.5. That problem will be eliminated.

Coffeecoco930




stop posting in HTML and someone might reply
:-(
 
David H. Lipman

Please read the following News Group Charter...
http://www.stormpages.com/eaegis/antivirus.htm

Pertinent clause:
"The following are also prohibited:

HTML or Rich Text formatted posts. All posts (messages) must be in plain text only and be
human-readable."

Dave




I can't answer your question, but I can recommend you buy ZoneAlarm Security Suite 5.5.
That problem will be eliminated.

Coffeecoco930
 
David H. Lipman

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt269.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *

Dave





| Hello,
| My browser has been hijacked by "web search"
| I ran Spybot S&D and spy ware X-terminator, I got rid of a lot of
| nasty stuff (ad ware and the like) but my browser is still hijacked. I
| ran "hijack this" but I haven't a clue what to do with the info....
| Can someone tell me what I have to get rid of??
|
| I would appreciate any help at all.
| Thanks
| Amina
|
 
Randy

Ami said:
Hello,
My browser has been hijacked by "web search"
I ran Spybot S&D and spy ware X-terminator, I got rid of a lot of
nasty stuff (ad ware and the like) but my browser is still hijacked. I
ran "hijack this" but I haven't a clue what to do with the info....
Can someone tell me what I have to get rid of??

I would appreciate any help at all.
Thanks
Amina


This is the log file from Hijack This:

Logfile of HijackThis v1.97.7
Scan saved at 1:47:00 PM, on 11/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

snipped log


Found this info at http://www.scanspyware.net/info/SurfSideKick.htm

SurfSideKick is a Hijacker that installs as a URLSearchHook and also
runs a process at startup (ssk.exe)

Delete the following directories:

SurfSideKick 2


Delete the following files:

Ssk.exe
SskBho.dll
SskCore.dll
SskUpdater.exe
Sskuknwrd.dll


Delete the following registry keys:

SSK_B5.EXE
Internet Explorer
SurfSideKick2
SurfSideKick2
{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}
{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}
Surf SideKick
SSK_B5.EXE

Delete the following registry values:

{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}
{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}
{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}
SurfSideKick 2
SurfSideKick 2
SurfSideKick 2
%programfilesdir%\SurfSideKick 2\Ssk.exe
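The list above names the registry keys and values without their paths. Where they sit can be recovered from the HijackThis entries earlier in the thread: the O4 lines abbreviate HKLM\..\Run and HKCU\..\Run for the Windows\CurrentVersion\Run keys, the R3 line is a URLSearchHooks registration under HKCU\Software\Microsoft\Internet Explorer, and the CLSID it carries also has its own key under HKEY_CLASSES_ROOT\CLSID. The script below is an added example, not from the original post or from scanspyware.net: it reads a regedit export, finds every key and value that mentions the SurfSideKick indicators, and writes a .reg deletion script. The hijacker's own CLSID key is removed whole, but under shared keys such as Run only the matching value is removed, so the legitimate autostart entries beside it (ccApp, the Norton tools) survive. The export is constructed to match the log and the indicator list is an assumption drawn from it.

```python
"""Build a removal plan for the SurfSideKick indicators from a regedit export.

Output uses regedit's own deletion syntax: "[-KEY]" removes a whole key and
'"name"=-' removes one value, so the plan can be reviewed, then merged.
"""
import re

# Assumed indicators, taken from the HijackThis log in this thread.
INDICATORS = (
    "{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}",  # the R3 URLSearchHook CLSID
    "surfsidekick",                            # product/directory name
    "ssk.exe",
    "sskbho.dll",
)

# Constructed Win9x-format (REGEDIT4) export modelled on the log; not a real dump.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SurfSideKick 2"="C:\\PROGRAM FILES\\SURFSIDEKICK 2\\Ssk.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SurfSideKick 2"="C:\\PROGRAM FILES\\SURFSIDEKICK 2\\Ssk.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}"=""

[HKEY_CLASSES_ROOT\CLSID\{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}]

[HKEY_CLASSES_ROOT\CLSID\{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}\InprocServer32]
@="C:\\PROGRAM FILES\\SURFSIDEKICK 2\\SskBho.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"Locked"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unquote(s):
    """Strip the quotes from a .reg string literal and undo its backslash escapes."""
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s


def parse_reg(text):
    """Yield (key, name, data) per value; a key with no values yields (key, None, None).

    Default values get name "". Continuation lines of hex() values (ending in a
    backslash) match neither pattern and are skipped; they are not needed here.
    """
    key, has_values = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4" \
                or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            if key is not None and not has_values:
                yield key, None, None
            key, has_values = km.group(2), False
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            name = "" if vm.group(1) == "@" else unquote(vm.group(1))
            yield key, name, unquote(vm.group(2))
            has_values = True
    if key is not None and not has_values:
        yield key, None, None


def removal_plan(text, indicators=INDICATORS):
    """Return (keys_to_delete, values_to_delete) for every indicator hit in the export."""
    inds = tuple(i.lower() for i in indicators)
    keys, values = [], []
    for key, name, data in parse_reg(text):
        parts = key.split("\\")
        # The topmost path component naming the hijacker marks a key it owns:
        # delete that key once (subkeys go with it) rather than each subkey.
        owned = next((i for i, p in enumerate(parts)
                      if any(ind in p.lower() for ind in inds)), None)
        if owned is not None:
            top = "\\".join(parts[: owned + 1])
            if top not in keys:
                keys.append(top)
            continue
        # Under a shared key, delete only the value that names or runs the hijacker.
        if name is not None and any(ind in name.lower() or ind in data.lower() for ind in inds):
            values.append((key, name))
    return keys, values


def to_reg_script(keys, values):
    """Render the plan as a .reg file in deletion syntax (REGEDIT4 header works on Win9x and later)."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines += [f"[-{key}]", ""]
    by_key = {}
    for key, name in values:
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines += [f'"{n}"=-' if n else "@=-" for n in names]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_reg_script(*removal_plan(SAMPLE_REG)))
```

Export the relevant hives first (regedit, Registry, Export), review the generated plan, and merge it from Safe Mode so Ssk.exe is not running while its entries go; then delete the SurfSideKick 2 directory and reboot. The hits under Run and URLSearchHooks come out as single "name"=- lines, which is the point: deleting those keys wholesale would take the Symantec and other legitimate autostart values with them.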
 
Anonymous via Panta Rhei

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt269.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *

Dave


Why do you not include CWShredder in your recommendations?
Especially when the problem looks like CWShredder can help.

Free download:
http://www.intermute.com/spysubtract/cwshredder_download.html

~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified. You need a valid hashcash token to post to groups other
than alt.test and alt.anonymous.messages. Visit www.panta-rhei.dyndns.org
for abuse and hashcash info.
 
siljaline

Ami said:
Hello,
My browser has been hijacked by "web search"
I ran Spybot S&D and spy ware X-terminator, I got rid of a lot of
nasty stuff (ad ware and the like) but my browser is still hijacked. I
ran "hijack this" but I haven't a clue what to do with the info....
Can someone tell me what I have to get rid of??

I would appreciate any help at all.
Thanks
Amina

<snip>
http://aumha.org/a/quickfix.php

Silj
 
_Vanguard_

Ami said:
Hello,
My browser has been hijacked by "web search"
I ran Spybot S&D and spy ware X-terminator, I got rid of a lot of
nasty stuff (ad ware and the like) but my browser is still hijacked. I
ran "hijack this" but I haven't a clue what to do with the info....
Can someone tell me what I have to get rid of??

Cannot identify unknown processes but simply point them out for you to
check. However, you should run msconfig.exe to see what programs are
listed in the Startup tab, and it also shows the path to the program so
you can see which processes got loaded by what program. Also, run the
services.msc utility to see what NT services are running, and the
properties of each will tell you what that service used to load itself.
You can also do a Google search on a task or process name to find out
what it does, and find sites, like
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm that
describe many of them (some of the descriptions below are from there).
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
The Windows 32-bit Message Server for Windows 95/98/ME. This essential
program normally never appears in the Ctrl+Alt+Del Task List in
Windows 95/98/ME unless it has "hung".
C:\WINDOWS\SYSTEM\MPREXE.EXE
This is the Windows Multiple Provider Router. This program allows
Windows 9x/ME to have more than one network client, protocol, or
adapter - its function is to route network requests between the
different adapters and clients. MPREXE runs transparently and will only
appear in your Ctrl+Alt+Del Task List if there is a problem that has
caused it to hang.
C:\WINDOWS\SYSTEM\mmtask.tsk
Background task installed by MusicMatch Jukebox and which detects the
insertion or removal of a CD so that MusicMatch Jukebox can update its
display accordingly. You really need this JUNK to get loaded on Windows
startup?
C:\WINDOWS\SYSTEM\MSTASK.EXE
The Windows Tasks Scheduler, also called the Scheduling Agent.
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
This is Symantec's stuff (you have their Systemworks stuff loading, like
Norton's Recycle Bin and Cleansweep monitoring your drives). If you
schedule Cleansweep to clean your drives, you don't need to waste the
resources to leave it running all the time. Hopefully you aren't
running their piggish System Doctor which does a bunch of monitoring.
C:\WINDOWS\EXPLORER.EXE
The instance of explorer.exe used to provide the desktop GUI.
C:\WINDOWS\TASKMON.EXE
The Windows Task Monitor. In theory the Task Monitor monitors your hard
disks accesses. First introduced in Windows 98, and also implemented
in Windows ME, but in no other versions of Windows. This task, like the
notorious FindFast, is a useless task.
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
This program runs the Windows System Tray, which is that part of the
Task Bar where the Time is displayed. You may have the
Backdoor.IRC.Mutebot virus, or one of the many other viruses which
pose as SYSTRAY, particularly if this entry is found on the Startups
tab; anti-virus software will catch it.
C:\WINDOWS\SYSTEM\BCMWLTRY.EXE
Don't know this one. You'll have to see if it is listed in msconfig.exe
or services.msc as something that gets loaded on startup. Since this is
Windows 9x/ME, also check autoexec.bat, config.sys, win.ini (in the Run=
and Load= lines), and the Task Scheduler (for events scheduled to run on
startup or login).
C:\PROGRAM FILES\PICASA\PICASAMEDIADETECTOR.EXE
Some fluff software you probably decided to load on startup, or from
some software you installed that loads itself because, of course, it is
so important that it must always be running and consuming resources.
C:\WINDOWS\SYSTEM\QTTASK.EXE
Superfluous check program loaded by Apple's Quicktime. It is NOT
required to run Quicktime. Disable it in msconfig.exe.
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
Symantec's Norton AntiVirus transparent proxy.
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\PPMEMCHECK.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\PPCONTROL.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\COOKIEPATROL.EXE
Looks like you have PestPatrol running. When submitting a HijackThis
logfile for analysis by other users, stop all programs for which you
already know their function, like PestPatrol, anti-virus programs,
firewalls, WinPatrol, SpywareGuard, or whatever else you use to protect
your system. We really don't need to look at those.
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
Looks like you waste resources running System Doctor or have Cleansweep
monitoring your disk usage.
C:\WINDOWS\SYSTEM\WMIEXE.EXE
Microsoft's Windows Management Instrumentation (WMI). Windows
Management Instrumentation provides a standard Windows programming
method of accessing system information, performance information, event
monitors, and application monitors.
C:\WINDOWS\SYSTEM\SPOOL32.EXE
Spooler Sub System Process for Windows 95/98/ME. SPOOL32 is a hidden
task, a task that does not show up when you press Ctrl+Alt+Del.
C:\WINDOWS\SYSTEM\DDHELP.EXE
Microsoft's DirectDraw Helper - DirectDraw is a component of DirectX.
Under Windows 95/98/ME DirectDraw is loaded into memory and managed by
DDHELP. DDHELP runs as a transparent process.
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
You left Internet Explorer running while running HijackThis. Why?
Perhaps you have a hung instance that unloaded its window but stuck in
memory. However, some malware will open a "hidden" instance of IE (by
loading it *without* a window) so it can then run a timer within a
script to generate popups later.
C:\WINDOWS\SYSTEM\PSTORES.EXE
Protected Storage Server (under Win9x/ME). It is invoked by Microsoft
Internet programs such as Outlook Express and Internet Explorer, to
securely store a variety of secure and confidential data into the
registry, such as Outlook Express passwords, SSL certificates,
auto-complete fields (usernames and passwords to enter websites, etc...)
and web forms data - and why, when it screws up, users sometimes end up
having to edit the protected storage key in the registry to get
passwords remembered again.
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
You have Microsoft's Windows Media Player currently open. Like I
said, don't leave open or running every process whose function you
already know. Why leave your system polluted with all these
superfluous running programs when you already know what they do?

C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

Obviously the HijackThis program to produce this logfile.

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

Another [hidden] instance of Internet Explorer?

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\OUTLOOK.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE

You left Word and Outlook loaded, too, when running HijackThis?
However, Microsoft has never fixed the problem, even in their latest
versions, that occasionally when you ask them to unload that they get
stuck. Their windows disappear but sometime later Word or Outlook (and
sometimes Outlook Express) will hang but the dispatcher won't kill them.
If you have exited Word, Outlook, or Outlook Express and notice peculiar
behavior in your system then check Task Manager and kill these stuck
processes.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.google.com

Looks like you have the Google toolbar installed and told it to
configure your search to default to using Google.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.cnn.com/

Well, each to his own as to what he wants for a "home" page when
starting their browser.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

This is leftover crap from the install of Windows. It is their "intro"
page the first time you load IE despite what you have configured under
your HKCU copy of the registry key. Oh, yeah, we all need handholding
after a Windows install ... not!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Don't see much that I wouldn't expect there.

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}
- C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL (file missing)

Well, looks like you are infected with SurfSideKick!!!

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

Adobe's Acrobat Reader BHO (browser helper object for IE).

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

Looks like you chose to enable Spybot's Immunize BHO. This
checks/alerts/blocks when something in a web page is on their nasty
list. Unfortunately, you cannot configure Spybot's BHO to alert/block
on only bad sites and NOT on domains for cookies, so if a "bad" site
wants to save a cookie then you get alerted or it gets blocked although
there are much better cookie managers available.

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

Norton's AntiVirus product.

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll

Yep, as I suspect, you have the Google toolbar installed. Nothing bad
with it but don't enable its popup blocking if you already use another
product to block popups, and don't enable the advanced features (Page
Info and Page Ranking) unless you want to announce to Google when you
click on one of their links in the match results from a search since
that navigates you through their servers to record your navigation
before passing you onto the targeted site.

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX

Hmm, an ActiveX control. Right-click on it in Explorer and look under
its Version tab in its properties to see if it identifies what it does.

O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
SystemWorks\Norton AntiVirus\NavShExt.dll

Again, Norton AntiVirus.

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll

The Google toolbar again.

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

Microsoft's Registry Checker. This is not a Task List item, but rather
a startup item which you can see in MSConfig. The Registry Checker,
SCANREGW, loads on boot-up and checks that the Windows Registry is in
good order. If it is in good order, it backs up the Registry and then
lets Windows continue booting up. If there are minor problems, it fixes
them. If there are major problems, it prompts the user to restore from
a previous good copy of the Registry.

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

Already mentioned above.

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

That part of the taskbar on the right end called the system notification
area, or system tray.

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme

Probably how Windows loads the users selections for their Power Options.

O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe

Probably part of your video card's software, maybe an ATI video card.

O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe

As noted above, this is something you'll have to check out.

O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe

Hmm, looks suspicious. By its name, it appears to remove a .cpl Control
Panel applet. So what functionality might it be trying to hide? When
you open Control Panel, it scans for .cpl files to include in its list
of applets (plus, I believe, some are listed in registry keys, but maybe
that is just for Windows 2000/XP). You might want to check what this
startup program is doing (it runs for all user accounts).

O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program
Files\Picasa\PicasaMediaDetector.exe

Fluff software already mentioned above. You'll have to check what you
choose to load on startup for whatever you choose to install that
provides this oh, so, highly required media detect monitoring of what
you slide into your CD/DVD drives.

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe

Did you install something which included updating the MDAC (Microsoft
Data Access Components) but neglect to reboot the system yet? You will
find RUNONCE.EXE as a startup entry rather than as a background task.
RUNONCE is the Microsoft "Run Once" Wrapper. It is a program which
developers can use as part of their installation procedures to ensure,
for example, that after the first reboot post the installation of the
software, some additional configuration program is run to complete the
installation, and once only. It is not uncommon for a RUNONCE startup
entry to be left behind after it has run once. Therefore, if you find a
RUNONCE.EXE entry in your startups, reboot your PC; if it is still
there after reboot, then you can safely disable it or delete it.

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE"
-atboottime

Yep, already mentioned, Quicktime's stupid update checker which is
superfluous. Disable it in msconfig.exe.

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"

Symantec's anti-virus proxy.

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"

This runs on Windows startup to verify the registry keys for Symantec's
products (Norton AntiVirus, Norton Internet Security) have not been
touched by some other program, like a virus, spyware, or other malware,
in an attempt to disable it or hide themselves. At some point, maybe
after version 2002, Symantec decided to encrypt their registry keys both
for their names and their content (i.e., data names and data values).
If anything touches those keys, the hash value will change. This makes
it impossible to do some tasks, like export the registry keys for the
user's customizations, like web content filtering or application rules,
but it does protect the AV software from getting corrupted without
detection.

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton
SystemWorks\Norton Utilities\NPROTECT.EXE

Norton's Recycle Bin.

O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK
2\Ssk.exe

Yep, there's that scumware again.

O4 - HKLM\..\Run: [PPMemCheck]
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center]
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol]
C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe

PestPatrol?


O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme

Loads the global power scheme (overridden by the HKCU key).

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

Task Scheduler.

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common
Files\Symantec Shared\ccEvtMgr.exe"

Symantec's event manager (to record what happens with its NAV and NIS
products).

O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common
Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

You have Script Blocking enabled in Norton Antivirus. It changes the
registry keys for script blocking to chain itself into the path used to
load Wscript.exe (and probably Cscript.exe) so it can scan scripts
before passing them onto the Windows/Command script interpreter.

O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton
SystemWorks\Norton CleanSweep\CSINJECT.EXE

Cleansweep, part of the Norton Utilities in Systemworks.

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton
SystemWorks\Norton Utilities\NPROTECT.EXE

Norton's Recycle Bin.

O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program
Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

My guess is you opted to use Norton's Tray Manager which rolls up all of
the Norton tray icons under one tray icon.

O4 - HKCU\..\Run: [Tsa2] C:\PROGRAM FILES\COMMON FILES\TSA\TSM2.EXE

Don't have a clue on this one. You'll have to go under that path and
check what those files do.

O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK
2\Ssk.exe

Scumware again.

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msedpb.exe

Don't know this one, either.

O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program
Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe

More Cleansweep nonsense.

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE

This is the Office System Assistant. It loads on startup and Microsoft
claims it is supposed to make loading faster for the MS Office programs
(Word, Outlook, Excel, etc.). I think back about 5 years ago, or more,
on slower hosts it might have provided a slight advantage in load times
but it is mostly a waste of resources. See
http://support.microsoft.com/?id=290144.

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe

What of Adobe did you install? Maybe this is part of their Acrobat,
Photoshop, or other product.

O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000

Probably some Excel extra you installed.

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English -
res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

The Google toolbar again.

O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38229.7607407407

Have you ever yet used the [Alexa] Related toolbar button in Internet
Explorer? Is it even displayed anymore?

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) -
http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

Macromedia's Shockwave ActiveX control.

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj
Object) - http://www.odysseusmarketing.com/actsetup.cab

Huh? You need an AX control from some marketing group?


Since it appears you have PestPatrol, but since they do NOT list
Surf[SideKick] at http://www3.ca.com/securityadvisor/, it seems it is a
new variant that they won't yet catch. Spybot didn't list it, either,
in their Threats list on their site. However, Lavasoft does list
"surfsidekickBHO" which appears it might be the SurfSideKick BHO that
you got stuck with; see
http://www.lavasoftnews.com/ms/display_main.php?tac=surfsidekickBHO.
Change IE's options to ALWAYS prompt you on ALL ActiveX downloads and
get SpywareGuard to watch for any BHOs that some site might attempt to
install (I think WinPatrol also monitors for new BHOs as well as BHO
Demon, if you leave its shortcut in the Start menu to load on login).

You never mentioned scanning with Ad-Aware (from Lavasoft). Spybot only
catches some, Ad-Aware only catches some, PestPatrol only catches some
(but, unfortunately, has a problem with too many false positives [for
their online scanner]), and CWShredder is geared to a specific subset
that are not well covered by other malware scanners. Don't rely on one
malware scanner to detect them all. However, make sure you know what
the malware scanner intends to do before letting it do it. After all,
it is your choice to let the malware scanner make the changes so you are
ultimately responsible for its actions.
 

David H. Lipman

That's a good question.

I don't suggest anything that I haven't tried nor personally use. As of yet, I haven't run
into anything that Adaware could not remove.

Dave



not include CWShredder in your recommendations?
| Especially when the problem looks like CWShredder can help.
|
| Free download:
| http://www.intermute.com/spysubtract/cwshredder_download.html
|
 

Reg Mouatt

snipped log

You can post a copy of the log file here
http://www.hijackthis.de/index.php?langselect=englis
but do be very careful how you interpret the findings - I note that
both entries for 'Load Power Profile' are explained as 'Nasties' which
they are not but as in Randy's post (below) you do have an item listed
2/ssk.exe in your logfile which needs looking at. If you feel you need
more help, post the hijackthis log here - you will first have to
register as a member.
http://forum.aumha.org/viewforum.php?f=30

Reg
 

Conor

Yddap said:
stop posting in HTML and someone might reply
:-(
Get a decent ****ing newsreader and it'll strip the HTML out.

--
Conor

Greedo shot first. Greedo ALWAYS shot first. You did not see Solo shoot
first.
It never happened. Never, ever. Not in any version. Remember: Greedo
shot first.
 

Conor

I can't answer your question, but I can recommend you buy ZoneAlarm Security Suite 5.5. That problem will be eliminated.
Bet it won't....


--
Conor

Greedo shot first. Greedo ALWAYS shot first. You did not see Solo shoot
first.
It never happened. Never, ever. Not in any version. Remember: Greedo
shot first.
 

Beauregard T. Shagnasty

Conor said:
Get a decent ****ing newsreader and it'll strip the HTML out.

Most decent ****ing newsreaders will strip the HTML. That however,
equates to an ostrich sticking his head in the sand. "If I don't see
it, it didn't happen" and does not address the issue that
coffeecoco930 is not following Usenet netiquette.
 

bassbag

That's a good question.

I don't suggest anything that I haven't tried nor personally use. As of yet, I haven't run
into anything that Adaware could not remove.

Dave



not include CWShredder in your recommendations?
| Especially when the problem looks like CWShredder can help.
|
| Free download:
| http://www.intermute.com/spysubtract/cwshredder_download.html
|
I understand your view of not recommending anything you haven't tested
yourself. I can however confirm that I tried an index.dat viewer
http://www.tsm-soft.com/category/internet/irtpro063.html a few weeks ago
that installs a commercial web searcher (super search). Adaware didn't detect
it, let alone remove it, possibly because it doesn't consider it a threat or it
hasn't been added. CWShredder, which specialises in CoolWeb and search hijack
variants, did a fine job detecting and removing it. In the case of the above
program (index.dat viewer) it installs every time you use the program's .exe
file.
me
 

Roger Wilco

Reg Mouatt said:
- I note that
both entries for 'Load Power Profile' are explained as 'Nasties' which
they are not

The LoadPowerProfile key is easily used to almost transparently execute a mock rundll32.exe from the system directory
on some systems.
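A defender-side triage pass over the log line formats walked through in Vanguard's post above and over Roger Wilco's point about the LoadPowerProfile entry, as an added example written for this thread (not code from any poster, nor from HijackThis). It parses the R0/R3/O2/O4/O16 entry formats, then flags components of SurfSideKick (the hijacker named in this log), hook registrations whose file is missing, O4 Run entries whose image is an unqualified filename resolved through the search path, and O16 ActiveX downloads from hosts outside a small allowlist; the allowlist and the sample subset of log lines are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the HijackThis log quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msedpb.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
"""

# Product names the thread identifies as unwanted, and the download hosts the
# thread treats as expected for O16 entries (both lists are assumptions for this example).
KNOWN_UNWANTED = ("SURFSIDEKICK",)
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com")

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HOOK_RE = re.compile(r"^(?P<kind>URLSearchHook|BHO): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} (?:\((?P<name>[^)]*)\) )?- (?P<url>\S+)$")


@dataclass
class Entry:
    section: str
    body: str
    findings: List[str] = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Return the executable part of an O4 command line (quoted path or first token)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def analyse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis entry and attach any review findings; None for non-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m["section"], m["body"])
    if any(name in e.body.upper() for name in KNOWN_UNWANTED):
        e.findings.append("known hijacker component (SurfSideKick)")
    if e.section == "O4":
        o4 = O4_RE.match(e.body)
        # A bare filename is located through the search path, not a fixed location,
        # so a same-named file found earlier on that path would be the one that runs.
        if o4 and "\\" not in image_path(o4["cmd"]):
            e.findings.append(f"unqualified image '{image_path(o4['cmd'])}' resolved via search path")
    elif e.section in ("R3", "O2"):
        h = HOOK_RE.match(e.body)
        # The registry registration outlived the file: cleanup was only partial.
        if h and h["path"].endswith("(file missing)"):
            e.findings.append(f"{h['kind']} entry points at a missing file")
    elif e.section == "O16":
        d = DPF_RE.match(e.body)
        if d:
            host = urlparse(d["url"]).hostname or ""
            if not any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS):
                e.findings.append(f"ActiveX download from unexpected host {host}")
    return e


def suspicious(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its findings; clean lines are omitted."""
    entries = (analyse_line(l) for l in text.strip().splitlines())
    return {e.body: e.findings for e in entries if e is not None and e.findings}


if __name__ == "__main__":
    for body, findings in suspicious(SAMPLE_LOG).items():
        print(body)
        for f in findings:
            print("   ->", f)
```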
 

ImhoTech

David H. Lipman said:
That's a good question.

I don't suggest anything that I haven't tried nor personally use. As of
yet, I haven't run
into anything that Adaware could not remove.

Dave

That says a lot...You haven't run into much then.
 

David H. Lipman

That's a false conclusion.

Dave




| That says a lot...You haven't run into much then.
 
