Search hijacked?!


  • This topic is locked
14 replies to this topic

#1 gtbase (Authentic Member, 125 posts)

Posted 05 July 2005 - 03:04 PM

Hi-This is my first post here. I found you through a general search by putting in half of a web address that I have been getting re-directed to; I found a post regarding the problem and checked for the same files on my computer, but it didn't work, so....I hope that I'm not annoying anyone by asking a repeated question. So, here's the problem, and what I have tried already. Every time I try to search from my address bar, I get redirected to the following address: 1dial.search-results-site.com/html/searchresults.php
My homepage is msn and I would like msn to be my search engine. I can use the msn search bar on the homepage, but not the address bar - I used to be able to. Here is what I have done so far:
OS is Windows 2000 Professional
Internet options "customize" is set at one search engine-msn
Advanced options are set at "search from address bar"
I have the following Anti-Virus/Spyware/Adware programs installed and up to date: Ad-Aware; Spybot; Scan Spyware (paid version); Microsoft Anti Spyware; Tweak Now Reg Cleaner; Reg. Mechanic (free version); Norton System Works (paid registered copy); HijackThis. All of these are the latest versions, with the latest updates. Whatever these programs have found has been fixed/deleted. There are no viruses. Nothing else seems to be affected, other than occasionally when I open up a Microsoft Office program like Word or Excel, all of a sudden my Outlook Express opens up. I haven't been able to pinpoint what sets this off.
I also went to the microsoft site, and did their browser hijack fix, and it said I was clean.
I am willing to do a regedit, if anyone can tell me which one to look for.
I have done all of the above spyware/adware programs until they run clean.

Following is my HiJack This logfile:
Logfile of HijackThis v1.99.1
Scan saved at 2:49:40 PM, on 7/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\WINNT\system32\hpha2mon.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\system32\HPHipm08.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [HPHA2MON] C:\WINNT\system32\hpha2mon.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {30985566-E01F-11D2-85DB-EA44DE000000} (IRTHMapDisplay Control) - https://irth.digsafe...HMapDisplay.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - https://irth.digsafe...ry/mgaxctrl.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

The two O16 files are files that I recognize; so please don't tell me to delete them unless you think they are infected - I need them, and they take forever to download.

I am at a real loss here, can anyone help?



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 15 July 2005 - 09:51 PM

Hello gtbase, welcome to the TC.

I don't see any bad guys that are showing up in your log, but lets see if we can find something.

Please download ewido Security Suite
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
  • Launch ewido, there should be a big "E" icon on your desktop, double-click it.
  • The program will prompt you to update click the "OK" button
  • The program will now go to the main screen

    You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start

    The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.

    Once the updates are installed do the following:
  • If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
  • Reboot into Safe Mode, you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run ewido.
  • Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
  • Click on scanner
  • Click on Settings
    • Under "How to scan" all boxes should be selected
    • Under "Possibly unwanted software" all boxes should be selected
    • Under "What to scan" select scan every file
    • Click OK
  • Click on Complete system scan
  • Let the program scan the machine
  • If ewido finds anything, it will pop up a notification. NOTE: We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged. In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  • Click Save report
  • Save the report to your desktop
  • Exit ewido

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 gtbase (Authentic Member, 125 posts)

Posted 18 July 2005 - 09:11 AM

LDTate:
Thank you for responding. I have done what you told me to do, and following are the two logs. BTW I noticed the R1 entry in the HijackThis log. That specific entry hasn't been there for quite a while. When I first started my quest to get this bugger, that entry was there, and I checked it to "fix"; it hasn't returned until now.
Also-if you could help me with something that has happened as a result of my post. When I posted through the "what happens if I don't hear within 5 days" I thought I had done it correctly. However when I checked my e-mail this morning, I had 15 new messages - 14 of which directed me back to that "what happens...." post; only 1 (yours) directed me to my post with a reply. I am still getting e-mails every time someone else goes to that "what happens..." post. Can you stop this?
Thank you! Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:45 AM, on 7/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\WINNT\system32\hpha2mon.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\HPHipm08.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [HPHA2MON] C:\WINNT\system32\hpha2mon.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {30985566-E01F-11D2-85DB-EA44DE000000} (IRTHMapDisplay Control) - https://irth.digsafe...HMapDisplay.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - https://irth.digsafe...ry/mgaxctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:51:27 AM, 7/18/2005
+ Report-Checksum: A53AABB0

+ Scan result:

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4EFAW0S8\sfexd001[1].htm -> Spyware.SideFind : Ignored
C:\Documents and Settings\Doris Carlson\Cookies\doris carlson@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Ignored
C:\Documents and Settings\Doris Carlson\Cookies\doris carlson@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Ignored
C:\Documents and Settings\Doris Carlson\Cookies\doris carlson@overture[2].txt -> Spyware.Cookie.Overture : Ignored


::Report End

Thanks Again!!

#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 18 July 2005 - 02:54 PM

Having storms here. Was right in the middle of posting :rant2:

Lets try this:

To use it:
  • Download CCleaner from http://www.ccleaner.com/ and install.
  • Open CCleaner.
  • Place a check by everything in the Applications tab.
  • Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.
  • Hit the button that says Run CCleaner
  • Reboot to remove index.dat files.

Notes:
1.Uncheck "Cookies" under "Internet Explorer".

2.If the user is running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".

3.Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

Let me know if this helps.

I'll let you know how to stop the emails when we're done.


 


#5 gtbase (Authentic Member, 125 posts)

Posted 19 July 2005 - 08:13 AM

LDTate:
YOU'RE THE BEST!!!!!! I downloaded CCleaner late yesterday afternoon, but because you noted that it might take a while to run, I didn't run it until this morning. I thought I may have done something wrong, because the scan took only about 30 seconds :o so I rebooted and ran it again, and again. Then I ran Ad-Aware, Spybot, Microsoft AntiSpyware and HijackThis. I ran CCleaner again, but still didn't get a "0" bytes. I purged all of my Norton Protected files; ran it again and rebooted again. I ran the cleaner one more time, but I still didn't get a "clean" slate, so I copied what was happening. If I run the cleaner twice in a row, the result of the second cleaning is the log (below) marked CClog. If I reboot and run the cleaning as soon as I start, the result of the scan is the log (below) marked CC2log. After all of that, I decided to just check the address bar search, and voila, my msn search from the address bar is back. So I take it that it's okay not to get a "0" bytes on the CCleaner results? Or should I keep running it until there are no bytes removed?
I ran a HijackThis log after everything, and I am posting it for you too - I am concerned about the first entry: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01 Is this correct? or have we just "temporarily" solved the problem? Also, now that it appears that we tracked this bugger down, I have a number of programs that I downloaded to try to beat this thing, and I am hoping you can tell me which ones I can delete and which ones I should save. I have listed them below. Once again LDTate, thank you so much for what you have done for me. I will be waiting for your reply. BTW Am I supposed to be doing the CCleaner in "Safe Mode"? (because I wasn't).

Programs I downloaded:
Registry Mechanic
TweakNow RegCleaner
HijackThis (obviously a keeper!)
Spybot S&D (keeper)
Ad-Aware SE (keeper)
Microsoft AntiSpyware Beta
Spyware Doctor
Scan Spyware (I paid for this, but it rarely finds anything)
ewido security suite
CCleaner
Norton System Works 2002 Prof. Ed. (Packaged program that we bought) updated.

Here are the two CCleaner logs, and the Hijack This log:

CCLog (this is what I get the second time if I run it twice in a row)
CLEANING COMPLETE - (1.022 secs)
------------------------------------------------------------------------------------------
247 bytes removed.


Details of files deleted
------------------------------------------------------------------------------------------
IE Temporary Internet Files (2 files) 134 bytes
C:\Documents and Settings\Doris Carlson\Local Settings\History\History.IE5\desktop.ini 113 bytes


CC2Log (this is what I get if I run it right after I reboot)
CLEANING COMPLETE - (1.804 secs)
------------------------------------------------------------------------------------------
81.78KB removed.


Details of files deleted
------------------------------------------------------------------------------------------
IE Temporary Internet Files (6 files) 402 bytes
C:\Documents and Settings\Doris Carlson\Local Settings\History\History.IE5\desktop.ini 113 bytes
Marked for deletion: C:\Documents and Settings\Doris Carlson\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Marked for deletion: C:\Documents and Settings\Doris Carlson\Cookies\index.dat
Marked for deletion: C:\Documents and Settings\Doris Carlson\Local Settings\History\History.IE5\index.dat
C:\DOCUME~1\DORISC~1\LOCALS~1\Temp\Officeh.tmp 8.05KB
C:\DOCUME~1\DORISC~1\LOCALS~1\Temp\Offices.tmp 8.05KB
C:\DOCUME~1\DORISC~1\LOCALS~1\Temp\~DF2A5B.tmp 32.00KB
C:\DOCUME~1\DORISC~1\LOCALS~1\Temp\~DF43A2.tmp 32.00KB
C:\WINNT\system32\wbem\Logs\wbemcore.log 56 bytes
C:\WINNT\system32\wbem\Logs\WinMgmt.log 84 bytes
C:\WINNT\system32\wbem\Logs\wmiadap.log 1.04KB
C:\WINNT\Debug\ipsecpa.log 0 bytes

Logfile of HijackThis v1.99.1
Scan saved at 10:55:45 AM, on 7/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\WINNT\system32\hpha2mon.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\HPHipm08.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [HPHA2MON] C:\WINNT\system32\hpha2mon.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {30985566-E01F-11D2-85DB-EA44DE000000} (IRTHMapDisplay Control) - https://irth.digsafe...HMapDisplay.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - https://irth.digsafe...ry/mgaxctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 19 July 2005 - 03:21 PM

So I take it that it's okay not to get a "0" bytes on the CCleaner results? Or should I keep running it until there are no bytes removed?

You'll always get some, like cookies and IE temp files. I'd suggest you run CCLeaner once a week.

ran a HijackThis log after everything, and I am posting it for you too - I am concerned about the first entry: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01 Is this correct?

That's just a Charter MSN search. We can remove it if you like. It's not hurting anything though. Is your Home Page MSN, like you want it?


Programs I downloaded:
Registry Mechanic
TweakNow RegCleaner
HijackThis (obviously a keeper!)
Spybot S&D (keeper)
Ad-Aware SE (keeper)
Microsoft AntiSpyware Beta
Spyware Doctor
Scan Spyware (I paid for this, but it rarely finds anything)
ewido security suite
CCleaner
Norton System Works 2002 Prof. Ed. (Packaged program that we bought) updated.



These are all ok programs. If you use them you can keep them. The ewido security suite is a 30 day trial. If you decide to remove any, be sure to use Add/Remove programs.



Let me know what you want to do with the R1. We still have a final post that you need to do.

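Post #1 asks which registry entry to look for, and post #6 judges the g.msn.com R1 entry by eye. The values HijackThis reports as R0 and R1 (Start Page, Search Page, Search Bar, SearchAssistant and CustomizeSearch under HKCU/HKLM\Software\Microsoft\Internet Explorer) and the URLSearchHook it reports as R3 are where an address-bar search hijack lives, so the repeatable check is the host each of those URLs points at. The script below is an added example for this thread, not code from the forum, from HijackThis or from any tool named here: it parses pasted HijackThis 1.99.1 text, pulls the URLs out of R0/R1/R3 and O16 (downloaded ActiveX) lines and flags any host outside an allowlist. The allowlists and the sample log are constructed for the example; the sample mixes real lines from this thread with invented ones (the 1dial Search Page line, the g.msn.com.example.net look-alike, the all-zero URLSearchHook CLSID and both example.com/example.net controls). The forum's own "..." truncation of long URLs is reported as unparseable rather than guessed at.

```python
"""Triage HijackThis R0/R1/R3 and O16 entries by URL host.

Added example; not code from the thread or from HijackThis. The
allowlists and SAMPLE_LOG below are assumptions built for the example.
"""
import re
from urllib.parse import urlsplit

# HijackThis sections for IE search/start-page values (R0, R1) and
# URLSearchHooks (R3), and for Downloaded Program Files / ActiveX (O16).
SEARCH_SECTIONS = {"R0", "R1", "R3"}
DPF_SECTION = "O16"

ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d+)\s+-\s+(?P<body>.*)$")
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+")

# Assumed allowlists: a domain entry also covers its subdomains.
TRUSTED_SEARCH_HOSTS = {"msn.com"}            # the user wants MSN search
TRUSTED_DPF_HOSTS = {"cdn.example.com"}       # hypothetical vendor host


def host_of(url):
    """Hostname of a URL, or None when the forum display cut it with '...'."""
    if "..." in url:
        return None
    return urlsplit(url).hostname


def is_trusted(host, trusted):
    """Exact or parent-domain match, deliberately not a substring test:
    'g.msn.com.example.net' contains 'msn.com' but is not under it."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(log_text):
    """Return one finding dict per URL found in R0/R1/R3/O16 lines."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # banner, process list, blank lines
        section, body = m.group("section"), m.group("body")
        if section in SEARCH_SECTIONS:
            trusted = TRUSTED_SEARCH_HOSTS
        elif section == DPF_SECTION:
            trusted = TRUSTED_DPF_HOSTS
        else:
            continue                      # O2/O4/O23 etc. carry file paths, not URLs
        for url in URL_RE.findall(body):
            host = host_of(url)
            if host is None:
                verdict = "truncated"     # cannot judge a host we cannot see
            elif is_trusted(host, trusted):
                verdict = "ok"
            else:
                verdict = "suspicious"
            findings.append({"section": section, "url": url,
                             "host": host, "verdict": verdict})
    return findings


# Constructed sample: two lines copied from the thread, the rest invented.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://1dial.search-results-site.com/html/searchresults.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://g.msn.com.example.net/search
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {30985566-E01F-11D2-85DB-EA44DE000000} (IRTHMapDisplay Control) - https://irth.digsafe...HMapDisplay.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Viewer Control) - https://cdn.example.com/ctl/viewer.cab
O16 - DPF: {22222222-3333-4444-5555-666666666666} (Example Control) - http://dl.example.net/ctl/example.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        shown = f["host"] or "(truncated)"
        print(f"{f['verdict']:<10} {f['section']:<4} {shown:<32} {f['url']}")
```

Run as-is to see the verdict table, or replace SAMPLE_LOG with a pasted log. The parent-domain match in is_trusted is the point of the example: a substring or "contains msn.com" test would have passed the g.msn.com.example.net line, which is exactly the kind of name a hijacker picks; the real Search Bar value from post #6 passes because g.msn.com is a subdomain of msn.com, and the redirect target from post #1 is flagged.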

 


#7 gtbase (Authentic Member, 125 posts)

Posted 20 July 2005 - 07:33 AM

LDTate- Thank you, Thank you, Thank you! Yes, my MSN home page is the way I am used to, and the search is also what I have been trying to get. As long as you say that the "R1" entry is safe, then it is okay with me - I just thought that the "SEENUS" portion of the address sounded like spyware. I'm okay with it as long as you think it is safe. Let me know what I need to do next. Thank you again.

#8 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 20 July 2005 - 02:41 PM

Good Job :thumbup:


Log looks good :D :thumbup: How is it running, any issues?



1.Do one of the following:
In Windows 98/Me/2000, on the Windows desktop, double-click the My Computer icon.
In Windows XP, on the taskbar, click Start > My Computer.

2.Do one of the following:
In Windows 98, on the View menu, click Folder Options.
In Windows Me/2000/XP, on the Tools menu, click Folder Options.
On the View tab, check Hide file extensions for known file types.

3.Do one of the following:
In Windows 98, in the Advanced Settings box, under the "Hidden files" folder, unclick Show all files.
In Windows Me/2000/XP, check Hide protected operating system files. Then, under the "Hidden files" folder, unclick Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.



If you don't have these three programs I would recommend that you get them: SpywareBlaster, SpywareGuard and IE-SPYAD. They will add thousands of sites to your restricted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Ad-Aware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D


 


#9 Hans (SuperMember, Authentic Member, 1,029 posts)

Posted 21 July 2005 - 12:07 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418
Kind regards,

Hans
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#10 rand1038 ("Take over your PC or someone else will.", Authentic Member, 1,100 posts)

Posted 22 July 2005 - 08:29 AM

Topic reopened at user's request.

Need to advise how to stop getting e-mails (see post of July 18, 11:11 am and LDTate's response, july 18, 4:54 pm)

Do you want me to just "unsubscribe to the e-mails"?
Thank You.


Yes, just click the unsubscribe link in the emails you get, if you don't want to get them anymore.

Edited by rand1038, 22 July 2005 - 08:31 AM.

Everyone gets specific instructions, disregard what you don't need.
I don't know your skill level.


"I would rather be bruised by the truth than caressed by lies."

The help you receive here is free.
If you can
please help keep us online by donating.


#11 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 22 July 2005 - 11:47 AM

Kinda strange, I never closed the topic. Looks like Hans did :scratch: gtbase, can you describe what problems you're having?


 


#12 gtbase (Authentic Member, 125 posts)

Posted 25 July 2005 - 07:14 AM

LDTate: Thank you for your response - I didn't think I would get any more response from you because of the topic being closed. I wrote the admin. on Thursday to reopen, but in checking Friday morning, I hadn't heard, so I thought things had been ended. My only problem now is what I had explained earlier and that is when I posted in the "what to do if you don't hear a response in 5 days"; not only did I get my response (and terrific help) from you, but now every time someone else posts in that category (what to do......) I get their e-mail in my e-mail box. Since posting there, I have gotten 42 e-mails aside from the ones that notified me that you had responded. This morning there were 18, and I almost missed your response from Friday. I was afraid to "unsubscribe" until I was sure that you and I were finished. Also, just to let you know, I made a donation through "Paypal" using my personal account which shows up as "rcksmom" - I am more of a fanatic about my computer here at my office than I am about my computer at home, and I was very happy with the help you gave. I wasn't sure if anyone would read the note with the payment and make the connection between "gtbase" and "rcksmom". LD, thank you again. So now, do I just unsubscribe to those e-mails?

#13 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 25 July 2005 - 11:12 AM

To unsubscribe from this (or any) topic you must use "My Controls" at the top center of any forum page. Click on "My Controls" then under "Subscriptions" on the left hand side of the new page, click on "View Topics". You will be taken to a list of topics that you have either started or replied to. Put a check mark beside the thread that you no longer wish to receive email notifications for and click "Unsubscribe" at the bottom of the list. Glad we were able to help :thumbup:


 


#14 gtbase (Authentic Member, 125 posts)

Posted 25 July 2005 - 12:17 PM

So done! Thanks LDTate. Over and out! B)

#15 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 25 July 2005 - 02:23 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418


 
