View Full Version : Enhancemysearch.com issue (W2K)
teleguy
11-01-2004, 09:28 PM
Hi all,
I recently was the lucky recipient of some popup bug that is causing me havoc. I downloaded the free version of Spyware Doctor, ran it and was rid of all of my problems except for one.... Enhancemysearch.com
I've tried everything to stop this sucker with no luck. I've put them on a never allow list in my privacy settings but this isn't working. I'm willing to purchase the full version as long as it will work. Has anyone heard of this bugger and know how to stop it? FYI...I'm running through a VPN with work but have administrative access to my puter.
Thanks,
Tele
Booter
11-02-2004, 02:17 PM
You have a keyword hijacker. If you haven't already, download HijackThis, run it, do a scan, save the log. Don't fix any without knowing why. After you have the log, if you need help, you can always come back here.
Bruce
teleguy
11-02-2004, 06:20 PM
Bruce,
Thanks for your help. I have done what you advised... Here is the log.... It's a long one.
Logfile of HijackThis v1.97.7
Scan saved at 9:20:25 PM, on 11/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HPConfig.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Marimba\CASTAN~1\Tuner.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\ZipToA.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WMI\WMIProviders\HPAlertWMI.exe
C:\WMI\WMIWDog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\atiptaxx.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\MouseWarePro\MWProEng.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\pgtaff.exe
C:\WINNT\oagse.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Palm\AlarmApp.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\downloads\VZLogin.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Lotus\Notes\NLNOTES.EXE
C:\WINNT\System32\MDM.EXE
C:\Program Files\Palm\Palm.exe
C:\downloads\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.verizon.com/cgi-bin/getproxy
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\system32\cdsm32.dll
O1 - Hosts: 144.28.52.17 USCAGOLPATS01
O1 - Hosts: 107.3749.9 USNYMEN11WS02
O1 - Hosts: 107.3749.7 USNYMEN11WS01
O1 - Hosts: 104.132.30.150 USNYTRYSAVS01
O1 - Hosts: 144.70.113.8 USILCBDMONS02
O1 - Hosts: 161.128.126.29 USMABURBUDS06
O1 - Hosts: 161.128.8.48 USMABURBUDS05
O1 - Hosts: 104.139.2.132 USNYKNGBRDS01
O1 - Hosts: 161.128.126.27 USMABURBUDS03
O1 - Hosts: 138.83.34.28 USTXCOPSV1S08
O1 - Hosts: 138.83.36.53 USTXCOPSV1S07
O1 - Hosts: 138.83.34.45 USTXCOPSV1S04
O1 - Hosts: 138.83.34.44 USTXCOPSV1S03
O1 - Hosts: 139.49.192.12 USTXCOPSV1S02
O1 - Hosts: 161.128.162.171 USNYMNHPRLS05
O1 - Hosts: 141.156.23.47 USMDCOCYASS04
O1 - Hosts: 141.156.23.45 USMDCOCYASS03
O1 - Hosts: 141.149.187.24 USPALEVFALS02
O1 - Hosts: 143.91.61.41 USTXIRVRRGS03
O1 - Hosts: 161.128.162.150 USNYMNHPRLS04
O1 - Hosts: 136.151.101.109 USFLCLRCLES02
O1 - Hosts: 161.128.162.137 USNYMNHPRLS03
O1 - Hosts: 151.205.63.31 USPALEVFALS01
O1 - Hosts: 143.91.61.40 USTXIRVRRGS02
O1 - Hosts: 136.151.101.108 USFLCLRCLES01
O1 - Hosts: 144.28.170.20 USCAPOMA05S02
O1 - Hosts: 141.156.23.10 USMDCOCYASS01
O1 - Hosts: 161.128.162.135 USNYMNHPRLS02
O1 - Hosts: 161.128.145.248 USNYMNHPRLS01
O1 - Hosts: 159.161.147.223 USCAPOMA05S01
O1 - Hosts: 151.205.79.132 USPACSHFAYS01
O1 - Hosts: 136.151.115.82 USFLTPA301S02
O1 - Hosts: 136.151.115.82 USFLTPA301S01
O1 - Hosts: 138.83.70.38 USFLTTPSTCS09
O1 - Hosts: 138.83.70.37 USFLTTPSTCS08
O1 - Hosts: 104.148.58.84 USNYMNHWESS02
O1 - Hosts: 136.151.208.185 USFLTTPSTCS07
O1 - Hosts: 104.148.58.82 USNYMNHWESS01
O1 - Hosts: 138.83.66.40 USFLTTPSTCS04
O1 - Hosts: 104.6.5.104 USMAHYNNRTS01
O1 - Hosts: 138.83.66.56 USFLTTPSTCS03
O1 - Hosts: 143.91.99.35 USTXIRVHQWS03
O1 - Hosts: 141.157.79.196 USVARICHSRS01
O1 - Hosts: 161.128.238.56 USNYPRLBHDSC2
O1 - Hosts: 143.91.100.135 USTXIRVHQWS02
O1 - Hosts: 161.128.238.55 USNYPRLBHDSC1
O1 - Hosts: 143.91.100.9 USTXIRVHQWS01
O1 - Hosts: 104.153.66.16 USNYPTCOCNS01
O1 - Hosts: 143.91.233.133 USTXIRVCARS01
O1 - Hosts: 162.83.31.69 USNJSCOCELS02
O1 - Hosts: 104.132.28.151 USNYNTNTRMS01
O1 - Hosts: 141.239.50.1 USHIHNLMBYS01
O1 - Hosts: 144.28.133.14 USCASFSLNRS01
O1 - Hosts: 162.83.31.68 USNJSCOCELS01
O1 - Hosts: 162.83.21.5 USNJMAM11SS01
O1 - Hosts: 161.128.43.200 USMABOSHISS01
O1 - Hosts: 162.83.76.70 USNJSPLHADS01
O1 - Hosts: 151.196.20.20 USMDSILCOLS01
O1 - Hosts: 141.150.76.108 USNJMLAMIDS01
O1 - Hosts: 141.154.100.14 USPAPHIRACS01
O1 - Hosts: 105.38.11.95 USNYGRDZCKS03
O1 - Hosts: 105.38.11.48 USNYGRDZCKS02
O1 - Hosts: 105.38.11.46 USNYGRDZCKS01
O1 - Hosts: 141.157.33.6 USVAROAAIRS02
O1 - Hosts: 141.157.33.8 USVAROAAIRS01
O1 - Hosts: 104.8.1.86 USNHMNCLMSS01
O1 - Hosts: 104.132.34.163 USNYBFFELMS01
O1 - Hosts: 159.161.39.168 USMOWENBLDS03
O1 - Hosts: 141.157.119.42 USVANEWNEWS01
O1 - Hosts: 159.161.39.165 USMOWENBLDS01
O1 - Hosts: 105.38.114.181 USNYMNHW5SS01
O1 - Hosts: 144.70.105.218 USILBLMMONS01
O1 - Hosts: 141.157.72.11 USVARICMAIS01
O1 - Hosts: 141.152.119.12 USNJMADPARS03
O1 - Hosts: 141.152.119.11 USNJMADPARS01
O1 - Hosts: 132.197.120.82 USMAWLTSYLS01
O1 - Hosts: 151.198.23.98 USPAWILWCOS01
O1 - Hosts: 104.132.6.118 USNYALBSTTS02
O1 - Hosts: 162.83.18.248 USNJHPL657S01
O1 - Hosts: 104.132.6.116 USNYALBSTTS01
O1 - Hosts: 161.128.100.186 USMATNTMYLS03
O1 - Hosts: 161.128.100.184 USMATNTMYLS02
O1 - Hosts: 161.128.100.193 USMATNTMYLS01
O1 - Hosts: 144.70.150.95 USMIMUKTERS01
O1 - Hosts: 104.139.3.7 USNYELRWCHS01
O1 - Hosts: 143.91.13.20 USTXIRVHQES02
O1 - Hosts: 143.91.12.54 USTXIRVHQES01
O1 - Hosts: 141.149.187.36 USVAFCHFAIS02
O1 - Hosts: 141.149.187.27 USVAFCHFAIS01
O1 - Hosts: 136.151.70.14 USFLTPATCCS01
O1 - Hosts: 144.28.176.125 USCAIRWAZUS02
O1 - Hosts: 104.2.5.239 USMEPRTFRSS01
O1 - Hosts: 139.49.7.9 USCACALAGRS02
O1 - Hosts: 139.49.7.1 USCACALAGRS01
O1 - Hosts: 136.151.88.1 USFLTPAADAS02
O1 - Hosts: 105.12.34.242 USMEPRTDVSS01
O1 - Hosts: 136.151.109.7 USFLTPAADAS01
O1 - Hosts: 151.205.55.82 USPAALLWINS01
O1 - Hosts: 144.70.165.12 USOHMARRVYS03
O1 - Hosts: 136.151.137.8 USKYLEXHARS01
O1 - Hosts: 144.70.165.48 USOHMARRVYS02
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper100.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D9972C8B-6B81-4388-ABBC-AA2A22CE1F4E} - C:\WINNT\system32\qlheb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\Run: [qlhebc] C:\WINNT\system32\qlhebc.exe
O4 - HKLM\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
O4 - HKLM\..\Run: [xbmele] C:\WINNT\oagse.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
O4 - HKCU\..\Run: [bw36RjJnR] gptlace.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm47547US
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O12 - Plugin for .rx: C:\Program Files\Attachmate\KEA! X\npacirx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/english/cyberstore/audiopack/xp_audio/ChkDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/10a4b2ccb10bd9b0eb05/netzip/RdxIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_01) - https://soa01.verizon.com/plugin/j2re-1_3_1_01-win.exe
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38283.6231828704
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://webclass2.verizon.com/wld/Install/CentraDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O16 - DPF: {CAFECAFE-0013-0001-0008-ABCDEFABCDEF} (JInitiator 1.3.1.8) - http://vrfhvp07.verizon.com:7779/discoverer/plus_files/plugin/jinit1318.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O17 - HKLM\System\CCS\Services\Tcpip\..\{42EE04D1-2F8E-486C-8D81-1611ADDF4D7E}: NameServer = 151.203.111.6,151.203.162.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = verizon.com,gte.com,bellatlantic.com,nynex.com,bell-atl.com,ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{42EE04D1-2F8E-486C-8D81-1611ADDF4D7E}: NameServer = 151.203.111.6,151.203.162.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = verizon.com,gte.com,bellatlantic.com,nynex.com,bell-atl.com,ent.verizon.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{42EE04D1-2F8E-486C-8D81-1611ADDF4D7E}: NameServer = 151.203.111.6,151.203.162.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = verizon.com,gte.com,bellatlantic.com,nynex.com,bell-atl.com,ent.verizon.com
Now what?
Jerry
Booter
11-02-2004, 07:22 PM
Hi, I'm fairly new at this. If I overlook something, perhaps one of the other guys will jump in here to help.
That's a bunch. Might take more than one pass to get them all.
First issue. Your Hijackthis version is out of date. I don't know where you got it, but the latest version is v1.98.2. Here's a link you can paste into your browser from which you can download the newer version: (Get the updated version after you follow the instructions below, we'll stay with what you have for this pass):
http://tomcoyote.com/hjt/
Next, you should bring up Hijackthis again and do another scan.
This time, we'll put check marks in the most important boxes and make some corrections.
Put a check mark in every entry that starts with "01 - Hosts". I think there are 101 of them.
Have you configured the Spyware Doctor to run at power on/boot? If not, put a check mark in the following entry. If you set up the Onguard feature, this may be OK. No problem if we make a mistake here. It can be fixed.
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
Do you use "Mywebsearch" for anything important? If not, put a check mark in the following boxes:
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm47547US
Do you know and use "funwebproducts" for anything? If not, put a check mark in the following:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
Do you know and use "verizon.webex.com"? If not, put a check mark in the following:
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webex.com/client/latest/webex/ieatgpc.cab
There is still a lot more that I have to look at, but that's a start. The ones identified above are the most nasty.
Click on the Hijack button "Fix Checked", and the corrections you've identified above will be made.
Then, when it's convenient, update to a newer version of Hijackthis, run a new scan, and post the log here. We'll see what else needs attention.
Bruce
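To show how the kind of line-by-line judgement Bruce is making above can be written down as rules, here is an added triage helper (my own example code, not the thread's and not part of HijackThis) for log lines in the format posted. The sample lines are copied from the log above plus one constructed hosts entry (the `www.example.com` line); the allowlists and verdict names are assumptions, not anything the thread states.

```python
"""Triage helper for HijackThis-style log lines (added example, not the forum's code).

Assumes the R0..R3 / O1..O17 line prefixes that HijackThis 1.9x prints.
Allowlists and verdict names below are hypothetical and would need curating.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Lines taken from the log posted in the thread, plus one constructed
# hosts entry (www.example.com -> 10.0.0.1) standing in for a real redirect.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\system32\cdsm32.dll
O1 - Hosts: 161.128.126.29 USMABURBUDS06
O1 - Hosts: 10.0.0.1 www.example.com
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper100.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
O4 - HKCU\..\Run: [bw36RjJnR] gptlace.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
"""

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# A file sitting directly in the Windows directory or in system32.
WINDIR_RE = re.compile(r"^[A-Za-z]:\\WINNT\\(?:system32\\)?([^\\]+)$", re.I)
# Hypothetical allowlists (constructed for this example).
KNOWN_SYSTEM = {"mobsync.exe", "nerocheck.exe", "msdxm.ocx", "prpcui.exe", "atiptaxx.exe"}
TRUSTED_DPF = ("microsoft.com", "macromedia.com", "yahoo.com", "yimg.com")


@dataclass
class Finding:
    section: str
    verdict: str   # "suspicious", "review" or "ok"
    reason: str
    line: str


def _windir_unknown(path):
    """True if path is a file in WINNT/system32 that is not on the allowlist."""
    m = WINDIR_RE.match(path.strip().strip('"'))
    return bool(m) and m.group(1).lower() not in KNOWN_SYSTEM


def triage_line(line):
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    sec, body = m.groups()
    parts = [p.strip() for p in body.split(" - ")]
    if sec == "O1":
        tokens = body.split(":", 1)[1].split()
        if len(tokens) < 2:
            return Finding(sec, "review", "unparsed hosts entry", line)
        ip, host = tokens[:2]
        if ip in ("127.0.0.1", "0.0.0.0"):
            return Finding(sec, "ok", "blocking entry", line)
        if "." in host:
            return Finding(sec, "suspicious", "public domain name redirected to another IP", line)
        # Bare machine names like these can be pushed by a corporate VPN client;
        # confirm with the network owner before deleting them, or they come back.
        return Finding(sec, "review", "bare machine name; possibly VPN-managed, confirm before removing", line)
    if sec == "O2":
        if _windir_unknown(parts[-1]):
            return Finding(sec, "suspicious", "unknown BHO loaded from the Windows directory", line)
        if "(no name)" in parts[0]:
            return Finding(sec, "review", "unnamed BHO, identify the vendor", line)
        return Finding(sec, "ok", "named BHO under an application directory", line)
    if sec == "O4":
        cmd = re.search(r"\]\s*(.*)$", body)
        cmd = cmd.group(1) if cmd else ""
        # Quoted path, or an unquoted path with spaces ending in an executable extension.
        ex = re.match(r'"([^"]+)"|(\S.*?\.(?:exe|com|scr|bat))(?:\s|$)', cmd, re.I)
        exe = (ex.group(1) or ex.group(2)) if ex else cmd
        if "\\" not in exe:
            verdict = "ok" if exe.lower() in KNOWN_SYSTEM else "review"
            return Finding(sec, verdict, "bare executable name resolved via the search path", line)
        if _windir_unknown(exe):
            return Finding(sec, "suspicious", "unknown executable autostarts from the Windows directory", line)
        return Finding(sec, "ok", "autostart from an application directory (verify publisher)", line)
    if sec == "O16":
        host = urlparse(parts[-1]).hostname or ""
        if host.endswith(TRUSTED_DPF):
            return Finding(sec, "ok", "ActiveX control from an allowlisted site", line)
        return Finding(sec, "review", f"ActiveX control downloaded from {host}", line)
    if sec == "R3":
        if _windir_unknown(parts[-1]):
            return Finding(sec, "suspicious", "URLSearchHook DLL of unknown origin in the Windows directory", line)
        return Finding(sec, "review", "URLSearchHook present", line)
    if sec in ("R0", "R1") and "about:blank" in body:
        return Finding(sec, "review", "search/start page reset to about:blank", line)
    return Finding(sec, "review", "no rule for this section", line)


def triage(log_text):
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def summarize(findings):
    counts = {"suspicious": 0, "review": 0, "ok": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.verdict:10} {f.section:3} {f.reason}")
    print(summarize(found))
```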
Booter
11-02-2004, 07:32 PM
I see I stuttered in my post. Here's a few lines I had in the previous post:
"Do you use "Mywebsearch" for anything important? If not, put a check mark in the following boxes:
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm47547US "
Here's what I meant to say:
Do you use "Mywebsearch" for anything important? If not, put a check mark in the following boxes:
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm47547US
Bruce
teleguy
11-02-2004, 09:23 PM
OK Bruce....I'll go back and do a fix on the new items mentioned. OK, what I got after following your previous instructions using the old software version looked no different than before. All of the O1-Host items were still there. So I updated my version and re-ran, getting this output with a message box suggesting I delete my host file from C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS. (I have not done this yet). It looks like the same file except that the non-O1 items you had me remove are gone. ?????
Logfile of HijackThis v1.98.2
Scan saved at 12:25:10 AM, on 11/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HPConfig.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Marimba\CASTAN~1\Tuner.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\ZipToA.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WMI\WMIProviders\HPAlertWMI.exe
C:\WMI\WMIWDog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\atiptaxx.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\MouseWarePro\MWProEng.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\pgtaff.exe
C:\WINNT\oagse.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Palm\AlarmApp.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\downloads\VZLogin.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Lotus\Notes\NLNOTES.EXE
C:\Program Files\Palm\Palm.exe
C:\WINNT\System32\calc.exe
C:\WINNT\System32\MDM.EXE
C:\downloads\HijackThis.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.verizon.com/cgi-bin/getproxy
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\system32\cdsm32.dll
O1 - Hosts: 141.152.166.103 USNJJERMAGS01
O1 - Hosts: 161.128.67.197 USMALWLINDS03
O1 - Hosts: 161.128.66.197 USMALWLINDS02
O1 - Hosts: 104.138.3.7 USNYBNGHNRS01
O1 - Hosts: 161.128.65.197 USMALWLINDS01
O1 - Hosts: 104.153.226.135 USNYMNHETSS01
O1 - Hosts: 141.152.181.73 USNJFAIPOLS02
O1 - Hosts: 141.156.175.129 USMDBALYORS02
O1 - Hosts: 141.152.181.69 USNJFAIPOLS01
O1 - Hosts: 141.156.175.97 USMDBALYORS01
O1 - Hosts: 104.6.14.82 USMABRTLUNS01
O1 - Hosts: 144.28.12.7 USCATOK501S05
O1 - Hosts: 144.28.12.4 USCATOK501S04
O1 - Hosts: 144.28.12.2 USCATOK501S03
O1 - Hosts: 138.83.194.10 USCATOK501S02
O1 - Hosts: 105.13.43.27 USMABOSBWDS02
O1 - Hosts: 138.83.194.6 USCATOK501S01
O1 - Hosts: 105.13.43.25 USMABOSBWDS01
O1 - Hosts: 151.205.136.141 USPALACDUKS01
O1 - Hosts: 151.203.67.59 USMDSILFLDS06
O1 - Hosts: 151.203.67.58 USMDSILFLDS05
O1 - Hosts: 151.203.67.57 USMDSILFLDS04
O1 - Hosts: 104.148.82.191 USNYSTTFRSS01
O1 - Hosts: 151.203.66.144 USMDSILFLDS03
O1 - Hosts: 151.203.66.181 USMDSILFLDS02
O1 - Hosts: 151.203.66.179 USMDSILFLDS01
O1 - Hosts: 141.239.2.38 USHIHNLA07S02
O1 - Hosts: 141.239.2.23 USHIHNLA07S01
O1 - Hosts: 159.161.241.3 USWAEVTCARS01
O1 - Hosts: 159.161.208.56 USWISUNBHQS01
O1 - Hosts: 104.153.128.140 USNYJMCOSFS02
O1 - Hosts: 104.153.128.138 USNYJMCOSFS01
O1 - Hosts: 105.38.86.8 USNYBRYFAES01
O1 - Hosts: 104.148.50.135 USNYBRKOSAS02
O1 - Hosts: 104.148.50.133 USNYBRKOSAS01
O1 - Hosts: 151.205.32.4 USPALAD50NS01
O1 - Hosts: 105.38.11.100 USNYGNCZECS02
O1 - Hosts: 105.38.11.98 USNYGNCZECS01
O1 - Hosts: 104.132.9.37 USNYSYRTHMS02
O1 - Hosts: 104.132.9.39 USNYSYRTHMS01
O1 - Hosts: 144.70.124.24 USILBLMBHQS01
O1 - Hosts: 104.148.18.40 USNYMNHTTHS01
O1 - Hosts: 143.91.215.233 USTXSANSUNS02
O1 - Hosts: 159.161.203.4 USINFTWBWTS01
O1 - Hosts: 144.28.176.3 USCAIRWG02S01
O1 - Hosts: 166.68.210.35 USMAANDONCS01
O1 - Hosts: 159.161.151.194 USCAHBHV24S01
O1 - Hosts: 141.152.140.53 USNJORAKINS01
O1 - Hosts: 141.153.15.145 USPAHARSTRS02
O1 - Hosts: 141.153.15.132 USPAHARSTRS01
O1 - Hosts: 138.88.102.152 USWVCHABROS02
O1 - Hosts: 138.88.103.246 USWVCHABROS01
O1 - Hosts: 104.148.86.45 USNYBRXWPLS02
O1 - Hosts: 141.157.41.1 USVARICNNSS02
O1 - Hosts: 104.148.86.203 USNYBRXWPLS01
O1 - Hosts: 144.70.63.13 USINWFDLSCS02
O1 - Hosts: 159.161.196.69 USINWFDLSCS01
O1 - Hosts: 144.28.94.1 USCASMNEXPS01
O1 - Hosts: 161.128.112.26 USMAMYNCLCS01
O1 - Hosts: 104.148.83.111 USNYBRX2WAS02
O1 - Hosts: 104.148.83.111 USNYBRX2WAS01
O1 - Hosts: 141.154.154.252 USDEDOVSTAS01
O1 - Hosts: 141.157.45.211 USVARICHSPS02
O1 - Hosts: 104.148.51.160 USNYBRKBRDS01
O1 - Hosts: 105.38.73.242 USNYWNTWNTS02
O1 - Hosts: 104.153.3.245 USNYMNHBRDS04
O1 - Hosts: 141.157.45.219 USVARICHSPS01
O1 - Hosts: 105.38.73.240 USNYWNTWNTS01
O1 - Hosts: 104.153.3.242 USNYMNHBRDS03
O1 - Hosts: 161.128.208.51 USNYBFFFRNS01
O1 - Hosts: 104.153.3.240 USNYMNHBRDS02
O1 - Hosts: 105.38.3.214 USNYMNHBRDS01
O1 - Hosts: 138.83.162.9 USCASACICCS02
O1 - Hosts: 138.83.162.3 USCASACICCS01
O1 - Hosts: 104.148.108.103 USNYBRKWLLS01
O1 - Hosts: 151.205.135.171 USPADARCHES01
O1 - Hosts: 159.161.170.212 USFLSTPMAIS01
O1 - Hosts: 136.151.173.42 USNCDUR6RXS02
O1 - Hosts: 136.151.173.40 USNCDUR6RXS01
O1 - Hosts: 141.155.80.139 USPAPITSTAS04
O1 - Hosts: 141.155.76.84 USPAPITSTAS03
O1 - Hosts: 161.128.61.80 USMABOSFRSS01
O1 - Hosts: 141.156.125.90 USMDBALSTPS01
O1 - Hosts: 144.8.13.216 USWAEVTEGOS04
O1 - Hosts: 159.161.180.10 USWAEVTEGOS01
O1 - Hosts: 104.8.33.103 USMASPRSTTS01
O1 - Hosts: 104.24.251.39 USMABOSHSOS02
O1 - Hosts: 104.6.32.17 USMATAUPLNS01
O1 - Hosts: 104.148.83.199 USNYBRXWSTS02
O1 - Hosts: 104.148.89.12 USNYVLHSMMS01
O1 - Hosts: 104.148.83.247 USNYBRXWSTS01
O1 - Hosts: 159.161.159.134 USCAVTVS18S01
O1 - Hosts: 162.83.86.74 USNJCRAORAS02
O1 - Hosts: 162.83.86.69 USNJCRAORAS01
O1 - Hosts: 141.152.117.19 USNJNEWBROS03
O1 - Hosts: 141.152.117.6 USNJNEWBROS02
O1 - Hosts: 141.152.117.4 USNJNEWBROS01
O1 - Hosts: 104.6.30.8 USMAWORCHES01
O1 - Hosts: 151.205.125.120 USPAEXTGORS01
O1 - Hosts: 141.154.6.69 USDEWILTATS02
O1 - Hosts: 104.6.33.98 USMAMRLLCDS01
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper100.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {D9972C8B-6B81-4388-ABBC-AA2A22CE1F4E} - C:\WINNT\system32\qlheb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\Run: [qlhebc] C:\WINNT\system32\qlhebc.exe
O4 - HKLM\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
O4 - HKLM\..\Run: [xbmele] C:\WINNT\oagse.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
O4 - HKCU\..\Run: [bw36RjJnR] gptlace.exe
O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .rx: C:\Program Files\Attachmate\KEA! X\npacirx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/english/cyberstore/audiopack/xp_audio/ChkDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/10a4b2ccb10bd9b0eb05/netzip/RdxIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_01) - https://soa01.verizon.com/plugin/j2re-1_3_1_01-win.exe
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://webclass2.verizon.com/wld/Install/CentraDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O16 - DPF: {CAFECAFE-0013-0001-0008-ABCDEFABCDEF} (JInitiator 1.3.1.8) - http://vrfhvp07.verizon.com:7779/discoverer/plus_files/plugin/jinit1318.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O17 - HKLM\System\CCS\Services\Tcpip\..\{42EE04D1-2F8E-486C-8D81-1611ADDF4D7E}: NameServer = 151.203.111.6,151.203.162.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = verizon.com,gte.com,bellatlantic.com,nynex.com,bell-atl.com,ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{42EE04D1-2F8E-486C-8D81-1611ADDF4D7E}: NameServer = 151.203.111.6,151.203.162.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = verizon.com,gte.com,bellatlantic.com,nynex.com,bell-atl.com,ent.verizon.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{42EE04D1-2F8E-486C-8D81-1611ADDF4D7E}: NameServer = 151.203.111.6,151.203.162.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = verizon.com,gte.com,bellatlantic.com,nynex.com,bell-atl.com,ent.verizon.com
Booter
11-02-2004, 09:46 PM
Yep, the 01's came back didn't they. It's late, and I'm getting tired.
I think the problem is in the Hosts file, and perhaps there are some other steps we need to take.
If you want to do a log analysis yourself, go to this link, then put it on your favorites list where you can find it again.
http://hijackthis.de/index.php
Now, copy your Hijackthis log, switch over to the page above, and paste your log into the box near the top of the page.
Then, when you click on "Analyze", a few seconds later you will see the log analysis and recommendations.
I'll leave a message for another guy and see if I can get us some professional help in the morning. If he joins in, look at what he has to say. He'll already have your last log available in your post.
Bruce
teleguy
11-02-2004, 10:17 PM
Bruce, I can't thank you enough for your help. I ran the analyzer and came up with quite a few "nasty's". I'm tired too so we'll continue tomorrow.
Jerry
Booter
11-03-2004, 09:44 AM
Mornin',
I was up all night watching the elections. Still tired.
I left a message for a fellow I respect very much to join us, but he's not here, so either he didn't get the message, or he's busy elsewhere.
I'm putting together a plan. In this post, I'll overview the plan and try to give you reasons for each step. If it works out, I'll save it to a Wordpad file for later use.
Here is a list of the steps I plan to take, and why. Any constructive criticism from anywhere would be appreciated.
1. Disable System Restore.
2. Restart the computer in Safe mode.
3. Make some changes to the Hosts file.
4. (Possibly) back up the registry, just in case.....
5. Use HijackThis to make some corrections to the registry.
6. Run a full system scan using your A/V software.
7. Reboot in normal mode.
8. Turn System Restore back on.
Here's a brief discussion on each point before we begin:
I don't know what Anti Virus system you are using, but it might be a good idea to log on now and make sure you have the latest virus definitions and dat files before we start.
1. Disable System Restore.
We don't know when the infection occurred, but there is a high probability that your system automatically created one or more restore points between then and now. These would have backed up the infection along with the other important files.
Turning off System Restore means that you will lose all System Restore points that were saved on your system before today, but . . . such is life.
2. Restart the computer in Safe mode.
We're going to reboot to Safe mode because we don't want any unnecessary or misbehaving programs interfering with our corrective steps.
3. Make some changes to the Hosts file.
This will involve deleting a number of lines from the Hosts file. There may be a faster and safer way of doing it, but I'll give you my best advice to date. There is one specific line in the Hosts file which we MUST NOT delete, so if we run into any trouble, be careful.
4. (Possibly) back up the registry, just in case.....
Since we've lost your System Restore points, we might back up the registry in case we get in trouble. At least then, we'd be able to get back to the condition it was in when we started. I'm thinking this over.
(In writing the next step, I concluded that this registry backup step is probably not a good idea because, when we finish, we want no leftovers on the system which might cause re-infection.)
5. Use HijackThis to make some corrections to the registry.
This will delete the items we check from the registry. We don't want them backed up because (we think) they are the entries causing the problem.
6. Run a full system scan using your A/V software.
Seems logical. Fix any problems that it finds.
7. Reboot in normal mode.
8. Turn System Restore back on.
Bruce
Booter
11-03-2004, 04:42 PM
Been studying this all day. Here are my recommendations.
1. Turn off System restore.
Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
You'll lose all your previous restore points, but they're probably infected anyway.
Click yes, Click OK
2. Get your Hijack log analysis on the desktop or printed for reference.
Run the analyzer. At the bottom of the page, right click on "Save Analysis", click on "Save target as...", save to desktop. If you need it later, you can double click the desktop ICON to view the analysis while offline.
3. Boot in Safe Mode.
Power down, wait 30 sec. Power on.
At the first splash screen, begin tapping the F8 key. Boot options will start.
At boot options, use up/down arrows to select "Safe Mode", press enter.
4. When up in safe mode, run HijackThis, do a scan. Here's my advice on where to put checks to correct problems.
(Note that HijackThis will edit the registry and hosts files for us, I think. If this doesn't work on the host file, we may need to do it manually.)
All 01 - Hosts entries
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm (If you do not know the entry 'C:\WINNT\about.htm' is, delete it.)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\system32\cdsm32.dll (Should be fixed if you do not know this application)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper100.dll (Fix if you don't know what it is)
O2 - BHO: SDWin32 Class - {D9972C8B-6B81-4388-ABBC-AA2A22CE1F4E} - C:\WINNT\system32\qlheb.dll (Fix if you don't know what it is)
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe (Fix if you don't know what it is)
O4 - HKLM\..\Run: [qlhebc] C:\WINNT\system32\qlhebc.exe (Fix if you don't know what it is)
O4 - HKLM\..\Run: [pgtaff] C:\WINNT\pgtaff.exe (Fix if you don't know what it is)
O4 - HKLM\..\Run: [xbmele] C:\WINNT\oagse.exe (Fix if you don't know what it is)
O4 - HKCU\..\Run: [pgtaff] C:\WINNT\pgtaff.exe (Fix if you don't know what it is)
O4 - HKCU\..\Run: [bw36RjJnR] gptlace.exe (Fix if you don't know what it is)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) (Fix)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab (Fix if you don't know what it is)
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/english/cyberstore/audiopack/xp_audio/ChkDVD.cab (Fix if you don't know what it is)
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab (Fix if you don't know what it is)
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab (Fix if you don't know what it is)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webex.com/client/latest/webex/ieatgpc.cab (This is a Verizon site, but marked Nasty. Your choice, might be OK, might not.)
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab (Fix if you don't know what it is)
The rest look like your ISP (Verizon), or an HP site, so are probably OK.
Note: For the 017's, they all have Verizon or Bellatlantic in them, or the IP's (such as 151.203.111.6,151.203.162.6 ) I've checked as belonging to Verizon.
Apply the fixes. You might want to do another scan to see if anything else is found.
5. You might want to do an Anti Virus scan. Fix anything it finds.
6. Reboot in normal mode.
7. Run another HijackThis log, post it here.
If I've figured this correctly, this should correct most of your problems. If not, we'll have to figure out why. It would probably be a good idea to keep a record of which Hijack problems you corrected, and which you did not.
When everything looks OK, don't forget to turn System Restore back on.
Bruce
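The triage rules Booter lays out above (fix every O1 hosts entry, fix unnamed BHOs and buttons with no file behind them, treat ActiveX downloads and DNS servers as OK only when they belong to the ISP or a known vendor, review everything else) can be applied to a log mechanically. The script below is an added example, not HijackThis's own code and not part of this thread; the trusted-domain set, the O1 hosts line and the second O17 line with the 192.0.2.53 name server are constructed, and the two-label "registrable domain" rule is a simplification that misreads registries such as .co.uk.

```python
"""Triage of HijackThis-style log lines following the advice in the thread.
Added example; not HijackThis's own code and not part of the original post."""
import re
from urllib.parse import urlparse

# Registrable domains the thread treats as known-good download sources
# (the user's ISP/employer and the HP diagnostics site). Assumption: edit for your ISP.
TRUSTED_DOMAINS = {"verizon.com", "hp.com"}
# DNS servers the thread checked as belonging to Verizon.
TRUSTED_NAMESERVERS = {"151.203.111.6", "151.203.162.6"}

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
DPF_URL_RE = re.compile(r"-\s+(?P<url>https?://\S+)\s*$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")

# Constructed sample: lines quoted from the thread plus two constructed ones
# (the O1 hosts redirection and the O17 line naming 192.0.2.53).
SAMPLE_LOG = r"""
O1 - Hosts: 192.0.2.10 www.search-example.test
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper100.dll
O2 - BHO: SDWin32 Class - {D9972C8B-6B81-4388-ABBC-AA2A22CE1F4E} - C:\WINNT\system32\qlheb.dll
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42EE04D1-2F8E-486C-8D81-1611ADDF4D7E}: NameServer = 151.203.111.6,151.203.162.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{42EE04D1-2F8E-486C-8D81-1611ADDF4D7E}: NameServer = 151.203.111.6,192.0.2.53
"""


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: wrong for .co.uk-style registries."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _verdict(kind, verdict, reason):
    return {"kind": kind, "verdict": verdict, "reason": reason}


def triage_line(line):
    """Classify one log line as fix / review / ok, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O1":
        return _verdict(kind, "fix", "hosts-file redirection; the thread fixes all O1 entries")
    if kind == "O2":
        if "(no name)" in body:
            return _verdict(kind, "fix", "unnamed Browser Helper Object")
        return _verdict(kind, "review", "named BHO; keep only if you know the program")
    if kind == "O9" and "(no file)" in body:
        return _verdict(kind, "fix", "toolbar button whose file is missing")
    if kind == "O16":
        url = DPF_URL_RE.search(body)
        host = urlparse(url.group("url")).hostname if url else None
        if host and registrable_domain(host) in TRUSTED_DOMAINS:
            return _verdict(kind, "ok", f"ActiveX download from trusted domain {host}")
        return _verdict(kind, "review", f"ActiveX download from {host or 'unknown host'}")
    if kind == "O17":
        ns = NAMESERVER_RE.search(body)
        if ns:
            unknown = set(ns.group("servers").split(",")) - TRUSTED_NAMESERVERS
            if unknown:
                return _verdict(kind, "review", "DNS server not on ISP list: " + ",".join(sorted(unknown)))
            return _verdict(kind, "ok", "DNS servers match the ISP's")
        return _verdict(kind, "review", "DNS suffix search list; confirm the domains are your ISP's")
    # R0/R3/O4 and anything else: keep only if the program is recognised.
    return _verdict(kind, "review", "unrecognised startup item, hook or page setting")


def triage_log(text):
    """Triage every recognised entry in a log; non-entry lines are skipped."""
    return [r for r in (triage_line(line) for line in text.splitlines()) if r]


def summarize(results):
    """Count verdicts so the record of what was fixed and what was not is easy to keep."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for r in results:
        print(f'{r["kind"]:4} {r["verdict"]:7} {r["reason"]}')
    print(summarize(results))
```

The output is a worksheet, not a fix list: "review" items still need the "do you know this program?" decision the thread insists on, and the trusted sets must be filled in for your own ISP before the "ok" verdicts mean anything.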
teleguy
11-04-2004, 07:33 AM
Bruce... Sorry I have been slow to reply.. Things have been crazy at work. Most of the suggestions seem logical to me but only for my lack of knowledge. After work I will follow the steps you have suggested and post results tonight.
The Verizon entries are legit... I work for them. Man, is there any way I can repay you for this advice? Thanks for your diligence. If there's anything you need regarding vintage tube driven audio amps/preamps, let me know. That is my specialty.
Thanks again,
Jerry
tom_keefer
11-04-2004, 01:06 PM
Booter, didn't you say you really liked '58 Corvettes?
Tom
ya'aa'tey
stratcat250
11-04-2004, 08:58 PM
Hey Teleguy, I have a 66 Vibrolux that's giving me trouble but this isn't the Fender Forums!!!
Bob
littlefeatfan
11-13-2004, 08:40 PM
I think I may have stumbled across a fix for the "enhancemysearch.com" problem. I had it pop every time I entered a search keyword in Google and hit enter. The Google results would appear and almost immediately "enhancemysearch" would come up. Now I'm no software expert but this is what I found.
I did the following to my computer running W2K and it seems to have gotten rid of it without any side effects.
Run Hijack This and go down to the BHO's (Browser Helper Objects).
If you still see the "no name" with the string
{017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper100.dll
Check it and Hit "Fix" and then ok a delete.
Reboot and pull up IE and do a quick Google search. It should have gotten rid of the hijacker.
I recognized the "F86F" part of the string and after checking my log I compared it to the same string you had in your log and noticed the strings were identical, which prompted me to write you.
As I said this worked on my machine. You might check with some of the other guys to see if they think this is ok to do before proceeding.
Good Luck.