Outlook Express has been HI-Jacked

Discussion in 'Computer Support' started by Guest, Apr 13, 2005.

  1. Guest

    Guest Guest

    A BLANK CHEQUE TO ANYONE THAT SOLVE THIS?

    I am running XP and my Internet Explorer has been captured by some sort of
    toolbar that continually loads all sorts of web pages. I right clicked on
    the bogus toolbar then clicked properties and it states:

    PROTOCOL: HyperText Transfer Protocol


    ADDRESS: (URL) HTTP: myserchnow.com/passthrough/newpass2. HTLM.

    Shopping.net/toolbar. HTLM

    --------
    How can I trace where this spy-ware is? I tried Ad-Aware and Microsoft's own
    spy-ware Beta software and both found spy-ware and deleted it but still the
    toolbar keeps coming back when I reboot? I have web-addresses in my favourites
    that I didn't put there, but when I go into my favourites folder to list and
    delete them the mystery favourites don't appear, therefore I can't see them to
    delete them?

    ---------

    UPDATE

    I reluctantly went out today and bought McAfee Internet Security Suite for
    £24.75 at PC World, as it was reduced for a couple of days from £29.99.
    Unfortunately McAfee hasn't helped me. I still have this toolbar that I can't
    get rid of and I can't delete the web addresses that have been put into my
    favourites. As I have said before, when I list my favourites the bogus web site
    addresses do not appear in the list, for me to delete them? How can I delete them? One
    more question, can I download Search & Destroy while I have McAfee installed
    on my computer, because, before I bought McAfee today I had already
    downloaded Search & Destroy to scan my disk. It also found spyware but it
    wouldn't delete the spyware unless I bought the product. I have been told
    that this should not have happened as S & D was FREE, have I done something
    wrong? I think this has happened to me before?

    Oh yes, does anyone want to buy the McAfee I.N.S that has been used once for
    a penny?



    My computer skills are still NIL, therefore could you please keep any advice
    simple, thank you.
     
    Guest, Apr 13, 2005
    #1

  2. Guest

    neville Guest

    Sounds like a job for Frank DeLucca MS MPV and his service pak2.
    I would appreciate a cut for the referral though.
    "<<Scottie>>" <> wrote in message
    news:yyb7e.17139$...
    >A BLANK CHEQUE TO ANYONE THAT SOLVE THIS?
    >
    > I am running XP and my Internet Explorer has been captured by some sort of
    > toolbar that continually loads all sorts of web pages. I right clicked on
    > the bogus toolbar then clicked properties and it states:
    >
    > PROTOCOL: HyperText Transfer Protocol
    >
    >
    > ADDRESS: (URL) HTTP: myserchnow.com/passthrough/newpass2. HTLM.
    >
    > Shopping.net/toolbar. HTLM
    >
    > --------
    > How can I trace where this spy-ware is? I tried Ad-Aware and Microsoft's
    > own spy-ware Beta
    > software and both found spy-ware and deleted it but still the toolbar
    > keeps coming back when I reboot? I have web-addresses in my favourites
    > that I didn't put there, but when I go into my favourites folder to list
    > and delete them the mystery favourites don't appear, therefor I can't see
    > them to delete them?
    >
    > ---------
    >
    > UPDATE
    >
    > I reluctantly went out today and bought McAfee Internet Security Suite for
    > £24.75
    > at PC World, as it was reduced for a couple of days from £29.99.
    > Unfortunately
    > McAfee hasn't helped me. I still have this toolbar that I can't get rid of
    > and I cant delete the web addresses that have been put into my favourites.
    > As I have said before when I list my favourites the bogus web site address
    > do not appear in the list, for me to delete them? How can I delete them?
    > One more question, can I download Search & Destroy while I have McAfee
    > installed on my computer, because, before I bought McAfee today I had
    > already downloaded Search & Destroy to scan my disk. It also found spyware
    > but it wouldn't delete the spyware unless I bought the product. I have
    > been told that this should not have happened as S & D was FREE, have I
    > done something wrong? I think this has happened to me before?
    >
    > Oh yes, does anyone want to buy the McAfee I.N.S that has been used once
    > for a penny?
    >
    >
    >
    > My computer skills are still NILL therefor could you please keep any
    > advice simple, thank you.
    >
    >
     
    neville, Apr 13, 2005
    #2

  3. Guest

    why? Guest

    On Wed, 13 Apr 2005 16:13:18 GMT, <<Scottie>> wrote:

    >A BLANK CHEQUE TO ANYONE THAT SOLVE THIS?
    >
    >I am running XP and my Internet Explorer has been captured by some sort of
    >toolbar that continually loads all sorts of web pages. I right clicked on
    >the bogus toolbar then clicked properties and it states:
    >
    >PROTOCOL: HyperText Transfer Protocol
    >
    >
    >ADDRESS: (URL) HTTP: myserchnow.com/passthrough/newpass2. HTLM.
    >
    >Shopping.net/toolbar. HTLM


    Try running,
    SpyBot S&D , http://security.kolla.de/


    The toolbar name, mysearchnow produces lots of hits in Google.
    http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20833849.html



    1)
    http://short-media.com/forum/showthread.php?p=166159
    It's a long thread, with several HiJackThis (from)
    http://www.spywareinfo.com/~merijn/downloads.html
    logs. The person reported the problem was sorted, it involves fixing
    several of the startup entries and running this -
    OmegakillerSM, which will remove Mysearchnow.com and the toolbar.

    Information about the search page hijacking
    http://www.short-media.com/review.php?r=252&p=1


    The thread finishes off with -

    Then, run the Omegakiller application to restore your HOSTS file against
    their domains.

    Then....set a new System Restore Point. Follow Step 9 in this article:

    Removal steps
    http://www.short-media.com/review.php?r=252&p=3

    <snip>

    Me
     
    why?, Apr 13, 2005
    #3
  4. Guest

    Gordon Guest

    neville wrote:
    > Sounds like a job for Frank DeLucca MS MPV and his service pak2.
    > I would appreciate a cut for the referral though.


    Nice one, Neville!

    :)
     
    Gordon, Apr 13, 2005
    #4
  5. <<Scottie>> wrote:
    > A BLANK CHEQUE TO ANYONE THAT SOLVE THIS?
    >
    > I am running XP and my Internet Explorer has been captured by some
    > sort of toolbar that continually loads all sorts of web pages. I
    > right clicked on the bogus toolbar then clicked properties and it states:
    >
    > PROTOCOL: HyperText Transfer Protocol
    >
    >
    > ADDRESS: (URL) HTTP: myserchnow.com/passthrough/newpass2. HTLM.
    >
    > Shopping.net/toolbar. HTLM
    >
    > --------
    > How can I trace where this spy-ware is? I tried Ad-Aware and
    > Microsoft's own spy-ware Beta
    > software and both found spy-ware and deleted it but still the toolbar
    > keeps coming back when I reboot? I have web-addresses in my
    > favourites that I didn't put there, but when I go into my favourites
    > folder to list and delete them the mystery favourites don't appear,
    > therefor I can't see them to delete them?
    >
    > ---------
    >
    > UPDATE
    >
    > I reluctantly went out today and bought McAfee Internet Security
    > Suite for £24.75
    > at PC World, as it was reduced for a couple of days from £29.99.
    > Unfortunately
    > McAfee hasn't helped me. I still have this toolbar that I can't get
    > rid of and I cant delete the web addresses that have been put into my
    > favourites. As I have said before when I list my favourites the bogus web
    > site
    > address do not appear in the list, for me to delete them? How can I delete
    > them? One more question, can I download Search & Destroy while I have
    > McAfee installed on my computer, because, before I bought McAfee
    > today I had already downloaded Search & Destroy to scan my disk. It
    > also found spyware but it wouldn't delete the spyware unless I bought
    > the product. I have been told that this should not have happened as S
    > & D was FREE, have I done something wrong? I think this has happened
    > to me before?
    > Oh yes, does anyone want to buy the McAfee I.N.S that has been used
    > once for a penny?
    >
    >
    >
    > My computer skills are still NILL therefor could you please keep any
    > advice simple, thank you.


    This a very nasty thing to get rid off. We suggest you download, install and
    update Service Pak 2. Then start in safe mode and run Service Pak 2 again.
    It should be able to find the culprit. If not, poast back with your real
    email address so we can send you a patch by private email.

    Glad to be of any help, as always.
    --
    - Frank DeLucca -

    MS-MPV (Confirmation coming up any time now, seconds are ticking away..)
     
    Frank DeLucca, MS-MPV, Apr 13, 2005
    #5
  6. Guest

    °Mike° Guest

    Download, update and use ALL of the following -- even
    if you already have them installed, UPDATE THEM NOW.
    Malware changes by the day, even by the hour, so you MUST
    have the latest version of removal tools:

    Spybot Search & Destroy
    http://www.safer-networking.org/en/index.html
    SpyBot S&D guide
    http://www.chem.wisc.edu/~network/spybot/

    Ad-Aware SE
    http://www.lavasoftusa.com/
    Ad-Aware VX2 cleaner plug-in
    http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml
    IMPORTANT NOTICE:
    http://www.mvps.org/winhelp2002/hosts.htm#Attention

    Spyware Blaster
    http://www.javacoolsoftware.com/spywareblaster.html

    CWShredder (CoolWebSearch remover)
    http://cwshredder.net/cwshredder/cwschronicles.html
    Now maintained by InterMute
    http://www.intermute.com/spysubtract/cwshredder_download.html
    http://cwshredder.net/bin/CWShredder.exe


    In <yyb7e.17139$>,
    <<Scottie>> took 50 lines to utter:

    >A BLANK CHEQUE TO ANYONE THAT SOLVE THIS?
    >
    >I am running XP and my Internet Explorer has been captured by some sort of
    >toolbar that continually loads all sorts of web pages. I right clicked on
    >the bogus toolbar then clicked properties and it states:


    <snip>

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, Apr 13, 2005
    #6
  7. Guest

    Guest Guest

    My thanks for all the advice. It's nice to hear from you again Mike. To my
    rescue as usual. I have finally downloaded Spybot and it found and deleted
    17 errors. I am about to try Internet Explorer again, fingers X. Mike can I
    download all the software you recommended while I have McAfee installed on
    my computer? Once again my thanks to all.
    ----------
    "°Mike°" <> wrote in message
    news:42626722.2739343@localhost...
    > Download, update and use ALL of the following -- even
    > if you already have them installed, UPDATE THEM NOW.
    > Malware changes by the day, even by the hour, so you MUST
    > have the latest version of removal tools:
    >
    > Spybot Search & Destroy
    > http://www.safer-networking.org/en/index.html
    > SpyBot S&D guide
    > http://www.chem.wisc.edu/~network/spybot/
    >
    > Ad-Aware SE
    > http://www.lavasoftusa.com/
    > Ad-Aware VX2 cleaner plug-in
    > http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml
    > IMPORTANT NOTICE:
    > http://www.mvps.org/winhelp2002/hosts.htm#Attention
    >
    > Spyware Blaster
    > http://www.javacoolsoftware.com/spywareblaster.html
    >
    > CWShredder (CoolWebSearch remover)
    > http://cwshredder.net/cwshredder/cwschronicles.html
    > Now maintained by InterMute
    > http://www.intermute.com/spysubtract/cwshredder_download.html
    > http://cwshredder.net/bin/CWShredder.exe
    >
    >
    > In <yyb7e.17139$>,
    > <<Scottie>> took 50 lines to utter:
    >
    >>A BLANK CHEQUE TO ANYONE THAT SOLVE THIS?
    >>
    >>I am running XP and my Internet Explorer has been captured by some sort of
    >>toolbar that continually loads all sorts of web pages. I right clicked on
    >>the bogus toolbar then clicked properties and it states:

    >
    > <snip>
    >
    > --
    > Basic computer maintenance
    > http://uk.geocities.com/personel44/maintenance.html
     
    Guest, Apr 13, 2005
    #7
  8. Guest

    °Mike° Guest

    You're welcome.

    And yes, you can install all of the software with McAfee installed,
    but if anything complains during install, temporarily disable
    McAfee (after scanning, of course).

    In <HDe7e.21159$>,
    <<Scottie>> took 51 lines to utter:

    >My thanks for all the advice. It's nice to hear from you again Mike. To my
    >rescue as usual. I have finally downloaded Spybot and it found and deleted
    >17 errors. I am about to try Internet Explorer again, fingers X. Mike can I
    >download all the software you recommended while I have McAfee installed on
    >my computer? Once again my thanks to all.


    <snip>

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, Apr 13, 2005
    #8
  9. Guest

    Guest Guest

    I tried Internet Explorer but I am still getting the bogus toolbar? I have
    tried to send the Search & Destroy report with this post but the fonts are
    very small, so I don't know if I will be able to send it?


    <snip>
     
    Guest, Apr 13, 2005
    #9
  10. Guest

    °Mike° Guest

    A SpyBot S&D log is useless for diagnosis. Install HijackThis
    and post the contents of that log here.

    HijackThis
    http://mjc1.com/mirror/hjt/
    http://www.spywareinfo.com/~merijn/files/hijackthis.zip
    http://209.133.47.12/~merijn/files/HijackThis.exe
    http://aumha.org/downloads/hijackthis.zip
    http://aumha.org/downloads/hijackthis.exe


    In <A4f7e.40$>,
    <<Scottie>> took 80 lines to utter:

    >I tried Internet Explorer but I am still getting the bogus toolbar? I have
    >tried to send the Search & Destroy report with this post but the fonts are
    >very small, so I don't know if I will be able to send it?


    <snip>

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, Apr 13, 2005
    #10
  11. "<<Scottie>>" <> wrote in message
    news:yyb7e.17139$...
    >A BLANK CHEQUE TO ANYONE THAT SOLVE THIS?
    >
    > I am running XP and my Internet Explorer has been captured by some sort of
    > toolbar that continually loads all sorts of web pages. I right clicked on
    > the bogus toolbar then clicked properties and it states:
    >
    > PROTOCOL: HyperText Transfer Protocol
    >
    >
    > ADDRESS: (URL) HTTP: myserchnow.com/passthrough/newpass2. HTLM.
    >
    > Shopping.net/toolbar. HTLM
    >
    > --------
    > How can I trace where this spy-ware is? I tried Ad-Aware and Microsoft's
    > own spy-ware Beta
    > software and both found spy-ware and deleted it but still the toolbar
    > keeps coming back when I reboot? I have web-addresses in my favourites
    > that I didn't put there, but when I go into my favourites folder to list
    > and delete them the mystery favourites don't appear, therefor I can't see
    > them to delete them?
    >
    > ---------


    May be some help here:
    http://short-media.com/forum/showthread.php?p=166159
     
    Oxford Systems, Apr 13, 2005
    #11
  12. Guest

    Guest Guest

    I hope this can help Mike? Thanks for your help.
    -------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 21:44:26, on 13/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Xerox One Touch\OneTouchMon.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

    http://www.pdtuhghnjyhngmfekwgp.com/LGSEX1YgMxKR0pk/Rx95YD72xMW14qXVLoTqFlMY8BCopO7PGKM9pLbk

    LgCXGjqQ.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride =

    127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program

    Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} -
    c:\program

    files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} -
    c:\program

    files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
    Files\Spybot -

    Search & Destroy\SDHelper.dll
    O2 - BHO: EpsonToolBandKicker Class -
    {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program

    Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} -
    C:\Program

    Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} -

    c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [Motive SmartBridge]
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [EPSON Stylus C66 Series (Copy 1)]

    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P32 "EPSON Stylus
    C66 Series (Copy

    1)" /O6 "USB001" /M "Stylus C66"
    O4 - HKLM\..\Run: [EPSON Stylus C66 Series]

    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus
    C66 Series" /O5

    "LPT1:" /M "Stylus C66"
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler]
    C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One
    Touch\OneTouchMon.exe"
    O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program
    Files\SlySoft\AnyDVD\ElbyCheck.exe" /L

    AnyDVD
    O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe"

    -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KASP] "C:\Program Files\Kaspersky Lab\Kaspersky Security
    Suite\Kaspersky

    Anti-Spam Personal\OESpamTest.exe"
    O4 - HKLM\..\Run: [Proxyroadtickcopy] C:\Documents and Settings\All
    Users\Application

    Data\ListSiteProxyRoad\Pop This.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe"
    /checktask
    O4 - HKLM\..\Run: [VirusScan Online]
    "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    /embedding
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe
    /startup
    O4 - HKLM\..\RunServices: [RegisterDropHandler]
    C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [FRAG DEAD]
    C:\DOCUME~1\Alex\APPLIC~1\THUNKC~1\Ballprogram.exe
    O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program
    Files\McAfee\McAfee

    QuickClean\Plguni.exe /START
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

    Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband

    medic\bin\matcli.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft

    Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft
    Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

    C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console -
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

    C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program

    Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} -

    C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
    Class) -

    http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner -

    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee,
    Inc -

    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) -
    Networks Associates

    Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee
    Corporation -

    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates
    Technology. Inc.

    - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe


    "°Mike°" <> wrote in message
    news:...
    >A SpyBot S&D log is useless for diagnosis. Install HijackThis
    > and post the contents of that log here.
    >
    > HijackThis
    > http://mjc1.com/mirror/hjt/
    > http://www.spywareinfo.com/~merijn/files/hijackthis.zip
    > http://209.133.47.12/~merijn/files/HijackThis.exe
    > http://aumha.org/downloads/hijackthis.zip
    > http://aumha.org/downloads/hijackthis.exe
    >
    >
    > In <A4f7e.40$>,
    > <<Scottie>> took 80 lines to utter:
    >
    >>I tried Internet Explorer but I am still getting the bogus toolbar? I have
    >>tried to send the Search & Destroy report with this post but the fonts are
    >>very small, so I don't know if I will be able to send it?

    >
    > <snip>
    >
    > --
    > Basic computer maintenance
    > http://uk.geocities.com/personel44/maintenance.html
     
    Guest, Apr 13, 2005
    #12
  13. Guest

    °Mike° Guest

    In <4Bf7e.11523$>,
    <<Scottie>> took 223 lines to utter:

    >I hope this can help Mike? Thanks for your help.
    >-------------------
    >Logfile of HijackThis v1.99.1
    >Scan saved at 21:44:26, on 13/04/2005
    >Platform: Windows XP SP2 (WinNT 5.01.2600)
    >MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    >
    >Running processes:

    <snip>

    >C:\Program Files\Microsoft Office\Office\FINDFAST.EXE


    The above is not nasty, but will bog your computer down.
    Terminate the process and disable it -- see (1).


    >R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    >http://www.pdtuhghnjyhngmfekwgp.com...2xMW14qXVLoTqFlMY8BCopO7PGKM9pLbkLgCXGjqQ.php


    Have HijackThis fix the above.


    >R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    >Settings,ProxyOverride = 127.0.0.1


    Make sure that the above proxy settings are correct.


    >O4 - HKLM\..\Run: [Proxyroadtickcopy] C:\Documents and Settings\All
    >Users\Application Data\ListSiteProxyRoad\Pop This.exe


    I do not know what the above is. If you don't, then have HijackThis
    fix it.


    >O4 - HKCU\..\Run: [FRAG DEAD] C:\DOCUME~1\Alex\APPLIC~1\THUNKC~1\Ballprogram.exe


    Have HijackThis fix the above.


    >O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
    >Office\Office\FINDFAST.EXE


    (1). See comment at start, and fix the above.

    <snip>

    Also, it looks as though you have tried to second guess where line
    feeds should go, in the log, and entered them manually. If you did,
    please don't -- it was a mess.

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, Apr 13, 2005
    #13
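
Added example (not part of the thread and not HijackThis's own logic): a Python sketch of the triage walked through in the reply above. It first rejoins a hard-wrapped HijackThis log, the problem remarked on at the end of that reply, then flags R1 search URLs on unlisted hosts, proxy values to verify, and O4 autoruns that launch from an Application Data folder. The sample log, the `TRUSTED_HOSTS` list and the Application Data heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# HijackThis entries start with a section code such as "R1 - " or "O4 - ".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Heuristic (assumption): autoruns under "Application Data", long or 8.3 form.
APPDATA_RE = re.compile(r"\\(Application Data|APPLIC~\d)\\", re.IGNORECASE)
# Assumption: hosts accepted for IE search/start pages; adjust to your site.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")

# Constructed sample, hard-wrapped the way the posted log was.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.search-hijack.example/abc/def.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride =

127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program

Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SampleUpdater] C:\Documents and Settings\All
Users\Application

Data\SampleDir\sample.exe
O4 - HKCU\..\Run: [SAMPLE ENTRY]
C:\DOCUME~1\User\APPLIC~1\SAMPLE~1\sample2.exe
"""


def rejoin_entries(text):
    """Undo hard wrapping: glue continuation lines onto their entry.

    Pieces are joined with one space, which restores paths broken at a
    space. A break inside a long token (e.g. a URL) cannot be told apart,
    so URL checks below look only at the host, which comes first.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines carry no data
        if ENTRY_RE.match(line):
            entries.append(line)          # a new entry begins
        elif entries:
            entries[-1] += " " + line     # continuation of the previous entry
        # lines before the first entry (header, process list) are skipped
    return entries


def triage(entry):
    """Return a review label for one rejoined entry, or None."""
    code, body = entry.split(" - ", 1)
    if code in ("R0", "R1"):
        if "ProxyOverride" in body or "ProxyServer" in body:
            return "verify-proxy"         # confirm the proxy is intended
        match = URL_RE.search(body)
        if match:
            host = (urlsplit(match.group(0)).hostname or "").lower()
            trusted = any(host == t or host.endswith("." + t)
                          for t in TRUSTED_HOSTS)
            if not trusted:
                return "review-search-url"
    if code == "O4" and APPDATA_RE.search(body):
        return "review-autorun"           # startup item in a data folder
    return None


def findings(text):
    """List (label, entry) pairs for every entry that needs a look."""
    return [(label, e) for e in rejoin_entries(text)
            if (label := triage(e)) is not None]


if __name__ == "__main__":
    for label, entry in findings(SAMPLE_LOG):
        print(f"{label:18} {entry}")
```

A label here means "look at this entry", not "delete it"; each flagged item still has to be identified before anything is fixed.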
  14. Guest

    Guest Guest

    I had a look at your link and the person with the same problem as myself
    did get his Internet Express back, but I'm afraid there is no way in the
    world could I follow what he was advised to do. My computer skills are zero.
    -----------
    "Oxford Systems" <> wrote in message
    news:bjf7e.5585$...
    > "<<Scottie>>" <> wrote in message
    > news:yyb7e.17139$...
    >>A BLANK CHEQUE TO ANYONE THAT SOLVE THIS?
    >>
    >> I am running XP and my Internet Explorer has been captured by some sort
    >> of
    >> toolbar that continually loads all sorts of web pages. I right clicked on
    >> the bogus toolbar then clicked properties and it states:
    >>
    >> PROTOCOL: HyperText Transfer Protocol
    >>
    >>
    >> ADDRESS: (URL) HTTP: myserchnow.com/passthrough/newpass2. HTLM.
    >>
    >> Shopping.net/toolbar. HTLM
    >>
    >> --------
    >> How can I trace where this spy-ware is? I tried Ad-Aware and Microsoft's
    >> own spy-ware Beta
    >> software and both found spy-ware and deleted it but still the toolbar
    >> keeps coming back when I reboot? I have web-addresses in my favourites
    >> that I didn't put there, but when I go into my favourites folder to list
    >> and delete them the mystery favourites don't appear, therefor I can't see
    >> them to delete them?
    >>
    >> ---------

    >
    > May be some help here:
    > http://short-media.com/forum/showthread.php?p=166159
    >
    >
    >
     
    Guest, Apr 13, 2005
    #14
  15. Guest

    Guest Guest

    Mike you are a wizard. No toolbar and the bogus favourites have gone. What
    can I do to make sure that all the spyware has been deleted from my
    computer?

    YOU SAID
    Also, it looks as though you have tried to second guess where line
    feeds should go, in the log, and entered them manually. If you did,
    please don't -- it was a mess
    --------------
    Mike I don't know what happened to the report, I just copied it to notepad
    "I think" and posted it to you. You've made an unhappy guy HAPPY AGAIN.
    <snip>
    http://uk.geocities.com/personel44/maintenance.html
     
    Guest, Apr 13, 2005
    #15
  16. Guest

    °Mike° Guest

    In <iBg7e.67$>,
    <<Scottie>> took 15 lines to utter:

    >Mike you are a wizard. No toolbar and the bogus favourites have gone. What
    >can I do to make sure that all the spyware has been deleted from my
    >computer?


    See my very first post to you.

    >YOU SAID
    >Also, it looks as though you have tried to second guess where line
    >feeds should go, in the log, and entered them manually. If you did,
    >please don't -- it was a mess
    >--------------
    > Mike I don't know what happened to the report, I just copied it to notepad
    >"I think" and posted it to you.


    Ok, no big deal, but I had to take out the spurious line feeds
    to make head-or-tail of it.

    > You've made an unhappy guy HAPPY AGAIN.


    Cool, and you're welcome.

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, Apr 13, 2005
    #16
  17. Guest

    why? Guest

    On Wed, 13 Apr 2005 21:14:05 GMT, <<Scottie>> wrote:

    >I had a look at your link and the person with the same problem as myself
    >did get his Internet Express back, but I'm afraid there is no way in the


    Internet Express?

    >world could I follow what he was advised to do. My computer skills are zero.


    Read it carefully, here is a summary.

    The person with the problem posted a HijackThis log.

    They were advised to d/l and run a utility (see links in my previous
    post).

    .... then posted several other HijackThis logs (you may not need to do
    that) and said the removal tool didn't clear it out fully.

    .... upgraded HijackThis to a new version, the current one is later than
    mentioned in the thread.

    Told which entries to have HijackThis fix,

    A few more posts, told to fix other entries.

    Finally, told to follow step 9 of some instructions about the system
    restore point, and posted back saying it's gone.

    There isn't a magic cure-all, one of these similar search bars (at work)
    took a few hours to clear out and that was using several utilities,
    cleaners, Google and the manual removal notes from Symantec.

    >-----------
    >"Oxford Systems" <> wrote in message
    >news:bjf7e.5585$...
    >> "<<Scottie>>" <> wrote in message
    >> news:yyb7e.17139$...
    >>>A BLANK CHEQUE TO ANYONE THAT SOLVE THIS?
    >>>
    >>> I am running XP and my Internet Explorer has been captured by some sort
    >>> of
    >>> toolbar that continually loads all sorts of web pages. I right clicked on
    >>> the bogus toolbar then clicked properties and it states:
    >>>
    >>> PROTOCOL: HyperText Transfer Protocol
    >>>
    >>>
    >>> ADDRESS: (URL) HTTP: myserchnow.com/passthrough/newpass2. HTLM.
    >>>
    >>> Shopping.net/toolbar. HTLM

    <snip>
    >>
    >> May be some help here:
    >> http://short-media.com/forum/showthread.php?p=166159
    >>


    Me
     
    why?, Apr 13, 2005
    #17
  18. Guest

    Guest Guest

    Thanks for taking the time to try and help me. I have finally got my computer
    fixed, thanks to Mike "See Scottie/Mike a few posts up". I'm fortunate in
    that Mike has helped to solve problems for me on a number of occasions.
    ---------
    <snip>
     
    Guest, Apr 14, 2005
    #18
  19. Guest

    Gordon Guest

    Frank DeLucca, MS-MPV wrote:

    >
    > This a very nasty thing to get rid off. We suggest you download, install and
    > update Service Pak 2. Then start in safe mode and run Service Pak 2 again.
    > It should be able to find the culprit. If not, poast back with your real
    > email address so we can send you a patch by private email.
    >
    > Glad to be of any help, as always.


    I think you are a bot. And a pretty BORING one at that.
     
    Gordon, Apr 14, 2005
    #19
  20. Guest

    why? Guest

    On Wed, 13 Apr 2005 23:17:40 GMT, <<Scottie>> wrote:
    (hopefully posting addy used before is now working, it's still me)


    >Thanks for taking the time to try and help me. I have finally got my computer


    YW.

    >fixed, thanks to Mike "See Scottie/Mike a few posts up". I'm fortunate in


    Saw it a few minutes after I posted, didn't update for new posts fast
    enough.

    >that Mike has helped to solve problems for me on a number of occasions.


    Me
     
    why?, Apr 14, 2005
    #20
