Can't remove search bar

Discussion in 'Computer Support' started by rednose, Sep 6, 2004.

  1. rednose

    rednose Guest

    I've acquired a strange search bar that attaches itself to the task
    bar when IE is opened.
    I've run AVG and ad-ware removers but they haven't helped.

    Here is a copy of the HijackThis log in case it helps.

    Logfile of HijackThis v1.97.7
    Scan saved at 21:45:52, on 06/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Agent\agent.exe
    C:\MailWasher Pro\MailWasher.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\STEVE\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.wanadoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.wanadoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.wanadoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    =
    http://www.oliqaezybaaxhxehmwuzak.i...WBEPJw8qyeHEPpMCdmgxCjmtRTVZyBIm/ZphGHF7.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    Microsoft Internet Explorer provided by Wanadoo
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {B70DE4A8-6F21-4643-9B1A-AD0ECDC5C822} -
    C:\PROGRA~1\EXTRAJ~1\Noun Open.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    /STARTUP
    O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe
    -CheckReg
    O4 - HKLM\..\Run: [PinnacleDriverCheck]
    C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
    Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
    Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program
    Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
    3\MsgPlus.exe"
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
    C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Way Send Ante Save] C:\Documents and Settings\All
    Users\Application Data\Open wma way send\Copy atom.exe
    O4 - HKLM\..\Run: [UpDefy] C:\PROGRA~1\RDRARM~1\AnteShowSite.exe
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad
    Filter\PopFilter.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
    Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr
    SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
    C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program
    Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Icatch(VI) SnapDetect.lnk =
    C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet
    Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
    http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC}
    (MessengerStatsClient Class) -
    http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab27571.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
    Control) -
    http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
    http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.exe
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
    Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
    (PPSDKActiveXScanner.MainScreen) -
    http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} -
    http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
    (MessengerStatsClient Class) -
    http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37994.5167939815
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class)
    - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
    http://messenger.zone.msn.com/binary/ZIntro.cab27571.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
    Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune
    Object) - http://messenger.zone.msn.com/binary/WoF.cab27758.cab
    O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} -
    http://deposito.hostance.net/dialer/1025966.exe
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class)
    - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl
    Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown
    Class) -
    http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
    O17 -
    HKLM\System\CCS\Services\Tcpip\..\{6CCEF54D-4E5D-4DFE-BB2B-7EF86F4EF3D5}:
    NameServer = 195.92.195.94 195.92.195.95
     
    rednose, Sep 6, 2004
    #1

  2. rednose

    Smoker Guest

    Many people who use AdAware also use SpyBot Search & Destroy because each
    one catches things the other may miss. Give it a try.
     
    Smoker, Sep 6, 2004
    #2

  3. rednose

    °Mike° Guest

    Have HijackThis fix the above.

    I cannot identify the above. Unless you know what it is, treat it
    as suspicious.

    I cannot identify the above. Unless you know what it is, treat it
    as suspicious.

    I cannot identify the above. Unless you know what it is, treat it
    as suspicious.

    Have HijackThis fix the above.
    Have HijackThis fix the above.
    Have HijackThis fix the above.

    Unless the above IPs are from your network or ISP, have
    HijackThis fix the above.
     
    °Mike°, Sep 6, 2004
    #3
  4. rednose

    Howlis Guest

    Have you installed Messenger Plus recently? If so, uninstall and reinstall,
    but without adding the optional sponsor program.



     
    Howlis, Sep 7, 2004
    #4
  5. rednose

    samuel Guest

    Do you know how to post without adding a hundred lines?
     
    samuel, Sep 7, 2004
    #5
  6. rednose

    rednose Guest

    When I fix the above it reappears when I run IE6.

    Here is the log after the fix and the log after the IE restart.

    Logfile of HijackThis v1.97.7
    Scan saved at 16:55:17, on 07/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Smart Address 2000\SAENGINE.EXE
    C:\Program Files\Smart Address 2000\SARemind.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\STEVE\Local Settings\Temp\HijackThis.exe
    C:\Program Files\Agent\agent.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.wanadoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.wanadoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.wanadoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    Microsoft Internet Explorer provided by Wanadoo
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    /STARTUP
    O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe
    -CheckReg
    O4 - HKLM\..\Run: [PinnacleDriverCheck]
    C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
    Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
    Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program
    Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
    3\MsgPlus.exe"
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
    C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad
    Filter\PopFilter.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
    Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr
    SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
    C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program
    Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Icatch(VI) SnapDetect.lnk =
    C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet
    Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
    http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC}
    (MessengerStatsClient Class) -
    http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab27571.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
    Control) -
    http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
    Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
    (PPSDKActiveXScanner.MainScreen) -
    http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
    (MessengerStatsClient Class) -
    http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37994.5167939815
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class)
    - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
    http://messenger.zone.msn.com/binary/ZIntro.cab27571.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
    Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune
    Object) - http://messenger.zone.msn.com/binary/WoF.cab27758.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class)
    - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl
    Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown
    Class) -
    http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab


    After IE restart

    Logfile of HijackThis v1.97.7
    Scan saved at 16:55:41, on 07/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Smart Address 2000\SAENGINE.EXE
    C:\Program Files\Smart Address 2000\SARemind.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\STEVE\Local Settings\Temp\HijackThis.exe
    C:\Program Files\Agent\agent.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.wanadoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.wanadoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.wanadoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    =
    http://www.ndplphgjxkzexkpuvkbqmx.u...WBEPJw8qyeHEPpMCdmgGueIhKTiONxIm/ZphGHF7.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    Microsoft Internet Explorer provided by Wanadoo
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    /STARTUP
    O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe
    -CheckReg
    O4 - HKLM\..\Run: [PinnacleDriverCheck]
    C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
    Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
    Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program
    Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
    3\MsgPlus.exe"
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
    C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad
    Filter\PopFilter.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
    Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr
    SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
    C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program
    Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Icatch(VI) SnapDetect.lnk =
    C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet
    Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
    http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC}
    (MessengerStatsClient Class) -
    http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab27571.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
    Control) -
    http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
    Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
    (PPSDKActiveXScanner.MainScreen) -
    http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
    (MessengerStatsClient Class) -
    http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37994.5167939815
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class)
    - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
    http://messenger.zone.msn.com/binary/ZIntro.cab27571.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
    Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune
    Object) - http://messenger.zone.msn.com/binary/WoF.cab27758.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class)
    - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl
    Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown
    Class) -
    http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
     
    rednose, Sep 7, 2004
    #6
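
Added example, not part of the original thread: a Python sketch that compares HijackThis logs the way post #6 does by eye, reporting which entries a fix removed and which came back. It rejoins the wrapped lines seen in these posts and keys each entry on its registry location, because the SearchAssistant host differs in every log posted here; the sample logs and `.example` hosts are constructed, and all function names are hypothetical.

```python
import re

# A HijackThis entry starts with a section code such as "R0 -", "O4 -", "O16 -".
ENTRY_START = re.compile(r"^(?:[RFN]\d|O\d{1,2}) - ")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_entries(log_text):
    """Return the log's entries, rejoining lines split by mail/news wrapping."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            # Continuation of the previous entry (wrapped path, URL or "=").
            entries[-1] += " " + line
        # Anything before the first entry (header, process list) is skipped.
    return entries

def entry_key(entry):
    """Identity of an entry that ignores the part a hijacker can rotate."""
    section, rest = entry.split(" - ", 1)
    if section.startswith("R"):
        # Registry location only; the URL after " = " is the rotating part.
        return (section, rest.split(" = ", 1)[0].strip())
    if section == "O4":
        m = re.match(r"(.*?): \[(.*?)\]", rest)  # Run key and value name
        if m:
            return (section, m.group(1), m.group(2))
    if section in ("O2", "O16"):
        m = CLSID.search(rest)                   # BHO / ActiveX class id
        if m:
            return (section, m.group(0).upper())
    return (section, rest)

def compare(old_log, new_log):
    """Diff two logs by entry identity rather than by raw line."""
    old = {entry_key(e): e for e in parse_entries(old_log)}
    new = {entry_key(e): e for e in parse_entries(new_log)}
    return {
        "added": [new[k] for k in new if k not in old],
        "removed": [old[k] for k in old if k not in new],
        "changed": [(old[k], new[k]) for k in new
                    if k in old and old[k] != new[k]],
    }

def reappeared(original, after_fix, after_restart):
    """Entries the fix removed that are present again in a later scan."""
    fixed = {entry_key(e) for e in compare(original, after_fix)["removed"]}
    return [e for e in parse_entries(after_restart) if entry_key(e) in fixed]

# Constructed sample logs, shortened and wrapped like the ones in this thread.
ORIGINAL = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.wanadoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
=
http://host-one.example/landing.html
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
3\MsgPlus.exe"
"""

AFTER_FIX = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.wanadoo.co.uk
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
3\MsgPlus.exe"
"""

AFTER_RESTART = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.wanadoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
=
http://host-two.example/landing.html
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
3\MsgPlus.exe"
"""

if __name__ == "__main__":
    for entry in reappeared(ORIGINAL, AFTER_FIX, AFTER_RESTART):
        print("re-created after fix:", entry)
```

An entry that is re-created after being fixed means something still running or still set to start is writing it back, so the next step is to review the startup entries that survived the fix.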
  7. rednose

    °Mike° Guest

    I don't know why I missed it originally, but your
    version of HijackThis is out of date. Install the
    latest version and repost your log, taken DIRECTLY
    after a reboot, before opening ANYTHING else.

    HijackThis
    http://aumha.org/downloads/hijackthis.zip
    http://aumha.org/downloads/hijackthis.exe


    On Tue, 07 Sep 2004 18:05:04 +0100, in
    <>
    rednose scrawled:

    <snip>
     
    °Mike°, Sep 7, 2004
    #7
  8. rednose

    rednose Guest

    OK done that

    Logfile of HijackThis v1.98.2
    Scan saved at 21:20:25, on 07/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\WINDOWS\system32\RUNDLL32.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\STEVE\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.wanadoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.wanadoo.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    =
    http://www.qrxrjvojiiboiixrzeuxp.uk...WBEPJw8qyeHEPpMCdmhbwzLh9ALlQRIm/ZphGHF7.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    Microsoft Internet Explorer provided by Wanadoo
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    /STARTUP
    O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe
    -CheckReg
    O4 - HKLM\..\Run: [PinnacleDriverCheck]
    C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
    Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
    Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program
    Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
    3\MsgPlus.exe"
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
    C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpDefy] C:\PROGRA~1\RDRARM~1\AnteShowSite.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program
    Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad
    Filter\PopFilter.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
    Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr
    SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
    C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program
    Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Icatch(VI) SnapDetect.lnk =
    C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console -
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
    C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
    C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
    - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet
    Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
    http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC}
    (MessengerStatsClient Class) -
    http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab27571.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
    Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
    (PPSDKActiveXScanner.MainScreen) -
    http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
    (MessengerStatsClient Class) -
    http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class)
    - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
    http://messenger.zone.msn.com/binary/ZIntro.cab27571.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune
    Object) - http://messenger.zone.msn.com/binary/WoF.cab27758.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class)
    - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl
    Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown
    Class) -
    http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
     
    rednose, Sep 7, 2004
    #8
  9. rednose

    °Mike° Guest

    On Tue, 07 Sep 2004 21:22:40 +0100, in
    <>
    rednose scrawled:

    End task the above two processes (CTRL+ALT+DEL).
    You have Internet Explorer set to run on startup?

    And WinZIP?



    OK, let's get aggressive with this Internet Explorer.
    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix ALL of the O16 - DPF entries. They are
    ActiveX entries, and will be redownloaded as and when
    necessary.


    <snip>
     
    °Mike°, Sep 8, 2004
    #9
  10. rednose

    rednose Guest

    Not intentionally
    Not intentionally again


    I tried all your suggestions and then ran IE, the toolbar was still
    appearing.
    I then ran msconfig and disabled messenger plus from startup,
    restarted and the toolbar no longer appears.

    I really appreciate all your help
    Many thanks
    Steve

     
    rednose, Sep 8, 2004
    #10
  11. rednose

    °Mike° Guest

    You're welcome.


    On Wed, 08 Sep 2004 20:50:01 +0100, in
    <>
    rednose scrawled:

    <snip>
     
    °Mike°, Sep 8, 2004
    #11