HELP! I have been trying to reclaim my machine for days. I cannot get rid of websearch.com, which appears to take over my browser. Any proven suggestions are welcomed. Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 7:20:18 AM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Timbuktu Pro\tb2pro.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RightFAX\FaxCtrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Home\Program Files\Programs\Roxio Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Home\Program Files\Programs\iTunes\iTunesHelper.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Home\Program Files\Programs\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Home\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
C:\Home\Program Files\Programs\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Home\Program Files\Programs\Spy Sweeper\SpySweeper.exe /0
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.1648611111
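Added example, not part of the original thread and not HijackThis's own code: a short Python triage of entry lines taken from the log posted above. The indicator strings and the function names are assumptions chosen for this illustration; the script flags every entry that mentions them and reports any CLSID registered under more than one HijackThis section.

```python
import re

# Entry lines copied from the HijackThis log in the post above (subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
"""

# "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumed indicator list: strings the thread itself ties to the hijack.
INDICATORS = ("websearch.com", "wintools")


def parse(log):
    """Yield (section_code, detail) for each HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Return (flagged entries, CLSIDs registered under several sections)."""
    flagged, by_clsid = [], {}
    for code, detail in parse(log):
        if any(ind in detail.lower() for ind in INDICATORS):
            flagged.append((code, detail))
        for clsid in CLSID.findall(detail):
            by_clsid.setdefault(clsid.upper(), set()).add(code)
    shared = {c: sorted(s) for c, s in by_clsid.items() if len(s) > 1}
    return flagged, shared


if __name__ == "__main__":
    flagged, shared = triage(SAMPLE_LOG)
    for code, detail in flagged:
        print(f"{code:>3}  {detail}")
    for clsid, codes in shared.items():
        print(f"{clsid} is registered under: {', '.join(codes)}")
```

On these lines the same CLSID shows up as both a URLSearchHook (R3) and a BHO (O2), and the WinTools directory also backs a Run key (O4), so the component has several registration points in addition to the search URLs.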
Go into the registry: Start >> Run, type "regedit", do a search for websearch and delete all keys found... (this includes redoing the search process until nothing else is found) Brian
Oh, from what I can see the key you need to delete is at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Search Bar.... delete the entry in there.. Still do the search though cos you never know what other crap they have hidden.... also search your hard drive for anything containing websearch and delete..
Adaware will remove all this...
Your temporary solution is ad-aware. A permanent solution would be mozilla.org or opera.com web browsers. Using IE is like having sex with HIV positive male prostitutes. One day or another you will get infected no matter what you do.
I do not think Ad Aware will remove it. Last week I got the same crap, called TheBikeBait. The only solution to get rid of that was "System Restore". If you did not know about TheBikeBait, it came with MSN 3 Plus. When you install MSN 3Plus you need to check: I accept or I refuse. If you click I accept it means that you accept to install MSN Plus with a sponsored program. That program is TheBikeBait, which makes you a slave to watch anything on the internet that "they" want, not what you want.
SpySweeper is a pile of crap that gives false positives. I would remove it and install SpyBot Search & Destroy and Ad-Aware, if I were you. Terminate the above processes. Have HijackThis fix the above. Have HijackThis fix the above. Have HijackThis fix the above. Have HijackThis fix the above. Have HijackThis fix the above. Have HijackThis fix the above. See my comment above about SpySweeper.
Why do you insist on giving this BAD advice? This is precisely the kind of advice that Bullis gives. It should be ignored totally.
Download Opera with Java and use it instead of IE. Hijackers don't seem to bother with Opera and it is a good fast browser.
I have not yet tried going with Opera. However, I have tried SpyBot S&D, Adaware and SpySweeper but am losing the battle. The WinTools crap cannot be deleted by anything I have tried. Something is locking it down or re-installing it every time. I am considering a reinstall of XP but am hoping someone can save me from that. Any proven suggestions?
On 2 Jun 2004 19:12:56 -0700, in <> tired techie scrawled: Have you read my response to you? Click here: <
Mike, I read your response. I had already tried everything you suggested. I even re-ran all the programs. As I mentioned in my followup posting, I am unable to delete the WinTools program you said I should delete - something is locking it down. I need stronger medicine. Thanks.
Go through my recommendations again, thoroughly. Re-run HijackThis and re-post the NEW log file here.
Victory, I think. In the ControlPanel>AddRemovePrograms I removed every game the kids had installed. Then, and only then, was I able to delete the WinTools program. WinTools even asks negative questions on the uninstall confirmation boxes so that if you just hit OK, it is not removed. However, I was still getting browser windows popping up by themselves. Ad-aware could see the devil, but still couldn't remove it. It turns out that VX2.BetterInternet is really nasty to remove. Thanks to a thread at tek-tips.com (http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/21/pid/760/qid/666236) I was able to download the Better Internet uninstaller (http://www.look2me.com/cgi-bin/UnInstaller) and fortunately it worked for me. My computer appears cured. Thanks to all for your useful suggestions and encouragement. Please pass on my discoveries to other fellows in need of strong medicine. - a very Tired Techie
On 4 Jun 2004 04:01:38 -0700, in <> tired techie scrawled: ANOTHER ActiveX control that you have to agree to a EULA for, THEN enter a serial into it, from a known scumware site, and that is tagged as NOT SAFE! No, thank you.
Have I made my problems worse? Is there some doom looming for me? What alternatives exist? Is it too late?
I have no idea, but ask yourself these questions, bearing in mind that the very site you used this uninstaller from is a *known scumware site*, and was the very site that put the crap on your system in the first place: 1. Why on earth would you have to agree to a EULA for an ActiveX uninstaller -- this is NOT some new 3D game, or expensive application that YOU have installed? 2. Why on earth would you have to enter a serial number into an ActiveX uninstaller, BEFORE you can use? 3. Why does my system, on 'Default' settings, tell me that the ActiveX is unsafe, and that my security settings will not allow it? SOMETHING smells not right. Yes, use the method that I first gave. I don't believe there is any scumware that can't be removed by the combination of SpyBot S&D, CWShredder and HijackThis, no matter what you say.
However, I was still getting browser windows popping up by themselves. I have the same problem. After reading this I also resorted to using the 'uninstaller' apparently made by the spyware maker himself. After running, the multi-named almost-undeletable dll is still there but the pop-ups have been turned off, for now, according to the grace and good will of the spyware writer. Tried McAfee, SpyBot, SpySweeper, CWShredder (perhaps not updated), and Ad-aware, and none removed the dll, which renamed with every attempt. Someone else said he fixed it by erasing the offending dll using another PC on the network. I'll try that later. See http://groups.google.com/groups?selm=&output=gplain
Correction, after running their own uninstaller, the offending dll allowed itself and its registry keys to be deleted by Ad-aware. Ad-aware and other products did not help me except to identify the problem. An alternative approach might have been this -- Since the dll may have been designed to respawn itself during logoff, I might have removed its corresponding registry keys, then performed a HARD power off (so the reg key wouldn't have a chance to be recreated), in order to guarantee the problem would not be there on next boot-up -- not exactly professional.