
Browser Hijack


Name: timr182
Date: December 9, 2003 at 02:27:32 Pacific
OS: Windows XP
CPU/Ram: AMD 1200, 512K DDR
Comment:

I also have a similar problem to the CWS. I've tried a few anti-spy's, still loads to www.superbookmark.com with http://t.rack.cc/hp.php in my default homepage. Please tell me what to delete because I keep trying and it keeps returning.

Logfile of HijackThis v1.97.7
Scan saved at 8:47:28 PM, on 12/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\BANDWI~1\BWMNT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\BRMFRSMG.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\DAP\DAP.exe
C:\Program Files\PC-cillin 2000\Pop3trap.exe
C:\Program Files\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\BANDWI~1\BandwidthMonitor.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\Program Files\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\PC-cillin 2000\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim Roberts\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/hp.php
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINDOWS\mslgbc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.exe /STARTUP
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BandwidthMonitor.exe -CFG0] C:\PROGRA~1\BANDWI~1\BandwidthMonitor.exe -CFG0
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Reboot.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37963.9285416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab





Response Number 1
Name: Bob
Date: December 9, 2003 at 09:08:48 Pacific
Reply:

Try Ad-Aware 6 from www.lavasoft.com.
It should tell you what to delete.



Response Number 2
Name: Tom41
Date: December 9, 2003 at 09:37:12 Pacific
Reply:

Run HijackThis again and place a check in the box next to the following items. Double-check so as to be sure not to miss one.
Next, close all browser windows, and have HT 'fix checked'.

You must restart your computer when you're done.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/hp.php
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINDOWS\mslgbc.dll
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Reboot.exe

After restarting, delete the following:

sys.reg
C:\Program Files\Common Files\GMT folder.


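The by-eye triage of the posted log in Response Number 2, sketched as an added example (not part of the original thread and not HijackThis's own code). The sample entries are copied from the log above; the expected-host list and the two heuristics (an unnamed BHO loaded straight from the Windows folder, a startup entry that runs `regedit -s`) are assumptions of this example, and a hit means "review this entry", not "delete it".

```python
import re
from urllib.parse import urlparse

# Hosts the analyst expects in IE start/search values (assumption; adjust as needed).
EXPECTED_HOSTS = ("microsoft.com", "msn.com")

# Entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINDOWS\mslgbc.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "R0 - ...", "O16 - ..."

def host_expected(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)

def review(log_text):
    """Return (section, reason, line) for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if section in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1]
            if not host_expected(url):
                findings.append((section, "IE page set to unexpected host", line))
        elif section == "O2":
            dll = body.rsplit(" - ", 1)[-1]
            # Heuristic: unnamed BHO whose DLL sits directly in the Windows folder.
            if "(no name)" in body and re.fullmatch(r"(?i)[a-z]:\\windows\\[^\\]+\.dll", dll):
                findings.append((section, "unnamed BHO loaded from Windows root", line))
        elif section == "O4" and re.search(r"(?i)\bregedit(\.exe)?\s+[-/]s\b", body):
            findings.append((section, "startup entry silently imports a .reg file", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in review(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

A Run entry that silently imports a .reg file at every logon can rewrite registry values after they have been corrected, which matches the "it keeps returning" symptom in the original post.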

Response Number 3
Name: B. Parsons
Date: December 9, 2003 at 10:03:19 Pacific
Reply:

Running Ad Aware, Spybot Search & Destroy, virus scans and spyware removers will not work to remove the hijacker http://t.rack.cc/hp.php. Do a search for this hijacker on the Symantec corporate website. I found removal instructions for a Trojan horse called Trojan.Digits. It looks exactly like the crap that has infected my own computer, including the allneedsearch.com and cool-search.com websites that keep popping up, as well as the default http://t.rack.cc/hp.php that I can't get rid of as my Internet Explorer default homepage. I recommend that you look up the information on Symantec and try it for yourself. I will be doing this procedure on my own computer tonight. The link to the Symantec information is http://securityresponse.symantec.com/avcenter/venc/data/trojan.digits.html. I sincerely hope this works for me and everyone else.



Response Number 4
Name: timr182
Date: December 9, 2003 at 20:41:09 Pacific
Reply:

Tom41, your advice worked. Thanks, very much appreciated.



Response Number 5
Name: DennisHockla
Date: December 10, 2003 at 07:41:59 Pacific
Reply:

Trojan.digits
Trojan.byteverify
Trojan.download
Trojan.downloader
I finally got rid of it and in retrospect, it removes fairly easily, or so it seems when you're done! 20-20 hindsight! Install latest Microsoft patches!

Disable system restore then:

1. Boot computer in "Safe Mode" without network support

2. Run anti-virus with latest updates

3. Follow Symantec's instructions for removal from the registry.

4. Delete files from Temp and Temp internet file folders.

5. Reboot your computer normally

Be sure to check that HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\search.URL\www.allneedsearch (or variant) key as Symantec doesn't list it. I added the temp folders because my laptop was trying to access the sites even when off the network, so it seemed some program was pointing to this garbage. But after doing all of the above I've been porno free for over a day now.

BTW Netscape install didn't help either! It seems that once infected the trojan is running, it slows the computer down. Following the suggestions and instructions from Symantec and The CoolWebSearch Chronicles without doing the above steps only delayed its return until the browser was opened again and even off network the browser would try to access a web page. Running AD-Aware6, Spybot Search and Destroy, CWShredder and the latest Symantec updates didn't offer the final solution by themselves but were very educational.

I hope this is of some use!

Dennis Hockla
Complete Printer Repair
Pearland, TX

www.cprtx.us
cpr-tx@sbcglobal.net

