how do i get rid of sexpatriot?!

Computing.Net > Forums > Security and Virus > how do i get rid of sexpatriot?!

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to get for your free account now!

how do i get rid of sexpatriot?!

Name: Danmasta
Date: November 28, 2003 at 10:48:10 Pacific
OS: windows xp home
CPU/Ram: 256 mb

Comment:

ever since i clicked that link.. whoa.. look at this! on my friends profile, my homepage to the internet has been sexpatriot.com. no matter what i do i can't get rid of this, i've gotten rid of the whoa look at this problem, but the sexpatriot homepage is still there, and there is also some links on my favorites that wont go away no matter what i do. the links are called 'ALL PREMIUM SEARCHES FOR YOU' and 'FREE PORN SEARCHES' someone please help me get rid of these. i would be ever thankful

Report Offensive Message For Removal

Sponsored Link

Ads by Google

Response Number 1

Name: dw226
Date: November 28, 2003 at 10:59:29 Pacific

Reply:

Download Ad-Aware 6 AND SpyBot Search and Destroy. Both should kill it off. Make sure you run both programs though, to make sure one program isn't missing anything.

Report Offensive Follow Up For Removal

Response Number 2

Name: Danmasta
Date: November 28, 2003 at 11:06:05 Pacific

Reply:

i did download ad-aware 6.0 and have run that, spybot, mc affe virus scan.. and numerous other virus scanners, trojan, spyware and adware scanners and nothing has been able to get rid of it... it is extremely annoying and i would appreciate any help from anyone. everytime i load internet explorer, my homepage is changed to sexpatriot and those favorites links are re-added.

Report Offensive Follow Up For Removal

Response Number 3

Name: efabes
Date: November 28, 2003 at 11:58:51 Pacific

Reply:

Download and run HijackThis. Place a checkmark next to the offending entries and have Hijack this Fix said entries.

Report Offensive Follow Up For Removal

Response Number 4

Name: Danmasta
Date: November 28, 2003 at 13:16:30 Pacific

Reply:

how do i get hijack this? and what does it do?

Report Offensive Follow Up For Removal

Response Number 5

Name: efabes
Date: November 28, 2003 at 13:24:47 Pacific

Reply:

You can read about and get it at
www.tomcoyote.org/hjt/.
From the website: "HijackThis examines certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It's up to you to decide what should be removed."
If you check a few of the posts here at this forum, you will see many HijackThis logs posted, for help identifying things that should be removed.

Report Offensive Follow Up For Removal

how do i get rid of phantom drives in win2k how do i get rid of backdoor trojan win2000 "how do i get rid of"	how do i get rid of backdoor.graybird how do i get rid of DRVSPACE.001 how do I get rid of a wallpaper
See More

Response Number 6

Name: Danmasta
Date: November 28, 2003 at 13:36:18 Pacific

Reply:

ok, i downloaded hijack this and ran it.. here is the log file.
Logfile of HijackThis v1.97.7
Scan saved at 1:34:19 PM, on 11/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Kazaa\kazaa.exe
C:\WINDOWS\mkucfvsz.exe
C:\WINDOWS\System32\fkffcltr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Documents and Settings\Dan\Desktop\my stuff\SpyKiller\spykiller.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\Temp\BullGuard\bulldownload.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexpatriot.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.royalsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexpatriot.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.royalsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O1 - Hosts: 64.246.33.179 auto.search.msn.com
O1 - Hosts: 64.246.33.179 search.msn.com
O1 - Hosts: 64.246.33.179 msn.com
O1 - Hosts: 64.246.33.179 www.msn.com
O1 - Hosts: 64.246.33.179 yahoo.com
O1 - Hosts: 64.246.33.179 www.yahoo.com
O1 - Hosts: 64.246.33.179 google.com
O1 - Hosts: 64.246.33.179 www.google.com
O1 - Hosts: 64.246.33.179 thenun.com
O1 - Hosts: 64.246.33.179 www.thehun.com
O1 - Hosts: 64.246.33.179 thehun.net
O1 - Hosts: 64.246.33.179 www.thehun.net
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {E5DDCF9A-C97C-9B84-F921-71CDCE61A9B2} - C:\WINDOWS\system32\szuzrcss.dll
O2 - BHO: (no name) - {FDA42C23-B51D-7ABC-1D97-85D342C81CD9} - C:\WINDOWS\system32\aiwefmuq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [hiyeueqr] C:\WINDOWS\mkucfvsz.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [lxcyomem] C:\WINDOWS\System32\fkffcltr.exe
O4 - HKLM\..\Run: [AdobeFonts] C:\WINDOWS\Fonts\fonts.hta
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Documents and Settings\Dan\Desktop\my stuff\SpyKiller\spykiller.exe /startup
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Report Offensive Follow Up For Removal

Response Number 7

Name: Danmasta
Date: November 28, 2003 at 14:44:06 Pacific

Reply:

ok,i ran cwshredder then ran hijackthis again.. this is what happened.. if there is anything else that looks to suspicious, please tell me so i can get rid of it. thanks :)

Logfile of HijackThis v1.97.7
Scan saved at 2:42:42 PM, on 11/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Kazaa\kazaa.exe
C:\WINDOWS\mkucfvsz.exe
C:\WINDOWS\System32\fkffcltr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {E5DDCF9A-C97C-9B84-F921-71CDCE61A9B2} - C:\WINDOWS\system32\szuzrcss.dll
O2 - BHO: (no name) - {FDA42C23-B51D-7ABC-1D97-85D342C81CD9} - C:\WINDOWS\system32\aiwefmuq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [hiyeueqr] C:\WINDOWS\mkucfvsz.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [lxcyomem] C:\WINDOWS\System32\fkffcltr.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Documents and Settings\Dan\Desktop\my stuff\SpyKiller\spykiller.exe /startup
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Report Offensive Follow Up For Removal

Response Number 8

Name: efabes
Date: November 28, 2003 at 14:54:30 Pacific

Reply:

You have some exe files I am not familiar with. Someone might post about them. Get rid of the following:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {E5DDCF9A-C97C-9B84-F921-71CDCE61A9B2} - C:\WINDOWS\system32\szuzrcss.dll
O2 - BHO: (no name) - {FDA42C23-B51D-7ABC-1D97-85D342C81CD9} - C:\WINDOWS\system32\aiwefmuq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL

Report Offensive Follow Up For Removal

Response Number 9

Name: Danmasta
Date: November 28, 2003 at 17:55:16 Pacific

Reply:

thanks a lot :)
is the mywebsearch toolbar something i shouldn't use? i was using it because of the popswatter that came with it, but after deleting the files you told me to just now, it's gone... if it really is a program i should stay away from then i will, please let me know.

Report Offensive Follow Up For Removal

Response Number 10

Name: suzi
Date: November 28, 2003 at 23:08:00 Pacific

Reply:

Here's a link about mysebsearch toolbar and why it's considered to be a hijacker and adware.
http://www.safersite.com/PestInfo/m/mywebsearch.asp
It is a variant of this:
http://www.doxdesk.com/parasite/MySearch.html
It's up to you if you want to use it. Personally I would not use it. It's likely to cause you more problems in the future. Every anti-spyware program targets it. Why not use the google toolbar instead?

Report Offensive Follow Up For Removal

Response Number 11

Name: efabes
Date: December 1, 2003 at 13:25:55 Pacific

Reply:

Just read a post up a few. Tom41 said belt.exe (one of the exe files I was not sure of) is a trojan.
You should run an anti-trojan. I am not sure, but you may have more than the one.

Report Offensive Follow Up For Removal

Response Number 12

Name: de1770
Date: December 4, 2003 at 17:10:35 Pacific

Reply:

help! I has sex patriot on my comp but now its turned into start-space.com. Can i still use hijackthis for it? Here is the log. Thanks!
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\BQTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\msrexe.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.exe
C:\WINDOWS\System32\wjview.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\windows\winlogon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\Program Files\Norton CleanSweep\CsinsmNT.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\DOCUME~1\default\LOCALS~1\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.snapy.net/index2.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.98.142.163/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://66.98.142.163
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://66.98.142.163/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.98.142.163/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://66.98.142.163/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://66.98.142.163/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.98.142.163/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://66.98.142.163/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.98.142.163/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://findloss.com/srchasst.html
O1 - Hosts: 66.98.142.163 auto.search.msn.com
O1 - Hosts: 66.98.142.163 search.msn.com
O1 - Hosts: 66.98.142.163 msn.com
O1 - Hosts: 66.98.142.163 www.msn.com
O1 - Hosts: 66.98.142.163 yahoo.com
O1 - Hosts: 66.98.142.163 www.yahoo.com
O1 - Hosts: 66.98.142.163 google.com
O1 - Hosts: 66.98.142.163 www.google.com
O1 - Hosts: 66.98.142.163 thenun.com
O1 - Hosts: 66.98.142.163 www.thehun.com
O1 - Hosts: 66.98.142.163 thehun.net
O1 - Hosts: 66.98.142.163 www.thehun.net
O2 - BHO: (no name) - {00000000-5eb9-11d5-9d45-009027c14662} - C:\WINDOWS\VX2.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_50.dll
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\default\Application Data\winshow\winshow.dll
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL
O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\NETWORK ESSENTIALS\V11\NE.DLL
O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINDOWS\madise.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\FONTS\msoffice.hta
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [GameSpot] "C:\Program Files\Kontiki\bin\kontiki.exe" -s GameSpot -q
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton CleanSweep\CsinsmNT.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37655.8322453704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -

Report Offensive Follow Up For Removal

Response Number 13

Name: JG
Date: December 5, 2003 at 18:10:37 Pacific

Reply:

I am having the same problem. I scan with AdWare and Spybot and it comes back from time to time. Not sure why sometimes my home page comes up normally. One thing I noticed is that it also hijacked the phone number my machine dials to access the web....
Here is the scan from today. Any suggestions for what can/should be removed?
Logfile of HijackThis v1.97.7
Scan saved at 6:06:30 PM, on 12/5/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\msrexe.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\EarthLink 5.0\conmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Directory 6 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)

Report Offensive Follow Up For Removal

Response Number 14

Name: gforce17
Date: December 5, 2003 at 20:45:12 Pacific

Reply:

I am still having trouble with mine. Here is my latest log from hijack this. I'd appreciate any help you could offer. Thanks...
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\windows\winlogon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Greg\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/?fr=ad-kw-findwhat-general-general
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.royalsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexpatriot.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.royalsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Greg\Application Data\Mozilla\Profiles\default\jij7oldc.slt\prefs.js)
O1 - Hosts: 66.98.142.163 yahoo.com
O1 - Hosts: 66.98.142.163 www.yahoo.com
O1 - Hosts: 66.98.142.163 google.com
O1 - Hosts: 66.98.142.163 www.google.com
O1 - Hosts: 66.98.142.163 thenun.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5,0,8,0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.exe
O4 - HKLM\..\Run: [WorkFlo] D:\Installs\WorkFlow.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} - http://www.real.com/vivo/index.html
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/013cccb653c6f057c519/netzip/RdxIE2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.7709606482
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4305/mcfscan.cab

Report Offensive Follow Up For Removal

Response Number 15

Name: gripgoofy
Date: December 6, 2003 at 18:25:13 Pacific

Reply:

Is the first time i am using HijackThis. I tried AdAware6 but it didn't help to get rid of sexpatriot. Here is my log file any suggestions on what i should delete are highly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 9:09:10 PM, on 12/6/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\ATI2PLAB.exe
C:\WINDOWS\SYSTEM\ATIPTAAB.exe
C:\WINDOWS\SYSTEM\ATI2CWXX.exe
C:\WINDOWS\SYSTEM\INTERNAT.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.exe
C:\WINDOWS\SYSTEM\E_S0EIC1.exe
C:\WINDOWS\SYSTEM\LMSCRWIPT.exe
C:\WINDOWS\RUNDLL32.exe
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\SPYWARE BLOCKER\SPYWAREBLOCKER.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.exe
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexpatriot.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.royalsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexpatriot.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.royalsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\oq3ps6wr.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CNetscape_UK.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\oq3ps6wr.slt\prefs.js)
O1 - Hosts: 66.98.142.163 auto.search.msn.com
O1 - Hosts: 66.98.142.163 search.msn.com
O1 - Hosts: 66.98.142.163 msn.com
O1 - Hosts: 66.98.142.163 www.msn.com
O1 - Hosts: 66.98.142.163 yahoo.com
O1 - Hosts: 66.98.142.163 www.yahoo.com
O1 - Hosts: 66.98.142.163 google.com
O1 - Hosts: 66.98.142.163 www.google.com
O1 - Hosts: 66.98.142.163 thenun.com
O1 - Hosts: 66.98.142.163 www.thehun.com
O1 - Hosts: 66.98.142.163 thehun.net
O1 - Hosts: 66.98.142.163 www.thehun.net
O2 - BHO: (no name) - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {F4A645D0-D4D5-439E-9DBC-B31BBD9CB890} - C:\WINDOWS\SYSTEM\BPV2T.DLL
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~2\TOOLBAR\PWRSWMDA.DLL (file missing)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\SYSTEM\E_S0EIC1.exe /P29 "EPSON Stylus Photo 820 Series" /O7 "EPUSB1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [CharityBuy IE Plugin] C:\CHARITYBUY
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\FONTS\msoffice.hta
O4 - HKLM\..\Run: [lmscrwipt.exe] C:\WINDOWS\SYSTEM\lmscrwipt.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\SYSTEM\KEYHOST.exe
O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRAM FILES\INTERNET WASHER PRO\IW.exe min
O4 - HKCU\..\Run: [lmscrwipt.exe] C:\WINDOWS\SYSTEM\lmscrwipt.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SPYWAREBLOCKER.exe" /0
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.exe
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.exe
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.exe
O4 - Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.exe
O4 - Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\Plus!\CMPAGENT.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\Updater\wupdater.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.7447569444
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15166021edb901544300/netzip/RdxIE601.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4305/mcfscan.cab

Report Offensive Follow Up For Removal

Response Number 16

Name: gripgoofy
Date: December 7, 2003 at 15:13:20 Pacific

Reply:

Sorry for the long log file before, I just used Adaware, Spyblok, and then i scanned with HijackThis so here is the new smaller log file. Of course sexpatriot is still there so my question is what should i start deleting. Thank you in advance

Logfile of HijackThis v1.97.7
Scan saved at 6:09:40 PM, on 12/7/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\ATI2PLAB.exe
C:\WINDOWS\SYSTEM\ATIPTAAB.exe
C:\WINDOWS\SYSTEM\ATI2CWXX.exe
C:\WINDOWS\SYSTEM\INTERNAT.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.exe
C:\WINDOWS\SYSTEM\E_S0EIC1.exe
C:\WINDOWS\SYSTEM\LMSCRWIPT.exe
C:\WINDOWS\RUNDLL32.exe
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\SPYWARE BLOCKER\SPYWAREBLOCKER.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.exe
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\MGLEXICO\POLYLEX.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexpatriot.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexpatriot.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\oq3ps6wr.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CNetscape_UK.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\oq3ps6wr.slt\prefs.js)
O1 - Hosts: 66.98.142.163 yahoo.com
O1 - Hosts: 66.98.142.163 www.yahoo.com
O1 - Hosts: 66.98.142.163 google.com
O1 - Hosts: 66.98.142.163 www.google.com
O1 - Hosts: 66.98.142.163 thenun.com
O2 - BHO: (no name) - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {F4A645D0-D4D5-439E-9DBC-B31BBD9CB890} - C:\WINDOWS\SYSTEM\BPV2T.DLL
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~2\TOOLBAR\PWRSWMDA.DLL (file missing)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\SYSTEM\E_S0EIC1.exe /P29 "EPSON Stylus Photo 820 Series" /O7 "EPUSB1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [CharityBuy IE Plugin] C:\CHARITYBUY
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\FONTS\msoffice.hta
O4 - HKLM\..\Run: [lmscrwipt.exe] C:\WINDOWS\SYSTEM\lmscrwipt.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\SYSTEM\KEYHOST.exe
O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRAM FILES\INTERNET WASHER PRO\IW.exe min
O4 - HKCU\..\Run: [lmscrwipt.exe] C:\WINDOWS\SYSTEM\lmscrwipt.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SPYWAREBLOCKER.exe" /0
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.exe" /autocheck
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.exe
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.exe
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.exe
O4 - Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.exe
O4 - Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\Plus!\CMPAGENT.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\Updater\wupdater.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.7447569444
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15166021edb901544300/netzip/RdxIE601.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4305/mcfscan.cab

Report Offensive Follow Up For Removal

Response Number 17

Name: htblow
Date: December 17, 2003 at 18:31:20 Pacific

Reply:

Ok, I had a recent problem like this, but norton had caught a malicious script called fonts.hta, which was the cause of the deal. It hides in your windows\fonts dir, and you cant even see it (hidden files on and all). The only way to get to it is by running a find in C: properties. If you read the file in a text doc, you'll get an idea of what it does. Maybe this is the problem....

Report Offensive Follow Up For Removal

Response Number 18

Name: Abnormal
Date: December 18, 2003 at 11:51:19 Pacific

Reply:

A good tool that will help.
cwshredder.zip

cwshredder.exe
More help sites.
http://www.lavasoftsupport.com/
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/archive/
http://www.spywareinfo.com/forums/

Block the bad sites.
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

Report Offensive Follow Up For Removal

Response Number 19

Name: usefulguy
Date: December 24, 2003 at 03:59:07 Pacific

Reply:

Dear friends,
I had the same problem.Today I solved that.
I don't know it will happen again or not but it is worth trying because I got rid of "premium searches" .Just download zone alarm free edition.And carefully examine its questions and permissions.And do not give any file permission to access the internet unless u know that file's function very well. Probably some kind of exe file updating itself whenever u connect to the internet.I am looking forward to all your comments bad or good ones.Take care u all.

Report Offensive Follow Up For Removal

Email Virus

Desktop items & Favor...

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: how do i get rid of sexpatriot?!

How do I get rid of hacktool flooder????

Summary

www.computing.net/answers/security/how-do-i-get-rid-of-hacktool-flooder/1715.html

how do i get rid of .exe's?

Summary

www.computing.net/answers/security/how-do-i-get-rid-of-exes/20132.html

How do I get rid of I-Worm/Opas

Summary

www.computing.net/answers/security/how-do-i-get-rid-of-iwormopas-/3835.html

From the Geek Dictionary
LAN - A LAN (Local Area Network) is a computer or data network that is contained ...

Ask a Question!

Weekly Poll
Do you think suing spammers will make any difference?

Poll Finishes In 7 Days.
Discuss in The Lounge
Poll History

Recent Posts
Hard Drive error nos

Accidental client SID change. Locked out.

PC rebooting randomly

Fitting a new harddrive phoenix trustedcore

how to write client side script?????

All Awaiting Reply

Tom's News
A Single Text Message Can Cripple Your iPhone

Apple Shoots Down Obama's Hope

Japan Thinking of Making Quiet Hybrids Noisy

iPhone 3GS Jailbroken, Unlocked

Man Shoots Up Apple Store

More Tom's Guide News

Tom's Games
Redneck Olympics

Tasty Planet

More Tom's Games

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE