Computing.Net > Forums > Security and Virus > the trojans are here!!!!

the trojans are here!!!!

Name: m-eezey
Date: May 6, 2004 at 18:02:35 Pacific
OS: win xp
CPU/Ram: Pentium III, 128 MB ram
Comment:

Blender requested that I put up my HijackThis log file for him to look at.
My computer has been taken over by searchpage.html, about:blank and now some kind of tool bar...revenge of the nerds!!!

Logfile of HijackThis v1.97.7
Scan saved at 5:59:07 PM, on 5/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Apoint\Apntex.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\w32sup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\documents and settings\art\local settings\temp\i68gang.exe
C:\documents and settings\art\local settings\temp\xs5frbzhX.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
c:\exactSetup.exe
C:\Program Files\Winamp3\Studio.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\mplsion.exe
C:\PROGRA~1\WHENUS~1\Search.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet KSC Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ucsbuxa.ucsb.edu:9000/ucsblibrary
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CB722AA3-2884-4741-B205-EAA6734D199A} - C:\WINDOWS\System32\dcelp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
O4 - HKLM\..\Run: [QXFMTZAHR] C:\WINDOWS\QXFMTZAHR.exe
O4 - HKLM\..\Run: [oisen] C:\WINDOWS\System32\oisen.exe
O4 - HKLM\..\Run: [eScorcher] C:\Program Files\eScorcher\eScorcher.exe
O4 - HKLM\..\Run: [supporter5] C:\WINDOWS\System32\supporter5.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [i68gang.exe] C:\documents and settings\art\local settings\temp\i68gang.exe
O4 - HKLM\..\Run: [xs5frbzhX.exe] C:\documents and settings\art\local settings\temp\xs5frbzhX.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [3s3T3qP] mplsion.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O13 - FTP Prefix:
O13 - Gopher Prefix:
O14 - IERESET.INF: START_PAGE_URL=http://www.ksc.net.th
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://www.escorcher.com/webone/supporter5.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




Response Number 1
Name: Lee DX
Date: May 6, 2004 at 19:12:04 Pacific
Reply:

http://smb.sygate.com/products/spf_standard.htm (free for personal use)



Response Number 2
Name: Lee DX
Date: May 7, 2004 at 07:22:29 Pacific
Reply:

Have a look at all these options-

FREE TO HOME USER SYGATE FIREWALL, easy to use, protect yourself from outside probes:
http://smb.sygate.com/products/spf_standard.htm

Here is a spyware program you need, Spybot Search & Destroy: http://www.spychecker.com/program/spybot.html

After you install it, click the update button and scan it again; all you see in the results are buggering you up. You can check the information about each one before you delete; read carefully.

This is a great program. If you don't have an anti-virus program I recommend Free Edition AVG, which can be gotten at http://www.grisoft.com/ . Update the program definitions often and set a scheduler up on the program.

Lastly, download 'Stinger' from: http://vil.nai.com/vil/stinger/ . It will scan for 41 current viruses and worms. If running WinXP or ME versions, read the info here first before you scan:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

You can get your Free Edition PopUp killer from http://www.panicware.com get the download here:
http://download.com.com/3001-7786-10246779.html

Additional information:

You should increase your privacy/security settings: right-click My Computer, go to Properties, then to the Security/Privacy tabs and try increasing your control over imposing websites and hijackers.

Lastly, if you haven't already, you should delete your temporary internet files and cookies often: right-click the IE browser icon, select Properties, and at the General tab click the buttons that delete your temps and cookies. Let me know if this works for you. Don't forget to do regular maintenance; defrag often. Lots of luck,
Lee



Response Number 3
Name: blender
Date: May 7, 2004 at 12:33:53 Pacific
Reply:

m-eezey

Ok...several issues here..

Have you rebooted since running Ad-aware?

To get rid of that extra toolbar; go to add/remove programs in your control panel and remove WhenUsearch toolbar

While you are there look for a listing for eScorcher antivirus....it is adware. Remove that if it is there.

If there is a listing for exactbar or exact search bar or ezula top text....remove that too.

Uninstalling that ezula leaves the installer file intact...so next time you visit a website infected with it...it gets re-installed..
Ad-aware should kill that.


Next start hijackthis and check the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
O4 - HKLM\..\Run: [QXFMTZAHR] C:\WINDOWS\QXFMTZAHR.exe
O4 - HKLM\..\Run: [oisen] C:\WINDOWS\System32\oisen.exe
O4 - HKLM\..\Run: [eScorcher] C:\Program Files\eScorcher\eScorcher.exe
O4 - HKLM\..\Run: [supporter5] C:\WINDOWS\System32\supporter5.exe

O4 - HKLM\..\Run: [i68gang.exe] C:\documents and settings\art\local settings\temp\i68gang.exe
O4 - HKLM\..\Run: [xs5frbzhX.exe] C:\documents and settings\art\local settings\temp\xs5frbzhX.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [3s3T3qP] mplsion.exe

O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O13 - FTP Prefix:
O13 - Gopher Prefix:

O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://www.escorcher.com/webone/supporter5.exe

Once all are checked close all open windows and click fix checked.

Reboot to safe mode and delete:

c:\searchpage.html
c:\windows\system32\w32sup.exe <-file
c:\windows\system32\oisen.exe <--file
c:\windows\system32\supporter5.exe<--file
c:\windows\system32\IEHost.exe <--file
c:\windows\system32\dp-him.exe <--file
c:\windows\system32\mplsion.exe <--file

c:\windows\QXFMTZAHR.exe <--file

c:\program files\eScorcher <--folder

c:\documents and settings\art\local settings\temp <--empty out entire contents

Reboot to normal windows and clean out temporary internet files...

Start> settings> control panel> internet options.
Click delete files
Check "delete offline content at popup"
Click ok
Click delete cookies
Yes to confirm
Click "clear history"
Yes to confirm

Click the "programs tab"
Click "reset web settings"
Yes at the popup
Ok your way out

Next do an online scan here:

http://www.ravantivirus.com/scan

Shut off your own antivirus, check autoclean in the online scanner, allow it to clean what it can.

Reboot when done if they cleaned anything.

If there are any results...post RAV's findings here along with a fresh hijack log.

BTW..sorry for taking so long to get to you....lots of logs to hack thru.


I never give up!

Windows Update



Response Number 4
Name: m-eezey
Date: May 7, 2004 at 15:23:51 Pacific
Reply:

hey Blender,
Thanks for the response. I've gone through HijackThis and fixed what you told me to fix, but it looks like my log has changed quite a bit since I posted it...could you please take one more look? Items are being renamed and look suspicious to me.

Logfile of HijackThis v1.97.7
Scan saved at 3:18:37 PM, on 5/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Apoint\Apntex.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\w32sup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\documents and settings\art\local settings\temp\i68gang.exe
C:\documents and settings\art\local settings\temp\xs5frbzhX.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\cidppp.exe
C:\Program Files\SysAI\SysAI.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bkceg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bkceg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bkceg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bkceg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bkceg.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bkceg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet KSC Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ucsbuxa.ucsb.edu:9000/ucsblibrary
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CB722AA3-2884-4741-B205-EAA6734D199A} - C:\WINDOWS\System32\dcelp.dll (file missing)
O2 - BHO: (no name) - {D847ABCC-86F6-4640-AB9A-7EBB49638FCF} - C:\WINDOWS\System32\bkceg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ksc.net.th
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




Response Number 5
Name: blender
Date: May 10, 2004 at 11:01:56 Pacific
Reply:

m-eezey

Ok...I see you have a new variant of CoolWebSearch which takes specific instructions and knowledge I don't quite know yet..The experts are working on an automated fix but for now it is manual removal.
Please don't try fixing with hijack.

Go to this forum, register and click on new subject in the hijackthis logs section:

http://forums.tomcoyote.com/index.php?showforum=27

Post your hijack log there and wait for further help...there are experts there with more knowledge than I. Be patient..it may take a day or 2 before they respond...but they will. If you find it is taking long....bump your post up..it will go back to the top of the list.

Post a link for them to this thread so they know the before and after logs.
Let them know what you have tried.
___________________________________

I never give up!

Windows Update



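Added example (my own code, not from this thread or from HijackThis itself): a Python triage pass that applies the same reading blender gives in Response 3 and Response 5 to the log lines posted here, flagging IE start/search values and O13 prefixes that point at a local file or a res:// DLL resource, O4 autoruns that launch from a temp folder or carry no path, an O16 download of a bare .exe, and a BHO whose DLL is the res:// target of a hijacked search setting. The sample lines are copied from the two logs above; the heuristics are mine, not HijackThis rules, and the script only reports, it changes nothing.

```python
import re
# Constructed sample: ten entry lines copied from the two HijackThis logs posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bkceg.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {D847ABCC-86F6-4640-AB9A-7EBB49638FCF} - C:\WINDOWS\System32\bkceg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [i68gang.exe] C:\documents and settings\art\local settings\temp\i68gang.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [3s3T3qP] mplsion.exe
O13 - WWW Prefix: c:\searchpage.html?page=
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://www.escorcher.com/webone/supporter5.exe
"""
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")          # "R1 - ...", "O4 - ..."
RUN_RE = re.compile(r"HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.*)")  # O4 Run/RunOnce

def local_target(value):
    """True when an IE start/search/prefix value is a local file or res:// DLL resource, not a web URL."""
    return re.match(r"^(res://)?[a-z]:\\", value.strip().lower()) is not None

def triage(log):
    """Return (section, item, reason) tuples for entries matching the hijack patterns in this thread."""
    findings, bho_dlls, res_targets = [], set(), set()
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                      # header, blank and "Running processes" lines
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if local_target(value):
                findings.append((sec, key, "IE setting points at a local file or res:// resource"))
                m = re.match(r"res://(.+?\.dll)", value, re.I)   # remember the DLL hosting the fake page
                if m:
                    res_targets.add(m.group(1).lower())
        elif sec == "O2":
            bho_dlls.add(body.rsplit(" - ", 1)[-1].replace(" (file missing)", "").strip().lower())
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m:
                cmd = m.group("cmd").strip().strip('"').lower()
                if "\\temp\\" in cmd:
                    findings.append((sec, m.group("name"), "autorun launches from a temp directory"))
                elif not re.match(r"^[a-z]:\\", cmd):
                    findings.append((sec, m.group("name"), "autorun is a bare filename with no path"))
        elif sec == "O13":
            name, _, value = body.partition(":")
            if local_target(value):
                findings.append((sec, name, "URL prefix rewrites navigation to a local file"))
        elif sec == "O16" and body.lower().endswith(".exe"):
            findings.append((sec, body.split(" - ")[-1], "DPF ActiveX entry downloads an .exe"))
    # A BHO whose DLL is also the res:// target of a hijacked search setting is the hijacker itself.
    for dll in sorted(res_targets & bho_dlls):
        findings.append(("O2", dll, "BHO DLL is the res:// target of a hijacked search setting"))
    return findings

if __name__ == "__main__":
    for sec, item, reason in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason:55} {item}")
```

Run against a full log saved from HijackThis, the benign entries (Spybot's SDHelper.dll, NeroCheck, the Sony local page) stay silent while the seven entries blender singled out are reported with the reason each one matched.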
