Adaware has helped to temporarily remove these darn parasites. They constantly change my IE main page I ran HijackThis and will post below. I have read responses to similar inquiries since end of April. I don't know how to work with registry files and will need help please. I also get pop-ups. Webenhancer is a pain, as is LookToMe and zestyFind, allaboutsearch,etc This is my 1st Scan 5.17.04 I don't know how to remove registry files or dll's. Thank you in advance for your help. Jane Logfile of HijackThis v1.97.7 Scan saved at 11:28:55 PM, on 5/17/04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.exe C:\WINDOWS\SYSTEM\MPREXE.exe C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.exe C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.exe C:\WINDOWS\SYSTEM\MSTASK.exe C:\WINDOWS\EXPLORER.exe C:\WINDOWS\RUNDLL32.exe C:\WINDOWS\TASKMON.exe C:\WINDOWS\SYSTEM\SYSTRAY.exe C:\WINDOWS\SYSTEM\IRMON.exe C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.exe C:\WINDOWS\SYSTEM\QTTASK.exe C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.exe C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.exe C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.exe C:\PROGRAM FILES\ADSGONE\ADSGONE.exe C:\WINDOWS\SYSTEM\WMIEXE.exe C:\WINDOWS\SYSTEM\DDHELP.exe C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.exe C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.exe C:\WINDOWS\SYSTEM\SPOOL32.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://xtpmws.t.muxa.cc/s.php?aid=420 (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yie6/*http://www.yahoo.com/search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo! R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032 R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file) R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file) O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [IrMon] IrMon.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.exe O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.exe /LOADQUIET O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe" O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.exe O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks" O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.exe O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe" O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.exe O4 - Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38104.8983912037 O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

Here is the scan report from CWShredder Thanks again Jane CWShredder v1.57.0 scan only report Please understand that a CWShredder 'Scan only' report might not be sufficient to troubleshoot an infected system. You can use HijackThis for that: http://www.merijn.org/files/hijackthis.zip http://www.spywareinfo.com/~merijn/files/hijackthis.zip Windows 98 (4.10.2222 A) Windows dir: C:\WINDOWS Windows system dir: C:\WINDOWS\system AppData folder: C:\WINDOWS\Application Data Username: Jane Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant Infected data: http://xtpmws.t.muxa.cc/s.php?aid=420 (obfuscated) Found Hosts file: C:\WINDOWS\hosts (448 bytes, R) Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\SYSTEM\Userinit.exe Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A) Registry value: DefaultPrefix (should be http://) [] http:// Registry value: WWW Prefix (should be http://) [www] http:// Registry value: Mosaic Prefix (should be http://) [mosaic] http:// Registry value: Home Prefix (should be http://) [home] http:// Found Win.ini file: C:\WINDOWS\win.ini (9002 bytes, A) Found line in Win.ini: load= Found line in Win.ini: run= Found System.ini file: C:\WINDOWS\system.ini (1828 bytes, A) Found line in System.ini: shell=explorer.exe

I am not familiar with Symantec products but I see you have Cleansweep running. Can you use that to uninstall MyWebSearch? Otherwise I believe SpyBot S&D gets rid of that. Bryan

IMHO, goto www.mozilla.org or netscape.com and download either firbird/firefox or netscape, repsectively. Since I've started using firefox exclusively about 4 months ago, I just don't have these problems any more

justin_b31 I've used IE since 1995 and am still doing so. Never had any of these problems. Derek.W

Bryan: Thank you so much for your quick response. I removed MyWebSearch from programfiles may 17. Great idea to use Clean Sweep, which i should be using anyway on regular basis. I have now downloaded Spybot S+D which has removed many serious trojans that I previously have not been able to get rid of on my computer. Thank you for the suggestion.

Justinb: Thank you for telling me about firebox. I downloaded it from www.mozilla.org. After being attacked from 50 to 200+ times per day by hijackers trying to direct my internet browser to other sites, I am relieved to get some respite. I am sending others here to this site for help from yall. Thank you all for your quick responses and simple solutions. Jane