I’ve been getting hijacked today too. It says mygeek.com in the address bar and it shows a search page in the body. I am really new at this place and been mostly reading everyone else’s problems here. I have down loaded Ad-ware and ran it a lot but just quarantined the items it has already placed checks on. The latest quarantined items were newdotnet4_88.dll' and I added to this quarantine the possible hijacked items that were in there also but I am still getting hijacked. I have not deleted anything because I don’t know what I am doing. I have used this computer and the internet for almost a couple of years and I figured it probably has a lot of bad stuff on it. I had a couple of viruses a while back but they are gone or I think they are. I had done a complete system restore about 4 weeks ago. I just down loaded the hijackthis program today. So do I need any other programs to get this thing taken care of and can someone help tell me Slowly, step by step of what to do. because I am the type of person who deleted the windows program when I got my first 3.1 Windows computer, so I learned how to be aware and scared at the same time of computers. I didn’t have any one to help me at that time and didn’t know a thing about computers.

Hello, 1)Do you have a firewall installed? If not, I suggest you use ZoneAlarm as your firewall. You can get it at www.zonealarm.com (its FREE) 2)Was your adware updated? Run the update within ad-aware. And rescan. 3)Download and install "Spybot, Search And Destroy", goto www.download.com and type in spybot in the search field. After its installed, open it, and click update to update it, then scan. Allow it to fix anything it finds 4)Do you have a virus scanner? If so, make sure it is also updated. If not, try a scan at housecall.antivirus.com or download AVG free virus scanner from www.grisoft.com(make sure its updated, and scan) 5)goto "http://www.tomcoyote.org/hjt" and download and install HiJackThis (click the left link under lurkhere, that says "highjackThis from here". Open up HiJackThis and click "Scan". After you do that, click "Save Log" and save it to your desktop, Exit HighjackThis and open the new file on your desktop and copy and paste the results here.

I’m sure my computer has a lot of issues, so I am going to try answer your questions and give you a little more detail about how it has been responding. I hope I didn’t go overboard, but I rather be safe than sorry. 1) About a week ago I had downloaded the free Zone Alarm. After the first day of it being installed I had trouble with it starting up automatically a few times. So I took it out of startup and I haven’t had that problem so far. I was getting a blue screen that said ERROR OE 1087 BFF8E64B. Then just a couple of days ago I had gotten this error, Hpfpegn0 error in HPFEGNO.exe and Hpfpegn0 will have to close. Everything seems to still work fine after closing this message out. My kids and I sometimes forget to activate the Zone Alarm when first getting on the computer. I would really like to be able to run this program in startup for the safety of my computer. 2) I always check for updates before running the adware. Please would you explain why I need to rescan after doing the first scan. Do I need to save a log of each scan and each quarantine. Some of the quarantined folders have the same items in them, looks like duplicates of the day before scan. What do I do with all those scans of the quarantine items that I have? 3) Yes I have the Norton 2001 AV. I have it set for automatic updates and sometimes I also do manual updates. I just recently set it up for the deep scan and bloodhound. I have manually scanned for viruses twice in the last 3 days and it hasn’t found anything. A while back I was having a problem with it taking more than twice as long as it should on virus scanning. I was told to go into safe mode and run Norton AV scan and that did cleared up this problem. A little history info: But I know for fact that I have not been able to run the Norton defrag/speed disk since before May 2003. I have never had to use the Windows scan and defrag disk before this period. They both say that there is another utility program running or something similar to this. I can only run Windows scan disk and the defrag in the safe mode. The first virus I had was last April and was the JS Exception Exploit. I was told to just delete it and I did not do any system restore with it. I didn’t know anything about system restore at that time. Now I know to check with Symantec on virus’s and how to remove them. Some of their stuff is a little confusing to me though. I had not done any system restores ever until in September with this last virus, which was the Downloader Dluca B virus. That’s when I emptied everything in the System restore and started fresh. I believe I have 2 good restore points, I hope. I spent many hours learning this stuff before doing anything. Better safe than sorry. I also do a lot of praying that I won’t do something stupid. I am also thinking that there might be something wrong in my Microsoft word program. First of all back in July, it just disappeared. I did had a short cut on my desktop. But I looked for the original program in the start\programs and it wasn’t in there nor was it in Windows Explorer. I had to reinstall it from my Windows disk. Now I noticed in the Microsoft Word program, when I go to File/Open, there are some flies that are lighter than all the others and have the (W) on them and in the title they have (~$) in front of them and part of the first word. I assumed that these were files that were in use. Maybe I was wrong though. There are 18 of these. They were created at different times between May 2003 through Nov 2003. In the Properties of each one is checked for hidden and archive. Each one says they are a word doc and that they have the size162 bytes. Size on disk 32 KB. They are old files and I’m sure I have deleted them or tried to delete them. Why can’t they be deleted? I can only take an uneducated guess it can’t be done while they are hidden? I will wait for you to respond to this question before I do anything. Could you tell me what each of these programs do, how they work or what they are looking for and what is the difference in between each of these programs. I think I know what Zone Alarm and Ad-Ware does, but not the other programs. Another question, Does any of these adware or Trojan programs need to be disabled when doing any downloads? I am going to run Norton AV after I down load Spybot Search & Destroy. Then I will (1) open it and check for updates (2) run it and allow it to fix all that it finds. (3)I will run the HiJackThis program (1)click on scan and (2)then "Save Log" and save it to my desktop. Do I need a destination folder on my desk top for the results? I have a print out of the instructions on how to copy and paste for HiJackThis. I just hope it works for me. As you probably noticed, I’m a cautious person, the more details the better. Sorry but that’s how I am, but I am willing to learn. Thanks so much.

Hello again :-) I'll help you to the best of my knowledge. And it's also better to go overboard stating your problems as to not giving enough info. Lets start with.. 1)The error you are getting with "HPFEGN0.EXE". That file is for your printer, Have you tried to update your printers driver from HP? I searched the net and found others having a problem with that file, although not related to zonealarm, but updating fixed their problems. Also, I know you had that error, But If you have DSL or Cable, It is strongly recommend you get a firewall working (fulltime) on your computer, even if it is not zonealarm. I would first try to update the printers driver and reboot after putting a shortcut to zonealarm back in your startup. If that clears everything.. good. If not, Uninstall zonealarm, and download and install another firewall. Three I would recommend (after zonealarm of course) would be.. Kerio's Firewall from www.kerio.com (free) Norton's Personal Firewall from www.symantec.com ($)free trial Or McAfee's Personal Firewall from www.mcafee.com ($)free trial 2) Glad to hear you keep everything updated as that's your best defence against major problems. I asked you to rescan, after updating, as you didn't mention it was updated. As for the objects in quarantine, If you are not having major problems, besides the webpage hijacking and the hp file error, you can delete the files in quarantine, or save a week or two more.. just to be safe, then delete them. A hint tho, before you run ad-aware next time, If you have Internet Explorer 6. Open it, click on tools, Internet options, under the "general" tab (on top, it should open in it), you'll see a button saying delete cookies. Press it to delete your cookies. Cookies hold info used by websites to keep track of where you go, a user name you have, shopping cart items.. etc.. You can always re-enter your user name at the website as needed, So deleting them will do no harm. It will just make working with ad-aware more eaiser. If you look in the quarantined items in ad-aware, you'll see most files are indeed just cookies. While you have the internet options window open, click Delete files.. That will clean out your (cashe) Temporary Internet Files. That will also make less work for ad-aware. 3a)I'm also using Norton AV, best on the market in my opinion. But..you knew there was a but lol, While it does a great job on monitoring for viruses, It does not detect trojans and keyloggers. That's where spybot comes in. Spybot cant detect and delete trojans, keyloggers, and spy-ware. Scanning my computer, A slow/old 475mhz PC with 8 GB harddrive takes me a good amount of time, I would normally allow it to scan as I sleep. b)Seeing you mentioned Norton speed disk, I assume you have Nortons Utilites or Systemworks. I use systemworks, And it has kept by PC in great shape. You should run Norton Disk Doctor once a month. And run Speeddisk about every other, but before defrag click analysis, within speeddisk, it will till you if you need to defrag. Now why can't you use it? I'm hoping you have the problem I had, Where it keeps restarting? I turn of my internet, close all other programs and disable Norton AV by right clicking the Norton AV icon near the clock on my taskar. Norton Av will always keep writing to the harddrive and keeps restarting speeddisk due to disk writes. Thats why I disable..But remember to re-enable it once its done. Again, this is a thing to do as you sleep.. takes me 4 hours. also I also had a JS Exception Exploit, But norton caught, and stopped it before any harm could be done. Cleaning your Internet Temporary files should of deleted it. (thats the only fix) c) I don't use Microsoft Word, So I can't really comment on it usage. Why you can't delete those files I don't know. What directory are those files found in? d)zonealarm = firewall :-) You knew that Ad-aware = Scans for spyware and adware Spybot = Scans for spyware, adware, trojans, keyloggers HighJackThis = A utility this shows what is running on your computer, what runs from start, what starts from registry entries, what starts from win.ini run section. shows what your homepage is, what your search is using. what browser helpers you have installed. Basically it details everything running, and started on your PC. e)ok great, do that and post it back here. "Do I need a destination folder on my desk top for the results?" No, I just had you place it there so you remember where it is :-). I also hope it fixes your problems. spybot should kill/repair your hijacked homepage. If not, Thats where posting the highjackthis will come in handy. :-) phew alotta typing.. hope I explained enough for you. I'll chack back tomorrow night after work and see how it went.. good night.. or good morning depending on when you read this :-)

One last thing I meant to add seeing you have Nortons Utilities. Run Norton WinDoctor if you haven't. It will scan your registry, and repair any problems it finds. After it scans, click repair all. I have used it since 98 and has never failed me. :-) good luck. P.S You dont have to run this again until after you have uninstalled a few programs.

I thought I had this posted last night but I guess I did something wrong, so I am trying to post again. I will answer the questions and try to update my printer drivers later today when I have the time. Logfile of HijackThis v1.97.3 Scan saved at 10:27:25 PM, on 11/5/2003 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.exe C:\WINDOWS\SYSTEM\SPOOL32.exe C:\WINDOWS\SYSTEM\MPREXE.exe C:\WINDOWS\SYSTEM\STIMON.exe C:\WINDOWS\SYSTEM\MSTASK.exe C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.exe C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.exe C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.exe C:\WINDOWS\TASKMON.exe C:\WINDOWS\SYSTEM\SYSTRAY.exe C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.exe C:\WINDOWS\SYSTEM\WMIEXE.exe C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.exe C:\WINDOWS\SYSTEM\WF2K.exe C:\WINDOWS\SYSTEM\DDHELP.exe C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.exe C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.exe C:\WINDOWS\LOADQM.exe C:\WINDOWS\MSMGT.exe C:\WINDOWS\RUNDLL32.exe C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.exe C:\PROGRAM FILES\AIM95\AIM.exe C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe C:\PROGRAM FILES\CENTURYTEL\FPTOOL.exe C:\PROGRAM FILES\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.exe C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.exe C:\PROGRAM FILES\CALLWAVE\IAM.exe C:\PROGRAM FILES\NIKON\NKVIEW4\NKVWMON.exe C:\WINDOWS\SYSTEM\TAPISRV.exe C:\WINDOWS\SYSTEM\HPZSTATX.exe C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://categories.mygeek.com/sidecat.jsp?p=98567&id=160106209206179157 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.centurytel.net/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://categories.mygeek.com/sidecat.jsp?p=98567&id=160106209206179157 F1 - win.ini: run=hpfsched O2 - BHO: (no name) - {F8A53FBE-5846-11D2-A022-006097D2400E} - C:\PROGRAM FILES\MINDMAKER\COMMON FILES\WINDOWS\IELINK.DLL O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\GSIM.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.exe O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\SYSTEM\WF2K.exe O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.exe O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.exe /LOADQUIET O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.exe O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks" O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - HKCU\..\Run: [Total Internet] C:\PROGRAM FILES\CENTURYTEL\FPTOOL.exe O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.exe O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O4 - Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe O4 - Startup: Image.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\IMAGE32.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: AIM (HKLM) O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/ACTXCAB.CAB O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?4,0,1323,0 O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.exe O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www110.coolsavings.com/download/cscmv5X.cab O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://www.iwon.com/ct/pm2/iwonpm1,0,2,3.cab

I forgot to tell you that I think I had made a little mistake in Spybot. I had told it not to start when I restarted my computer. I was thinking that it wanted to be placed in my start menu and the after thought tells me that wasn't true. Is there any way to change this or do I need to wory about it?