# [Resolved] is this web enhancer ?



## ree (Oct 18, 2002)

Hi, my daughter accidentally visited a site or downloaded this not sure how this was added to my computer, or what it is other than spyware when I try to do a search i get an annoying query with about 5 other suggestions with a divider seperating it from my initial query it will either say :recommended firsts or enhanced help: making it hard to read my selection without having to move the bottom slider back and forth I have tried using adaware and spybot to no avail and its not in add and remove I would appreciate any help please. I have downloaded my start up list 
. Thank you CSINJECT.EXE	c:\program files\norton systemworks\norton cleansweep\csinject.exe	All Users	HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadPowerProfile	rundll32.exe powrprof.dll,loadcurrentpwrscheme	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LoadPowerProfile	rundll32.exe powrprof.dll,loadcurrentpwrscheme	All Users	HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
NAV Agent	c:\progra~1\norton~1\norton~1\navapw32.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NPROTECT	c:\program files\norton systemworks\norton utilities\nprotect.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NPROTECT	c:\program files\norton systemworks\norton utilities\nprotect.exe	All Users	HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
PE2CKFNT SE	c:\program files\ulead systems\ulead photo express 2 se\chkfont.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QD FastAndSafe	c:\program files\norton systemworks\norton cleansweep\qdcsfs.exe /scheduler	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry	c:\windows\scanregw.exe /autorun	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScriptBlocking	"c:\program files\common files\symantec shared\script blocking\sbserv.exe" -reg	All Users	HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SymTray - Norton SystemWorks	c:\program files\common files\symantec shared\symtray.exe "norton systemworks"	All Users	HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SystemTray	systray.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TaskMonitor	c:\windows\taskmon.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yahoo! Pager	c:\program files\yahoo!\messenger\ypager.exe -quiet	.DEFAULT	HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


----------



## Corrosive (Jan 9, 2003)

When you do a _search_? This isn't spyware, it's more of a slightly mean and unsophisticated trick. It has set the search facility to "use one service for all searches" (click on "search => customise" to do this yourself) and then changed the registry entry at -

*HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main*

- to the sites own URL. Change it to the you're choice of search engine. I'm assuming you are fairly comfortable about delving into the registry, so I won't bother patronising you here. However, if you are unsure, post back and ask. We are all willing to help.

Oh, and welcome to TSG!


----------



## ree (Oct 18, 2002)

Thanks for the reply i'm not sure I asked the question correctly I still get the query I asked for so my search isn't completely hijacked I still have internet explorer as my main search engine, I went to customize but not sure what to do there ? I'm really new at this if it takes going to into the registry to be rid of this I will try it and once again thank you


----------



## Rollin' Rog (Dec 9, 2000)

Download, unzip and run the HijackThis application from the site below. Click the 'scan' tab and then copy/paste the log it creates to a reply.

http://www.lurkhere.com/~nicefiles/

The info you posted is not a full 'startuplist' file. Startuplist is also integrated into HijackThis and can be run by clicking 'config' > 'misc tools' > 'generate startuplist'

Posting a full startuplist would be helpful also.


----------



## ree (Oct 18, 2002)

Sorry I couldn't get back sooner I had to leave for awhile . Here is my startup list I hope this will help . Thank you for helping and the welcoming.StartupList report, 2/7/2003, 9:36:29 PM
StartupList version: 1.51
Started from : C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\KAZAA LITE\KAZAA.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
PE2CKFNT SE = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
NAV Agent = C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
NPROTECT = C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
QD FastAndSafe = C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /scheduler
TaskMonitor = C:\WINDOWS\taskmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
CSINJECT.EXE = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
NPROTECT = C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 7/2/2003, 21:12:22)

[rename]

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 7/2/2003, 3:23:26)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
NUL=C:\PROGRA~1\WEBHAN~1\PROGRAMS\WHIEHLPR.DLL
NUL=C:\PROGRA~1\WEBHAN~1\PROGRAMS\WHIESHM.DLL
[Rename]
NUL=C:\WINDOWS\TEMP\A~NSISU_.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\SYSTEM\SBSRCH_V2.DLL - {4C4871FD-30F6-4430-8834-BC75D58F1529}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job
Norton SystemWorks One Button Checkup.job
Norton AntiVirus - Scan my computer.job
Norton AntiVirus 2002.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37614.5666319444

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.7.150/297a8f782d795cf4fe19/netzip/RdxIE601.cab

[{53E10C2C-43B2-4657-BA29-AAE179E7D35C}]
CODEBASE = http://207.44.176.11/auth/IE_InstllC.exe

--------------------------------------------------
End of report, 6,043 bytes
Report generated in 0.097 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Rollin' Rog (Dec 9, 2000)

I think we see part of the search problem illustrated here:

(no name) - C:\WINDOWS\SYSTEM\SBSRCH_V2.DLL - {4C4871FD-30F6-4430-8834-BC75D58F1529}

This is what is known as a "Browser Helper Object" or BHO. If you run the HijackThis application as suggested and post the SCAN log I should be able to tell you exactly how to remove it and a couple of ActiveX objects from the Downloaded Programs folder as well.


----------



## ree (Oct 18, 2002)

Rolling Rog i'm still working on the hijacked browser you told me to run the program pertaining to web enhancer, which is actually a hijacker and then a scan log to post here ok not sure what i'm suppose to do to run it, could you help please or anyone ? thank you


----------



## rugrat (Dec 17, 2001)

Refering to your earlier thread,

http://forums.techguy.org/showthread.php?threadid=117558

In the beginning of post #4, Rog was asking you to run the "Hijack This" program. Not the web enhancer. Use his instructions to scan and post the results.

SeeYa


----------



## ~Candy~ (Jan 27, 2001)

ree, I've merged your two threads...keep replying back to this one...otherwise Rog won't be notified by email that you've tried to request more help.


----------



## ree (Oct 18, 2002)

I'm sorry I hate to keep beating a dead horse to death but I don't know exactly what you're asking me to do : run the application: "Hijack This" please explain . Thank you


----------



## rugrat (Dec 17, 2001)

You need to download "Hijack This" from the website Rog gave you and run it as per his instrutions.

http://www.lurkhere.com/~nicefiles/

HijackThis 1.91 : A first of it's kind, general browser hijacker detector and removal tool. Merijn is continually updating HijackThis, to stay abreast of this ever expanding exploit that takes over your prefered Home page and Search features. HijackThis includes a copy of StartupList v1.51, that can be run from the HijackThis interface. Updated January 16th, 2003

Let us know


----------



## ree (Oct 18, 2002)

* HijackThis v1.91 *
Written by Merijn - [email protected]
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/index.html

* Version history *
[v1.91] Added rd.yahoo.com to the Nonstandard But Safe Domains list. Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).Added listing of programs/links in Startup folders (O4).Fixed 'Check for Update' not detecting new versions.
[v1.9] Added check for Lop.com 'Domain' hijack (O17). Bugfix in URLSearchHook (R3) fix. Improved O1 (Hosts file) check. Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys. Added AutoConfigURL and proxyserver checks (R1). IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected. Added check for extra protocols (O18).
[v1.81] Added 'ignore non-standard but safe domains' option. Improved Winsock LSP hijackers detection. Integrated StartupList updated to v1.4.
[v1.8] Fixed a few bugs. Adds detecting of free.aol.com in Trusted Zone. Adds checking of URLSearchHooks key, which should have only one value. Adds listing/deleting of Download Program Files. Integrated StartupList into the new 'Misc Tools' section of the Config screen!
[v1.71] Improves detecting of O6. Some internal changes/improvements.
[v1.7] Adds backup function! Yay! Also adds check for default URL prefix, changing of IERESET.INF and changing of Netscape/Mozilla homepage and default search engine.
[v1.61] Fixes Runtime Error when Hosts file is empty.
[v1.6] Adds enumerating of MSIE plugins, and extra options in 'Advanced' tab of 'Internet Options'.
[v1.5] Adds 'Uninstall & Exit' and 'Check for update online' functions. Also expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)
[v1.4] Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer, plus a few bugfixes/enhancements
[v1.3] Adds detecting of extra MSIE context menu items, extra 'Tools' menu items and extra buttons, and 'Confirm deleting/ignoring items' checkbox
[v1.2] Adds 'Ignorelist' and 'Info' functions
[v1.1] Supports BHO's, some default URL changes
[v1.0] Original release

A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.

The different sections of hijacking possibilities have been separated into these groups: 
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols

You can get more detailed information about an item by selecting it from the list of found items or highlighting the relevant line above, and clicking 'Info on selected item'.
Thank you Rug Rat is this what you mean if not let me know ?


----------



## Rollin' Rog (Dec 9, 2000)

Not quite there yet Ree, you posted the "help file". What we need is for you to run HijackThis and then click *scan*

Once you do that you will see a display of numbered entries (it will look somewhat like what you just posted, but will be specific to your computer). Click *Save Log* (save it to the desktop by selecting the desktop icon).

Once it is on the desktop, click it to open it. Then click Edit>Select All>Edit> Copy.

Now you can right click on a message window here and select "paste". Then you will see the entire log displayed in the message window.


----------



## ree (Oct 18, 2002)

I hope this works fingers crossed or is it still scrambled ?

Logfile of HijackThis v1.91.2
Scan saved at 11:08:04 PM, on 2/8/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.rr.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=ams-server*
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4C4871FD-30F6-4430-8834-BC75D58F1529} - C:\WINDOWS\SYSTEM\SBSRCH_V2.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: Yahoo! Spades (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Literati (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Gin (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
O16 - DPF: Yahoo! Pool 2 (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37614.5666319444
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/297a8f782d795cf4fe19/netzip/RdxIE601.cab
O16 - DPF: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} - http://207.44.176.11/auth/IE_InstllC.exe


----------



## Rollin' Rog (Dec 9, 2000)

Ok, that's what we wanted to see.

Run HijackThis again if you've closed it out and once again click 'scan'

put a check in this item and then click 'fix checked'.

*O2 - BHO: (no name) - {4C4871FD-30F6-4430-8834-BC75D58F1529} - C:\WINDOWS\SYSTEM\SBSRCH_V2.DLL*

>> make sure you check the right entry, the one with sbsrch_V2.dll in it.

Then reboot the computer and let me know if you still have the problem. I think we can just leave everything else as is.


----------



## The_Egg (Sep 16, 2002)

Enumerating Download Program Files:

[{53E10C2C-43B2-4657-BA29-AAE179E7D35C}] 
CODEBASE = http://207.44.176.11/auth/IE_InstllC.exe

I think this is adsrvr.com spyware

Not sure what this is though . . . could be dodgy also ?!

[RdxIE Class] 
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.7.150/297a8f782d795cf4fe19/netzip/RdxIE601.cab

Though you've definitely caught the main culprit:
SBSRCH_V2.DLL

Probably best to run Spybot or Ad-Aware to automatically get rid of any leftovers


----------



## ree (Oct 18, 2002)

That did it no more annoying hijacker I really appreciate your help couldnt have done it without you , this is the best sight i've found yet for computer problems. Thanks again rolling rog and all .


----------



## Rollin' Rog (Dec 9, 2000)

You're very welcome. Happy surfin'.

Egg, I was curious about that too, but not being sure what it was I decided not to mess with it unless the problem was unresolved.

Most anything in the Downloaded Programs folder can be removed without risk though, just some inconvenience at best.

ree: you might want to remove this one as well, it does seem to be ad related:

O16 - DPF: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} - http://207.44.176.11/auth/IE_InstllC.exe


----------

