# need to remove the adware that hijack into my system



## Lisa_Illusia (Jul 24, 2003)

hi... I have been trying to get rid of whatever that is that had altered my browser and keep popping up adverts everywhere I go. I can't seem to find the hijacking programme that smuggle through my system. Worse! I don't even know how it went in in the first place! 

This is the list from my hijack programme. Can somebody tell me which is to remove?



> Logfile of HijackThis v1.94.0
> Scan saved at 4:34:33 PM, on 7/24/03
> Platform: Windows 98 SE (Win9x 4.10.2222A)
> MSIE: Internet Explorer v6.00 (6.00.2600.0000)
> ...


----------



## Guest (Jul 24, 2003)

You have several BHOs, Browser "helper" Objects in there. First of all do a clean up with these three programs.

Install SpyBot S&D and AdAware, update them and run a scan.

Then run BHO Demon to see if it finds anything left.

Now add SpywareBlaster, update it, and run and it will stop these programs coming on to your system in the first place.

Also: In Internet Explorer, Tools, IE Options, Advanced, Uncheck:

"Activate install on demand" [Other] , and, "Activate install on demand" [Internet Explorer]

SPYBOT S&D http://beam.to/spybotsd
INSTALL VIEW http://tomcoyote.org/SPYBOT
DOWNLOAD http://studserver.uni-dortmund.de/~su1669/spybotsd12.exe

AdAware 6.0 http://www.networkingfiles.com/Cookie/adaware.htm
DOWNLOAD http://www.majorgeeks.com/getfile.php?file=506&site=2

BHO DEMON http://www.spywareinfo.com/downloads/bhod

SpywareBlaster http://www.wilderssecurity.net/spywareblaster.html

You should be able to uninstall NEWONE.NET from add-remove programs, btw.

See also:

WINDOWS ARTICLE http://forums.techguy.org/t147287/s.html WIN ME/98. Scroll down page.
REFERENCE PAGE http://forums.techguy.org/showthread.php?s=&postid=973946#post973946
REMOVING BLOAT FILES http://forums.techguy.org/t147727/s.html

And:

http://www.eventsounds.com/wav/systems.wav

http://mr-31238.mr.valuehost.co.uk/assets/Flash/psychic.swf

;-)


----------



## amthmi (Mar 23, 2002)

Check all of the following in Hijack This, and then press "fix checked"
Close your Browser and Windows Explorer before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.gocybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.gocybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.gocybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.gocybersearch.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.gocybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.gocybersearch.com/ie/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.gocybersearch.com/ie/

R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM
FILES\XUPITER\XTSEARCH.DLL (file missing)

O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRAM FILES\ACCELERATION
SOFTWARE\STOPSIGN\WEBCBROWSE.DLL (file missing)
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.2.4.0\HBHOSTIE.DLL (file
missing)

O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O4 - HKLM\..\Run: [Hotbar] C:\PROGRAM FILES\HOTBAR\BIN\4.2.4.0\HBINST.EXE /Upgrade
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [babeie] rundll32 "C:\Program Files\CommonName\Toolbar\CNBabe.dll",DllStartup
O4 - HKLM\..\Run: [sp] regedit -s C:\sp.reg
O4 - HKLM\..\Run: [MemoryMeter] C:\PROGRAM FILES\MEMORYMETER\MEMORYMETER.EXE
O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.EXE

O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.clock-sync.com/ClockSyncAutoSYNC0009.cab
O16 - DPF: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C} - http://www.xupiter.com/search2/inst...olbarLoader.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.adtomi.com/ads/ystckAO32.exe

Now restart your computer, and delete:
C:\PROGRAM FILES\MEMORYMETER
C:\WINDOWS\TVTMD.EXE

(below are borrowed instructions from TonyKlein)
Next, download Spybot - Search & Destroy.
http://tomcoyote.org/SPYBOT/

Now press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Now restart your computer

After you've done all this repost a hijackthis log


----------



## Lisa_Illusia (Jul 24, 2003)

well... I should have come here sooner  

Thank you thank you thank you! it works! it works my puter is pop up free!!! weee!!!

*do happy dance now lol*


----------



## amthmi (Mar 23, 2002)

Pleasure !
Thanks for posting back.
Happy dancing !


----------

