# Internet Options cancelled due to restrictions in effect ....



## moose69 (Aug 20, 2003)

I am running windows 2000 pro and my default home page has been taken over. When I go to Internet Options I get the message "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." The system has no restrictions except the ones imposed by this alien home page. How do I get rid of it?


----------



## BlueSpruce (Jul 24, 2003)

Hi moose69 ,

Please do the following ,

First , Update your virus definitions and run a scan in Safe Mode
The following link can assist you in starting your computer in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Or , Have your computer scanned at one of the following free online Virus Scanners , 
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/

If you happen to have Kazaa , Remove it in Add/Remove programs in the control panel , reboot your computer and follow-up with KazaaBegone v1.01 http://www.spywareinfo.com/~merijn/files/kazaabegone.zip
Unzip KazaaBegone to your Desktop , Close all browser windows and run KazaaBegone. Reboot your computer.

Next , Download CWShredder , Unzip to the Desktop www.spywareinfo.com/~merijn/files/cwshredder.zip
Close all browser windows , check the Taskbar for minimized windows as well , Run CWShredder , Reboot your computer

Followed by , Downloading , configuring , and runing Ad-aware 6.0 Personal , Build 6.181 following winchester73's Reference Guide http://forums.techguy.org/t164245/s0bd00da6e0f7008495f1c26aa8c2e08c.html

Also consider installing SpywareBlaster v2.6.1 and SpywareGuard v2.2 for the prevention of both Spyware Active X installation and running , and Browser Hijacking protection in real-time http://www.wilderssecurity.net/index.html

Finally , Download Hijack This version 1.97 www.tomcoyote.org/hjt/ Unzip Hijack This to the Desktop , Press the scan button , the scan button becomes save log button , (Do not fix anything yet) save the log to the Desktop , Return to this thread copy and paste the log to the forum

Good luck


----------



## moose69 (Aug 20, 2003)

Hi BlueSpruce 

CWShredder did the job. Thanks for the comprehensive reply

moose69


----------



## moose69 (Aug 20, 2003)

Hi BlueSpruce 

CWShredder did the job. Thanks for the comprehensive reply

moose69


----------



## Miz (Jul 2, 2002)

If you haven't already, go into Internet Explorer>Tools>Internet Options>Advanced tab and uncheck all references to "Install on Demand," click OK. Although nobody has yet found out how Cool Web Search installs itself, having install on demand enabled might open an avenue for it.


----------



## Topkat (Aug 10, 2003)

Just to be on the safe side you should post A HijacjThis log here, and we can tell you if you're cleaned up completely or if there's anything else still hiding on your machine.

go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## moose69 (Aug 20, 2003)

Hi Topkat
this is the hijack this logfile seems ok to my untrained eye, i would welcome any expert advice,thanks.

Logfile of HijackThis v1.97.2
Scan saved at 20:16:05, on 29/09/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
E:\WINNT\system32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\system32\ZONELABS\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
E:\Achronet\Achronet.exe
J:\PFiles\adobe\Acrobat\5\Distillr\AcroTray.exe
E:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\PROGRA~1\WINZIP\winzip32.exe
E:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://u.tv/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://u.tv/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - j:\pfiles\adobe\acrobat\5\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - E:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\winnt\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\winnt\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [internat.exe] E:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Startup: disk2disk scheduler.lnk = E:\Program Files\disk2disk\d2dsched.exe
O4 - Startup: AladdinSoft Genie.lnk = E:\Program Files\AladdinSoft\genie.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\WINNT\twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: Numlock.vbs
O4 - Global Startup: Numlock.wsh
O4 - Global Startup: Achronet.lnk = E:\Achronet\Achronet.exe
O4 - Global Startup: Acrobat Assistant.lnk = J:\PFiles\adobe\Acrobat\5\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Si&milar Pages - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://K:\SuperCD\IntraLaunch.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

moosr69


----------



## moose69 (Aug 20, 2003)

Hi Topkat
this is the hijack this logfile seems ok to my untrained eye, i would welcome any expert advice,thanks.

Logfile of HijackThis v1.97.2
Scan saved at 20:16:05, on 29/09/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
E:\WINNT\system32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\system32\ZONELABS\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
E:\Achronet\Achronet.exe
J:\PFiles\adobe\Acrobat\5\Distillr\AcroTray.exe
E:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\PROGRA~1\WINZIP\winzip32.exe
E:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://u.tv/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://u.tv/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - j:\pfiles\adobe\acrobat\5\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - E:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\winnt\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\winnt\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [internat.exe] E:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Startup: disk2disk scheduler.lnk = E:\Program Files\disk2disk\d2dsched.exe
O4 - Startup: AladdinSoft Genie.lnk = E:\Program Files\AladdinSoft\genie.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\WINNT\twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: Numlock.vbs
O4 - Global Startup: Numlock.wsh
O4 - Global Startup: Achronet.lnk = E:\Achronet\Achronet.exe
O4 - Global Startup: Acrobat Assistant.lnk = J:\PFiles\adobe\Acrobat\5\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Si&milar Pages - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://K:\SuperCD\IntraLaunch.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

moosr69


----------



## moose69 (Aug 20, 2003)

Hi Topkat
this is the hijack this logfile seems ok to my untrained eye, i would welcome any expert advice,thanks.

Logfile of HijackThis v1.97.2
Scan saved at 20:16:05, on 29/09/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
E:\WINNT\system32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\system32\ZONELABS\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
E:\Achronet\Achronet.exe
J:\PFiles\adobe\Acrobat\5\Distillr\AcroTray.exe
E:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\PROGRA~1\WINZIP\winzip32.exe
E:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://u.tv/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://u.tv/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - j:\pfiles\adobe\acrobat\5\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - E:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\winnt\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\winnt\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [internat.exe] E:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Startup: disk2disk scheduler.lnk = E:\Program Files\disk2disk\d2dsched.exe
O4 - Startup: AladdinSoft Genie.lnk = E:\Program Files\AladdinSoft\genie.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\WINNT\twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: Numlock.vbs
O4 - Global Startup: Numlock.wsh
O4 - Global Startup: Achronet.lnk = E:\Achronet\Achronet.exe
O4 - Global Startup: Acrobat Assistant.lnk = J:\PFiles\adobe\Acrobat\5\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Si&milar Pages - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://e:\winnt\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://K:\SuperCD\IntraLaunch.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

moosr69


----------



## TonyKlein (Aug 26, 2001)

One question:

Did you yourself put the following two files in your Startup folder, presumably in order to set the NUM LOCK State at Logon?

*Numlock.vbs
Numlock.wsh*


----------



## moose69 (Aug 20, 2003)

Hi TonyKlein
I had to in order to get the numpad to work. 
moose69


----------



## TonyKlein (Aug 26, 2001)

I understand. Just wanted to make sure nothing untoward is starting up. 

Otherwise it's a clean log!


----------



## moose69 (Aug 20, 2003)

Hi TonyKlein
Gald to hear everything is ok for now thank you for your most welcome input.

moose69


----------



## moose69 (Aug 20, 2003)

Hi TonyKlein
Gald to hear everything is ok for now thank you for your most welcome input.

moose69


----------



## $teve (Oct 9, 2001)

Is there an echo in here?


----------



## dparyee (Oct 17, 2003)

I used HijackThis to see what was running on my computer and this came up. Please can someone tell me what to check on Hijack This so i can get rid of stuff that shouldn't be there.

Logfile of HijackThis v1.97.3
Scan saved at 18:28:04, on 17/10/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\msblast.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\System Soap Pro\soap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Our Family\My Documents\My Received Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://tooncomics.com/main/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://tooncomics.com/main/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://tooncomics.com/main/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 66.40.16.131 lanasbigboobs.com
O1 - Hosts: 66.40.16.131 thumbnailpost.com
O1 - Hosts: 66.40.16.131 adult-series.com
O1 - Hosts: 66.40.16.131 www.livesexlist.com
O1 - Hosts: 66.40.16.131 www.lanasbigboobs.com
O1 - Hosts: 66.40.16.131 www.thumbnailpost.com
O1 - Hosts: 66.40.16.131 www.adult-series.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\DNSErr.dll
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E0B9B5FE-B66E-4FB0-A1D9-726F0E743CFD} - C:\WINDOWS\System32\SurfairyPP.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Suggestions (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://rsharp.net/nohotlink/webcamplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37858.5350810185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F2E6C7F-5956-4012-979D-194F09D43594}: NameServer = 195.92.195.94 195.92.195.95


----------



## Topkat (Aug 10, 2003)

dparyee's question has been answered here for anyone interested


----------



## tat2_quake (Nov 1, 2003)

Logfile of HijackThis v1.97.3
Scan saved at 2:02:30 PM, on 11/1/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NVATray.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tat2.BLULITE\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.internetwasher.com/iwasher/pptproactauthakamai/internetwasherpro.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.4590277778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TIA
Tat2


----------



## stgudon (Nov 8, 2003)

The following is the content of the log created by HiJack. Anything I need to remove?

Logfile of HijackThis v1.97.3
Scan saved at 6:31:29 PM, on 11/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Documents and Settings\Don\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-big.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [Wallchanger] C:\COPERN32\wallchanger.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKCU\..\Run: [PPWebCap] d:\PAPRPORT\PPWebCap.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.charter.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.60-big/GoogleNav.cab
O16 - DPF: {73954DC6-A1B2-4157-966F-D9914A39F59C} (ConnectorLauncherCtrl Class) - http://task.vividence.com/download/ConnectorLauncher.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37735.3050925926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Flrman1 (Jul 26, 2002)

Welcome to TSG stgudon !

Nothing major there.

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

Restart.


----------



## mannivw (Nov 14, 2003)

BlueSpruce 

CWShredder also worked for me. Thanks a lot.


----------



## m018691 (Mar 11, 2006)

Just want to say THANKS to BlueSpruce for helping me with this problem. I've looked at several other sites but this one fixed it in a heartbeat. I found this site via a Google search and just joined. I'm sold. Thanks, thanks, thanks!


----------

