Help Please!!!! Problems with Search200, Allaboutsearching, (Hijackthis Log Inside)

We have had problems with our computer for the past couple of weeks or more. We have run Ad-Aware 6.0, SpyBot, and the OmegakillerSM. We have also been to Internet Options in our Control Panel and have deleted all cookies and temporary internet files that we can delete from there (we know that this will not get rid of spyware, but have done it any way). We have also run Norton to check for viruses and such, but all scans have been negative. Even after all this we are still not able to use the internet (Note: ability to use and navigate on the internet has gradually become worse and worse until now we can do nothing). For instance, when we log onto the internet now, and enter in an address to go to, such as (www.lds.org) we get hijacked to a search page and the internet address in the address box looks like this:

res://C:\DOCUME~1\RACHAE~1\LOCALS~1\Temp\love.res/error.htm#http://www.lds.org/

Here is the Log created by Hijackthis. We appreciate any help that can be given. We are at a loss as to what we can do. Thanks for all the time and effort you guys put in. I hope I did this right.


Logfile of HijackThis v1.98.1
Scan saved at 11:41:24 AM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\j2 Messenger\HotTray.exe
C:\Program Files\j2 Messenger\Dllcmd32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\progra~1\intern~1\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.short-media.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.obtznhuauoqdntsgakiukb.com/45XcbqKmwjibX318pEVhJ8VU5r4SwvTHBtXC/vDPZYOcaPRqQKFPTjdDLzqJvSKm.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {43636A2C-A960-5F78-6A45-5902F3E26BA6} - C:\PROGRA~1\THATTI~1\castplay.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [time heck] C:\PROGRA~1\ELSETONS\2DOES.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: j2 Tray Menu.lnk = C:\Program Files\j2 Messenger\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\j2 Messenger\Dllcmd32.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/HPISDiagManager.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/272092e9a75bd0e2c821/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = motacorp.com
O17 - HKLM\Software\..\Telephony: DomainName = motacorp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{87B9A43D-ACB0-4141-80C1-D1AAB08A213F}: NameServer = 63.113.48.99,63.113.48.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = motacorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = motacorp.com

Comments

  • Dexter, Vancouver, BC Canada
    edited August 2004
    Reboot your computer in SAFE MODE. Run HJT. Fix:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.obtznhuauoqdntsgakiukb.com/45XcbqKmwjibX318pEVhJ8VU5r4SwvTHBtXC/vDPZYOcaPRqQKFPTjdDLzqJvSKm.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {43636A2C-A960-5F78-6A45-5902F3E26BA6} - C:\PROGRA~1\THATTI~1\castplay.exe
    O4 - HKLM\..\Run: [time heck] C:\PROGRA~1\ELSETONS\2DOES.exe

    After fixing those entries, exit HJT. Stay in SAFE MODE, and manually locate
    those .exe files:

    C:\PROGRA~1\THATTI~1\castplay.exe
    C:\PROGRA~1\ELSETONS\2DOES.exe

    Anything with a "~" in the name is a folder with a longer name, but it starts with the letters indicated, such as "progra~1" = Program Files. Your "thatti~1" folder will start with "thatti" and have more letters after that.

    Move these to a new folder called C:\Quarantine. Rename the .exe files to .xxx. That way you can always replace them if it somehow turns out that one or more of these are necessary files... which is not likely, but quarantining is safer than deleting them.

    Reboot normally, check things out and let us know. Post a fresh HJT log for review.

    Dexter...
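As an added example (not code from this thread or from HijackThis), the following Python script applies the checks behind Dexter's fix list to lines copied from the posted log, and adds two helpers for the rest of his advice: decoding the 8.3 short-name folders to search for, and working out the quarantine destination. The allowlist of expected hosts and all function names are assumptions made for the example.

```python
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample: six lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.short-media.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.obtznhuauoqdntsgakiukb.com/45XcbqKmwjibX318pEVhJ8VU5r4SwvTHBtXC/vDPZYOcaPRqQKFPTjdDLzqJvSKm.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {43636A2C-A960-5F78-6A45-5902F3E26BA6} - C:\PROGRA~1\THATTI~1\castplay.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [time heck] C:\PROGRA~1\ELSETONS\2DOES.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

def parse_log(text):
    """Split HJT report lines into (section, detail) pairs; blanks and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries, expected_hosts=frozenset({"www.short-media.com"})):
    """Apply the checks behind the fix list above. expected_hosts is an
    analyst-supplied allowlist (assumed here: only the forum's own site)."""
    findings = []
    for section, detail in entries:
        if section in ("R0", "R1") and " = http" in detail:
            host = urlparse(detail.split(" = ", 1)[1]).hostname
            if host not in expected_hosts:
                findings.append((section, detail, f"IE setting points at {host}"))
        elif section == "R3" and "missing" in detail:
            findings.append((section, detail, "default URLSearchHook removed"))
        elif section == "O2" and detail.startswith("BHO: (no name)"):
            findings.append((section, detail, "unnamed Browser Helper Object"))
    return findings

def search_prefixes(win_path):
    """Expand Dexter's rule: a FOO~1 component is a folder whose long name starts
    with FOO, so return (prefix, is_short_name) for each component after the drive."""
    return [(p.split("~")[0], "~" in p) for p in win_path.split("\\")[1:]]

def quarantine_plan(exe_path, quarantine_dir=r"C:\Quarantine"):
    """Destination for one file per the thread's advice: move it into the quarantine
    folder and rename .exe to .xxx so it can be restored if it turns out to be needed."""
    base, ext = ntpath.splitext(ntpath.basename(exe_path))
    return ntpath.join(quarantine_dir, base + (".xxx" if ext.lower() == ".exe" else ext))

if __name__ == "__main__":
    for section, detail, why in triage(parse_log(SAMPLE_LOG)):
        print(f"{section}: {why}\n    {detail}")
    print(quarantine_plan(r"C:\PROGRA~1\THATTI~1\castplay.exe"))
```

The `[time heck]` Run entry is deliberately not caught by these rules: Dexter picked it by eye from the unfamiliar folder name, which is the judgement a mechanical pass does not replace.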
  • edited August 2004
    Yesterday we couldn't get on to the internet because of the browser hijacking that was going on. We were also having trouble sending e-mail messages, but could receive, for a little while. Yesterday we did as you said and ran Hijack This Fix. Then we quarantined all files found in either the ELSETON or THATTI file folders. Now we don't appear to be having problems with a browser hijacker (as far as we can tell with our internet service not working), but instead it keeps bringing up the page that says This Page Can Not Be Displayed. We noticed that 2 of the files you requested us to mark in the Hijack This Fix were Verizon files. Verizon is our DSL carrier. We don't know if this may have had something to do with no internet service now or not. Please offer any help that you may have. We can always unload and reload our internet service if we have to. Please let us know. Below is our latest Hijack This Log per your request. We really appreciate all of the time and energy you are putting into this.

    Logfile of HijackThis v1.98.1
    Scan saved at 9:22:20 AM, on 8/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\j2 Messenger\HotTray.exe
    C:\Program Files\j2 Messenger\Dllcmd32.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Hijack This\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.short-media.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: j2 Tray Menu.lnk = C:\Program Files\j2 Messenger\HotTray.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\j2 Messenger\Dllcmd32.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/HPISDiagManager.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/272092e9a75bd0e2c821/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = motacorp.com
    O17 - HKLM\Software\..\Telephony: DomainName = motacorp.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{87B9A43D-ACB0-4141-80C1-D1AAB08A213F}: NameServer = 63.113.48.99,63.113.48.100
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = motacorp.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = motacorp.com

    Thanks again for your help.
  • Dexter, Vancouver, BC Canada
    edited August 2004
    OK, the 2 items that are associated with your ISP are:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>

    The first one just puts extra text info in the title of every Internet Explorer Window you open. If this entry said "Here is some blatant advertising for you", that would appear in every IE window. It is not a necessary item, it is just your ISP trying to look like they have provided you with some amazing, customized version of IE, when in fact they have just hacked this tiny little registry entry to advertise to you. Trust me when I tell you that this will not affect your connection at all.

    The second one is a Proxy Override, which in many cases is not needed. However, it is possible that it is a necessary item in your case. So, re-run Hijack This, and click on the CONFIG button, then find the BACKUPS button. HJT saves an "undo" for each fix it makes. Find the Proxy Override entry, click it, and press the Restore button and it will undo that fix. Reboot your computer, and see if it works.

    There is also a chance that this is just a coincidence, that your ISP had a problem this morning, but restore the Proxy Override setting to be sure.

    Dexter...
  • edited August 2004
    Thank you so much for your help. It ended up being a problem with one of our phone lines, and not the Proxy Server. We really appreciate your help and that of short media in providing us a fast "free" service. Everything is working great now. Keep up the wonderful work.
  • Dexter, Vancouver, BC Canada
    edited August 2004
    You are very welcome. :)

    Speaking of "fast" and "free" ... how would you like to put something on your computer that is free, and is very fast to install, and runs in the background of your computer, and uses your unused processor resources to try and find cures for diseases? Please click the links in my signature to find out more about Folding For a Cure. You simply install a very small program on your computer, then let it work in the background, where it will help try to solve some biological puzzles on your computer that may lead to cures for diseases. We gladly welcome any new member to join our Folding Team. :):fold::fold::fold:

    Dexter...