Daylight Robbery...


oksteve
04-24-2004, 05:11 PM
Turn your back for five minutes and some ruffian has run off with your home page.

Delete all the registry entries and go to bed for a good night's kip, wake up and they are all back laughing at me.....

Let me explain, I use Win 98SE. My home page is blank, well it was until "Best-Search" took control of it.

I want to keep it blank but somehow it keeps getting changed to "Best-Search".

I go to 'Tools', 'Internet Options' and select blank. It works for a little while. Then I turn off the puter, come back and agghhh!!!



I delete all registry entries that refer to it but the little blighter keeps coming back. Can anyone help?

Budfred
04-24-2004, 06:25 PM
It appears that you have been hijacked... Please download and run both Spybot and AdAware. Update both before running. Fix the items checked in RED on Spybot and fix whatever AdAware indicates is a problem. Then download and run HijackThis. To run HJT, extract it to a permanent folder such as C:\Documents or one you create like C:\HJT. Close all programs you have opened and make sure that all programs are enabled if you use msconfig. Run it and Scan, then Save the log. When the log window appears, right click to Copy it, open your browser and come here to Paste the log. Do not make any changes until it is checked, since most items are either benign or essential to the computer.

Links for them all are in my signature....

Oh, and Welcome to http://www.pcguide.com/ubb/pcgubb.gif

Paleo Pete
04-25-2004, 02:12 AM
Best search is a tough one, I cleaned it off a machine a couple of weeks ago. Took me a half dozen tries, using AdAware and HJT. Boot into Safe Mode and get ready for a bumpy ride.

Budfred
04-25-2004, 02:27 AM
Depends on what it looks like, but it is probably CWS and should be possible to fix it with CWShredder, but need to see the log to be sure....

oksteve
04-25-2004, 01:50 PM
Budfred, You suggested using HJT to get rid of that pesky best-search...

I would like you to raise your right hand above your head.. go on raise it high....reach over the back of your head and pat yourself on the back.


Your suggestion worked first time, best search is dead.

Thank you and thank HJT

PrntRhd
04-25-2004, 10:56 PM
Yes, but please post that HJT log showing it is clean.
:D

Budfred
04-26-2004, 02:58 AM
HJT should not have fixed BestSearch by itself unless you just started fixing things with it. If you did that, it is very likely that you didn't get it all.... If you used CWShredder it may have killed BestSearch, but keep in mind that it usually travels with friends and you are probably still infected.... Please post a log as PrntRhd said...

oksteve
04-26-2004, 03:35 PM
When I returned to your postings I was re-infected. So I downloaded CWShredder and that did the trick. However, I was advised to download a patch from Uncle Microsoft to prevent the security breach in the Java virtual machine. This I am about to do.

In the meantime here is the log file from HJT. Cheers.

Logfile of HijackThis v1.97.7
Scan saved at 19:16:38, on 26/04/04
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Clipboard Pile] C:\PROGRAM FILES\CLIPBOARD PILE\CLIPBOARD PILE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Keep It Alive.lnk = C:\Program Files\Keep It Alive\Kpalive.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .jsp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.ntlworld.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} - http://www2.getmapping.com/ecwplugins/ncs.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FIX19105/flash.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.98.2.231:8030/activex/AxisCamControl.cab

Is there anything to fear from the last two entries ?

Budfred
04-26-2004, 07:40 PM
Well one of those last two are bad, but you have a real nasty in there that will take a lot more effort to kill..... First, let's start with the easy part. Download and run AdAware after updating it. When it finishes, it will probably tell you there is one file it can't fix. Write down whatever it tells you about that file... it will be the key to the fix. Once you are done, reboot and post a fresh HJT log here. Make sure all windows and your browser are closed when you run it. We will look at what is left, clean it up and then take out the really bad one.....

oksteve
04-26-2004, 08:19 PM
I have a nurse mopping my fevered brow, there is a team of surgeons standing by, prepped, in the nearby hospital. An ambulance is waiting outside my home ready to rush me there when I have a heart attack after you tell me what the REALLY NASTY thing is that I have lurking in my beloved computer....

Hang on, I'll close my eyes....ok tell me....


I did what you asked, including an update to AdAware, which resulted in 10 objects found. However, there were none left unremoved!

I also re-booted and ran HJT again, the results are below.

Logfile of HijackThis v1.97.7
Scan saved at 00:06:27, on 27/04/04
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CLIPBOARD PILE\CLIPBOARD PILE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\KEEP IT ALIVE\KPALIVE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Clipboard Pile] C:\PROGRAM FILES\CLIPBOARD PILE\CLIPBOARD PILE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Keep It Alive.lnk = C:\Program Files\Keep It Alive\Kpalive.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .jsp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.ntlworld.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} - http://www2.getmapping.com/ecwplugins/ncs.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FIX19105/flash.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.98.2.231:8030/activex/AxisCamControl.cab


OK whisper it to the nurse....

Budfred
04-27-2004, 01:12 AM
The nasty is called Look2Me or a couple of other things. The question is how bad it is. Sometimes it will just nicely die, sometimes there is an easy fix and sometimes we have to pry it out with a crowbar. We will hope it is one of the first two since AdAware didn't get it. Did you update AdAware before you ran it?? If not, do that first with the instructions I noted above. If you did, close all open windows and your browser, run HJT and mark/fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...19105/flash.cab

Unless you have absolute trust in this site to not exploit your system, it would be a good idea to fix this:

O15 - Trusted Zone: http://www.ntlworld.com

These may be ok, but they are restored when you visit the site again anyway, so I would fix them just in case...

O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} - http://www2.getmapping.com/ecwplugins/ncs.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.98.2.231:8030/activex/AxisCamControl.cab

Then reboot and post a fresh log along with details about what happened with AdAware... It is VERY important that we figure out which type of Look2Me you have....
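
As an added illustration (not code from this thread or from HijackThis itself), here is a small Python triage script that applies the same rules Budfred uses above, orphaned O2 entries, a BHO DLL dropped into the Windows folder, an O15 Trusted Zone, and O16 ActiveX downloads from dubious hosts, to a handful of sample lines constructed from the logs posted in this thread. The known-good and known-adware lists are assumptions for the example, not a maintained database.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O15 - Trusted Zone: http://www.ntlworld.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FIX19105/flash.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.98.2.231:8030/activex/AxisCamControl.cab
"""

# Assumed allow/deny lists (a real triage would consult a maintained database).
KNOWN_GOOD_BHO = {"{53707962-6F74-2D53-2644-206D7942484F}"}  # Spybot's SDHelper
KNOWN_GOOD_DPF_HOSTS = {"download.macromedia.com"}
KNOWN_ADWARE_DPF_HOSTS = {"download.abetterinternet.com"}    # called out in the thread

def triage_line(line):
    """Return (verdict, reason) for one HijackThis line, or None if it looks benign."""
    if line.startswith("O2 - BHO:"):
        guid = re.search(r"\{[0-9A-F-]+\}", line).group(0)
        path = line.rsplit(" - ", 1)[1]
        if path == "(no file)":
            return "fix", "orphaned BHO entry, its DLL is gone"
        if guid in KNOWN_GOOD_BHO:
            return None
        if re.match(r"(?i)c:\\windows\\[^\\]+$", path):
            return "fix", "unknown BHO loaded straight from the Windows folder"
        return "review", "unknown BHO"
    if line.startswith("O15 - Trusted Zone:"):
        return "review", "site runs with relaxed IE security settings"
    if line.startswith("O16 - DPF:"):
        host = urlparse(line.rsplit(" - ", 1)[1]).hostname or ""
        if host in KNOWN_ADWARE_DPF_HOSTS:
            return "fix", "ActiveX control from a known adware host"
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
            return "review", "ActiveX control served from a bare IP address"
        if host not in KNOWN_GOOD_DPF_HOSTS:
            return "review", "ActiveX control from an unrecognised host"
    return None

def triage(log_text):
    """Run triage_line over a whole log; returns [(verdict, reason, line), ...]."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        result = triage_line(line)
        if result:
            findings.append((*result, line))
    return findings
```

Run `triage(SAMPLE_LOG)` and the three "fix" verdicts it returns are exactly the entries Budfred marks for removal above; the O15 and bare-IP O16 lines come back as "review".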

oksteve
04-27-2004, 04:48 AM
I did as you asked, and AdAware was updated before my previous post.

Below is the log of the latest HJT from your last post.

Logfile of HijackThis v1.97.7
Scan saved at 08:39:14, on 27/04/04
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CLIPBOARD PILE\CLIPBOARD PILE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\KEEP IT ALIVE\KPALIVE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NTLDIAL\NTLDIAL.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Clipboard Pile] C:\PROGRAM FILES\CLIPBOARD PILE\CLIPBOARD PILE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Keep It Alive.lnk = C:\Program Files\Keep It Alive\Kpalive.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .jsp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.ntlworld.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

Thanks

mjc
04-27-2004, 11:24 AM
Looks much better, but I have a question for you...

This one seems like it is the auto-start for a connection keep-alive program, right?

O4 - Startup: Keep It Alive.lnk = C:\Program Files\Keep It Alive\Kpalive.exe

If that is the case it would probably be better to put a shortcut for it on the Quick Launch bar or the desktop and remove it from the StartUp folder.

You may decrease your boot time some and will increase the available free resources without it running until you get online.

oksteve
04-27-2004, 07:21 PM
You are right of course about "Keep it Alive", it would save boot time to have it out of the start-up folder.
I only keep it there because I will forget to engage it when online and get disconnected after ten minutes of staying on one site. A small price to pay for free internet access.

I guess that is that, I guess the work has been done and now I just get on my pony and trot off into the sunset...

I have enjoyed my visit to your little cantina on the prairie of cyberland. I don't like to ask for help because it is so difficult to repay this type of help.

If you were a shop then I would gladly part with the cash.
If you were neighbours then I would mow your lawn or fix your fence.

If you were friends then I'd fit your curtain tracks or cook you a meal or lay that patio you had always wanted.

But, what do you do if you are grateful to people who may live thousands of miles away, whom you do not know and most likely never will know?

You might not think that you have done anything! You did not have to do anything, but you still did. Which is something these days.

I can only think of donating money to a charity on your behalf.

If you have any particular preferences please let me know.

Thank you one and all. Steve

Budfred
04-28-2004, 01:26 AM
Yep, it looks clean.... Congrats...:D

As for donations, this forum could always use the support or one of the other spyware fighting forums...:)

And since I have your attention... Here is my speech for staying clean:

This is a good time to set up protection against further attacks. You need an antivirus that is updated, a good firewall and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....