
Browser hijacked


Comments

  • Congratulations on your 100th post......:T Looks VERY confusing tho :confused:

    I hope you get your puter sorted out soon.
    sometimes you're the pigeon, sometimes you're the statue!

  • abwsco
    abwsco Posts: 979 Forumite
    Housecall just shows it unable to delete the same MS office things as before.

    I was able to find and delete paytime.exe, rules.dat and country.exe - I think I've done it properly.

    Here is my new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 09:22:30, on 10/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Anne1\Desktop\DO NOT DELETE\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedibb.co.uk
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [CheckMsgPlus] C:\WINDOWS\System32\Rundll32.exe C:\PROGRA~1\MESSEN~1\MsgPlusH.dll,VerifyInstallation
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136714814380
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A59F2033-0BE0-405F-983A-EFA1E725720C}: NameServer = 85.255.113.148,85.255.112.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F8263C-E238-4394-973D-F59D47C84F7C}: NameServer = 85.255.113.148,85.255.112.20
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    I hope I've been doing things correctly.

    The PC is running so much better so far.
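A log like the one posted above is easier to review once it is parsed into entries. The following is an added example, not part of the original thread and not HijackThis code: it parses HijackThis v1.99.1-style lines, counts them per section code, and lists entries that deserve a manual check. The function names are hypothetical and the sample is a short excerpt of the log above.

```python
import re
from collections import Counter

# Excerpt of the log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedibb.co.uk
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{A59F2033-0BE0-405F-983A-EFA1E725720C}: NameServer = 85.255.113.148,85.255.112.20
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# An entry line is "<letter><number> - <detail>"; process paths do not match.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# O17 lines carry the adapter GUID and a comma-separated resolver list.
NAMESERVER_RE = re.compile(r"\\(\{[0-9A-Fa-f-]{36}\}): NameServer = (.+)$")


def parse_entries(log_text):
    """Return [{'code': 'O4', 'detail': '...'}, ...] in log order."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append({"code": match.group(1), "detail": match.group(2)})
    return entries


def section_counts(entries):
    """Number of entries per section code (R0, O4, O16, ...)."""
    return Counter(entry["code"] for entry in entries)


def static_nameservers(entries):
    """Map adapter GUID -> list of DNS servers set statically in the registry."""
    found = {}
    for entry in entries:
        if entry["code"] != "O17":
            continue
        match = NAMESERVER_RE.search(entry["detail"])
        if match:
            found[match.group(1)] = [ip for ip in re.split(r"[,\s]+", match.group(2)) if ip]
    return found


def review_items(entries):
    """Entries a reviewer should confirm by hand, with the reason."""
    items = []
    for entry in entries:
        if entry["detail"].endswith("(file missing)"):
            items.append((entry["code"], "orphaned entry: target file no longer exists"))
        elif entry["code"] == "O17" and "NameServer" in entry["detail"]:
            items.append((entry["code"], "static DNS servers: confirm they belong to the ISP or router"))
    return items


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print(dict(section_counts(parsed)))
    print(static_nameservers(parsed))
    for code, reason in review_items(parsed):
        print(code, "-", reason)
```
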
  • pchelpman
    pchelpman Posts: 1,274 Forumite
    Well done again, abwsco. You're working hard and it's paying off.

    The HJT log is clean.


    Comments on the PAS scan...

    Go to this file and DELETE IT IMMEDIATELY....

    C:\WINDOWS\kl.exe

    kl.exe is another process which allows attackers to access your computer, stealing passwords, internet banking and personal data.

    Again, check with your financial institutions - by PHONE - that all your cash is safe.


    This one....

    Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}

    ...relates usually to the MyWay search toolbar and related spyware. Not a desperate issue.

    Is this a Dell PC by any chance? I ask because Dell now installs this MyWay search stuff on its PCs in the factory so - when you buy one - it comes pre-installed with spyware. Great isn't it??

    This seems to be the only instance of MyWay on the PC which makes me wonder how it got there.

    Let me know ... is this a Dell PC? Do the user(s) of this PC use MyWay search "facilities"? Shall we try to remove MyWay?

    Some folk use it, most don't. I therefore ask before removing.


    Don't worry about these....

    Potentially unwanted toolapplication/Processor Not disinfected C:\Documents and Settings\Anne1\Desktop\smitRem\Process.exe

    Potentially unwanted toolapplication/Processor Not disinfected C:\Documents and Settings\Anne1\Desktop\smitRem.exe[Process.exe]


    ...they relate to you using smitrem (which I presume you got to work OK eventually).


    These are all minor stuff in Spybot S&D…

    Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer24.zip[anne1@realmedia[1].txt]

    Spyware:Cookie/Xmts Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer24.zip[anne1@xmts[1].txt]

    Spyware:Cookie/go Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer27.zip[anne1@go[1].txt]

    Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer27.zip[anne1@realmedia[1].txt]


    You indicate your copy of Spybot doesn't seem to be working correctly. I suggest you uninstall S&D completely then reinstall latest version 1.4 here….

    http://www.safer-networking.org/en/download/

    Rescan with it and, as usual, have it fix any problems it finds.


    Don't worry about this either...

    Possible Virus. Not disinfected C:\WINDOWS\system32\ZoneLabs\srescan.dll

    It's OK…it's NOT a virus … just a left over from a ZoneAlarm scan


    Did you manage to upload that Notepad file to jotti as I asked in my last post? If not please do it now and post the results of the jotti scan back here for me to see.


    Now you have AVG antivirus and ZoneAlarm firewall you might want to act on what you said earlier and remove the Symantec/Norton things. If so use this tool...

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=pfdocs&dtype=&prod=&ver=&osv=&osv_lvl=

    ...but BE WARNED it will remove EVERYTHING "Norton". If you have a program you want to keep - like Ghost, for example - you will need to reinstall it after using this tool.


    The comment was made in an earlier post that the Messenger program on this PC may have been the source of your LOP infection. This is a possibility but not very likely as this PC only has Messenger2. It's the Messenger Plus 3 that comes bundled with LOP (for some unknown reason). IF you allow the Plus 3 version to be installed on this PC DO NOT accept LOP when going through the installation routine.


    I hope all your money's safe and it seems those angel smilies occur in the PAS reports on the letter "A" for some reason. I don't think it's anything to worry about.


    Let me know about the kl.exe file, the Notepad jotti scan and your comments on the MyWay question. We'll move on from there. Not much left to sort out by the looks of things.
  • abwsco
    abwsco Posts: 979 Forumite
    Thanks again and so glad that I'm getting there with all your help.
    Is this a Dell PC by any chance? I ask because Dell now installs this MyWay search stuff on its PCs in the factory so - when you buy one - it comes pre-installed with spyware. Great isn't it??

    The infected one isn't Dell but this one is. We did have them networked together although we don't now use that facility. I would like to remove it off both PCs though so would appreciate help doing that. Should I also disable the networking option somehow as we don't use it?

    I'm also going to remove all Norton stuff.

    All our money, or lack of it, seems to be safe according to the banks. The infected PC is not used for doing any online banking and I have also run Ewido, Pandascan, Spybot etc on the uninfected PC with everything being clean as far as I can tell.
    You indicate your copy of Spybot doesn't seem to be working correctly. I suggest you uninstall S&D completely then reinstall latest version 1.4 here….

    http://www.safer-networking.org/en/download/

    Rescan with it and, as usual, have it fix any problems it finds

    I tried removing this last night, before running the panda scans etc. When I go to Add/remove it is showing S & D 89.88MB. I then click on Remove and then a Wizard opens up. Click on English and it then takes me to S & D 1.2. I don't know how else to remove it. I did download S & D 1.4 again (already had that on the PC) thinking that may help. S & D 1.4 is also showing in the add/remove option as 6.82MB. So I'm a bit stuck on how to get rid of 1.2. Ran 1.4 and it didn't find any problems.

    I've deleted kl.exe file.
    Did you manage to upload that Notepad file to jotti as I asked in my last post? If not please do it now and post the results of the jotti scan back here for me to see.

    Sorry I seem to have missed doing this. Will go back and have a look and do it.
  • abwsco
    abwsco Posts: 979 Forumite
    Here are the jotti results.

    Service
    Service load: 0% 100%

    File: notepad.exe
    Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 388b8fbc36a8558587afc90fb23a3b99
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VBA32 Found nothing
  • abwsco
    abwsco Posts: 979 Forumite
    Another HJT log though I know you didn't ask for it.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:43:17, on 10/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Anne1\Desktop\DO NOT DELETE\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedibb.co.uk
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [CheckMsgPlus] C:\WINDOWS\System32\Rundll32.exe C:\PROGRA~1\MESSEN~1\MsgPlusH.dll,VerifyInstallation
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136714814380
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A59F2033-0BE0-405F-983A-EFA1E725720C}: NameServer = 85.255.113.148,85.255.112.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F8263C-E238-4394-973D-F59D47C84F7C}: NameServer = 85.255.113.148,85.255.112.20
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • pchelpman
    pchelpman Posts: 1,274 Forumite
    OK. Working in reverse order...

    The HJT log is clean. There are two "left over" entries relating to Norton. Both irrelevant. If you want to remove them scan with HJT, as you did before, then tick these two, close all browsers and click "Fix Checked"...

    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.dll

    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tec.../ActiveData.cab


    If you ever go back to the site to download anything these will just be reinstalled. No problem.


    The jotti scan came up clean too. All well there.


    If Spybot 1.4 didn't find anything I shouldn't worry about the other version. I expect you'll get rid of it somehow one day. Just be certain you scan with the right one.


    How to disable networking ...

    http://compnetworking.about.com/od/windowsxpnetworking/ht/conndisenable.htm

    Hope that helps.


    Now to the MyWay removal.

    You don't seem to have the full-blown My Way search bar on this PC. Just the one entry appears in your registry....

    Potentially unwanted tool:application/myway Not disinfected

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}


    You will have to be very careful when fixing a registry. Get it wrong and you could trash the PC.

    My advice is to leave it alone if it's not "popping up", adding an unwanted toolbar to the browser or otherwise appearing during the general use of the PC.

    The trouble with this MyWay is that, although the Dell My Way Search Assistant is listed in the Control Panel, Add/Remove programs utility, there is no functional 'Remove' button available for user selection. There is no "My Way" folder present in the Program Files folder nor is there an autostart present in MSConfig. In short, there is nothing available to uninstall the tool bar in the customary manner. Dell has intentionally coded their installer package to make the 'remove' button non-functional.

    Here is a good step by step instruction on removing it (if you want to go that far) .....

    http://www.tech-forums.net/computer/topic/10632.html

    Remember you MUST make a full copy of your registry before you change it. That way you can recover it if anything goes wrong.

    Other than that .... all seems to be fine with the PC now.

    Safe surfing!
  • tigermatt
    tigermatt Posts: 1,926 Forumite
    abwsco wrote:
    Another HJT log though I know you didn't ask for it.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:43:17, on 10/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)...
    I've just checked your HiJack This log and everything that appears in there looks fine - no nasties are appearing. The only thing I will point out is (I think it may already have been pointed out actually) "Messenger Plus" (add on for MSN Messenger I think) can be nasty if it is installed with the sponsor program. If it's installed with the sponsor I suggest you remove it and the sponsor, then re-install without the sponsor program. :)
  • abwsco
    abwsco Posts: 979 Forumite
    tigermatt wrote:
    I've just checked your HiJack This log and everything that appears in there looks fine - no nasties are appearing. The only thing I will point out is (I think it may already have been pointed out actually) "Messenger Plus" (add on for MSN Messenger I think) can be nasty if it is installed with the sponsor program. If it's installed with the sponsor I suggest you remove it and the sponsor, then re-install without the sponsor program. :)

    I've already deleted MSN plus off the PC through Add/remove so should I delete it using hijack this? or by using windows explorer like I did for some of the other things?
  • pchelpman
    pchelpman Posts: 1,274 Forumite
    The LOP infection is "offered" as an optional install with Messenger Plus 3. Avoid it like the plague.

    Abwsco ... you should be OK now. Your PC looks fine to me, as I say.

    What you need to consider is your attitude to MyWay. If it's not causing any real problems leave it alone (unless you are confident with changing the registry of the PC).

    All the best.
This discussion has been closed.