Full Version: Hijack this newcomer
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
kchretie
Have installed and run PestPatrol, spywareguard, spywareblaster, ie spyad. Still have p-gate basic lurking around. Just downloaded Hijack This and have the following log:


Logfile of HijackThis v1.97.7
Scan saved at 9:09:01 AM, on 5/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\windows\temp\98v.exe
C:\windows\temp\98v.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Program Files\spyware\SpywareGuard\sgmain.exe
C:\Program Files\spyware\SpywareGuard\sgbhp.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\One-VA VPN Client\cvpnd.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnmcmedicine.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\spyware\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [98v] C:\windows\temp\98v.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [98v.exe] C:\windows\temp\98v.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [qsmP38W] C:\WINDOWS\SYSTEM32\mssupgrd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Katherine Chretien\Application Data\urpo.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\spyware\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: One-VA VPN Client.lnk = C:\Program Files\One-VA VPN Client\vpngui.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {16CBCABE-19C6-4F49-9823-A20B637A3D83} (chcs_connect.CHCS_Win) - https://icdb.wramc.amedd.army.mil/icdb/apps...hcs_connect.cab
O16 - DPF: {310689A6-A011-4C5E-ADAB-20F80EC504C9} (Reporter Class) - https://icdb.wramc.amedd.army.mil/icdb/apps...nt/OMIPrint.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8111.1596759259
O16 - DPF: {E3FE4D21-D07D-4CDF-BC7F-21F335A45A9D} (chcsTE.UserControl1) - https://icdb.bethesda.med.navy.mil/icdb/app.../chcs_TE/VT.CAB
O16 - DPF: {F51FF5AB-C49F-4D4F-AA46-315D2D55F3A0} - http://www.eisoftwareapps.com/BMApp/install.cab

Please help - I'm at a loss.
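The log above mixes legitimate OEM and security-tool startup entries with a few that a helper would look at first: executables launched from `C:\windows\temp`, an executable sitting directly in the user's Application Data root, the same file registered twice under different Run value names, and a Search Bar setting that points at a local file. The script below is an added example written for this thread (it is not HijackThis, nor a tool from the forum); it applies those heuristics to the O4 and R0/R1 lines quoted from the log. The `ALLOWED_HOSTS` allowlist is an assumption built from the OEM default page shown in the log, and every flag it raises means "review", not "malicious".

```python
"""Heuristic triage of HijackThis O4 (Run) and R0/R1 (IE start/search) lines.

Added example for this thread; not HijackThis code and not a forum tool.
The heuristics and ALLOWED_HOSTS are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Assumption: the OEM default page from the log is the only start page we expect.
ALLOWED_HOSTS = {"www.dellnet.com"}

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnmcmedicine.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O4 - HKLM\..\Run: [98v] C:\windows\temp\98v.exe
O4 - HKLM\..\Run: [98v.exe] C:\windows\temp\98v.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Katherine Chretien\Application Data\urpo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# R0/R1 - HIVE\...\Main,Setting = url
R_RE = re.compile(r"^R[01] - (HKLM|HKCU)\\[^,]*,([^=]+?) = (.*)$")
# First executable path in a command line, quoted or not (paths may contain spaces).
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)


def exe_path(command):
    """Return the lower-cased executable path from a Run command line."""
    m = EXE_RE.match(command.strip())
    return m.group(1).lower() if m else command.strip().lower()


def triage(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (entry name, reason) pairs for lines that deserve a closer look."""
    findings = []
    seen = {}  # executable path -> Run value names that launch it
    for line in log_lines:
        m = O4_RE.match(line)
        if m:
            _hive, name, command = m.groups()
            path = exe_path(command)
            seen.setdefault(path, []).append(name)
            if "\\temp\\" in path:
                findings.append((name, "runs from a temp directory"))
            parent = path.rsplit("\\", 1)[0]
            if parent.endswith("\\application data"):
                findings.append((name, "executable placed directly in the Application Data root"))
            continue
        m = R_RE.match(line)
        if m:
            _hive, setting, url = m.groups()
            parsed = urlparse(url)
            if parsed.scheme == "file":
                findings.append((setting, "browser setting points at a local file"))
            elif parsed.hostname not in allowed_hosts:
                findings.append((setting, f"host {parsed.hostname} not in allowlist"))
    # The same binary registered under several Run values is a common persistence pattern.
    for path, names in seen.items():
        if len(names) > 1:
            for name in names:
                findings.append((name, f"same executable registered under {len(names)} Run values"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LINES):
        print(f"[review] {name}: {reason}")
```

Run it as-is to see the flagged entries from the thread's log; to triage another log, pass its lines to `triage()` and adjust `ALLOWED_HOSTS` to whatever start page the machine is supposed to have.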
kchretie
By the way, when I try to click on the link for how to operate the computer in safe mode for Windows XP, I am transferred from the Symantec site to a crap site.
CalamityJane
QUOTE (kchretie @ May 6 2004, 08:28 AM)
By the way, when I try to click on the link for how to operate the computer in safe mode for Windows XP, I am transferred from the Symantec site to a crap site.

It looks like you have or have had a CoolWebSearch hijacker. That and/or some other parasite has probably dropped a hosts file on your PC that is redirecting you when trying to visit certain security sites.

First, Please do a search on your PC for a file named: hosts (you want the one with no extension)

It is located in the folder c:\winnt\system32\drivers\etc.

Please open it up - Windows will pop up a box. Put a dot in the "choose program" option down at the bottom, and you can select a program to open it with (use Open with Notepad or WordPad). Copy and paste the entries in a reply back here so we can tell you which ones are safe to delete.

Or, alternatively, if you do not use a hosts file yourself to block unwanted websites, you can use this program to reset your hosts file back to its normal Windows default settings (and that will get rid of the *bad* entries that are redirecting you).

Please note that this instruction will replace any entries in that file - so if you have added entries yourself to the Hosts file, you will need to add them back after resetting your Hosts file with this method.

Download the Host FileReader from here: http://members.shaw.ca/techcd/VB_Projects/

Install the program and run it.

Double click on the Hosts file name in the bottom window.

Press 'Reset Default' and press 'OK'

Exit the program; you should be able to access the sites you need.
..................................
Next, please get this free tool and run it
CWShredder.
Download it here:
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

Just download it and click on it (you will need to have all browsers and any open windows closed). Hit the *Fix* button to run it. Let it fix what it finds. When done, press *Next* and you will get the results, and then *Exit*.

You may need to temporarily disable SpywareGuard for CWShredder to make the necessary fixes.

Then, please reboot your PC and post a new log back here please to see what remains to be fixed.
.......................
Note - I don't see signs of the P-Gate running
It is usually best to remove it in Add/Remove programs if you see any of the following (remove them)

Delphin Media Viewer
Pomulgate or
PGate

There is also an uninstaller available here:
http://www.pgate-basic.com/uninstall.shtml
kchretie
Thank you for looking into this for me. I will follow your directions once I get back home from work.

One question about p-gate basic: I still have the program in my add/delete program but I did find the pcs.exe in my system file and deleted it successfully. Like many, I am wary to download their own uninstall program for fear of additional risks; has anyone done this and is it safe to do? Makes me nervous!

I did download CWShredder earlier but it did not find anything.

Thanks again. I really appreciate the help.
CalamityJane
P-gate Basic is an adware program and not categorized as malicious. Removing it manually is explained on the page writeup by Pest Patrol

http://www.pestpatrol.com/PestInfo/d/delfin_media_viewer.asp

All of those pieces of it are not going to be visible in HijackThis logs.

Would you also please install, update and then run Adaware (free)?

Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/
(choose download from the lefthand menu)

Go to: Select Full Install and choose the download location of your choice (1.7mb)
Choose Download from
http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)

Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

After downloading and installing it, please update the program first. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen. You will see Reference File #01R302.03.05.2004 loaded or higher to know you have the latest update.

Next, go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:

Scan within archives
Scan my IE Favorites for banned URLs
Scan my hosts file

Then click *proceed* to save settings.

Click on *Tweak* next. And checkmark to make this green also:

Automatically try to unregister objects prior to deletion

Click on *proceed*

Next, from the main screen, click on *Start* (lower righthand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

Post a log from Adaware as well please, it will give us a little more info on the startups.
kchretie
Hi there,

Here is my hosts file:

127.0.0.1 localhost
10.41.0.1 dhcp.washington.va.gov
10.41.0.3 dhcpserver brokerserver
10.41.0.11 testserver
10.40.112.12 martinsburg
10.42.14.13 baltimore
10.2.29.130 forum
#

127.0.0.1 www.f1organizer.com #removed adware url
127.0.0.1 www.netpalnow.com #removed adware url
127.0.0.1 www.addictivetechnologies.com #removed adware url


I'm assuming it's the last 3 to delete? How to delete them?
CalamityJane
No, those don't look like the security sites list I expected. Those last 3 are actually blocking the listed sites. So if you want them blocked, leave them :)
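The distinction CalamityJane draws here is the whole point of reading a hosts file: a name mapped to 127.0.0.1 is being blocked (the browser connects to the local machine and gets nothing), a name mapped to a private intranet address is the user's own configuration, and a security vendor's name mapped to some other address is the hijack pattern she was looking for, since the browser silently lands on the attacker's server instead. The script below is an added example written for this thread (it is not the Host FileReader tool or anything from the forum). It classifies the hosts file kchretie posted and adds one constructed redirect line for a Symantec hostname pointing at the TEST-NET placeholder address 192.0.2.10 so the hijack branch is exercised; the `SECURITY_DOMAINS` list is an illustrative assumption built from the vendor sites named in this thread, and the RFC 1918 ranges are treated as the user's own intranet.

```python
"""Classify hosts-file entries as block, local mapping, or redirect.

Added example for this thread; not the Host FileReader tool or forum code.
SECURITY_DOMAINS is an illustrative assumption (vendor sites named in the thread).
"""
import ipaddress

# Hostname suffixes a hijacker would want to redirect (assumption for illustration).
SECURITY_DOMAINS = ("symantec.com", "lavasoft.de", "spywareinfo.com",
                    "pestpatrol.com", "windowsupdate.microsoft.com")

# RFC 1918 ranges, treated here as the user's own intranet mappings.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The hosts file posted in the thread, plus one CONSTRUCTED redirect line at the end
# (192.0.2.10 is a TEST-NET address used purely as a placeholder).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
10.41.0.1 dhcp.washington.va.gov
10.41.0.3 dhcpserver brokerserver
10.41.0.11 testserver
10.40.112.12 martinsburg
10.42.14.13 baltimore
10.2.29.130 forum
#

127.0.0.1 www.f1organizer.com #removed adware url
127.0.0.1 www.netpalnow.com #removed adware url
127.0.0.1 www.addictivetechnologies.com #removed adware url
192.0.2.10 www.symantec.com
"""


def is_security_site(host):
    """True if host is one of the security domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def classify_line(ip_text, host):
    """Verdict for a single (address, hostname) pair."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    # Loopback or 0.0.0.0: the name resolves to nowhere useful, i.e. it is blocked.
    if ip.is_loopback or ip.is_unspecified:
        return "default" if host.lower() == "localhost" else "block"
    # Private address: an intranet mapping the user (or their employer) set up.
    if any(ip in net for net in RFC1918):
        return "local mapping"
    # Anything else sends the name to some other server: a redirect.
    return "security-site redirect" if is_security_site(host) else "redirect"


def classify_hosts(text):
    """Parse hosts-file text into (hostname, address, verdict) tuples."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip_text, *hosts = line.split()       # one address, one or more names
        for host in hosts:
            results.append((host, ip_text, classify_line(ip_text, host)))
    return results


def hijack_indicators(text):
    """Only the entries that redirect a security vendor's name elsewhere."""
    return [r for r in classify_hosts(text) if r[2] == "security-site redirect"]


if __name__ == "__main__":
    for host, ip_text, verdict in classify_hosts(SAMPLE_HOSTS):
        print(f"{verdict:24} {ip_text:15} {host}")
    print("hijack indicators:", hijack_indicators(SAMPLE_HOSTS))
```

On the thread's real file the three "#removed adware url" lines come out as `block`, the 10.x lines as `local mapping`, and nothing as a redirect, which matches the conclusion above; only the constructed last line trips the hijack check. To inspect a live file, read `C:\WINDOWS\system32\drivers\etc\hosts` (or the path CalamityJane gives) and pass its contents to `classify_hosts()`.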