Full Version: LinkGrabber99
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
zago2
Just ran PestPatrol, and apparently I'm infected with LinkGrabber99. Haven't noticed a problem yet, but how do I delete this?

Here is my HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 19:09:28, on 29/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\CSAFE\AUTOCHK.EXE
C:\IBMTOOLS\APTEZBTN\APTEZBP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\WINDOWS\SYSTEM\E_S4I0S2.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\IBMTOOLS\REGISTER\REMIND.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT BROADBAND\HELP\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\E_S10MT2.EXE
C:\WINDOWS\SYSTEM\E_S10RN2.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.com/iesearch/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\g_tsav\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\SYSTEM\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O7 "EPUSB1:" /M "Stylus C66"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KPF4] c:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKCU\..\Run: [EPSON Stylus C20 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /A "C:\WINDOWS\SYSTEM\E_S1385.TMP"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\SYSTEM\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /M "Stylus C66" /EF "HKCU"
O4 - Startup: Reminder.lnk = C:\IBMTOOLS\Register\remind.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...345/mcfscan.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab


Thanks for your help!
Bobbi Flekman
Hi zago2,

Your log is clean. Where does PestPatrol say it is?
Hunter
Bobbi is asking that question since, if a PC is really infected with that exploit, we would expect to see some or all of the entries below, and none seem to be present.


http://sarc.com/avcenter/venc/data/pf/adwa...inkgrabber.html




How to Remove LinkGrabber 99 Adware?

LinkGrabber 99 Description:
From the doc: 'iTimesSquare Advertising module- LinkGrabber '99 is free to use. It is advertising supported software. The iTimesSquare advertising module that accompanies LinkGrabber '99 is designed to display attractive, high quality ads in its pop up window.'

LinkGrabber 99 Automatic Removal:
Using PESTPATROL to remove KeySnatch AUTOMATICALLY.

LinkGrabber 99 Manual Removal:
Follow these steps to remove LinkGrabber 99 from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Kill these running processes with Task Manager:
linkgrabber99.exe

Unregister these DLLs with Regsvr32, then reboot:
programfilesdir+\mywebsearch\bar\2.bin\f3cjpeg.dll
programfilesdir+\mywebsearch\bar\2.bin\f3htmlmu.dll
programfilesdir+\mywebsearch\bar\2.bin\f3popswt.dll
programfilesdir+\mywebsearch\bar\2.bin\f3reprox.dll

Remove these registry items (if present) with RegEdit:
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\build
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\cachedir
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\configdatestamp
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\configrevision
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\configrevisionurl
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\historydir
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\htmlmenurevision
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\id
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\lastconfigrequest
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\maximized
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\nextconfigrequest
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\settingsdir
HKEY_LOCAL_MACHINE\software\mywebsearch\bar\visible
HKEY_LOCAL_MACHINE\software\mywebsearch\mwsoeplg\promo\yahoo.0.old
HKEY_LOCAL_MACHINE\software\mywebsearch\mwsoeplg\promo\yahoo.1.old
HKEY_LOCAL_MACHINE\software\mywebsearch\mwsoeplg\promo\yahoo.2.old
HKEY_LOCAL_MACHINE\software\mywebsearch\mwsoeplg\promo\yahoo.3.old
HKEY_LOCAL_MACHINE\software\mywebsearch\mwsoeplg\promo\yahoo.4.old
HKEY_LOCAL_MACHINE\software\mywebsearch\mwsoeplg\promo\yahoo.numactive
HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mywebsearch.com
HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mywebsearch.com\*
HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mywebsearch.net
HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mywebsearch.net\*

Remove these files (if present) with Windows Explorer:
commonprograms+\startup\mywebsearch email plugin.lnk
gdipfontcachev1.dat
install.log
installation.htm
lg99.reg
linkgrabber 99.txt
linkgrabber99.exe
mainpage.htm
programfilesdir+\mywebsearch\bar\2.bin\f3cjpeg.dll
programfilesdir+\mywebsearch\bar\2.bin\f3htmlmu.dll
programfilesdir+\mywebsearch\bar\2.bin\f3popswt.dll
programfilesdir+\mywebsearch\bar\2.bin\f3pssavr.scr
programfilesdir+\mywebsearch\bar\2.bin\f3reprox.dll
tipandtricks.htm
tsimage.dat
zago2
PestPatrol says it's in two places:

HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mywebsearch.net

HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mywebsearch.net\*


Can I safely ignore it (PestPatrol says delete or ignore)?
Hunter
Question for you first: do you by any chance also have on your PC either Spybot S&D or SpywareBlaster or any other programs like that, wherein you are having it do "immunize" or blocking lists?


You see, I have seen this happen before, where a program like Pest Patrol was coded badly and started calling out not only things placed in your RESTRICTED ZONE in IE but also the TRUSTED ZONE.


Those are the Security Setting zones you find in IE under Internet Options.


And I think those you just posted are really in the restricted zone, placed there by another one of your anti-spyware products.. and well it should.

I will give you more info on that in a minute.. in which case do not pay any attention to that Pest Patrol call out.
Hunter
This is the discussion I am talking about... it is not Pest Patrol, but I think the same thing has happened to you.


http://www.dslreports.com/forum/remark,11591842~mode=flat

see this ..


HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\


really means all the security zones that IE has..

find them on your pc by going to the security tab in your IE Internet options

tools> internet options> security tab on top.

then you will see all the zones

next click on the icon you see there called restricted sites.

then hit the button called sites

if in there you do see mywebsearch.net\* or mywebsearch.net

that is where they should be.. but if you find them the same way under the trusted sites.. then that is not good.
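The check Hunter walks through above (which zone a ZoneMap domain entry actually lands in) can also be done against a RegEdit export of the ZoneMap\Domains key. The script below is an added example written for this thread, not code from the forum, PestPatrol or SpywareBlaster. The .reg text is constructed: the mywebsearch.net keys mirror the ones PestPatrol reported, and example-vendor.test is a made-up Trusted sites entry that shows the bad case. Zone ids 2 (Trusted sites) and 4 (Restricted sites) are the standard Internet Explorer values.

```python
import re

# Standard Internet Explorer security zone ids.
ZONE_NAMES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

DOMAINS_MARKER = "\\ZoneMap\\Domains\\"

# Constructed sample of a RegEdit export (File > Export) of the
# ZoneMap\Domains key.  The mywebsearch.net keys match what PestPatrol
# flagged in the thread; example-vendor.test is invented for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net\*]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-vendor.test\www]
"http"=dword:00000002
"https"=dword:00000002
"""


def parse_zonemap(reg_text):
    """Return (host_pattern, scheme, zone_id) tuples from a .reg export.

    Under ...\ZoneMap\Domains\ each key names a domain, optionally with a
    host-label subkey ('*' means any host).  The values beneath it map a
    URL scheme ('*', 'http', 'https', ...) to the zone id the host gets.
    """
    entries = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(DOMAINS_MARKER.lower())
            current = None
            if idx != -1:
                rel = key[idx + len(DOMAINS_MARKER):]   # e.g. 'mywebsearch.net\*'
                parts = rel.split("\\")
                domain = parts[0]
                host = parts[1] if len(parts) > 1 else ""
                current = f"{host}.{domain}" if host else domain
            continue
        m = re.match(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current:
            entries.append((current, m.group(1), int(m.group(2), 16)))
    return entries


def audit(entries):
    """Split entries into restricted (expected for an immunize list),
    trusted (each one deserves a look) and anything else."""
    restricted = [e for e in entries if e[2] == 4]
    trusted = [e for e in entries if e[2] == 2]
    other = [e for e in entries if e[2] not in (2, 4)]
    return restricted, trusted, other


def describe(entry):
    host, scheme, zone = entry
    return f"{scheme}://{host} -> zone {zone} ({ZONE_NAMES.get(zone, 'unknown')})"


if __name__ == "__main__":
    restricted, trusted, other = audit(parse_zonemap(SAMPLE_REG))
    print("Restricted sites (what an immunize feature adds):")
    for e in restricted:
        print("  ", describe(e))
    print("Trusted sites (review each one; a hijacker would put itself here):")
    for e in trusted:
        print("  ", describe(e))
    for e in other:
        print("  other:", describe(e))
```

On a real machine, export the key with RegEdit and feed the file to parse_zonemap; a scanner that flags every ZoneMap\Domains key without looking at the zone id will report restricted-zone immunize entries exactly as happened in this thread.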
zago2
I do have Spybot SD and Spyware Blaster.
I found mywebsearch.net in the restricted sites.
So is this OK?
Bobbi Flekman
Yep! This is okay. It was added to the Registry through Spyware Blaster. If you click on "Restricted Sites" and search in the list of websites you will find it as "CoolWebSearch (648) mywebsearch.net". ;)
Hunter
QUOTE (zago2 @ Oct 29 2004, 05:10 PM)
I do have Spybot SD and Spyware Blaster.
I found mywebsearch.net in the restricted sites.
So is this OK?

So to explain that to you... any domains (site names) you find in the restricted zone.. your browser will never go to them or get downloads or web content from them, so as far as your browsing habits go you can consider them to not even exist on the internet.. and that IS good... :thumb:

that will cut down on hijacks and redirects to nasty sites.

Some think of them as blocked lists.. black lists.. etc etc. Another way this can be done is with a feature that all Microsoft OSes have available, called the HOSTS file.

It is possible with that feature to also block bad sites.. or even redirect from bad sites taken over by nasty buggers.. to a good site.


But using the restricted sites method is better in many cases and faster for your browser to realize that you are in control, and not the internet taking control of you, and the information that will then be viewed in your browser window is exactly how you want... think about it as customizing.
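Hunter's HOSTS file point cuts both ways: the same file that a blocklist uses to sink a bad domain to 127.0.0.1 or 0.0.0.0 is what a hijacker edits to send a good name somewhere else. The audit script below is an added example, not code from the thread; the HOSTS content is constructed, and example-bank.test / 198.51.100.7 are placeholder values, not real indicators. It separates blocking entries from redirects so the redirects can be reviewed.

```python
import ipaddress

# Constructed sample HOSTS file: the default localhost line, two blocklist
# entries for the domain discussed in the thread, and one invented redirect
# of a bank-looking name to a routable address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         mywebsearch.net
127.0.0.1       www.mywebsearch.net   # added by a blocklist
198.51.100.7    www.example-bank.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue          # malformed address; nothing to classify
        for name in fields[1:]:
            yield ip, name.lower()


def classify(entries):
    """Return (blocked_names, redirects).

    A name mapped to loopback or 0.0.0.0 is a block (the browser cannot
    reach the site).  A name mapped to any other address is a redirect and
    deserves review: that is how a planted HOSTS entry steers traffic.
    """
    blocked, redirects = [], []
    for ip, name in entries:
        if name == "localhost":
            continue          # the stock entry, not a policy decision
        if ip.is_loopback or ip.is_unspecified:
            blocked.append(name)
        else:
            redirects.append((name, str(ip)))
    return blocked, redirects


def audit_hosts(text):
    return classify(parse_hosts(text))


if __name__ == "__main__":
    blocked, redirects = audit_hosts(SAMPLE_HOSTS)
    print("Blocked:", ", ".join(blocked))
    for name, ip in redirects:
        print(f"REVIEW: {name} is redirected to {ip}")
```

To run it against a real machine, read the file (on Windows 98 that is C:\WINDOWS\HOSTS, on NT-family systems %SystemRoot%\System32\drivers\etc\hosts) and pass its contents to audit_hosts; anything in the redirects list that you did not put there yourself is worth investigating.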
Bobbi Flekman
Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.