Hi

I seem to have picked up some spy-ware that I cannot get rid of. I have already run Adaware & Hijack-this (log attached).

It redirects my IE homepage to a site called netsearchsoft.com, and adds an additional search bar at the top of the screen. Sometimes it will open an additional IE window with another search bar at the bottom of the screen. It has also added a whole bunch of stuff to my IE favorites.

It seems to make everything run very slowly and IE crashes with irritating regularity.

When I use Hijack this to fix any of the lines with "netsearchsoft" mentioned in them most of this goes away (except the additional top search bar) but it all re-appears every time I switch on the PC.

Has anyone managed to get rid of this program?

Please note I am only minimally competent with a PC!

Thanks for any advice.
Abby


Logfile of HijackThis v1.97.7
Scan saved at 09:39:38, on 27/05/2004
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FolderShare\FolderShare.exe
C:\DOCUME~1\abby\LOCALS~1\Temp\pch7E.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Spy-detection\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = netsearchsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
N3 - Netscape 7: user_pref("browser.startup.homepage", "netsearchsoft.com");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\abby\Application Data\Mozilla\Profiles\default\z0brperp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\abby\Application Data\Mozilla\Profiles\default\z0brperp.slt\prefs.js)
O2 - BHO: (no name) - {D4C481FF-5D8B-38F5-B908-97A6B198BAFE} - C:\PROGRA~1\32about\bluebib.dll
O3 - Toolbar: File byte flap - {5DB00EA4-860D-EE6E-37B1-3403FF857164} - C:\PROGRA~1\32about\bluebib.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Software Stop] C:\PROGRA~1\REALSI~1\bias atom.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Spy-detection\Hijack_this!\Registry Mechanic\RegMech.exe /QS
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/...7664.3231944444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

Before we do anything, please move HiJackThis to a permanent folder. I suggest 'c:\program files\hijackthis\' but any folder other than the Desktop or a temporary folder is fine. This will allow us to use backups to restore entries if necessary

Reboot in Safe Mode* and run HiJackThis.

Check the following items in HijackThis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = netsearchsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html

O4 - HKLM\..\Run: [Software Stop] C:\PROGRA~1\REALSI~1\bias atom.exe


Close all windows except HijackThis and click Fix checked:

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\PROGRA~1\REALSI~1\ <-- folder

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show hidden files/folders as per the instructions here http://www.tacktech.com/display.cfm?ttid=190

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Post another HiJackThis log in this thread for review.