Removing search engine hijacker

5 posts in this topic

...what that 15 hours? First, I've read the Preparation and done it all.


I do a search with Google or Yahoo and get taken to a second pornographic portal. I also am getting sent to thispageisnotavailable.com another porn-like portal. It doesn't occur every time but once it starts it doesn't stop. The Back function in the browser won't work but if I use its dropdown box I can hop over the bad portal's first occurrence.


I started with Adaware and AVG then Advanced Windows Care. They showed me clean but I did XosoftSpy's free scan and found many, like motor media, and more cryptic ones. It won't let me print or even cut and paste its log though. So all day I've been downloading spyware fighters like Spybot, AVG's Spyware, SpyCatcher, Spyware Terminator, The Spyware Doctor with mixed luck but never coming anywhere near to clearing the ones found in XsoftSpy or the PCTools one was even more depressing.


I looked in the registry in the P3P section and I hope it is supposed to be a list of sites Windows lists as bad because it is a huge list of porn sites in my registry.


One last thing before I post my logs. A second popup window, a third porn portal, comes up after I click on the desired google link. Unfortunately I never wrote its URL and wouldn't you know it, I can't duplicate it right now. The darn thing won't do it!


So first here is my AVG Spyware log which is the new Ewido...

Now I DID go ahead and clean these but the newest Hijack-This which follows the AVG log was LEFT ALONE.


AVG Anti-Spyware - Scan Report



+ Created at: 09:57:08 p.m. 01/06/2007


+ Scan result:




C:\Documents and Settings\USUARIO\Cookies\usuario@3.adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@ads.adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@site.www.adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@www.adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@www.belstat[4].txt -> TrackingCookie.Belstat : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@com[1].txt -> TrackingCookie.Com : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@tracking.g3x[1].txt -> TrackingCookie.G3x : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@max.i12[1].txt -> TrackingCookie.I12 : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@idot[1].txt -> TrackingCookie.Idot : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@ilead.itrack[2].txt -> TrackingCookie.Itrack : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@image.masterstats[2].txt -> TrackingCookie.Masterstats : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@data2.perf.overture[1].txt -> TrackingCookie.Overture : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@pocitadlo[1].txt -> TrackingCookie.Pocitadlo : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@euro.real[1].txt -> TrackingCookie.Real : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@realguide.real[2].txt -> TrackingCookie.Real : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@revsci[2].txt -> TrackingCookie.Revsci : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@starware[2].txt -> TrackingCookie.Starware : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@anad.tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@ad.text.tbn[2].txt -> TrackingCookie.Texttbnru : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@toplist[1].txt -> TrackingCookie.Toplist : No action taken.

C:\Documents and Settings\USUARIO\Cookies\usuario@m.webtrends[2].txt -> TrackingCookie.Webtrends : No action taken.

C:\RECYCLER\S-1-5-21-1417001333-1383384898-1060284298-1003\Dc269.txt -> TrackingCookie.Zedo : No action taken.



::Report end


Now the Hijackthis log.....


Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 12:04:49 a.m., on 02/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Safe mode with network support


Running processes:













C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe

C:\Documents and Settings\USUARIO\Configuración local\Archivos temporales de Internet\Content.IE5\DU05YBUP\HiJackThis_v2[1].exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mx.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mx.yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Archivos de programa\SpyCatcher\SCActiveBlock.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Archivos de programa\Yahoo!\Common\yiesrvc.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\ARCHIV~1\SPYWAR~2\tools\iesdsg.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Archivos de programa\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [spyCatcher Reminder] C:\Archivos de programa\SpyCatcher\SpyCatcher.exe

O4 - HKLM\..\Run: [spywareTerminator] "C:\Archivos de programa\Spyware Terminator\SpywareTerminatorShield.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ares] "C:\Archivos de programa\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [Malware Sweeper] C:\Archivos de programa\MalwareSweeper.com\MalwareSweeper\MalSwep.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\palmOne\HOTSYNC.EXE

O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe

O4 - Global Startup: SpyCatcher Protector.lnk = C:\Archivos de programa\SpyCatcher\Protector.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Archivos de programa\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Archivos de programa\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Archivos de programa\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Researcher\EROPROJ.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.publiweb.com

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0364a1c2e3b449...RdxIE601_es.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O17 - HKLM\System\CCS\Services\Tcpip\..\{A2738C26-4E8C-4745-9634-41027D88905E}: NameServer =,

O17 - HKLM\System\CCS\Services\Tcpip\..\{A8803E24-C3B9-470C-A826-7817503C1FE3}: NameServer =,

O17 - HKLM\System\CCS\Services\Tcpip\..\{FE9459BA-A37C-4926-9FB6-295373C551B5}: NameServer =,

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =

O20 - AppInit_DLLs: secuload.dll

O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Archivos de programa\Canon\CAL\CALMAIN.exe

O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe

O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe

O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe

O23 - Service: iPod Service - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe

O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe

O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Archivos de programa\Spyware Doctor\sdhelp.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Archivos de programa\Spyware Terminator\sp_rsser.exe

O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe

O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

O23 - Service: Servicio de uso compartido de red del Reproductor de Windows Media (WMPNetworkSvc) - Unknown owner - C:\Archivos de programa\Windows Media Player\WMPNetwk.exe



End of file - 9801 bytes



OK, if anyone can help it would be great. I'm mostly paralyzed and all this typing has been agonizingly painful.


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.


Thank you for your patience.


[this is an automated reply]


Hi Canexicans, and Welcome to SWI


Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.


I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier, and you will need to reboot during this fix.


All the HijackThis logs should be run in Normal mode, NOT in Safe mode, because the log will not be complete (there will be items that won't load in Safe mode, and they won't show in the log if not loaded). Please ensure your next HijackThis log is run from Normal mode. Also, you should not really be running in Safe Mode with Networking support at all; it bypasses any antivirus or firewall you may have installed, as they will usually not load in Safe mode, and it leaves your system very vulnerable to further infection.


You seem to have quite a bit of antispyware software installed, some of which I would not recommend using.


You are running Spyware Terminator, which was previously listed on the Rogue Anti-Spyware list for installing adware. While they are no longer doing that, I would not recommend this program and I highly recommend removing it.

To remove Spyware Terminator, go to Start > Control Panel > Add or Remove Programs and remove the following programs:

Spyware Terminator


Using Windows Explorer delete associated program folder located under C:\Archivos de programa (do NOT delete the Archivos de programa folder, but the Spyware Terminator folder found under it).


You are running SpyCatcher from Tenebril. I would not recommend that program due to the high false alarm rate it has had in the past, and would instead recommend uninstalling it also.


If the PC Tools software you installed (Spyware Doctor?) is a trial version, I recommend you uninstall it, as it won't clean anything it finds.


Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Please download FixWareout from one of these sites:




Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.


Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

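The two checks the helper applies to the log above (was it taken in Normal mode, and how many anti-spyware products load at startup) can be run mechanically before a log is triaged. This is an added example, not part of the original thread and not HijackThis's own code: a small Python parser for the log format shown above, where the function names and the product-name list are assumptions drawn from this thread and the sample is a handful of lines copied from the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:04:49 a.m., on 02/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode with network support

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mx.yahoo.com/
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Archivos de programa\SpyCatcher\SCActiveBlock.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
O20 - AppInit_DLLs: secuload.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Archivos de programa\Spyware Doctor\sdhelp.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Archivos de programa\Spyware Terminator\sp_rsser.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O23 - Service: ..."
HEADER_RE = re.compile(r"^(Platform|Boot mode):\s*(.*)$")  # header fields we use
# Assumption: product names taken from this thread, not an authoritative list.
SCANNERS = ("AVG Anti-Spyware", "SpyCatcher", "Spybot",
            "Spyware Doctor", "Spyware Terminator")

def parse_hjt(text):
    """Return (header fields, {section code: [entry text, ...]})."""
    header, sections = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            sections[entry.group(1)].append(entry.group(2))
            continue
        field = HEADER_RE.match(line)
        if field:
            header[field.group(1)] = field.group(2)
    return header, dict(sections)

def triage(text):
    """Apply the helper's two checks, plus a list of '(file missing)' entries."""
    header, sections = parse_hjt(text)
    boot = header.get("Boot mode", "unknown")
    # Scanners that load at startup: BHOs (O2), Run keys (O4), services (O23).
    resident = sorted({name for code in ("O2", "O4", "O23")
                       for entry in sections.get(code, [])
                       for name in SCANNERS if name.lower() in entry.lower()})
    missing = [e for entries in sections.values() for e in entries
               if e.endswith("(file missing)")]
    return {"boot_mode": boot,
            "rescan_needed": boot.lower() != "normal",  # Safe mode log is incomplete
            "resident_scanners": resident,
            "missing_files": missing,
            "counts": {code: len(v) for code, v in sections.items()}}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
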

Due to the lack of feedback this Topic is closed.


If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.


Everyone else please begin a New Topic.
