[mechnut]

I see 37 times the post has been read,yet no one has replied. What gets me is NO ONE has replied with even a suggestion yet other posts have had hundreds of replies. How about a moderator even replying? well I am just stummped on both the bug and lack of replies. I guess I am not the only one who cannot figure out how IWON was able to hijack my browser. Sorry most of that is just plain being at witts end, been workin on this darn bug for going on 28 hours now. Would have been alot quicker to just nuke and reload, but what the heck can anyone learn from that? :mad:

[-=jonnyrotten=-]

Wow! 100's of replies? I haven't seen that one yet, could I get a link? You only posted yesterday, sometimes when we're getting lots of posts it's hard to keep up on every single one. We may be geeks, but not 100% perfect geeks, maybe 99% For future reference just nicely remind us and we'll be happy to help.

-=jonnyrotten=-

[mechnut]

Toshay! You are right I was WRONG. I misread the list, thought it showed the replies on the right, which is the times viewed, my mistake. The most replies I saw was 83. What you read was frustration boiling over, misplaced yes, but very much boiling. I realize my hijack seems to be very well hidden and my not be reverseable without reformatting. Anyhow if anyone is offended I offer my appologies.

[-=jonnyrotten=-]

Hey it's all good, I have dealt with my share of frustrations over pc problems too. I will have instructions for you sometime today I am at school right now and during a break I will have time to dive into it. Don't reformat yet, I believe this can be fixed.

-=jonnyrotten=-

[mechnut]

Jonny,
Here is the last HJT log.

Logfile of HijackThis v1.98.2
Scan saved at 12:11:50 PM, on 12/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\DOCUME~1\Art\LOCALS~1\Temp\Temporary Directory 3 for hijackthis1977.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://inside.arb.ca.gov/index.htm"); (C:\Documents and Settings\Art\Application Data\Mozilla\Profiles\default\0yyw4xsi.slt\prefs.js)
O2 - BHO: CIEExtension Object - {B51DC573-E998-4834-9B45-BAB7C2AE0A75} - C:\Program Files\Ad-Protect\ADPIEmonitor.dll
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

I uninstalled nearly everything I had installed in the last few weeks. I have tried countless spyware programs all with current updates. I have deleted every single .tmp file I can locate while in safemode and normal startup.

I wonder if this file my be the rotten egg here: S-1-5-21-1606980848-630328440-725345543-1003, that keeps showing up in my recyclebin. I have several logical drives and if I delete it from one it seems to jump to another. That is weird, the file just pops in right after its deleted? It just hops from one drive to another

[-=jonnyrotten=-]

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

Reboot normally and post new log. How are things working so far? Did the entry stay gone?

-=jonnyrotten=-

[-=jonnyrotten=-]

Hey I found more info.

Go to control panel, add/remove programs:

Uninstall "Co-Pilot - iWon" and "iWon Prize Machine"

-=jonnyrotten=-

[mechnut]

Jonny,
DID that at least ten times. as long as I stay in safe mode its fine, as soon as I restart its right back where I am now. Can you read my last post and take a look at the file I mentioned thats running around my drives? I wonder how to delete it when it does not want to be deleted?

[mechnut]

Been there too! done searched for those found nothing. I searched in safemode and made sure the view hidden files was checked, as well as veiw system files and extensions.

[-=jonnyrotten=-]

Here's some info that may help. I am still looking. Did Iwon leave a toolbar too?

http://www.pestpatrol.com/pestinfo/i/iwon.asp

Also have you tried disabling system restore and trying it in safe mode then rebooting normally and checking to see if it's gone. Might help. Be careful while deleting stuff because you don't have a restore point to go back to now. If it works or doesn't work, make sure you enable sys restore after trying. I'm still searching.


1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

-=jonnyrotten=-

[mechnut]

System restore is off. also system restore cannot find any restore points when its on. I can search the drive and find them, but system restore cannot find or use them. I am not worried about restoring at this point because I am ready to reformat. I really want to beat this &^%*$ thing and thats keeping me from just saying f'it and reformatting. I will try anythnig, if I have to format because something goes wrong .....oh well! Thanks for your help, I will not format yet will wait to see if you come up with something new.

[Metallica]

I have a feeling that AdWatch is putting it back.

It is doing it's job and protecting your Startpage, whereas you want to get rid of it.

Disable AdWatch and try it.

Regards,

Pieter

[mechnut]

Ok after sitting here for over 24 hours trying everything under the sun I feel like a TOTAL [bleep]! Pieter you nailed it! I never even thought for a second about the adwatch, I just chalked it up as part of AdAware ad did not think it would cause this. Goes to show when workin on your own stuff you can be your own worst enemy. I am some what flabbergasted at all the crap each of the different spyware programs found. Well I have to say this group has been the best, you stuck with this and figured it out, simply awesome! I want to thank each of you for your effort, I know you spent your own time on my problem, I am truely grateful! I learned alot with this and through the help of those who replied. Thank You Thank You Thank You ! ! ! !

[Metallica]

It's what we like to do.

Safe surfing,

Pieter