[aimee]

I don't even want to know how this got on my system but it looks like the search engine tricks IE into thinking that all queries are being sent to an msn server when they are really being sent to the ramgo search site. This means that you end up using a p0rn search engine every time you search in the address bar. The problem is that ad-ware won;t fix it and I don;t know how to get rid of it. I'd really appreciate some help on this one.
Thx

[Top Banana]

Download HijackThis. Unzip, run, "Scan", "Scan" changes to "Save log". Save the log and copy and paste the HijackThis log into your next post.

Do not fix anything in HijackThis. Most entries will be harmless.

[aimee]

Ok, here ya go!


Logfile of HijackThis v1.95.0
Scan saved at 7:09:05 PM, on 7/1/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Washer Pro\iw.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Amy\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://pages.ebay.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.ramgo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.ramgo.com/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O1 - Hosts: 64.159.91.200 auto.search.msn.com
O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Internet Washer Pro] C:\Program Files\Internet Washer Pro\iw.exe min
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Shutdown.lnk = C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproacta...twasherpro.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

[Top Banana]

Scan with HijackThis, put a checkmark at and "Fix checked" the following entries.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.ramgo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.ramgo.com/search.html
O1 - Hosts: 64.159.91.200 auto.search.msn.com

Program Files\Httper Do you know what this program is?

[aimee]

Done.

Nope not familiar with that program...but I'm trainable

[aimee]

I found Httper though ,, now what?

[Top Banana]

Could you look at the Properties > Version > Company. What does it say?

[aimee]

File version - 1.0.0.1
Company name is blank

[Top Banana]

Thanks. I cannot find any info on this program. If you do not know what it is I suggest you close Internet Explorer and "Fix checked" the following entry.

O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll

Then delete the C:\Program Files\Httper folder.

[aimee]

ahhh, I think it's fixed! I'm not getting that search engine when I type in an addres. Thanks so much. BTW, what should I do that I didn't do before to prevent this from happening again?

Again, thanks!

[Top Banana]

Ah, good news!

Installing SpywareBlaster would be worthwhile.

[aimee]

Will do! Thanks so much!

[Top Banana]

You're welcome.

[OCAT]

i HAVE ALSO A PROBLEM WITH RAMGO.COM. i WOULD LIKE HELP PLEASE.
OCAT

[Top Banana]

Download HijackThis. Unzip, run, "Scan", "Scan" changes to "Save log". Save the log and copy and paste the HijackThis log into your next post.

Do not fix anything in HijackThis. Most entries will be harmless.