CWS.GoogleMS.3-Have I been Hijacked?

After discovering and deleting CWS.GoogleMS.3 with updated PestPatrol, and updated CWShredder, I open the latest version of SpywareBlaster only to find that the xxxtoolbar has been unchecked in my restricted sites list. Re-running Pest Patrol And CWShredder don't find anything until I re-check xxtoolbar int SpywareBlaster's restricted list. Now when I run PestPatrol and CWShredder, in any order, CWShredder picks up nothing and PestPatrol once again finds CWS.GoogleMS.3. Without deleting the CWS.GoogleMS.3 with PestPatrol, SpywareBlaster still has everything checked in the restricted list...Until I once again delete the CWS.GoogleMS.3 with PestPatrol, at which time the xxxtoolbar in SpyBlaster becomes, once again unchecked. This cycle is an endless toggle game between PestPatrol and SpywareBlaster. CWShredder seems to play NO part in this exchange.

I notice no other new behavioral problems with my computer.

After once again cleaning everything up with PestPatrol and CWShredder and re-checking xxxtoolbar, I ran the latest version of HiJackThis with the following results:

Logfile of HijackThis v1.97.7
Scan saved at 12:47:56 PM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NAV 2004\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NAV 2004\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sony\Giga Pocket\usbsircs.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\default\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Presented by: Jeep's, Ro's & Alice's Internet Explorer (Jeep Loves Ro)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=LocalHost:1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\NAV 2004\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\NAV 2004\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NAV200~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Giga Pocket Initialize.lnk = C:\Program Files\Sony\Giga Pocket\initovl.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = C:\Program Files\Sony\Giga Pocket\usbsircs.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Girafa (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://mailcenter.comcast.net
O15 - Trusted Zone: http://www.comcast.net
O15 - Trusted Zone: http://update.zonelabs.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon...gctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc.../swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedC...vSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupda...t/opuc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/o...winrep.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupda...t/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
O16 - DPF: {6B401179-541E-4BF3-800F-10C39B529DB9} - http://ftp.gurunet.com/pub/cabs/GNInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...61.7940625
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/o...leXfer.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedC.../cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup...mAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/secure/OCARPT.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup...veData.cab
O16 - DPF: {EB289CB4-C028-4883-92D4-E430BC7D45A7} (Sm3LicenseCheck Library) - http://www.iolo.com/sm/ocx/Sm3LicenseCheck.ocx
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral4.sel.sony.com/sdc...onyctl.CAB

Can you tell me what's going on?

 

I think I may have found a solution for this? Could it be a PestPatrol "False Positive"?
The following Request for support to PestPatrol explains where I'm at now:

-----

"I think I found a "False Positive" on CWS.GoogleMS.3 spyware.

The following was my problem:

After discovering and deleting CWS.GoogleMS.3 with updated PestPatrol, and updated CWShredder, I open the latest version of SpywareBlaster only to find that the xxxtoolbar has been unchecked in my restricted sites list. Re-running Pest Patrol And CWShredder don't find anything until I re-check xxtoolbar int SpywareBlaster's restricted list. Now when I run PestPatrol and CWShredder, in any order, CWShredder picks up nothing and PestPatrol once again finds CWS.GoogleMS.3. Without deleting the CWS.GoogleMS.3 with PestPatrol, SpywareBlaster still has everything checked in the restricted list...Until I once again delete the CWS.GoogleMS.3 with PestPatrol, at which time the xxxtoolbar in SpyBlaster becomes, once again unchecked. This cycle is an endless toggle game between PestPatrol and SpywareBlaster. CWShredder seems to play NO part in this exchange.

After manually attempting to delete ALL Instances of xxxtoolbar.com-(several) and CWS.GoogleMS.3-(none) from my registry, I discovered that xxxtoolbar.com in my IE Security Restricted Sites list was gone!

After rechecking and activating xxxtoolbar in SpywareBlasters Restricted Sites List, I once again found xxxtoolbar.com in my IE Security Restricted Sites list.

Once again I ran PestPatrol Scan, found and deleted CWS.GoogleMS.3 and the xxxtoolbar. com was missing from my IE Restricted Sites list...etc...

Once again I ran PestPatrol Scan, found and deleted CWS.GoogleMS.3 and the xxxtoolbar.com was missing from my IE Restricted Sites list...etc...

Apparently The IE Security Restricted sites list in my computer, (where PestPatrol finds xxxtoolbar.com), is in the Registry at:
HKEY_CURRENT_USER\software\microsoft\windows\current version\internet settings\zonemap\domains\...

No other Spyware Program I use could find xxxtoolbar.com as a pest on my computer so it seems as if this could be a "false positive" that you folks at PestPatrol can easily correct?...Or do I still need to keep looking for a solution?"

-----

If anyone reads this, What do you think?