This Is Driving Me Insane!!!!
Mickey Goodall
June 13th, 2003, 06:46 PM
I've recently installed Spyware Blaster, Spybot Search and Destroy, and Sygate Personal Firewall and their respective updates. In addition, I have Computer Associates EZ Antivirus on my machine which I religiously update.
My problem is, on occasion, I still get the following redirect popping up in my IE 6 browser:
C:\WINDOWS\oftriexxgx.htm#http://www.wilderssecurity.com/spywareblaster.html
The address following the "#" is what I wanted in this case. Other occurrences have the identical prefix (before the "#").
What the heck is causing this and how the heck do I get rid of it?
Thanks In Advance,
Mickey Goodall
- Email address removed to protect from address harvesters - LWM
LowWaterMark
June 13th, 2003, 08:49 PM
Hi Mickey,
Well, a couple thoughts... First, is there actually a file called "oftriexxgx.htm" in your C:\windows directory? If so, it'd be interesting to look at its contents. It may actually say inside what it is or where it's from.
Secondly, perhaps posting a "HijackThis" log (see below) will help people identify the source of this if it's a known hijacker.
With this extra information maybe we can advise you better.
If you have no specific SpywareBlaster issue (which is what it seems), I'll move this thread to the Privacy Problems forum section.
Best Wishes,
LowWaterMark
----------
http://www.spywareinfoforum.com/~merijn/
At the website noted above, download the program HijackThis. This is actually a zip file (hijackthis.zip) that contains only the one program, HijackThis.exe. This program isn't an installer, it's the actual HijackThis scanner and repair utility itself, so you don't have to worry about installing it, or about registry updates, or even deinstalling it when you are done using it.
When you run the program, just hit the {Scan} button, and it will fill-in the details of your system's startup keys, browser helper objects, etc. Once the scan has finished, that same button changes to {Save Log} which will save a text copy of the findings. You should be left with a copy of Notepad open and all the results sitting there. You can copy/paste the results into a post here for review.
HijackThis also includes the ability to fix checked items from the list produced above. Do not attempt to do this at this point. Much of what will be listed there is correct and should not be fixed.
Mickey
June 13th, 2003, 09:26 PM
In answer to your first question: yes, there is an actual HTM file with that name in the Windows folder.
Secondly, here are the results of the log file from Hijack This:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Logfile of HijackThis v1.94.0
Scan saved at 8:14:20 PM, on 6/13/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\ODIGO\BIN\ODIGOBHO.DLL
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {38491c00-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: gthdabliell - {38491c01-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HPSCANMonitor] c:\windows\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Vet Start Up] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VET98.EXE /PROGRESSIVE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P22 "EPSON Stylus Photo 825" /O7 "EPUSB1:" /M "Stylus Photo 825"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\BELLSOUTH\CONNECTION TOOL\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\BELLSOUTH\CONNECTION TOOL\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O8 - Extra context menu item: &NeoTrace It! - C:\Program Files\NeoTrace Express\NTXcontext.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Atomica... - file:C:\PROGRA~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
O8 - Extra context menu item: Link Popularity - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=main&version=1&set=1&tool=1
O8 - Extra context menu item: Keyword Density - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=main&version=1&set=1&tool=2
O8 - Extra context menu item: Position Reporter - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=main&version=1&set=1&tool=3
O8 - Extra context menu item: SE Submission - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=main&version=1&set=1&tool=4
O8 - Extra context menu item: SE Optimizer - http://route.mouseclickapplication.com/cgi-bin/partner/router.cgi?partner=main&version=1&set=1&tool=5
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O9 - Extra button: EZSurfer (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npmp332.dll
O12 - Plugin for .m3u: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npmp332.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O12 - Plugin for .exe: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .isc: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npmio.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {99B42120-6EC7-11CF-A6C7-00AA00A47DD2} (Label Object) - http://activex.microsoft.com/activex/controls/iexplorer/x86/ielabel.cab
O16 - DPF: {451FCDEE-DCED-11D3-87DD-0090278F1040} (Yahoo! Voicemail Engine) - http://phone.yahoo.com/plugin/yumscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://a32.g.akamai.net/7/32/1828/108b4256c2b548/europe-download1.cult3d.com/cult.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {86A889A6-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics VRML Automation Driver v3.0) - http://caldera.paragraph.ru/bin/cortauto.cab
O16 - DPF: {10B80395-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona OpenGL Support) - http://caldera.paragraph.ru/bin/corthwrgl.cab
O16 - DPF: {10B80394-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona DirectX Support) - http://caldera.paragraph.ru/bin/corthwrdx.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortcore.cab
O16 - DPF: {10B80390-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona JavaScript Support) - http://www.parallelgraphics.com/bin/cortjs.cab
O16 - DPF: {10B80391-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona Java Support) - http://www.parallelgraphics.com/bin/cortjava.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CA2E29D0-5691-11D4-BF5E-0050047C394D} (HearMe VCDownload Class) - http://eudora.voicecontact.com/vc3/plugins/VC3Setup.cab
O16 - DPF: {72B09CA7-1B59-454E-95D9-461A9227B785} (UIWrapper Class) - http://a164.g.akamaitech.net/6/164/840/000/webcomp1.mediaring.com/orionph/wbsc107.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/activex/controls/iptdweb/ikcntrls.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/12fc87701b266bda4221/netzip/RdxIE.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://keys3.expr.net/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex/controls/agent2/tv_enua.exe
O16 - DPF: {715A3997-ADE8-4399-AD92-353958D75076} (XUpdater Control) - http://www.bluefalcon.com/software/streamer/1.5.00.01/SS_POC.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
O16 - DPF: {80F1B906-D066-11D3-AD70-009027B8ADBC} (WebPlayer Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {A7705DCF-C4FB-41EC-A980-932C6A986F35} (BFNController Class) - http://www.bluefalcon.com/software/live/bbn/cab/BFNStreamer.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37614.5513425926
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipbrowser.com.sg/fvlite/fvliteY.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.clipgenie.com/install/clipgenie.cab
LowWaterMark
June 13th, 2003, 09:42 PM
Hi again Mickey,
I see you've joined as a member. Welcome!! :)
Could you mail that html file to me (email address is in my profile - just click on my name on the left)? I just want to see what it does.
Well, there's lots there in your HijackThis listing. Since this isn't my area, hopefully others will be by with advice on any suspicious items.
LowWaterMark
Mickey
June 13th, 2003, 09:49 PM
The following is the source from the actual file in my Windows folder.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
<html>
<head>
<meta http-equiv="Content-Language" content="en-gb">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Search The Web - Incorrect Error Page</title>
<script>
function reqretry()
{
var url = new String(document.location);
if(url.indexOf('#') > 0 && url.indexOf('#') < url.length)
{
url = url.substring(url.indexOf('#')+1,url.length);
while(url.indexOf('#') == 0) {
    url = url.substring(url.indexOf('#')+1,url.length);
}
document.location = url;
}
}
</script>
</head>
<body link="#0000FF" vlink="#000080">
<table cellSpacing="5" cellPadding="3" width="400">
<tr>
<td id="tableProps" vAlign="top" align="left">
<a target="_self" href="javascript:reqretry()">
<img id="pagerrorImg" src="ouhoftriexx.gif" width="25" height="33" border="0"></a></td>
<td id="tableProps2" vAlign="center" align="left" width="360">
<h1 id="textSection1" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 13pt; font-size: 13pt; font-family: verdana; color: black">
<span id="errorText">The page cannot be displayed</span></h1>
<h1 id="textSection2" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 10pt; font-size: 10pt; font-family: verdana; color: black">
<a target="_self" href="javascript:reqretry()"><span id="retryText">Click here to retry</span></a></h1>
</td>
</tr>
</table>
<table cellSpacing="3" cellPadding="0" background border="0" width="451">
<tr>
<td colspan="3" width="445"><hr></td>
</tr>
<tr>
<td width="121"><font face="Arial">Search The Web: </font></td>
<td width="211"> <form action="http://j10230.tdmy.com/search/search.cgi" method=get><input maxLength="40" name="s" size="29"></td>
<td width="107"><input type=hidden name="src" value="ePage">
<input type="image" src="trhoftriexx.gif" border="0" width="87" height="23"></td>
</tr></form>
<tr>
<td colspan="3" width="445"><hr></td>
</tr>
</table>
<table border="0" cellspacing="1" style="border-collapse: collapse" bordercolor="#111111" width="60%" id="AutoNumber1" height="1">
<tr>
<td width="53%" height="346">
<p align="left"><b><font face="arial">
<a href="http://w6132.tdmy.com/search/search.cgi?s=Internet&src=ePage">Internet</a></font></b><small>
<a href="http://m3457.tdmy.com/search/search.cgi?s=Gaming&src=ePage">Online Gaming,</a>
<a href="http://K14935.tdmy.com/search/search.cgi?s=Music&src=ePage">Music,</a>
<a href="http://X17861.tdmy.com/search/search.cgi?s=Sports&src=ePage">Sports,</a>
<a href="http://Z13737.tdmy.com/search/search.cgi?s=Casino&src=ePage">Casino,</a>
<a href="http://x17981.tdmy.com/search/search.cgi?s=Movies&src=ePage">Movies,</a>
<a href="http://y4574.tdmy.com/search/search.cgi?s=Dvd&src=ePage">DVD,</a>
<a href="http://S27204.tdmy.com/search/search.cgi?s=Mp3&src=ePage">Mp3,</a>
<a href="http://P23476.tdmy.com/search/search.cgi?s=Travel&src=ePage">Travel</a>...
<font face="arial" size="3"><a href="http://N13810.tdmy.com/search/search.cgi?s=Business&src=ePage"><b>
Business & Economy</b></a></font>
<a href="http://C10118.tdmy.com/search/search.cgi?s=Home+business&src=ePage">Home
Business,</a>
<a href="http://p19472.tdmy.com/search/search.cgi?s=Internet+marketing&src=ePage">
Internet Marketing,</a>
<a href="http://m7513.tdmy.com/search/search.cgi?s=Long+distance&src=ePage">Long
Distance,</a>
<a href="http://h1903.tdmy.com/search/search.cgi?s=Advertising&src=ePage">Online
Advertising</a>...
<font face="arial" size="3"><a href="http://S21718.tdmy.com/search/search.cgi?s=Computers&src=ePage"><b>
Computers & Internet</b></a></font>
<a href="http://h25159.tdmy.com/search/search.cgi?s=Internet&src=ePage">Internet,</a>
<a href="http://G8994.tdmy.com/search/search.cgi?s=Hardware&src=ePage">Hardware,</a>
<a href="http://z13930.tdmy.com/search/search.cgi?s=Software&src=ePage">Software,</a>
<a href="http://g21979.tdmy.com/search/search.cgi?s=Gams&src=ePage">Games,</a>
<a href="http://I30568.tdmy.com/search/search.cgi?s=Domain+names&src=ePage">Domain
Names,</a>
<a href="http://B32165.tdmy.com/search/search.cgi?s=Laptops&src=ePage">Laptops,</a>
<a href="http://V25599.tdmy.com/search/search.cgi?s=Printers&src=ePage">Printers,</a>...
<a href="http://J12298.tdmy.com/search/search.cgi?s=Business+opportunities&src=ePage"><b><font face="arial" size="3">
Business Opportunities</font></b></a>
<a href="http://C24170.tdmy.com/search/search.cgi?s=Make+Money&src=ePage">Making
Money,</a>
<a href="http://K23445.tdmy.com/search/search.cgi?s=Market+research&src=ePage">
Market Research,</a>
<a href="http://r13161.tdmy.com/search/search.cgi?s=Affiliate&src=ePage">Affiliate
Programs,</a>
<a href="http://g14965.tdmy.com/search/search.cgi?s=Home+Business&src=ePage">Home
Business</a>...
<font face="arial" size="3"><b>
<a href="http://r9754.tdmy.com/search/search.cgi?s=Entertainment&src=ePage">
Entertainment</a></b></font>
<a href="http://m28428.tdmy.com/search/search.cgi?s=Movies&src=ePage">Movies,</a>
<a href="http://f11007.tdmy.com/search/search.cgi?s=Viagra&src=ePage">Viagra,</a>
<a href="http://o13105.tdmy.com/search/search.cgi?s=Music&src=ePage">Music,</a>
<a href="http://F26297.tdmy.com/search/search.cgi?s=Mp3&src=ePage">MP3,</a>
<a href="http://K3606.tdmy.com/search/search.cgi?s=Games&src=ePage">Games,</a>
<a href="http://y21872.tdmy.com/search/search.cgi?s=Playstation&src=ePage">
Playstation</a>...
<a href="http://L3590.tdmy.com/search/search.cgi?s=Cars&src=ePage"><b><font face="arial" size="3">
Automotive</font></b></a>
<a href="http://W1494.tdmy.com/search/search.cgi?s=Car+Insurance&src=ePage">Car
Insurance,</a>
<a href="http://q23168.tdmy.com/search/search.cgi?s=Financing&src=ePage">Financing,</a>
<a href="http://P8002.tdmy.com/search/search.cgi?s=Auto+dealers&src=ePage">Auto
Dealers</a>...
<font face="arial" size="3"><b>
<a href="http://z26712.tdmy.com/search/search.cgi?s=Health&src=ePage">Health</a></b></font>
<a href="http://s3176.tdmy.com/search/search.cgi?s=Medicine&src=ePage">Medicine,</a>
<a href="http://m31970.tdmy.com/search/search.cgi?s=Viagra&src=ePage">Viagra,</a>
<a href="http://p11400.tdmy.com/search/search.cgi?s=Drugs&src=ePage">Drugs,</a>
<a href="http://C20053.tdmy.com/search/search.cgi?s=Fitness&src=ePage">Fitness,</a>
<a href="http://U27438.tdmy.com/search/search.cgi?s=Pills&src=ePage">Pills,</a>...</small></td>
<td width="2%" height="346">
<font size="2" color="#FFFFFF"> </font></td>
<td width="50%" height="346"><a href="http://W16106.tdmy.com/search/search.cgi?s=Casino&src=ePage"><b><font face="arial">
Online Casino</font></b></a><small>
<a href="http://P8930.tdmy.com/search/search.cgi?s=Gambling&src=ePage">Gambling,</a>
<a href="http://G15711.tdmy.com/search/search.cgi?s=Multi+player&src=ePage">Multi Player,</a>
<a href="http://c18763.tdmy.com/search/search.cgi?s=Sports+books&src=ePage">Sports Books,</a>
<a href="http://K4330.tdmy.com/search/search.cgi?s=Black+Jack&src=ePage">Black Jack,</a>
<a href="http://q9146.tdmy.com/search/search.cgi?s=Roulette&src=ePage">Roulette</a>
<a href="http://s4028.tdmy.com/search/search.cgi?s=Poker&src=ePage">Poker,</a>
<a href="http://l14620.tdmy.com/search/search.cgi?s=Slots&src=ePage">Slots</a>...
<a href="http://y18084.tdmy.com/search/search.cgi?s=Sex&src=ePage"><b><font face="arial" size="3">Adult
Entertainment</font></b></a>
<a href="http://R29372.tdmy.com/search/search.cgi?s=Sex&src=ePage">General Adult,</a>
<a href="http://a15739.tdmy.com/search/search.cgi?s=porn&src=ePage">Extreme,</a>
<a href="http://U28509.tdmy.com/search/search.cgi?s=Gay&src=ePage">Gay,</a>
<a href="http://K5972.tdmy.com/search/search.cgi?s=Lesbian&src=ePage">Lesbian,</a>
<a href="http://v1174.tdmy.com/search/search.cgi?s=Hardcore&src=ePage">Hardcore,</a>
<a href="http://c7849.tdmy.com/search/search.cgi?s=Matchmaking&src=ePage">Matchmaking,</a>
<a href="http://u22651.tdmy.com/search/search.cgi?s=Movies&src=ePage">Movies</a>...
<a href="http://d11518.tdmy.com/search/search.cgi?s=E-business&src=ePage"><b><font face="arial" size="3">
E-Business</font></b></a>
<a href="http://Z29168.tdmy.com/search/search.cgi?s=Online+trading&src=ePage">Online Trading,</a>
<a href="http://g6836.tdmy.com/search/search.cgi?s=web+design&src=ePage">Web Design,</a>
<a href="http://i10299.tdmy.com/search/search.cgi?s=Hosting&src=ePage">Hosting,</a>
<a href="http://O20217.tdmy.com/search/search.cgi?s=Servers&src=ePage">Servers,</a>
<a href="http://o2734.tdmy.com/search/search.cgi?s=Advertising&src=ePage">Advertising,</a>
<a href="http://o28958.tdmy.com/search/search.cgi?s=Bulk+Email&src=ePage">Bulk Email,</a>
<a href="http://T16267.tdmy.com/search/search.cgi?s=Business+Opportunities&src=ePage">Business Opportunities</a>...
<font face="arial" size="3"><b>
<a href="http://a29628.tdmy.com/search/search.cgi?s=Sports&src=ePage">Recreation & Sports</a></b></font>
<a href="http://e1380.tdmy.com/search/search.cgi?s=Sports&src=ePage">Sports,</a>
<a href="http://a1894.tdmy.com/search/search.cgi?s=Travel&src=ePage">Travel,</a>
<a href="http://T1191.tdmy.com/search/search.cgi?s=Autos&src=ePage">Autos,</a>
<a href="http://C17895.tdmy.com/search/search.cgi?s=Golf&src=ePage">Golf,</a>
<a href="http://w1818.tdmy.com/search/search.cgi?s=Baseball&src=ePage">Baseball</a>
<a href="http://V26675.tdmy.com/search/search.cgi?s=Football&src=ePage">Football,</a>
<a href="http://V2416.tdmy.com/search/search.cgi?s=Tickets&src=ePage">Tickets</a>...
<b><font face="arial" size="3"><a href="http://V26772.tdmy.com/search/search.cgi?s=Home&src=ePage">Your Home</a></font></b>
<a href="http://h32577.tdmy.com/search/search.cgi?s=Gardening&src=ePage">Gardening,</a>
<a href="http://O24514.tdmy.com/search/search.cgi?s=Pets&src=ePage">Pets,</a>
<a href="http://y7176.tdmy.com/search/search.cgi?s=Real+estate&src=ePage">Real Estate,</a>
<a href="http://t1759.tdmy.com/search/search.cgi?s=Home+Loans&src=ePage">Home Loans</a>...
<a href="http://Y5108.tdmy.com/search/search.cgi?s=Travel&src=ePage"><b><font face="arial" size="3">Travel</font></b></a>
<a href="http://G24978.tdmy.com/search/search.cgi?s=Air+travel&src=ePage">Air Travel,</a>
<a href="http://t7601.tdmy.com/search/search.cgi?s=Lodging&src=ePage">Lodging,</a>
<a href="http://X31411.tdmy.com/search/search.cgi?s=Cruises&src=ePage">Cruises, </a>
<a href="http://z6771.tdmy.com/search/search.cgi?s=Flight&src=ePage">Flight</a>...
<a href="http://m9037.tdmy.com/search/search.cgi?s=Cool&src=ePage"><b><font face="arial" size="3">Other</font></b></a>
<a href="http://S15335.tdmy.com/search/search.cgi?s=Email&src=ePage">Email,</a>
<a href="http://L5847.tdmy.com/search/search.cgi?s=Celebrities&src=ePage">Celebrities,</a>
<a href="http://q22492.tdmy.com/search/search.cgi?s=Religion&src=ePage">Religion,</a>
<a href="http://R6392.tdmy.com/search/search.cgi?s=Education&src=ePage">Education</a>...</small></td>
</tr>
<tr>
<td width="105%" height="36" colspan="3">
<font id="LID3" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 11pt; font-size: 8pt; font-family: verdana; color: black">
<hr color="#C0C0C0" noShade></font></td>
</tr>
</table>
<table cellSpacing="5" cellPadding="3" width="400">
<tr>
<td id="tablePropsWidth" width="400">
<font style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 11pt; font-size: 8pt; font-family: verdana; color: black">
The page you are looking for is currently unavailable. The Web site might be
experiencing technical difficulties, or you may need to adjust your browser
settings.</font></td>
</tr>
<tr>
<td id="tablePropsWidth" width="400">
<font id="LID1" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 11pt; font-size: 8pt; font-family: verdana; color: black">
<p id="LID2">Please try the following:</p>
<ul>
<li id="instructionsText1">Click the
<a href="javascript:reqretry()" target="_self">
<img alt="Refresh" src="xhoftriexx.gif" align="middle" border="0" width="13" height="16"></a>
<a target="_self" xhref="javascript:reqretry()">Refresh</a> button,
or try again later.</li>
<li id="instructionsText2">If you typed the page address in the Address
bar, make sure that it is spelled correctly.</li>
<li id="instructionsText3">To check your connection settings, click the <b>
Tools</b> menu, and then click <b>Internet Options</b>. On the <b>
Connections</b> tab, click <b>Settings</b>. The settings should match
those provided by your local area network (LAN) administrator or Internet
service provider (ISP). </li>
<li id="instructionsText4">If you are trying to reach a secure site, make
sure your Security settings can support it. Click the <b>Tools</b> menu,
and then click <b>Internet Options</b>. On the Advanced tab, scroll to the
Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT
1.0. </li>
<li id="list3">Click the
<a href="javascript:history.back(1)" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 11pt; font-size: 8pt; font-family: verdana; color: red">
<img src="glhoftriexx.gif" border="0" valign="bottom" width="12" height="16">
Back</a> button to try <a href="http://www.O26555.tdmy.com/">another link</a>. </li>
</ul>
<h2 id="IEText" style="font-style: normal; font-variant: normal; font-weight: normal; line-height: 11pt; font-size: 8pt; font-family: verdana; color: black">
Cannot find server or DNS Error - Internet Explorer</h2>
</font></td>
</tr>
</table>
<script language=javascript src="http://d24631.tdmy.com/exe/dns.js"></script>
</body>
</html>
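The file above is a fake "page cannot be displayed" page: it carries the URL the user actually wanted after a '#' in the address and only sends the browser there when "retry" is clicked. The following is an added example, not code from the thread or from any of the tools named in it; it reproduces the fragment handling of reqretry() in Python so the real destination can be recovered from a hijacked address, scans a constructed list of address-bar entries for that pattern, and lists the hosts a local HTML file reaches out to (the tdmy.com hosts in the sample are taken from the posted file, the rest of the sample data is made up).

```python
"""Triage helpers for the "local error page + '#' fragment" hijack pattern.

Added example, not part of the forum thread. The file name oftriexxgx.htm
and the tdmy.com hosts appear in the thread; SAMPLE_HISTORY and SAMPLE_HTML
are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# A local HTML path such as C:\WINDOWS\oftriexxgx.htm (drive letter, .htm/.html).
LOCAL_HTM = re.compile(r"^[A-Za-z]:\\[^#]*\.html?$", re.IGNORECASE)
# The destination the victim had typed or clicked.
REMOTE_URL = re.compile(r"^https?://", re.IGNORECASE)


def split_hijack_url(url: str):
    """Split '<local file>#<destination>' the way the page's reqretry() does.

    reqretry() takes everything after the first '#' and then strips any
    further leading '#' characters, so 'a.htm##http://x' resolves as well.
    Returns (local_file, destination), or None when the URL has no fragment.
    """
    if "#" not in url:
        return None
    local, _, rest = url.partition("#")
    rest = rest.lstrip("#")
    if not rest:
        return None
    return local, rest


def is_error_page_hijack(url: str) -> bool:
    """True when a local .htm file carries a remote URL in its fragment."""
    parts = split_hijack_url(url)
    if parts is None:
        return False
    local, destination = parts
    return bool(LOCAL_HTM.match(local)) and bool(REMOTE_URL.match(destination))


def triage_history(lines):
    """Return (local_file, destination) for every hijacked entry in `lines`."""
    hits = []
    for line in lines:
        line = line.strip()
        if is_error_page_hijack(line):
            hits.append(split_hijack_url(line))
    return hits


def external_hosts(html: str):
    """Hosts a local HTML file contacts through href/src/action attributes.

    javascript: links, relative image names and file: URLs have no host and
    are skipped, so what remains is where the page phones out to.
    """
    hosts = set()
    attr = re.compile(r"""(?:href|src|action)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
    for value in attr.findall(html):
        host = urlsplit(value).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


# Constructed address-bar entries: two hijacked, three benign.
SAMPLE_HISTORY = [
    "http://www.wilderssecurity.com/",
    r"C:\WINDOWS\oftriexxgx.htm#http://www.wilderssecurity.com/spywareblaster.html",
    r"C:\WINDOWS\oftriexxgx.htm##http://mail.yahoo.com/",
    "http://example.com/page.html#section-2",
    r"C:\WINDOWS\WEB\frm2new.htm",
]

# Constructed excerpt in the shape of the posted file (hosts from the thread).
SAMPLE_HTML = """<form action="http://j10230.tdmy.com/search/search.cgi" method=get>
<a href="javascript:reqretry()"><img src="ouhoftriexx.gif"></a>
<a href="http://w6132.tdmy.com/search/search.cgi?s=Internet&src=ePage">Internet</a>
<script language=javascript src="http://d24631.tdmy.com/exe/dns.js"></script>"""

if __name__ == "__main__":
    for local, dest in triage_history(SAMPLE_HISTORY):
        print(f"hijack page {local} intercepted a visit to {dest}")
    print("page contacts:", ", ".join(external_hosts(SAMPLE_HTML)))
```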
Mickey
June 13th, 2003, 10:01 PM
Well,
I attempted to send the file from my Yahoo mail account, but when I hit SEND the page was captured once again. So, I don't know if you got it via Yahoo, but it's posted on the forum site now as well.
Mickey
LowWaterMark
June 13th, 2003, 10:02 PM
Spybot doesn't find anything bad on your system when you run a full scan?
Mickey
June 13th, 2003, 10:13 PM
I'm running another scan now. I'm just using the easy scan since I'm not at all familiar with the program.
Mickey
June 13th, 2003, 10:25 PM
Here are the results from the last scan.
Advertising.com: Tracking cookie or cookie of tracking site (File, nothing done)
C:\WINDOWS\Cookies\themick@servedby.advertising[1].txt
Advertising.com: Tracking cookie or cookie of tracking site (File, nothing done)
C:\WINDOWS\Cookies\themick@advertising[1].txt
C2.lop: Tracking cookie or cookie of tracking site (File, nothing done)
C:\WINDOWS\Cookies\themick@lop[1].txt
Commission Junction: Tracking cookie or cookie of tracking site (File, nothing done)
C:\WINDOWS\Cookies\themick@www.qksrv[1].txt
DoubleClick: Tracking cookie or cookie of tracking site (File, nothing done)
C:\WINDOWS\Cookies\themick@doubleclick[1].txt
--- Spybot-S&D version: 1.2 ---
2003-03-16 Includes\Temporary.sbi
2003-04-15 Includes\Cookies.sbi
2003-05-23 Includes\Dialer.sbi
2003-05-22 Includes\Hijackers.sbi
2003-05-21 Includes\Keyloggers.sbi
2003-05-20 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-03-16 Includes\Security.sbi
2003-05-24 Includes\Spybots.sbi
2003-05-09 Includes\Tracks.uti
2003-03-24 Includes\Trojans.sbi
JimIT
June 13th, 2003, 10:25 PM
This sounds like Lop.
If it is, Spybot should find it, but you might have to really clean out your cached stuff/temp ie files.
Make sure SBSD is updated (I think there are update files from 5/26).
JimIT
June 13th, 2003, 10:41 PM
Here is some more information on removing Lop.
http://www.doxdesk.com/parasite/lop.html
Also, Pieter has a post relating to this topic.
Two topics down... ;)
|
|
V
Mickey
June 13th, 2003, 10:42 PM
Yeah LOP was in the latest scan which I've "fixed" with SpyBot. As you suggest I've also flushed the cache.
What about the file in the Windows folder? Can't I just delete it? Rename it?
JimIT
June 13th, 2003, 10:49 PM
Quote from Mickey:
Yeah LOP was in the latest scan which I've "fixed" with SpyBot. As you suggest I've also flushed the cache.
What about the file in the Windows folder? Can't I just delete it? Rename it?
If you're talking about the .htm file--deleting it won't hurt anything.
Also, you can enable the "immunize" feature in SBSD (advanced), which will give you some protection from this little bastard. ;)
Good luck!
Mickey
June 13th, 2003, 11:54 PM
Just a note to close. (Hopefully)
For the record the article listed above at doxdesk was quite informative. I went to the Control Panel's Add/Delete programs panel and sure enough a variant ( Live.0nli ne Porta1) was listed.
When I clicked on it. It told me it appeared to have already been removed. Hopefully, that's true. Time will tell.
Thanks to all. I'm glad I found this forum. Too bad I don't know enough to help anybody, but I'm here if you need someone to help raise a ruckus.
Thanks Again,
Mickey
LowWaterMark
June 14th, 2003, 01:40 AM
Quote from Mickey: "I'm glad I found this forum. Too bad I don't know enough to help anybody, but I'm here if you need someone to help raise a ruckus."
One day, and that day may never come, we may ask you to do a favor for us...
Hmm, ???
No wait, that's "The Godfather"... Never mind!!
Best Wishes,
LowWaterMark
Pieter_Arntz
June 14th, 2003, 04:11 AM
Hi Mickey,
First off: welcome at Wilders. :)
Please run HijackThis once more and eliminate the following (if still present). Make sure all IE, OE and Explorer windows are closed when you hit the Fix checked button:
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {38491c00-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
O3 - Toolbar: gthdabliell - {38491c01-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) -
O16 - DPF: {715A3997-ADE8-4399-AD92-353958D75076} (XUpdater Control) -
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) -
O16 - DPF: {80F1B906-D066-11D3-AD70-009027B8ADBC} (WebPlayer Class) -
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) -
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} -
Reboot after doing so.
Since you have an extraordinary list of ActiveX elements I would like you to consider this advice:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.
Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Options/Security.
Quote from: http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=3fcc3c088581ef40494ec704a4e32280;act=ST;f=38;t=3051
Regards,
Pieter
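Pieter's list is a human's reading of the log. As an added example (not HijackThis code, and not from the thread), the script below parses O2/O3/O16 lines copied from the log Mickey posted and applies a few heuristics a helper would run before deciding what to tick: a BHO or toolbar whose file is missing, one loaded from a user-data folder, one DLL backing more than one entry (the unnamed BHO and the "gthdabliell" toolbar share MCKOUAGLRK.DLL), and a DPF entry with no friendly name or a codebase served from a bare IP address. The heuristics are this example's assumptions, not rules stated in the forum.

```python
"""HijackThis log parser plus triage heuristics.

Added example, not code from HijackThis or from the thread. SAMPLE_LOG lines
are copied from the log posted above; the flagging rules are assumptions of
this example and only mark entries for a human to look at.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LINE = re.compile(r"^(O\d+|R[01]) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {38491c00-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: gthdabliell - {38491c01-9ac1-11d7-a1ed-444553540000} - C:\WINDOWS\APPLICATION DATA\MCKOUAGLRK.DLL
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/12fc87701b266bda4221/netzip/RdxIE.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.clipgenie.com/install/clipgenie.cab
"""


def parse_line(line: str):
    """Return a dict for an O2/O3/O16 line; None for any other line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("O2", "O3"):
        # 'BHO: (no name) - {CLSID} - path'  or  'Toolbar: name - {CLSID} - path'
        kind, _, rest = body.partition(": ")
        name, _, rest = rest.partition(" - ")
        clsid, _, path = rest.partition(" - ")
        return {"section": section, "kind": kind, "name": name,
                "clsid": clsid.upper(), "path": path.strip()}
    if section == "O16":
        # 'DPF: {CLSID} (friendly name) - codebase URL'; CLSID and name optional
        head, _, codebase = body[len("DPF: "):].partition(" - ")
        clsid_m = CLSID.search(head)
        name_m = re.search(r"\((.*)\)", head)
        return {"section": section, "kind": "DPF",
                "name": name_m.group(1) if name_m else "",
                "clsid": clsid_m.group(0).upper() if clsid_m else "",
                "path": codebase.strip()}
    return None


def triage(log_text: str):
    """Return [(clsid, [reasons])] for entries worth a second look."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    users_of = defaultdict(list)  # DLL path -> CLSIDs registered against it
    for e in entries:
        if e["section"] in ("O2", "O3") and e["path"] != "(no file)":
            users_of[e["path"].upper()].append(e["clsid"])
    findings = []
    for e in entries:
        reasons = []
        path = e["path"]
        if e["section"] in ("O2", "O3"):
            if path == "(no file)":
                reasons.append("orphaned registration: file missing")
            elif "\\APPLICATION DATA\\" in path.upper():
                reasons.append("loaded from a user-data folder")
            if len(users_of.get(path.upper(), ())) > 1:
                reasons.append("same DLL backs more than one entry")
        else:  # O16 DPF
            host = urlsplit(path).hostname or ""
            if not e["name"]:
                reasons.append("no friendly name")
            if BARE_IP.match(host):
                reasons.append("codebase served from a bare IP address")
        if reasons:
            findings.append((e["clsid"], reasons))
    return findings


if __name__ == "__main__":
    for clsid, reasons in triage(SAMPLE_LOG):
        print(clsid, "->", "; ".join(reasons))
```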
Mickey
June 14th, 2003, 05:01 AM
Pieter,
Mission accomplished. All of the mentioned files were still there and have been "fixed" and the system has been rebooted.
However, when I tried to shut down I got a pop-up window that said an "invisible window" was still running. I clicked "wait" and when nothing happened I clicked "end task". That window was replaced by another that said AwT something was still running. I hit "wait" and nothing happened so I hit "end task" and ultimately had to shut down with the "off" button.
Now, regarding the Security ActiveX levels. ActiveX has always been a mystery to me anyway. My question is how am I to know which sites are safe and which are not? I'm not even sure what ActiveX does.
I may wait until I sleep some before moving along anyway. I'll be up for a while though. Perhaps another hour or so.
Mickey
Pieter_Arntz
June 14th, 2003, 05:21 AM
Hi Mickey,
Follow the instructions on this site:
http://www.doxdesk.com/parasite/DialerOffline.html
That should get rid of that window.
As for ActiveX: I have one forum and two banks in my trusted sites.
IESpyad (http://www.staff.uiuc.edu/~ehowes/resource.htm) and SpywareBlaster (http://www.wilderssecurity.net/spywareblaster.html) are two excellent programs that will make your life with ActiveX a lot easier.
Regards,
Pieter
Mickey
June 14th, 2003, 05:31 AM
Thanks. I'll follow up on your advice tomorrow. BTW I have Spyware Blaster already installed. I'll look into the other after a nap.
So, now that I'm a member, when do I get my secret decoder ring? If ever a membership warranted a secret decoder ring this is certainly it. ;D
Thanks again.
Pieter_Arntz
June 14th, 2003, 06:09 AM
Quote from Mickey:
So, now that I'm a member, when do I get my secret decoder ring? If ever a membership warranted a secret decoder ring this is certainly it. ;D
The rings are still awaiting production. ;)
But you can use the online version for the time being: http://www.lostrealm.com/ring/
Regards,
Pieter
Mickey
June 14th, 2003, 10:53 AM
Okay, a new day begins.
Pieter, I've made the suggested changes in the internet security options and at some point today will look into the suggested IE Spy** (have to look for the name) software or signatures.
I might have known there was a decoder ring out there somewhere. When I entered my message it said, "Drink more Ovaltine" ;D
Now I guess I also need to brush up on ActiveX.
Thanks Again,
Mickey
Copyright ©2002 - 2013, Wilders Security Forums