
Author Topic: "Search@Hand" intercept on webpages  (Read 7833 times)


ElTigre

  • Guest
"Search@Hand" intercept on webpages
« on: June 07, 2006, 10:00:24 PM »
For about the past two weeks certain sites which I have bookmarked for a long time and use regularly bring up an intercept.  These sites are still good sites as friends say they can still access them.  An example is "Ceebaileys.com", an airplane/motorcycle accessories site.  The problem occurs no matter whether I try to access through bookmarks, Google or direct address.  The intercept shows a page with the following "The Domain "Ceebaileys.com" is not available."  It is an otherwise bare page with the heading "Search @ Hand" across the top.  I have run Norton, both in normal and safe modes and I have run SpyBot and LavaSoft AdAware a number of times.  The problem persists.  Computer is also running slower and starting up slower.   I ran Panda and it shows a plethora of spyware/adware issues.  I did not  spring for the pay version because I am skeptical.  If AdAware and SpyBot found none and Panda finds 50, well, as I said I'm skeptical about committing the dollars.  If I'm gonna spend money I want to get the best bang for the buck, both in safety and performance.  

Many thanks to any and all for assistance.

HP Pavilion 2.6 chip 512 Megs ram Windows XP home.

Dilbert

  • Moderator


  • Egghead

  • Welcome to ComputerHope!
  • Thanked: 44
    Re: "Search@Hand" intercept on webpages
    « Reply #1 on: June 07, 2006, 10:46:13 PM »
    Can you please download HiJack This, run it, save and WinZip a log file, and attach that .zip file to your next post? Sounds like a Domain Hijacker.
    "The geek shall inherit the Earth."

    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: "Search@Hand" intercept on webpages
      « Reply #2 on: June 07, 2006, 11:22:02 PM »
       ElTigre.......  

      http://www.ceebaileys.com/       ....... this site works just fine ....... what other sites are you having issue with?
      It sounds like perhaps your machine requires a good cleaning up .

      dl65  ::)
      « Last Edit: June 07, 2006, 11:26:45 PM by dl65 »
      If you don't know the answer, it isn't a dumb question.

      ElTigre

      • Guest
      Re: "Search@Hand" intercept on webpages
      « Reply #3 on: June 08, 2006, 05:37:44 AM »
      Yes, that's the problem.  It doesn't work on my computer, I get the "Search@Hand" bad domain intercept.  It occurs on a number of sites.  That was the point of the original request.

      ElTigre

      • Guest
      Re: "Search@Hand" intercept on webpages
      « Reply #4 on: June 08, 2006, 06:59:19 AM »
      Dilbert,

      Thanx for the suggestion.  I am a real Troglodyte.  I have tried to run Hijack this and am having trouble.  I have downloaded and now it says Hijack is in a temp file and should be saved to "C" drive.  I can't seem to be able to do this.  I keep getting a screen that says, "How do you want to open this?"  The only thing it will let me open it in is Spybot.  When I hit open, all I get is Spybot.  The downloaded log is somewhere in my computer.  I saw it.  Once.  When I run a search for Hijack this I get the same thing.  All my futile attempts show up on search.  When I try to open, I get Spybot again.  I'm going nuts.  Please help.

      ElTigre

      • Guest
      Re: Hijackthis "Search@Hand" intercept on webpages
      « Reply #5 on: June 08, 2006, 02:03:28 PM »
      Logfile of HijackThis v1.99.1
      Scan saved at 4:02:34 PM, on 6/8/2006
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      C:\Program Files\Norton AntiVirus\navapsvc.exe
      C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
      C:\WINDOWS\System32\nvsvc32.exe
      C:\Program Files\Softex\OmniPass\Omniserv.exe
      C:\Program Files\Kerio\Personal Firewall\persfw.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
      C:\Program Files\Softex\OmniPass\OPXPApp.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
      C:\windows\system\hpsysdrv.exe
      C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
      C:\Program Files\OfferApp\OfferApp.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
      C:\Program Files\Picasa2\PicasaMediaDetector.exe
      C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
      C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
      C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
      C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
      C:\Program Files\Microsoft Office\Office\OSA.EXE
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe

      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=24098
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
      R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
      R3 - URLSearchHook: (no name) - {6B58D8C9-8464-0368-6B93-588413D97D73} - MSTCPDLL.dll (file missing)
      O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\nomah.dll (file missing)
      O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
      O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
      O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
      O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
      O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
      O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\nomah.dll (file missing)
      O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
      O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\sxchost.exe
      O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
      O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
      O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
      O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
      O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
      O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
      O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
      O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
      O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
      O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
      O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:

      dl65

      • R.I.P.


      • Prodigy

        Thanked: 18
        Re: "Search@Hand" intercept on webpages
        « Reply #6 on: June 08, 2006, 02:51:06 PM »
         ElTigre.....  Ok .... let's try this again ..... First, when you d/l hijackthis, you should save it to your desktop ........  When you click on the link to download, you will be asked what do you want to do .....?  Run hijackthis or Save it ...... choose save it, then choose save to desktop and carry on d/l it ...... when it's finished and you have the hijack icon on your desktop, create a new folder there and drag the hijack icon into it.  Now just open that folder, click on the icon and hijackthis will open .... now in hijackthis, click on scan and save a logfile ........ the scan will be completed and the log file it generates will be in the same folder on your desktop.  Then just open the log ..... click edit, up top ... then pick select all and the entire log will be highlighted ... now right click on the highlighted area and choose copy ........ then go back to computer hope and your thread and copy it in ..... ( note if the log is too large to all fit in one post, post it in 2 parts ) ..... And the log you posted isn't complete ..... the last entries should be number O23 .... so I think you should go back and copy the O9 entries down to the end ...... and repost those ......... then it will be all there.

        If there's anything you don't understand, please ask.

        dl65  ::)
        « Last Edit: June 08, 2006, 02:51:56 PM by dl65 »
        If you don't know the answer, it isn't a dumb question.

        ElTigre

        • Guest
        Re: "Search@Hand" intercept on webpages
        « Reply #7 on: June 08, 2006, 03:48:06 PM »
        I have downloaded the entire log but when I paste it here for message reply the forum only allows 5500 characters so it doesn't accept the entire log.  Perhaps I should put it into MS Word and send it as an attachment.  Can you advise?  Again, thanx so much for your patience.

        SilentAssasin64



          Apprentice

        Re: "Search@Hand" intercept on webpages
        « Reply #8 on: June 08, 2006, 04:20:11 PM »
        Quote
        I have downloaded the entire log but when I paste it here for message reply the forum only allows 5500 characters so it doesn't accept the entire log.  Perhaps I should put it into MS Word and send it as an attachment.  Can you advise?  Again, thanx so much for your patience.


        That is what they told you to do.  However, it will not work with just doing that.  You will need to put the file into a zip archive as it is (I think) the only type of file that CH will let you attach.  To do this, right click on the log file, go to "Send To", and choose "Compressed (zipped) Folder".  Then go ahead and attach it to your next post.
        Back In The Game

        dl65

        • R.I.P.


        • Prodigy

          Thanked: 18
          Re: "Search@Hand" intercept on webpages
          « Reply #9 on: June 08, 2006, 04:40:27 PM »
          ElTigre......  Just copy the part of the log that exceeded the max of 5500 .... and post that part as a new reply, then it will all be here and I can join it up .....

          dl65  ::)
          If you don't know the answer, it isn't a dumb question.

          ElTigre

          • Guest
          Re: "Search@Hand" intercept on webpages
          « Reply #10 on: June 09, 2006, 05:55:31 AM »
          Here is second half of scan.  Thanx

          O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
          O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
          O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
          O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
          O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
          O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
          O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dl/denis/x.chm::/load.exe
          O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
          O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
          O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
          O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
          O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149328937296
          O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
          O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
          O17 - HKLM\System\CCS\Services\Tcpip\..\{015CE0E9-2C19-49C0-AA7F-403DA7B939C9}: NameServer = 85.255.115.58,85.255.112.16
          O17 - HKLM\System\CCS\Services\Tcpip\..\{1DEE2875-1641-4802-9EAC-9903E75C2FCF}: NameServer = 85.255.115.58,85.255.112.16
          O17 - HKLM\System\CS1\Services\Tcpip\..\{015CE0E9-2C19-49C0-AA7F-403DA7B939C9}: NameServer = 128.186.6.103,199.44.2.10
          O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
          O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
          O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
          O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
          O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~2\LUCOMS~1.EXE
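
Added example, not part of any post in this thread and not HijackThis's own code: a Python script that joins a log posted in parts, applies the check from Reply #6 that a full log runs through the O23 entries, and lists O17 NameServer values outside a resolver set you expect, which is where a changed DNS setting would show up. The sample log lines, GUIDs, IP addresses and the EXPECTED set are constructed for illustration.

```python
import re

ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.*)$")          # e.g. "O17 - ..."
NAMESERVER = re.compile(r"\{([0-9A-Fa-f-]{36})\}: NameServer = (\S+)")

def parse_log(*parts):
    """Join the posted parts of a log; return (section, text) entries in order."""
    entries = []
    for part in parts:
        for line in part.splitlines():
            m = ENTRY.match(line)
            if m:
                entries.append((m.group(1), m.group(2).strip()))
    return entries

def is_complete(entries):
    """The thread's check: a full log runs through the O23 entries."""
    return bool(entries) and entries[-1][0] == "O23"

def unexpected_nameservers(entries, expected):
    """Return (interface GUID, IP) for O17 resolvers outside the expected set."""
    found = []
    for section, text in entries:
        m = NAMESERVER.search(text) if section == "O17" else None
        if m:
            found += [(m.group(1), ip) for ip in m.group(2).split(",")
                      if ip not in expected]
    return found

def missing_files(entries):
    """Entries that HijackThis marked as pointing at a file no longer on disk."""
    return [(s, t) for s, t in entries if "(file missing)" in t]

# Constructed sample, split in two the way a size-limited post would be.
PART1 = r"""
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000001} - example.dll (file missing)
O4 - HKLM\..\Run: [Example] C:\Example\example.exe
O9 - Extra button: Example - {00000000-0000-0000-0000-000000000002} - C:
"""
PART2 = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000003}: NameServer = 192.0.2.53,198.51.100.7
O23 - Service: Example Service - Example Corp - C:\Example\svc.exe
"""
EXPECTED = {"198.51.100.7"}   # assumption: the resolver your ISP or router hands out

if __name__ == "__main__":
    log = parse_log(PART1, PART2)
    print("complete:", is_complete(log))
    print("unexpected resolvers:", unexpected_nameservers(log, EXPECTED))
    print("missing files:", missing_files(log))
```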