
My startpage is Hijacked Please help

Discussion in 'Virus & Other Malware Removal' started by frankysplace, Apr 22, 2004.

  1. frankysplace

    frankysplace Thread Starter

    Joined:
    Apr 22, 2004
    Messages:
    9
    Can someone please help. I've been hijacked, and when I go to my start page it forces me to http://searchpage.cc/1525/

    I've updated my virus software, ran Ad-aware and Spybot Search & Destroy, but it is still there.

    I've run HijackThis and the following is what I got.

    Can anyone please help.

    Thanks in Advance,

    Frank

    [email protected]

    -----------------------------------------------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 1:47:43 PM, on 4/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Popup Ad Filter\PopFilter.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Frank\Desktop\Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\RecordNow MAX Platinum\StorageGuard\sgtray.exe" /r
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
    O4 - HKCU\..\Run: [MSMSGS] "c:\Program Files\MSN Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe -a
    O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\task_agent.exe
    O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CompleteCache
    O4 - HKLM\..\RunOnce: [HcTSC] C:\WINDOWS\TSC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
    O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://www.nkvd.us/1525/
    O13 - WWW Prefix: http://www.nkvd.us/1525/
    O13 - Home Prefix: http://www.nkvd.us/1525/
    O13 - Mosaic Prefix: http://www.nkvd.us/1525/
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/webline/x/wzsex21x.exe
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/j3rk0of4.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://D:\index.mht!http://members.lycos.co.uk/moremedia//INDEX.CHM::/load.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1EDCB5B7-3212-11D7-A41E-0020781162FD} - http://www.adbros.com/toolbar/install/setup.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.4everyone.com/searchbar/Install.cab
    O16 - DPF: {4522DBFE-14CD-4A59-AC2A-54BADFDD6D53} - http://download.wangluoyouxi.com/download/inst.cab
    O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.euroklik.nl/plugins_zonder_herhaal_bezoek/jongetienersnl327.exe
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O16 - DPF: {66BD3ED9-31E1-11D7-A41E-0020781162FD} - http://www.adbros.com/toolbar/install/setup.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {83637DFE-6EE1-4815-B874-03449C4877B7} - http://icons.com.ne.kr/active-x/shortcut/Comnekr.cab
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
    O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/875455/files/installer.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://212.80.66.25/activex/AxisCamControl.cab
    O16 - DPF: {9699ACAA-934A-4156-A73E-76D004A55B8E} - http://ace-casino.com/ShortCut.cab
    O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} - http://www.********com/includes/Download_UL.cab
    O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast.com/download/SBFullSInst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553555500} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E07201D0-8DA2-4BB4-87B1-C1BAACEBF8BD} - http://smartseek.info/xpy/xpy.cab
    O16 - DPF: {EEF29D20-9A47-4657-ADF7-283EC2504001} - http://toolbar2.globalwebsearch.com/winenc32.cab
    O16 - DPF: {FFFF0029-0001-101A-A3C9-08002B2F49FB} - http://www.covercd.org/cb/c.exe
     
  2. Infidel_Kastro

    Infidel_Kastro

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    Don't panic, help is on its way. :D
    I believe you have a CoolWebSearch infection, so let's try a little program called CWShredder, located here: http://www.spywareinfo.com/~merijn/files/cwshredder.zip
    Unzip it to a permanent folder, something like C:\CWS. Open it, close all your browsers, and click on "Update" to make sure you have the latest version. Click on "Fix" and let it do its thing. It will prompt you a couple of times; just click on "OK". When you are done, repost another HJT log here.
     
  3. frankysplace

    frankysplace Thread Starter

    Joined:
    Apr 22, 2004
    Messages:
    9
    Thank you for your prompt reply. I tried the link and I am redirected to http://searchpage.cc/1525/!!! I am not even allowed to download any files or MP3s, as I am redirected to that page. Help...
     
  4. frankysplace

    frankysplace Thread Starter

    Joined:
    Apr 22, 2004
    Messages:
    9
    OK, I got a friend to download the file and email it to me. It's the one called miniremoval_coolwebsearch_smartkiller, right?

    I ran it and it gave me the following message:

    MiniRemoval. Copyright (c) Safer Networking Limited.
    CoolWWWSearch.Smartkiller (v1/v2) has not been found on your system.

    Now what??? Someone please help...
     
  5. Infidel_Kastro

    Infidel_Kastro

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    OK, let's try this. Go to www.sherrylynn.us/privacypolicy
    Underneath the "spyware" banner ad will be two files. Click on "CWS.exe". Open it up and click on the "update" feature of CWS to make sure you have the latest version. Close all your browsers and click on CWS's "fix". It will prompt a couple of times while it's running; just click "okay".
    Let us know if you can't get to that page.
     
  6. frankysplace

    frankysplace Thread Starter

    Joined:
    Apr 22, 2004
    Messages:
    9
  7. Infidel_Kastro

    Infidel_Kastro

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    OK, this is what I want you to do. I want you to send me a private message with your e-mail address and I will send you the file via e-mail.
    To send me a PM, click on my name; under "contact info" it says "send a Private message". Send me your e-mail address.
     
  8. frankysplace

    frankysplace Thread Starter

    Joined:
    Apr 22, 2004
    Messages:
    9
    OK, here it is. I also posted a CWS report below the HijackThis log.


    Logfile of HijackThis v1.97.7
    Scan saved at 3:35:20 PM, on 4/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Popup Ad Filter\PopFilter.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    D:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Frank\Desktop\Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\RecordNow MAX Platinum\StorageGuard\sgtray.exe" /r
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
    O4 - HKCU\..\Run: [MSMSGS] "c:\Program Files\MSN Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe -a
    O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\task_agent.exe
    O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CompleteCache
    O4 - HKLM\..\RunOnce: [HcTSC] C:\WINDOWS\TSC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
    O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://www.nkvd.us/1525/
    O13 - WWW Prefix: http://www.nkvd.us/1525/
    O13 - Home Prefix: http://www.nkvd.us/1525/
    O13 - Mosaic Prefix: http://www.nkvd.us/1525/
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/webline/x/wzsex21x.exe
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/j3rk0of4.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://D:\index.mht!http://members.lycos.co.uk/moremedia//INDEX.CHM::/load.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1EDCB5B7-3212-11D7-A41E-0020781162FD} - http://www.adbros.com/toolbar/install/setup.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.4everyone.com/searchbar/Install.cab
    O16 - DPF: {4522DBFE-14CD-4A59-AC2A-54BADFDD6D53} - http://download.wangluoyouxi.com/download/inst.cab
    O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.euroklik.nl/plugins_zonder_herhaal_bezoek/jongetienersnl327.exe
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O16 - DPF: {66BD3ED9-31E1-11D7-A41E-0020781162FD} - http://www.adbros.com/toolbar/install/setup.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {83637DFE-6EE1-4815-B874-03449C4877B7} - http://icons.com.ne.kr/active-x/shortcut/Comnekr.cab
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
    O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/875455/files/installer.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://212.80.66.25/activex/AxisCamControl.cab
    O16 - DPF: {9699ACAA-934A-4156-A73E-76D004A55B8E} - http://ace-casino.com/ShortCut.cab
    O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} - http://www.********com/includes/Download_UL.cab
    O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast.com/download/SBFullSInst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553555500} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E07201D0-8DA2-4BB4-87B1-C1BAACEBF8BD} - http://smartseek.info/xpy/xpy.cab
    O16 - DPF: {EEF29D20-9A47-4657-ADF7-283EC2504001} - http://toolbar2.globalwebsearch.com/winenc32.cab
    O16 - DPF: {FFFF0029-0001-101A-A3C9-08002B2F49FB} - http://www.covercd.org/cb/c.exe


    -----------------------------------------------------------------------------------

    CWShredder v1.56.3 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfo.com/~merijn/files/hijackthis.zip

    Windows XP (5.01.2600 SP1)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system32
    AppData folder: C:\Documents and Settings\Frank\Application Data
    Username: Frank

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer,Search
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer,SearchURL
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer,Search
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    Infected data: http://nkvd.us/1525/
    Infected Registry value:
    HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes,www,http://
    Infected data: http://www.nkvd.us/1525/
    Infected Registry value:
    HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes,home,http://
    Infected data: http://www.nkvd.us/1525/
    Infected Registry value:
    HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes,mosaic,http://
    Infected data: http://www.nkvd.us/1525/
    Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (2 bytes, A)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
    Registry value: DefaultPrefix (should be http://) [] http://www.nkvd.us/1525/
    Registry value: WWW Prefix (should be http://) [www] http://www.nkvd.us/1525/
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://www.nkvd.us/1525/
    Registry value: Home Prefix (should be http://) [home] http://www.nkvd.us/1525/
    Found Win.ini file: C:\WINDOWS\win.ini (2032 bytes, -)
    Found System.ini file: C:\WINDOWS\system.ini (633 bytes, -)

    - END OF REPORT -
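    As an added example (not code from this thread, from HijackThis or from CWShredder), here is a small Python checker that reads lines in the shape of the HijackThis log above and flags the same indicators the helper is reacting to: R0/R1 start and search values that all point at one host, O13 URL prefixes that are no longer a plain "http://" (the value CWShredder's "should be http://" lines refer to), and O16 ActiveX download sources. The trusted-host allowlist and the sample log are constructed for the example.

```python
"""Flag browser-hijack indicators in HijackThis 1.97-style log lines."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption (not from the thread): hosts the analyst treats as acceptable
# for IE start/search pages and for ActiveX (O16) download sources.
TRUSTED_HOSTS = {
    "www.msn.com", "ie.search.msn.com",
    "download.macromedia.com", "www.pandasoftware.com",
}

# Constructed sample in the shape of the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1525/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O13 - DefaultPrefix: http://www.nkvd.us/1525/
O13 - WWW Prefix: http://www.nkvd.us/1525/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E07201D0-8DA2-4BB4-87B1-C1BAACEBF8BD} - http://smartseek.info/xpy/xpy.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://D:\index.mht!http://members.lycos.co.uk/moremedia//INDEX.CHM::/load.exe
"""

# R0/R1: "<registry key>,<value name> = <data>"; data may be empty.
R_LINE = re.compile(r"^R[01] - (?P<key>.+?) =\s*(?P<value>.*)$")
# O13: IE URL prefixes, e.g. "O13 - WWW Prefix: http://"
O13_LINE = re.compile(r"^O13 - (?P<name>.+?): (?P<value>.*)$")
# O16: downloaded ActiveX controls, "{CLSID} (optional description) - <source>"
O16_LINE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$"
)


def host_of(url: str) -> str:
    """Lower-cased hostname of an http(s) URL; '' for anything else (empty, ms-its:, file:)."""
    if not url.lower().startswith(("http://", "https://")):
        return ""
    return (urlparse(url).hostname or "").lower()


def analyze(log: str) -> list:
    """Return a list of (severity, item, reason) findings for the given log text."""
    findings = []
    ie_hosts = Counter()  # host -> number of IE start/search values pointing at it
    for raw in log.splitlines():
        line = raw.strip()
        if (m := R_LINE.match(line)):
            value = m["value"].strip()
            if not value or value.lower() == "about:blank":
                continue  # empty or about:blank is a normal default
            host = host_of(value)
            ie_hosts[host] += 1
            if host not in TRUSTED_HOSTS:
                findings.append(("high", m["key"],
                                 f"IE start/search setting points to untrusted host {host}"))
        elif (m := O13_LINE.match(line)):
            value = m["value"].strip()
            # A URL prefix is expected to be exactly "http://"; anything longer is
            # prepended to every address typed without a scheme, which is how a
            # hijacker redirects addresses the user never intended to visit.
            if value != "http://":
                findings.append(("high", f"O13 {m['name']}",
                                 f"URL prefix rewritten to {value!r} instead of 'http://'"))
        elif (m := O16_LINE.match(line)):
            url, host = m["url"], host_of(m["url"])
            if not host:
                findings.append(("high", f"O16 {{{m['clsid']}}}",
                                 f"ActiveX source is not a plain HTTP URL: {url}"))
            elif host not in TRUSTED_HOSTS:
                findings.append(("medium", f"O16 {{{m['clsid']}}}",
                                 f"ActiveX control downloaded from unreviewed host {host}"))
    if ie_hosts:
        host, n = ie_hosts.most_common(1)[0]
        if n >= 3 and host not in TRUSTED_HOSTS:
            findings.append(("summary", host,
                             f"{n} start/search values all redirect to {host}: "
                             "consistent with a browser hijacker, not user choice"))
    return findings


if __name__ == "__main__":
    for severity, item, reason in analyze(SAMPLE_LOG):
        print(f"[{severity:7}] {item}: {reason}")
```

    The summary finding is the important one for triage: one untrusted host across many HKCU and HKLM values is the signature of the infection, whereas a single odd Start Page may simply be a user's choice.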
     
  9. Infidel_Kastro

    Infidel_Kastro

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    Did you hit "scan" or "fix"? I want you to hit "fix".
     
  10. frankysplace

    frankysplace Thread Starter

    Joined:
    Apr 22, 2004
    Messages:
    9
    Sorry for not being more clear. I did hit fix with the browsers closed as you instructed. Afterwards I hit scan to get a report and then ran HijackThis for a report so that I could post both on here. Did I do something wrong?
     
  11. Infidel_Kastro

    Infidel_Kastro

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    I guess you didn't, if you hit fix. Did you update CWShredder? Try updating it first, then rerun it and only post an HJT log, not the CWS log.
     
  12. frankysplace

    frankysplace Thread Starter

    Joined:
    Apr 22, 2004
    Messages:
    9
    OK, followed directions to a tee.



    Logfile of HijackThis v1.97.7
    Scan saved at 3:59:03 PM, on 4/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\Program Files\HistoryKill\histkill.exe
    C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe
    C:\Program Files\iolo\Common\Task Agent\task_agent.exe
    C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    D:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Frank\Desktop\Spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webmasterquest.com/start.php?user=frodriguez
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\RecordNow MAX Platinum\StorageGuard\sgtray.exe" /r
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
    O4 - HKCU\..\Run: [MSMSGS] "c:\Program Files\MSN Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe -a
    O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\task_agent.exe
    O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CompleteCache
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
    O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/webline/x/wzsex21x.exe
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/j3rk0of4.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://D:\index.mht!http://members.lycos.co.uk/moremedia//INDEX.CHM::/load.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1EDCB5B7-3212-11D7-A41E-0020781162FD} - http://www.adbros.com/toolbar/install/setup.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.4everyone.com/searchbar/Install.cab
    O16 - DPF: {4522DBFE-14CD-4A59-AC2A-54BADFDD6D53} - http://download.wangluoyouxi.com/download/inst.cab
    O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.euroklik.nl/plugins_zonder_herhaal_bezoek/jongetienersnl327.exe
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O16 - DPF: {66BD3ED9-31E1-11D7-A41E-0020781162FD} - http://www.adbros.com/toolbar/install/setup.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {83637DFE-6EE1-4815-B874-03449C4877B7} - http://icons.com.ne.kr/active-x/shortcut/Comnekr.cab
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
    O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/875455/files/installer.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://212.80.66.25/activex/AxisCamControl.cab
    O16 - DPF: {9699ACAA-934A-4156-A73E-76D004A55B8E} - http://ace-casino.com/ShortCut.cab
    O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} - http://www.********com/includes/Download_UL.cab
    O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast.com/download/SBFullSInst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553555500} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E07201D0-8DA2-4BB4-87B1-C1BAACEBF8BD} - http://smartseek.info/xpy/xpy.cab
    O16 - DPF: {EEF29D20-9A47-4657-ADF7-283EC2504001} - http://toolbar2.globalwebsearch.com/winenc32.cab
    O16 - DPF: {FFFF0029-0001-101A-A3C9-08002B2F49FB} - http://www.covercd.org/cb/c.exe
     
  13. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    There is more to do to remove this parasite........there are files which you need to find that are hidden from Windows........they won't show in a HijackThis log.
    Frank.........we need to start from scratch........make sure nothing is disabled with MSConfig and post a new log.
    ;)
     
  14. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    I see you beat me to it.


    Run HijackThis again and put a checkmark against these entries....double check
    in case you miss anything....
    .....then, close all browser and Outlook windows, including this one, and "fix checked"

    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/webline/x/wzsex21x.exe
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne...ab/j3rk0of4.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://D:\index.mht!
    O16 - DPF: {1EDCB5B7-3212-11D7-A41E-0020781162FD} - http://www.adbros.com/toolbar/install/setup.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.4everyone.com/searchbar/Install.cab
    O16 - DPF: {4522DBFE-14CD-4A59-AC2A-54BADFDD6D53} - http://download.wangluoyouxi.com/download/inst.cab
    O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.euroklik.nl/plugins_zond...ienersnl327.exe
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/...ion=4,3,2,20802
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O16 - DPF: {66BD3ED9-31E1-11D7-A41E-0020781162FD} - http://www.adbros.com/toolbar/install/setup.cab
    O16 - DPF: {83637DFE-6EE1-4815-B874-03449C4877B7} - http://icons.com.ne.kr/active-x/shortcut/Comnekr.cab
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
    O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/875455/files/installer.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://212.80.66.25/activex/AxisCamControl.cab
    O16 - DPF: {9699ACAA-934A-4156-A73E-76D004A55B8E} - http://ace-casino.com/ShortCut.cab
    O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
    O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} - http://www.********com/includes/Download_UL.cab
    O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast.com/download/SBFullSInst.cab
    O16 - DPF: {E07201D0-8DA2-4BB4-87B1-C1BAACEBF8BD} - http://smartseek.info/xpy/xpy.cab
    O16 - DPF: {EEF29D20-9A47-4657-ADF7-283EC2504001} - http://toolbar2.globalwebsearch.com/winenc32.cab
    O16 - DPF: {FFFF0029-0001-101A-A3C9-08002B2F49FB} - http://www.covercd.org/cb/c.exe


    Reboot into safe mode by following instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Locate and delete:
    C:\PROGRAM FILES\INCREDIFIND [FOLDER]
    C:\Program Files\WebSavingsfromEbates
    D:\index.mht!


    These next 2 are really important; it is essential that you find and remove them,
    or the hijack will return.

    C:\Windows\System32\mtwirl.dll file
    C:\Windows\System32\mtwcnl32.dll file


    ;)
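The checks $teve applies by hand above (which O16 download entries to distrust, and the R3/O2 pair that share one CLSID), written out as an added Python example; it is not part of this thread and not HijackThis' own code. The known-good host list is an assumption built from the vendor entries the reply leaves alone, and the sample log is a constructed subset copied from the log posted earlier in the thread, so the script runs offline on that sample.

```python
"""Triage a HijackThis-style log the way the reply above does by hand.

Added example for this thread; not part of the original post and not
HijackThis' own code.  The known-good host list and the sample log lines
are assumptions constructed for the example.
"""
import re
from urllib.parse import urlparse

# Vendors whose O16 entries the reply above left in place (Shockwave/Flash,
# Trend HouseCall, Panda ActiveScan, Apple iTunes detector).  Assumption for
# this example: anything not listed is treated as unknown, not as proven bad.
KNOWN_GOOD_HOSTS = {
    "download.macromedia.com",
    "a840.g.akamai.net",
    "www.pandasoftware.com",
    "ax.phobos.apple.com.edgesuite.net",
}

# O16 - DPF: {CLSID} (optional friendly name) - URL
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \(([^)]*)\))? - (\S+)$")
# R3 (URLSearchHook) and O2 (BHO) lines carry a CLSID after the class name
CLSID_RE = re.compile(r"^(R3|O2) - .*?(\{[0-9A-Fa-f-]{36}\})")


def triage_o16(line):
    """Return the reasons an O16 line looks suspicious (empty list = nothing seen)."""
    m = O16_RE.match(line.strip())
    if not m:
        return []
    _clsid, _name, url = m.groups()
    reasons = []
    scheme = url.split(":", 1)[0].lower()
    if scheme in ("ms-its", "mhtml"):
        # Pulls code out of a compiled help (.chm) container instead of
        # fetching a CAB; a normal ActiveX install never looks like this.
        reasons.append("ms-its/mhtml CHM-style URL")
    elif scheme in ("http", "https"):
        host = urlparse(url).hostname or ""
        if host not in KNOWN_GOOD_HOSTS:
            reasons.append(f"unknown host {host}")
        if url.lower().endswith(".exe"):
            reasons.append("direct .exe download")
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
            reasons.append("bare IP address host")
    return reasons


def shared_clsids(lines):
    """CLSIDs registered more than once across R3/O2 lines, with the entry types.

    One DLL hooked in as both URLSearchHook and BHO (the IncrediFind pair in
    the log) is a strong sign the two entries belong to one component.
    """
    seen = {}
    for ln in lines:
        m = CLSID_RE.match(ln.strip())
        if m:
            seen.setdefault(m.group(2), []).append(m.group(1))
    return {clsid: kinds for clsid, kinds in seen.items() if len(kinds) > 1}


def triage_log(text):
    """Run both checks over a whole log; keys are URLs / CLSIDs, values the findings."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    o16 = {}
    for ln in lines:
        reasons = triage_o16(ln)
        if reasons:
            o16[O16_RE.match(ln.strip()).group(3)] = reasons
    return {"o16": o16, "shared_clsids": shared_clsids(lines)}


# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/webline/x/wzsex21x.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://D:\index.mht!http://members.lycos.co.uk/moremedia//INDEX.CHM::/load.exe
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    report = triage_log(SAMPLE_LOG)
    for url, why in report["o16"].items():
        print(f"{url}\n    {', '.join(why)}")
    for clsid, kinds in report["shared_clsids"].items():
        print(f"{clsid} appears as {' and '.join(kinds)}")
```

The script gives reasons per entry rather than a verdict: a friendly name or a well-known CDN host is not proof of safety, and an unlisted host is only a prompt to look closer. That is why the safe-mode file deletions in the reply stay a manual step taken on what the log and the on-disk files actually show.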
     
  15. Infidel_Kastro

    Infidel_Kastro

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    Thanks Steve, you did the hard part. Good luck Franky, you're in good hands.
    Gotta go.
     
Short URL to this thread: https://techguy.org/222962
