[Solved] Search Page Website Error, searchpage.cc/1520

[sublimellc]

When I launch my Internet explorer, I get directed to "Search Everything!" page. No matter what I type in my URL, I still am stuck on that page. I can get to this "Tech Support" page because it was saved in my favorites. Does anyone know how to kill this Search Everything? Please advise.

Thanks,

Matt

Here is my Hijack this log

Logfile of HijackThis v1.97.7
Scan saved at 1:39:02 PM, on 4/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Matt Smith\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1520/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1520/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1520/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1520/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1520/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1520/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1520/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1520/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O13 - DefaultPrefix: http://www.nkvd.us/1520/
O13 - WWW Prefix: http://www.nkvd.us/1520/
O13 - Home Prefix: http://www.nkvd.us/1520/
O13 - Mosaic Prefix: http://www.nkvd.us/1520/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37725.6956944444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB854663-0674-4123-91EF-9AD0AB836E21}: NameServer = 4.2.2.1

 

[cybertech]

Open My Computer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders"
Click "Apply" then "OK"


Click on the link below to download CWshredder
http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Run the program and let it do it's thing. Make sure to click on "Fix" and not scan only.

Look in C:\WINDOWS\System32 folder for these and delete them if they are present.
mtwirl.dll
mtwirl32.dll

Reboot and post another log.

 

[sublimellc]

Cybertech,

Thanks for your post...I just finished reading the thread that you helped solve a few days ago. I'm stuck at the exact suggestion you gave me.

I reboot in safe mode...check and uncheck the neccessary files in my "Folder Options".

I find the mtwirl.dll in my "System 32" folder. When I delete the file an error arises: "Cannot delete. Access denied." Make sure the disk is not full or write-protected and that the file is not currently in use.

So then I get stuck....I know from reading the other post, that this is the most important step. Any suggestions would be very helpful.

**Side note...in the system 32 folder there is a file "mtwcnl32.dll" is this one ok?

Thanks,

Matt

 

[Flrman1]

Download The Killbox from here:

http://download.broadbandmedic.com/VbStuff/KillBox.zip

Unzip the files to the folder of your choice. Don't run it yet.

First run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1520/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1520/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1520/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1520/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1520/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1520/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1520/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1520/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1520/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1520/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1520/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1520/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1520/

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1520/

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1520/

O13 - DefaultPrefix: http://www.nkvd.us/1520/
O13 - WWW Prefix: http://www.nkvd.us/1520/
O13 - Home Prefix: http://www.nkvd.us/1520/
O13 - Mosaic Prefix: http://www.nkvd.us/1520/

Don't restart yet.

Now copy the contents of the 'Quote' box to Notepad, and save as Remove.reg (save as type: 'all files' )
Doubleclick Remove.reg, and answer yes when asked to have its contents added to the Registry.

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA 23B61E40F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3F143C3A-1457-6CCA-03A7-7AA 23B61E40F}"=-

Finally double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

c:\windows\system32\mtwirl.dll

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The c:\windows\system32\mtwirl.dll listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

Once back in Windows use KillBox in the same way as before except the second time copy and paste:

C:\Windows\System32\mtwcnl32.dll

 

[Flrman1]

OOPS! I missed the mtwnl32.dll file. Hang on a sec and let me edit my post

 

[sublimellc]

Dear flrman1,

Thanks for your advice. I've downloaded Killbox and I'm set to attack. I'll wait for your next post on "mtwnl32.dll" before I proceed. Thanks is advance.

 

[Flrman1]

Ok i finally have the post edited like I want it. I had to add a couple of things. Do it as it is written now.

 

[sublimellc]

flrman1,

dude. that worked nicely. I just followed those directions...and bingo...back to normal. Thanks for your help!

Thanks!!!

 

[Flrman1]

My Pleasure!

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".