First off, I'll explain my problem.

I keep getting a redirect to best-search.info. There's a www. in front of it, but I don't want anyone clicking on it and catching what my computer may have. Now I get this redirect whenever I try to click on a link to download anything; I can't download it unless I use the CNET secure download. How do I get rid of this freaking thing? I ran Ad-Aware, Spybot Search and Destroy, and Norton AntiVirus. Nothing helped. So I got HijackThis and I'm lost at what to do. Here's the log I saved from it.


Logfile of HijackThis v1.97.7
Scan saved at 1:18:50 AM, on 4/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael\Desktop\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://reg.sierra.com/prodreg.php?sku=71867
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 3.6\THGuard.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab


Anything you can offer would be of great, great help. I need to get rid of this crap; it's making me very angry because I usually have things that I need to download, like updates and such. Bah!

Cannot see anything in your log but try this & get back to us. BTW, did you delete anything from the log?

Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder. Reboot after doing this & post another log please.

Nope, not a thing. I don't know what's causing this to happen too; I mean, I can't download anything. I click on the link and get the redirect. Is there such a thing as a virus that mimics other viruses so it's harder to detect? Bah! Trying out your link now.

Well, CWShredder couldn't do anything for me, but I was pretty much expecting that to happen... I'm not sure what it is anymore.

Found something else out, if you don't mind going into the registry? This is now a known baddy. Please, BACK UP YOUR REGISTRY FIRST.
Close all (browser) windows & have HJT fix these entries:

O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

First, close all IE windows and let HijackThis fix the OsbornTech Popup Blocker BHO. Restart the computer in Safe Mode, navigate to C:\Windows\system32\, and delete the following files:

cidft.dll
cidpoq32.dll
gupd.dll
icnfe.dll
icqrt.dll
icvbr.dll
mshelper.dll
mtwirl.dll
nthst32.dll
sdfup.dll
wecxg32.dll
xcwer32.dll
zxmsn.dll

Now search the Registry and delete all the keys that contain any of the following:


{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}
{129C733D-D07C-4E34-A5E6-D675A016CFAE}
{C19EB5B1-FC58-456E-8793-384532ED5970}
{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}
asd3
testmyie

Thanks, will do. Just curious, what does that OsbornTech Popup Blocker really do?

I have just found out that it is a CWS variant so the updated CWShredder should nuke it now. Fingers crossed.
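
Added example (not part of the original thread and not part of HijackThis): a small Python check that scans a saved HijackThis log for the CLSIDs and DLL names listed in the removal steps above, so the same indicators can be checked in other logs. The function name `flag_entries` and the `SAMPLE` excerpt (lines copied from the log posted above) are this example's own; matching is by CLSID and DLL file name only.

```python
import re

# Indicators copied from the removal steps in this thread.
BAD_CLSIDS = {
    "{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}",
    "{129C733D-D07C-4E34-A5E6-D675A016CFAE}",
    "{C19EB5B1-FC58-456E-8793-384532ED5970}",
    "{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}",
}
BAD_FILES = {
    "cidft.dll", "cidpoq32.dll", "gupd.dll", "icnfe.dll", "icqrt.dll",
    "icvbr.dll", "mshelper.dll", "mtwirl.dll", "nthst32.dll", "sdfup.dll",
    "wecxg32.dll", "xcwer32.dll", "zxmsn.dll",
}

SECTION_RE = re.compile(r"([A-Z]\d{1,2}) - ")   # e.g. "R1 - ", "O2 - ", "O16 - "
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DLL_RE = re.compile(r"[\w~-]+\.dll\b", re.IGNORECASE)  # file name only, no directory

def flag_entries(log_text):
    """Return (line_no, section, reasons, line) for each log entry that matches."""
    hits = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        section = SECTION_RE.match(line)
        if not section:
            continue  # header, running-process list or blank line
        reasons = ["clsid:" + c.upper() for c in CLSID_RE.findall(line)
                   if c.upper() in BAD_CLSIDS]
        reasons += ["file:" + f.lower() for f in DLL_RE.findall(line)
                    if f.lower() in BAD_FILES]
        if reasons:
            hits.append((line_no, section.group(1), reasons, line))
    return hits

# Excerpt of the log posted at the top of this thread.
SAMPLE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
"""

if __name__ == "__main__":
    for line_no, section, reasons, line in flag_entries(SAMPLE):
        print(f"line {line_no} [{section}] {', '.join(reasons)}\n    {line}")
```

A file stored under an 8.3 short name (with a `~`) will not match the file-name list, so the CLSID match is the more reliable of the two.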
