First off, I'll explain my problem.

I keep getting a redirect to there's a www. in front of it, but I don't want anyone clicking on it and catching what my computer may have. Now I get this redirect whenever I try to click on a link to download anything. I can't download it unless I use the CNET secure download. How do I get rid of this freaking thing? I ran Ad-Aware, Spybot Search and Destroy, and Norton AntiVirus. Nothing helped. So I got HijackThis and I'm lost at what to do. Here's the log I saved from it.

Logfile of HijackThis v1.97.7
Scan saved at 1:18:50 AM, on 4/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael\Desktop\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 3.6\THGuard.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) -

Anything you can offer would be of great, great help. I need to get rid of this crap. It's making me very angry because I usually have things that I need to download, like updates and such. Bah!


Cannot see anything in your log but try this & get back to us. BTW, did you delete anything from the log?

Download CWShredder from & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder. Reboot after doing this & post another log please.

Nope, not a thing. I don't know what's causing this to happen too. I mean, I can't download anything; I click on the link and get the redirect. Is there such a thing as a virus that mimics other viruses so it's harder to detect? Bah! Trying out your link now.

Well, CWShredder couldn't do anything for me, but I was pretty much expecting that too. Not sure what it is anymore.

Found something else out, if you don't mind going into the registry? This is now a known baddy. Please, BACK UP YOUR REGISTRY FIRST.
Close all (browser) windows & have HJT fix these entries:

O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

First, close all IE windows and let HijackThis fix the OsbornTech Popup Blocker BHO. Restart the computer in Safe Mode, navigate to C:\Windows\system32\, and delete the following files:


Now search the Registry and delete all the keys that contain any of the following:







Thanks, will do. Just curious, what does that OsbornTech Popup Blocker really do?

I have just found out that it is a CWS variant so the updated CWShredder should nuke it now. Fingers crossed.
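
Added example, not part of the thread and not HijackThis's own code: a small Python parser for the `O2 - BHO` lines of a HijackThis log that flags any Browser Helper Object whose CLSID is on a review list. The sample lines are copied from the log above, the only indicator is the CLSID named in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 3.6\THGuard.exe
"""

# Review list: only the CLSID the helper in this thread identified.
KNOWN_BAD_CLSIDS = {"{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}"}

# O2 line layout as seen in the log: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


def parse_bhos(log_text):
    """Return one dict (name, clsid, path) per O2 line; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = BHO_RE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["clsid"] = entry["clsid"].upper()  # CLSIDs are case-insensitive
            entries.append(entry)
    return entries


def flag_bhos(log_text, bad_clsids=KNOWN_BAD_CLSIDS):
    """Return the BHO entries whose CLSID appears in the review list."""
    bad = {clsid.upper() for clsid in bad_clsids}
    return [entry for entry in parse_bhos(log_text) if entry["clsid"] in bad]


if __name__ == "__main__":
    for hit in flag_bhos(SAMPLE_LOG):
        print(f"review: {hit['name']} {hit['clsid']} -> {hit['path']}")
```

Matching on the CLSID rather than the display name matters here because the entry presents itself as a popup blocker.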
