Member Avatar for Killer_Typo

first off ill explain my problem.

I keep getting a redirect to best-search.info theres a www. in front of it, but i dont want anyone clicking on it and catching what my computer may have. Now i get this redirect whenever i try to click on a link to download anything, i cant download it unless i use the cnet secure download. how do i get rid of this freaking thing, i ran adaware, spybot search and destry, and norton ant-virus. nothing helped. so i got hijackthis and im lost at what to do. heres the log i saved from it.


Logfile of HijackThis v1.97.7
Scan saved at 1:18:50 AM, on 4/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael\Desktop\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://reg.sierra.com/prodreg.php?sku=71867
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 3.6\THGuard.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab


anything you can offer would be of great great help. i need to get rid of this crap, its making me very angry because i usualy have things that i need to download, like updates and such. bah!

  • 2 Contributors
  • 6 Replies
  • 361 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by crunchie

Recommended Answers

All 6 Replies

Member Avatar for crunchie

Cannot see anything in your log but try this & get back to us. BTW, did you delete anything from the log?

Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder. Reboot after doing this & post another log please.

Member Avatar for Killer_Typo

nope not a thing, i dont know whats causing this to happen too, i mean i cant download anything, i click on the link and get the redirect. is there such thing as a virus that mimics other viruses so its harder to detect??? bah! trying out ur link now.

Member Avatar for Killer_Typo

well, cwshredder couldnt do anything for me, but i was pretty much expecting that to happen....im not sure what it is anymore.

Member Avatar for crunchie

Found something else out if you don't mind going in to the registry??This is now a known baddy. Please, BACK UP YOUR REGISTRY FIRST.
Close all (browser) windows & have HJT fix these entries=

O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

First, close all IE windows and let HijackThis fix the OsbornTech Popup Blocker BHO . Restart the computer in Safe Mode, navigate to C:\Windows\system32\, and delete the following files:

cidft.dll
cidpoq32.dll
gupd.dll
icnfe.dll
icqrt.dll
icvbr.dll
mshelper.dll
mtwirl.dll
nthst32.dll
sdfup.dll
wecxg32.dll
xcwer32.dll
zxmsn.dll

Now search the Registry and delete all the keys that contain any of the following:


{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}

{129C733D-D07C-4E34-A5E6-D675A016CFAE}

{C19EB5B1-FC58-456E-8793-384532ED5970}

{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}

asd3

testmyie

Member Avatar for Killer_Typo

thnx, will do. just curious, what does that osbornTech popupblocker really do?

Member Avatar for crunchie

I have just found out that it is a CWS variant so the updated CWShredder should nuke it now. Fingers crossed.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.