http://searchpage.cc/1520/

http://searchpage.cc/1520/ has hijacked my IE default homepage

Worse still, when trying to download CW shredder or Hijack This programmes I get redirected to searchpage

I would be grateful for any suggestions

 

run a virus scan... there are some viruses that "block out" certain web pages (like these ones) so you cannot get help, the good thing is that this is not one of those sites yet.

Good luck,

Jason

 

Thanks for the prompt reply.

I have tried to run virus scan but Norton shuts down after about 10 secs, the same thing happens when I try to access regedit

 

try this virus scanner

AVG Anti Virus
(that is if you can even get to the page)

good luck,
jason

 

See if this direct download of HijackThis works for you. If not, PM me with your email address and I will send you the file.

 

Tried both suggestions, but it seems that whenever I try to download software to fix the problem I get redirected to the searchpage

 

Email sent.

 

I've now found that I can't access the blueyonder site to read my e-mails - any site typed in to IE is redirected to searchpage even using a search engine to link to site doesn't work

All the links in my favourites work and many links from a search engine work but not blueyonder

help!

 

my apologies,

I can access blueyonder through search engine - it just took about 2 mins to open

 

noahfear

tried to download link you e-mailed but again just got redirected to searchpage

 

Right click the attachment and 'Save Target'

 

here is the log from hijackthis - glad someone can understand it

Logfile of HijackThis v1.97.7
Scan saved at 21:45:22, on 25/04/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\video_lnk32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\winh.exe
C:\WINDOWS\Hot_Kiss.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE
C:\WINDOWS\runwin32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\ron\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1520/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1520/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1520/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1520/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1520/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1520/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1520/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1520/
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F1 - win.ini: run=C:\WINDOWS\system32\services\services.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {DC619248-CFE5-09B4-2FBA-D25599D2CCDC} - (no file)
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [Windos Video Link] video_lnk32.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\RunServices: [Windos Video Link] video_lnk32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE "
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O13 - DefaultPrefix: http://www.nkvd.us/1520/
O13 - WWW Prefix: http://www.nkvd.us/1520/
O13 - Home Prefix: http://www.nkvd.us/1520/
O13 - Mosaic Prefix: http://www.nkvd.us/1520/
O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://serha.ud-dial.biz/1/dexGB617.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-gb/gb/games4.cab
O16 - DPF: {AD684060-16D6-40C3-AF27-53956783430D} - http://www.xpehbam.biz/exploit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab

 

You've got a seriously compromised computer there. Scan with HJT again. Place a check next to all of these entries and fix.


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1520/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1520/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1520/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1520/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1520/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1520/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1520/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1520/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1520/
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F1 - win.ini: run=C:\WINDOWS\system32\services\services.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {DC619248-CFE5-09B4-2FBA-D25599D2CCDC} - (no file)
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O13 - DefaultPrefix: http://www.nkvd.us/1520/
O13 - WWW Prefix: http://www.nkvd.us/1520/
O13 - Home Prefix: http://www.nkvd.us/1520/
O13 - Mosaic Prefix: http://www.nkvd.us/1520/
O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://serha.ud-dial.biz/1/dexGB617.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-gb/gb/games4.cab
O16 - DPF: {AD684060-16D6-40C3-AF27-53956783430D} - http://www.xpehbam.biz/exploit.exe
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab


Reboot. Download CWShredder from the link in my signature. Open it, close all other windows and fix.

Download, install and update eTrust EZ Armor and run.

Download both Spybot and Ad-aware, install and immediately update. Run and delete all they find.

Post another HJT log.

 

Fix these two also.

O4 - HKLM\..\Run: [Windos Video Link] video_lnk32.exe
O4 - HKLM\..\RunServices: [Windos Video Link] video_lnk32.exe

 

Did noahdfear send you an email with cwsredder ? and did you run it ? or where you able to download it ?

Did you go get a online anti virus check ?

we need to see another fresh hijackthis log

 

Lonny, Noah,
Following this thread. Would the system restore feature of XP home do any good for this problem?(someone I know has almost the exact problem)

 

Merijns tool cwsredder will fix it if its only the
nkvd.us/1520/ BIT ,, Have them post a log in a new topic here if possible,
If it keeps returning, if they have ran cwserdder or about blank is showing or Mk-AT-msitstore
/and a chm in the R1's /R0's then it might be best to post the log at spywareinfo, But do link to it if it is please

To answer your question yes system restore is a valid option, Not in the log above I think, (more involved than just coolweb)

Regards

 

aleekat,

Most likely, system restore would not help, but can always be tried. In this case, there are multiple virus infections and SR definitely will not help. I have also been following some of the MSITStore infection threads and it looks like there is a fix coming very soon, and already have temp. workaround. Do post a log.

 

thanks for all the help so far - much appreciated

I ran CW shredder and that seemed to do its job, some of the items I deleted in Hijackthis kept returning but deleting them again seemed to work anyway here is the latest log

Logfile of HijackThis v1.97.7
Scan saved at 20:28:27, on 27/04/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE
C:\WINDOWS\System32\video_lnk32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\ron\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder-broadband.co.uk/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE "
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Good, you can download again. Please download and install the eTrust AV and firewall. You have several viruses that have disabled your Norton and this will be the quicker and easier way to deal with them. The firewall will protect you from them accessing the net while you get updates. We can deal with which AV you want to keep after cleaning up. Ignore prompts when installing about having another AV already installed. If prompted, don't allow access to any of these executables.

O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKLM\..\Run: [Windos Video Link] video_lnk32.exe
O4 - HKLM\..\RunServices: [Windos Video Link] video_lnk32.exe

Update eTrust, disconnect from the net and do a full system scan. If any files cannot be cleaned or deleted, boot to safe mode and delete them manually then empty recycle bin. You will most likely need to disable system restore to clear infected files from there too. Clean up with Spybot and Ad-aware and post another log.