Can anyone help please... I can't open IE because everytime I do, it gets redirected to incredifind.com and the webpage never opens. I ran Norton AntiVirus 2000 & SpySweeper and deleted all the spys but I guess this one is still around and after the sweep it crippled my IE. Here is a my hijackthis log: thanks Logfile of HijackThis v1.97.6 Scan saved at 7:49:35 AM, on 2/12/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\system32\drivers\dcfssvc.exe C:\Program Files\Canon\MultiPASS\mpservic.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\Explorer.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\win32_I\win32_i.exe C:\WINDOWS\System32\P2P Networking\P2P Networking.exe C:\Program Files\Common files\updater\wupdater.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Armenian NLS\nlsload.exe C:\Program Files\Microsoft Money\System\urlmap.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Canon\MultiPASS\monitr32.exe C:\Program Files\Date Manager\DateManager.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe A:\hjtlog.exe c:\hijackthis\hijackthis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file) O1 - Hosts: 217.116.231.7 aimtoday.aol.com O1 - Hosts: 217.116.231.7 aimtoday.aol.com O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Recommended Hotfix - 421701D\v14\RH.DLL O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\hh.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {E885DDBB-BBF7-45FA-8BEF-A4ABAE5A2A3B} - C:\WINDOWS\system32\rvsjyanj.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Qidion - {3789CBF0-C4CA-4e98-B93B-22ACF0587FBA} - C:\WINDOWS\qi32.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe O4 - HKLM\..\Run: [Real-Tens] "C:\Program Files\Real-Tens\Real-Tens.exe" /H O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [win32_i ml710e] "C:\Program Files\win32_I\win32_i.exe" O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD> O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE> O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML> O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY> O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist. O4 - HKLM\..\Run: [] c:\WINDOWS\System32\ O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from O4 - HKLM\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked. O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY> O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\Babylon.exe O4 - HKCU\..\Run: [Armenian NLS Keyboard] C:\Program Files\Armenian NLS\armnls.exe /load O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD> O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE> O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML> O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\<BODY> O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist. O4 - HKCU\..\Run: [] c:\WINDOWS\System32\ O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from O4 - HKCU\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked. O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY> O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0 O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm O9 - Extra button: Real.com (HKLM) O9 - Extra button: MoneySide (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab

CWShredder

Yes, you have Incredifind, Keenvalue, & WUPDATER, they are all related: Find 'KeenValue' in Add/Remove Programs then "Remove" . Repeat for 'PowerSearch toolbar for IE' Do a search in FIND for ..... Hosts ......no other extension, open with WORDPAD, find and delete the following line 12.129.205.209 search.netscape.com close and save changes, Now Open REGEDIT: Click Start then Run. Type regedit and click OK. Navigate to this key by clicking on the + plus sign to open each consecutive tree: 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run' In the right pane, delete the value called 'updater', if it's there, Search in FIND for: wupdater.exe, sui.exe, delupdat.exe and DELETE..... CLOSE REGEDIT & REBOOT, Using search in FIND > Delete the following directory and its content: %ProgramsDir%\Common Files\updater\ --------------- FOR INCREDIFIND> Now Open REGEDIT: Click Start then Run. Type regedit and click OK. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists. Close REGEDIT, REBOOT, Search for and delete: %ProgramsDir%\IncrediFind\BHO\incfindbho.dll , copy and paste that, Then; Start Internet Explorer. Click Tools / Internet Options. Click on Programs tab / Reset Web Settings. As a backup, go here to download an UNINSTALLER for INCREDIFIND: www.incredifind.com/downloads/incredifinduninstall.exe ---------------- Run HIJACK THIS again, locate all the following and REMOVE: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file) O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com IF YOU RECOGNIZE THIS, LEAVE O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\hh.dll O2 - BHO: (no name) - {E885DDBB-BBF7-45FA-8BEF-A4ABAE5A2A3B} - C:\WINDOWS\system32\rvsjyanj.dll O3 - Toolbar: Qidion - {3789CBF0-C4CA-4e98-B93B-22ACF0587FBA} - C:\WINDOWS\qi32.dll O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe O4 - HKLM\..\Run: [Real-Tens] "C:\Program Files\Real-Tens\Real-Tens.exe" /H O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [win32_i ml710e] "C:\Program Files\win32_I\win32_i.exe" O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD> O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE> O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML> O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY> O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist. O4 - HKLM\..\Run: [] c:\WINDOWS\System32\ O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from O4 - HKLM\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked. O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY> O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" O4 - HKCU\..\Run: [Armenian NLS Keyboard] C:\Program Files\Armenian NLS\armnls.exe /load O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD> O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE> O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML> O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\<BODY> O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist. O4 - HKCU\..\Run: [] c:\WINDOWS\System32\ O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from O4 - HKCU\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked. O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY> O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm O9 - Extra button: Real.com (HKLM) O9 - Extra button: MoneySide (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Backgammon - :)

Followed the steps below on the home pc. Now the browser "cannot connect" to any web sites. What are the next steps to take to get me back on line. 1.Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.) 2. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists. 3. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists. 4. Exit the registry editor. 5. Restart your computer. 6. Start Windows Explorer and delete: %ProgramsDir%\IncrediFind\BHO\incfindbho.dll Note: %ProgramsDir% is a variable (?). By default, this is C:\Program Files. 7. Start Microsoft Internet Explorer. 8. In Internet Explorer, click Tools -> Internet Options. 9. Click the Programs tab -> Reset Web Settings. -end- thanks in advance

now, i have no clue what all this Hijack thing is, but my PC keeps coming up with Incredifind whenever I connect to IE6 after connecting to the internet (ADSL). THe page eventually never loads and my internet is screwed... please, somebody help and explain all this Hijack thingy.... ssjcazza

I had the same problem. I solved it by using System restore to a date a few days earlier. When IE opened it worked fine again. I did have to go back a couple of days to get to a stable backup point. Hope this helps.