
Luckysearch.net hijack


Name: Raymond
Date: November 20, 2003 at 20:25:47 Pacific
OS: 98
CPU/Ram: unknown
Comment:

I was hijacked by Luckysearch.net today and have attempted cwshredder to remove it, but it comes back at reboot. I have the updated version of cwshredder

Here is the hijackthis file

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.exe
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.exe
C:\PROGRAM FILES\WINAMP3\WINAMPA.exe
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.exe
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.exe
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.exe
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SMC\SMC2664W EZ CONNECT 11MBPS WLAN USB ADAPTER\SMCMONITOR.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.exe
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?qswil (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?qswil (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?qswil (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?qswil about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?qswil (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?qswil (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?qswil (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?qswil (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?qswil about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?qswil (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?qswil (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?qswil (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?qswil (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?qswil (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?qswil (obfuscated)
F1 - win.ini: run=fntldr.exe
O1 - Hosts: 1089288654 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Shell] C:\WINDOWS/DOWNLO~1/tray.exe
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\SYSTEM\soundmx.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: WLAN Monitor & Configuration.lnk = C:\Program Files\SMC\SMC2664W EZ Connect 11Mbps WLAN USB Adapter\smcmonitor.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Internet Cleaner (HKCU)
O9 - Extra 'Tools' menuitem: Internet Cleaner (HKCU)
O12 - Plugin for .php: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://66.77.172.66/WebIQ/bin/WebIQ.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37916.3168518519
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

Any help appreciated




Response Number 1
Name: Johnw
Date: November 20, 2003 at 22:13:47 Pacific
Reply:

Here is logfile check list .

http://hjt.wizardsofwebsites.com/



Response Number 2
Name: Falconfig_ultra
Date: November 21, 2003 at 09:19:46 Pacific
Reply:

Ray, bad news. The a$$hole who did it to u protected itself to anything u try to do to revert it.

U will probably have to re-install your windows. But no worry, u won't lose any file.

-=Falconfig=-
"I hate this kind of problem. Don't ya?"



Response Number 3
Name: Chelle
Date: November 22, 2003 at 20:37:30 Pacific
Reply:

Okay well i have the same virus/trojan.... lucky search keeps being made my home page...
I get the same porn pop up over and over and it tries 2 force me to d/l this sex tool bar....
how do I put an end to this..
fntldr.exe is in my start up .. I think it has 2 do with that.. the location is hidden too... PLSSS help... I don't mean 2 duplicate this message I think i left it in the wrong spot last time... *newbi Moment*



Response Number 4
Name: Johnw
Date: November 23, 2003 at 02:52:32 Pacific
Reply:

This may be worth trying , if it applies .

A virus may have written itself to the buffer on your dsl modem or router .

Reset your DSL modem & it's gone .

1 . Run virus scan and clean your computer .
2 . Shut down .
3 . Go to DSL/Cable modem or router and unplug power .
4 . Remove the dsl or cable line in , wait 30 sec to a minute .
5 . Plug DSL/cable line back in , plug power back in , wait for lights to stop flashing and turn steady and then start computer .
You can still get infected by downloading from peer to peer networks .
If you download anything from someone who has the virus you can get infected again .

============================================

Also ,

I'm wondering if the host file has been altered , which is OK for most people .

Do a search & rename to > host.txt or hostold , you may have to do it on 2 files .

Right clicking on the file & clicking on properties , shows the difference or opening up with notepad gives all the details .

# in front of a line , means it is disabled .

Windows 95/98/Me c:\windows\hosts



Response Number 5
Name: Chelle
Date: November 23, 2003 at 09:12:34 Pacific
Reply:

Logfile of HijackThis v1.97.7
Scan saved at 10:08:41 AM, on 11/23/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\HIDSERV.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\HPSYSDRV.exe
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.exe
C:\WINDOWS\SYSTEM\USBMMKBD.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\WINDOWS\LOADQM.exe
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\REGEDIT.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
O1 - Hosts: 1089288654 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe /RUNSERVICES
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O9 - Extra button: RealGuide (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37932.8916550926
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)






Response Number 6
Name: cyberhog
Date: November 23, 2003 at 09:14:25 Pacific
Reply:

Hi,

I have got this Ba$t@rd as well. CWshredder won't touch it, neither will Adaware or Pestpatrol.

I am hoping the CWshredder guys will post a new version that will kill it.

I'm struggling thru my registry now.



Response Number 7
Name: Chelle
Date: November 23, 2003 at 09:28:51 Pacific
Reply:

Here is my hijackthis file.... Just wondering .. in my registry editor... in HKLU... Internet explorer... Search.... EXTENTIONS.... is where that stupid "search assistant" is... I believe it's from that alexa tool bar which was supposed to be a nice lil tool bar companion to help me watch my website ranking... help pls

Logfile of HijackThis v1.97.7
Scan saved at 10:08:41 AM, on 11/23/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\HIDSERV.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\HPSYSDRV.exe
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.exe
C:\WINDOWS\SYSTEM\USBMMKBD.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\WINDOWS\LOADQM.exe
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\REGEDIT.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
O1 - Hosts: 1089288654 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe /RUNSERVICES
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O9 - Extra button: RealGuide (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37932.8916550926
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)



Response Number 8
Name: JLee Smith
Date: November 23, 2003 at 09:43:04 Pacific
Reply:

Hi Folks:

First time to this site.

Running Win 98SE with updates.

I just got hit with something very similar in the last 24 hours. In this case, the homepage was hijacked to http://globe-finder.cc/

On reboot, it shows a warning cannot find file "fntldr.exe" followed by a second warning that I need to either replace it, or remove reference to it in the Windows INI files.

Have run Adaware and scanned with Mcafee virus scanner, but they picked up nothing.

Tried disconnecting the highspeed wireless modem and resetting it, but no luck.

Pretty "miffed" to say the least!

Thanks in advance for the opportunity to pick your brains to reach a solution.

Lee



Response Number 9
Name: cyberhog
Date: November 23, 2003 at 11:27:34 Pacific
Reply:

I also got the fntldr.exe error - I just took it out of the startup file using Start/Programs/Accessories/System Tools/System Information then hit Tools/System Configuration Utility and you can look at your INI and Start Up file and switch stuff on and off.

However, I have done this, deleted all references to the long string http://%60%....etc. that occur in the registry, run AVG/ Adaware/ Pestpatrol and CWShredder.

CWshredder removes the problem files Bootconf and Tapisrv and the problem is cured temporarily - but on reboot it all comes back up again.

This is really annoying me now - these guys are scumbags.



Response Number 10
Name: Johnw
Date: November 23, 2003 at 12:15:02 Pacific
Reply:

Try all these sites enclosed , 1 of them may have a fix .

Also , for the future , if you change to the email client enclosed , you can have a good look at your mail on your ISP server , before downloading .

===========================================

eScan Antivirus Toolkit Utility
http://www.it-mate.co.uk/main_content/security.asp#dialerspy
http://www.mwti.net/index.asp
MicroWorld has developed a Free eScan AntiVirus Toolkit Utility, that will help you diagnose if your machine is infected by a virus. This tool also cleans your registry and other system areas of the damage that a virus might have done. The best part of eScan toolkit utility, is its ability to;

A. Check running processes in memory.
B. Check illegal dialers running in memory and inform the user.
C. Inform users of any background (legal) sniffers or tools running in memory.

Ed: This program can be slow on older systems with large hard drives

================================

Online Virus check ( free )
http://housecall.antivirus.com/
http://www.coledata.com/virusalert.htm
http://www.cybertechhelp.com/html/misc/av.php
http://www.pandasoftware.es/activescan/activescan-com.asp
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/
http://www.stop-sign.com/?n=google_cure5

====================================

If you want to try a really good free email client & Spam remover , this is very good .

I can look at my mail on the ISP's server , delete ( spam removal ) , reply , click on links & if I want it on my comp , click on Move to > Archive .
Use right click for some of the functions .

You can still leave any other email client installed . Just a matter of choosing which one you want as default .

http://geminisoft.com/geminisoft.eng/
Pimmy - Your personal postman.

Geminisoft Pimmy lets you manage your electronic mail easily and everywhere you are. The full
program may be put on a floppy!
What you can do using Pimmy:

* manage an unlimited number of mailboxes;
* read and write messages on newsgroups;
* check for new messages and be warned about them;
* file messages in folders;
* automatically download mail and newsgroup messages from the mailboxes you desire to one or more folders;
* read on-line only the message in which you are interested in, not downloading all and leaving mail on the server until you decide to delete them;
* read a preview of a message on-line not reading it completely or downloading it;
* delete a message on-line not reading it completely or downloading it;
* write your messages off-line and send them when connected to Internet, moving all sent messages in a special folder;
* send messages using different providers easily;
* manage an address book;
* manage different signatures (even with only one mailbox);
* attach files and documents;
* chat with other Pimmy users, even with more than one at the same time.



Response Number 11
Name: JLee Smith
Date: November 23, 2003 at 13:47:56 Pacific
Reply:

Hi Folks:

I may have been lucky after an email exchange with the anti-virus service technical people at McAfee .... unchecked the 2 run= programs in the startup menu found under msconfig and still things seem ok after about 3 or 4 reboots. No more hijacked homepage.

So far (fingers crossed) so good.

Best of luck to everyone dealing with this crud!

Lee



Response Number 12
Name: jasmine75
Date: November 23, 2003 at 22:57:51 Pacific
Reply:

The previous message from Lee was the most helpful advice I've found on this. Let me explain a couple things I did step by step for those of us out there that need more help. First I went into Start/Run/Msconfig. Click Startup and uncheck both run=fntldr.exe and run=hpfsched. The other option to totally erase this is to go into Start/Run/Sysedit. Click the C:\Windows\Win.ini box. It says ***DO NOT EDIT THIS FILE*** but you can. Just be careful. Scroll down until you find a section beginning with [windows] and erase the line run=fntldr.exe hpfsched. For all the computer experts, sorry. I'm describing this for the average person who doesn't do this often. This was the only site with decent info on this. Hopefully this takes care of it though there may be more to it than this. This procedure took away the fntldr error upon bootup on my computer.



Response Number 13
Name: CeeKnowEvil
Date: November 23, 2003 at 23:23:19 Pacific
Reply:

Say what? I hate to be blunt, but can those experts trying to help please speak in detailed layman's terms? I just came home and pretty much got the same annoying win.ini and fntldr.exe errors. However, my IE homepage seems to be okay besides the fact that IE keeps restarting itself once in a while (maybe totally unrelated to this subject but this rarely occurred before and has happened several times tonight). Please help.

On a side note - Thanks, Jasmine, btw. That's what I thought I should've done (uncheck run=fntldr.exe and run=hpfsched) but wasn't that sure. This is what I'll do for now until somebody comes up with a more effective solution.



Response Number 14
Name: cyberhog
Date: November 24, 2003 at 00:37:50 Pacific
Reply:

I also found the run=fntldr and killed it off - but I didn't have the other run= in my startup.

Unfortunately it has no effect - still reboots with the sodding luckysearch crap on it.

I must have a mega virulent one.

I've contacted the CWS Shredder guys to see if they know what's going on.



Response Number 15
Name: Dennis
Date: November 24, 2003 at 02:24:07 Pacific
Reply:

I have this 1 as well. I had a similar 1 once before and it had something to do with style sheets, so I deleted the one that I was using, "tips..." something. Unchecked use style sheets. Seems to have worked for the time being.



Response Number 16
Name: Douglas
Date: November 24, 2003 at 10:39:31 Pacific
Reply:

One thing that I've found VERY interesting is that this thing creates a backup of your win.ini file called win.tsh. win.tsh is your original non hijacked ini file.

Do NOT delete win.ini and replace it with win.tsh. Perhaps someone can provide this to the CWShredder folks for insight.

~~Douglas
http://www.therealms.net



Response Number 17
Name: Vlad
Date: November 24, 2003 at 18:42:37 Pacific
Reply:

Maybe this make you feel good. My group decide to crash this people permanently as our goal.



Response Number 18
Name: CeeKnowEvil
Date: November 25, 2003 at 00:11:36 Pacific
Reply:

Hrm...interesting.

Yesterday, I posted that I did the (Start/Run/Msconfig. Click Startup and unchecked both run=fntldr.exe and run=hpfsched). However, tonight I turned on my computer and both of those unchecked items were checked again and now my homepage is also luckysearch and whatever the other one was. How annoying...



Response Number 19
Name: cyberhog
Date: November 25, 2003 at 01:05:31 Pacific
Reply:

OK everyone - it is sorted. Not by me I hasten to add but by the genius at CoolWebSearch Chronicles.

I emailed him and he's got a fix for it.

Apparently the soundmx.exe file has been modified to cause the reloading of all this crap on reboot.

Just use this link http://www.spywareinfo.com/~merijn/files/cwshredder.zip
and use CWShredder version 1.36 and you will be free.

I can't commend this guy enough.



Response Number 20
Name: JLee Smith
Date: November 25, 2003 at 21:33:40 Pacific
Reply:

Had the little beggar back again when I got home after a couple of days away.

Ran the CWShredder program and it seems to have stopped it. Thanks for the tip!

Hope this is "The Final Solution" to this clown's work.

Lee



Response Number 21
Name: tyler
Date: November 27, 2003 at 10:06:24 Pacific
Reply:

One version creates a file called soundmx.exe. Delete it and uncheck the box next to it in msconfig, startup tab. This should prevent any recurrences if you have taken care of the fntldr.exe file already.



Response Number 22
Name: jonsey
Date: November 28, 2003 at 02:38:00 Pacific
Reply:

I've had the same problem with fntldr.exe.
I have removed it from win.ini. Found the soundmx.exe and scrapped it. Altered the msconfig. Now I am left with altering the internet browser settings before going on the net cos some process is altering the settings to proxy server at start up or shutdown. I've run all the virus checks I can with no result.


0

Response Number 23
Name: jsd
Date: November 28, 2003 at 10:28:29 Pacific
Reply:

I had this happen, and have removed the fntldr.exe and sound files mentioned, but am finding that it still reboots or closes either IE or my search engine on my ISP consistently when clicking on links, etc. Does anyone have any other thoughts? I've run several virus scans and nothing is coming up.

Thanks


0

Response Number 24
Name: ricki
Date: November 28, 2003 at 10:37:26 Pacific
Reply:

I am writing in regards to Response Number 19. Hi, I don't know anything about computers. I am having trouble with "fntldr.exe". I downloaded the site (http://www.spywareinfo.com/~merijn/files/cwshredder.zip) as you recommended. Now my computer is asking me "what program to use to open up files I downloaded" and I don't know which program to use to open up the downloaded site. Please help me. I have the same problem with the "fntldr.exe" pop up. Thanking you in advance, Ricki.


0

Response Number 25
Name: jonsey
Date: November 28, 2003 at 11:23:23 Pacific
Reply:

With ref to 22 above.
I downloaded cwshredder today and ran it. It seemed to do OK. Unfortunately my internet browser settings are still being changed at reboot.


0

Response Number 26
Name: Jack Osorio
Date: November 28, 2003 at 18:58:09 Pacific
Reply:

Spysweeper with the Shield ON at all times will prevent your HOMEPAGE SETTING from being changed... however, Spysweeper does not eliminate it nor detect it as a pest during the scan. Neither Pest Patrol nor Adware can detect it. Spybot can detect and eliminate the pest; however, it came back to me after 5 reboots or so somehow. I ran HIJACK THIS and apparently the problem is with this particular FORBIDDEN ACCESS website http:in.webcount.cc. I even PINGed this website with MS-DOS and it says UNKNOWN HOST, so I suggest eliminating every entry with http://in.webcount.cc in your HIJACK THIS scan log.
Good Luck

MANUAL REMOVAL USING REGISTRY:
Also check in your registry using REGEDIT. Start > Run> type REGEDIT > EDIT > FIND this HOMEPAGE and delete it: http://%69%6e%2e%77% (that should be enough....as you do not need the entire number lol) Also look for simply %69%6e%2e

So in brief: Use Spysweeper, Spybot, Hijack This and Regedit.

Good luck
WEB$ITE:
http://www.jack-computer-fixer.com



0

Response Number 27
Name: jonsey
Date: November 29, 2003 at 06:33:56 Pacific
Reply:

Hi Folks,
With reference to 22 and 25 above. I decided to look at msconfig start up one more time and really look at the start up programmes.
I discovered that removing a programme, adsubtract.exe, from the start up solved my particular problem. Thus, to summarise: I removed flnldr.exe from win.ini. I removed soundmx.exe from msconfig. I then ran cwshredder. I removed adsubtract.exe from msconfig. (I also found an illegal dialer which I've also removed.) This is the 6th reboot. Hopefully the wee beastie is stuffed.
Thanks for all your comments which were greatly appreciated and without which I could not have researched out this nonsense.


0

Response Number 28
Name: flatrock14433
Date: December 6, 2003 at 05:48:36 Pacific
Reply:

OK, my browser is getting hijacked to both luckysearch and globalsearch at different times. I looked in my startup files and don't even have flnldr.exe or soundmx.exe, so deleting them is not an option. I give up! Someone earlier mentioned reloading Windows(xp) and that there is a way to do it without losing everything else on your pc? How do I do that? Have there been any other viruses as stubborn as this to get rid of?


0

Response Number 29
Name: NJS
Date: December 10, 2003 at 16:04:04 Pacific
Reply:

Thank you all for your helpful comments. Using CWshredder seems to have solved the problem. Is there any way to identify the exact origin of the virus? Prove from whence this beast came?


0

Response Number 30
Name: Raphael T. Bernard
Date: December 15, 2003 at 06:41:08 Pacific
Reply:

To solve the RESTARTING BROWSER PROBLEM:

IE:
Tools --> Internet Options --> Accessibility

UNCHECK "Format documents using my style sheets"


b---tards.


0

Response Number 31
Name: forhowmuch
Date: December 16, 2003 at 21:51:34 Pacific
Reply:

Jasmine 75's advice fixed the problem. Here is a step by step for fixing the fntldr.exe problem.

Run CWShredder, Ad-aware 6.0, and Spybot-Search & Destroy.

Then:
Click Start Button
Click Run Button
Type in MSCONFIG and click OK
Click STARTUP tab in System Configuration Utility Window
Scroll down to run=fntldr.exe and uncheck the box
Click Apply
Click OK
Click Later on the rebooting your computer message

Now:
Click Start Button again
Click Run
Type in SYSEDIT and click OK
Click on the C:\Windows\Win.ini box window
Scroll down to the paragraph with the heading [WINDOWS]
Then erase the following line norun=fntldr.exe
Click the X on the C:\Windows\Win.ini box to exit this window
Click YES to the message to keep the change you just made
Exit the SYSEDIT window
Reboot your computer

This should take care of the problem.
regards forhowmuch


0
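An added example, not part of the post above or of any tool named in this thread: a small audit of the win.ini auto-start lines that the steps above edit by hand. The sample file is constructed, `autostart_entries` and `unexpected` are hypothetical helper names, and program names are assumed to contain no spaces.

```python
import re

# Keys in the [windows] section that name programs. "norun" is the form
# quoted in the post above for the line left behind after unchecking
# run=fntldr.exe in MSCONFIG.
AUTOSTART_KEYS = {"run", "load", "norun"}

# Constructed sample win.ini, modelled on the entries described in this thread.
SAMPLE_WIN_INI = """\
; constructed sample
[windows]
load=
run=fntldr.exe
NullPort=None

[Desktop]
Wallpaper=(None)
run=ignored-outside-windows-section.exe
"""

def autostart_entries(text):
    """Return (key, program) pairs found in the [windows] section only."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in AUTOSTART_KEYS:
            # One line may list several programs, split by spaces or commas.
            for program in re.split(r"[,\s]+", value.strip()):
                if program:
                    entries.append((key.strip().lower(), program))
    return entries

def unexpected(entries, known_good):
    """Entries whose program is not on the caller's list of expected names."""
    known = {name.lower() for name in known_good}
    return [(k, p) for k, p in entries if p.lower() not in known]

if __name__ == "__main__":
    for key, program in unexpected(autostart_entries(SAMPLE_WIN_INI), []):
        print(f"[windows] {key}= {program}")
```

Running it before and after a reboot shows whether something has put a removed entry back, which is the symptom several posters describe.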

Response Number 32
Name: Mike Cronin
Date: December 23, 2003 at 13:55:10 Pacific
Reply:

Hi all,

I hope the following information will help you.

The hijack is in.webcounter.cc. Download and run CWShredder.exe to see if this fixes your problems.

You may also want to send an email to abuse@enic.cc regarding in.webcounter.cc.

enic is a legitimate subsidiary company of VeriSign who happens to be hosting the in.webcounter.cc domain and may be interested in knowing about this hijack.

Find out more about in.webcounter.cc by entering that URL on the Whois page at http://www.enicregistrar.com/cgi-bin/whois.

You can read further about the FastSearch.cc hijacker and download the CWShredder.exe at http://www.pchell.com/support/fastsearch.shtml.

Symantec has additional information that you will find interesting at http://www.symantec.com/avcenter/venc/data/adware.searchcounter.html.

Hope this stuff helps someone.

Best regards,

Mike


0

Response Number 33
Name: SteveJae
Date: December 24, 2003 at 04:34:01 Pacific
Reply:

Thank you to all who have contributed their thoughts and struggles with the (un)luckysearch creature. My pc has been infected for about a month or more and being a computer ignorant of the highest order, I thought I would just have to live with it. I had this nagging thought though that it was wrong of people to invade my privacy and manipulate my property and my choices in the way they obviously have. So I typed 'luckysearch invasion' into google tonight and ended up at this site. Yahooooo! as they say!

I downloaded the CWShredder as suggested - ran it and 13 IE entries were noted (don't know if I got the term right there)

I went to the MS update site and discovered no critical updates needed for my pc.

Went through the process suggested by Jasmine - so clearly described - thanks. I run 98se - couldn't find the relevant box in msconfig or the line in Win.ini - but not to worry - rebooted the old HP Pav and lo - the IE home page was simply blank!!!! I made the homepage back to the one I always use and it remains so.

Thanks everyone!

Merry Christmas

Steve


0

Response Number 34
Name: ebenburns
Date: December 30, 2003 at 05:22:10 Pacific
Reply:

I was having all of the above-mentioned problems on my home computer. With the aid of the advice above, I got rid of the "fntldr.exe" error message (which was only an annoyance). I also got rid of the "soundmx.exe" file. I even found and deleted the hijacking homepage "http://%69%6...". Thanks to all of you for the help.

[I'm writing this from my work computer since my home computer is not currently functioning as an internet tool.]

BUT, I still have a bigger problem. When I start to get on the internet (with either IE or Netscape), my home computer tries to go to "http://in.webcounter.cc/%2d/?%79%64%74%66%73%20%20about:blank". After about a minute, the result is "The page cannot be displayed". Essentially, I can't get on the internet at all. Therefore, I can't go download any of the virus helps like CWShredder or spyware or hijackthis or anything else.

I called the tech support guys at the local ISP (cable company). His first question was, "Do you have any music download programs on your computer, like Kazaa?" I recently acquired this home computer from a college student who had and used this program. (I deleted all of the Kazaa files yesterday, but it didn't help.) The tech support guy said that this hijack program/virus/whatever would be especially bad if you have music download programs.

He recommended saving any files that I wanted to keep on a CD, then format the hard drive, and then reload windows. I am currently running Windows 98 and have Office 2000 loaded. I have Windows XP on a new un-used disc. I also have the Office 2000 disc that I used to load this computer with. Are Windows XP and Office 2000 compatible? Would you experts recommend doing this? OR, is there an easier way to get my internet connection back?

Out of curiosity, are the "fntldr.exe" and the hijacking homepage "http://%69%6..." problems connected? The discussions in this forum started with one and ended with the other.

Eben



0
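An added example, not from any poster or from HijackThis itself: the percent-encoded home page values quoted in Responses 26 and 34 hide ordinary letters, and this sketch decodes HijackThis-style R0/R1 lines and flags values that escape characters which never need escaping. The log lines are constructed (the first reuses the URL quoted in Response 34), and `needless_escapes`, `review` and `flagged` are hypothetical names.

```python
import re
from urllib.parse import unquote, urlsplit

# RFC 3986 "unreserved" characters: a URL never needs to escape these.
UNRESERVED = set("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~")

# HijackThis R-section line: "R1 - <registry key>,<value name> = <data>"
ENTRY = re.compile(r"^(R[0-3]) - (.+?),(.+?) = (.*)$")

def needless_escapes(value):
    """%XX escapes that hide a character which needs no escaping."""
    found = re.findall(r"%[0-9A-Fa-f]{2}", value)
    return [e for e in found if chr(int(e[1:], 16)) in UNRESERVED]

def review(line):
    """Decode one R0-R3 line; return None for any other line."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    code, key, name, data = m.groups()
    decoded = unquote(data)
    parts = decoded.split()
    first = parts[0] if parts else ""
    return {
        "value": name,
        "decoded": decoded,
        "host": urlsplit(first).hostname,
        "obfuscated": bool(needless_escapes(data)),
    }

# Constructed log lines. The first value is the URL quoted in Response 34;
# the second is a made-up benign home page with an ordinary %20.
SAMPLE = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "
    "http://in.webcounter.cc/%2d/?%79%64%74%66%73%20%20about:blank",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "
    "http://www.example.com/search?q=a%20b",
    r"C:\WINDOWS\EXPLORER.exe",
]

def flagged(lines):
    """Return the decoded entries whose data was needlessly escaped."""
    results = [review(l) for l in lines]
    return [r for r in results if r and r["obfuscated"]]

if __name__ == "__main__":
    for r in flagged(SAMPLE):
        print(r["value"], "->", r["host"], "|", r["decoded"])
```

The same check explains why searching the registry for `%69%6e%2e` works: those three escapes decode to `in.`, the start of the host name.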







Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

