Please Help:Hijack Zestyfind/TDb05

Name: Mike
Date: November 16, 2003 at 19:16:37 Pacific
OS: Windows 98
CPU/Ram: Pentium 3, 128 MB
Comment:

Hi:

I cannot for the life of me get rid of ZestyFind as a hijacked startup webpage. I also have an "extra" toolbar when I right-click on the taskbar to choose one (where you choose Quick Launch, Address, Links, etc). There is an extra one there called TDb05 and there is no way to uncheck it. See picture at:

http://www-personal.engin.umich.edu/~mshallal/TDb05%20toolbar.jpg

I have used HIJACKTHIS about 25 times to get rid of zestyfind and every time I reboot, it comes back. I've used SPYBOT and ADAWARE with the most updated versions as of today (11/16/2003) and nothing gets rid of this. I am so frustrated.

Zestyfind is apparently a result of a program called DOWNLOADWARE. I found a site that showed how to get rid of the program -- all things related to zestyfind and TDb05 -- by hand.

Here is a list of all the registry keys that I made sure were cleaned up by the programs mentioned above or deleted personally by me:


From here... I am not sure what to do...

Here is my HIJACKTHIS log after I already removed the zestyfind startpage. If I reboot, that startpage comes back and I have no idea what is causing it.

Logfile of HijackThis v1.97.3
Scan saved at 9:57:39 PM, on 11/16/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.exe
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.exe
C:\PROGRAM FILES\MEM TURBO\MEMTURBO\MEMTURBO.exe
C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\WINNET.exe
C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\COMWIZ.exe
C:\MY DOWNLOAD FILES\HIJACKTHIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\mshallal\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM\HDBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\CNBABE.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Powermarks - {E166B4A2-83E7-11D3-B4FD-004005A47AAA} - C:\PROGRAM FILES\POWERMARKS 3.5\IEC.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NAVAPW32.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: MemTurbo.lnk = C:\Program Files\Mem Turbo\MemTurbo\memturbo.exe
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\AddressBar\createbookmark.htm
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\AddressBar\createnote.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\AddressBar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\AddressBar\navigate.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: HiDownload (HKLM)
O11 - Options group: [CommonName] CommonName
O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://sodddm03.extra.daimlerchrysler.com/iNotes.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: Java Mainframe Display (MFDFTX) - http://web3270.extra.daimlerchrysler.com/w2hlegacy/w2h_a/java/wdmfdftx.cab
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspace.com/Java/cs4fs084.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: DigiChat Applet - http://fanclubchat.musictoday.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.7152314815
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud12.sports.yahoo.com/java/y/nflgcst1008_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab

If someone can please help me, I'd appreciate it so much. It's driving me insane.

Thanks so much.
mike




Response Number 1
Name: smithdk
Date: November 16, 2003 at 19:39:59 Pacific
Reply:

Fix these lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\CNBABE.DLL
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.exe

See if it comes back when you reboot.


0

Response Number 2
Name: smithdk
Date: November 16, 2003 at 19:50:22 Pacific
Reply:

You have comwiz.exe running as a task:

http://www.securitynewsportal.com/cgi-bin/news.cgi?target=securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.comiz.html


0

Response Number 3
Name: smithdk
Date: November 16, 2003 at 19:53:33 Pacific
Reply:

A link to help uninstall the CommonName toolbar:

http://www.commonname.com/english/ug/toolbar/default.asp?idx=10#4


0
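As an added illustration (not code from any poster in this thread): a small Python triage over an excerpt of the HijackThis log above that starts from the BHO registered under the all-zero CLSID and lists every other entry whose file sits in the same directory. Matching 8.3 short names (`PROGRA~1`) to long names on their first six characters is a heuristic assumed here, and `dir_key` and `related_to_null_bho` are hypothetical names.

```python
import re
from ntpath import dirname

NULL_CLSID = "{00000000-0000-0000-0000-000000000000}"
# First drive-letter path on a line, up to an extension seen in this log.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|ocx|htm)", re.I)

# Excerpt of the HijackThis log posted in this thread.
LOG = r"""
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.exe
C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\WINNET.exe
C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\COMWIZ.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\CNBABE.DLL
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NAVAPW32.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\AddressBar\navigate.htm
"""

def dir_key(path):
    """Directory of `path`, each component cut to its first six characters with
    spaces and any ~N suffix dropped, so PROGRA~1 and 'Program Files' compare
    equal. Heuristic: long names sharing a six-character prefix collide."""
    comps = dirname(path).upper().split("\\")
    return "\\".join(c.split("~")[0].replace(" ", "")[:6] for c in comps)

def related_to_null_bho(log):
    """Return every log line whose file lives in the same directory as a BHO
    registered under the all-zero CLSID."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    paths = [(l, PATH_RE.search(l)) for l in lines]
    seeds = {dir_key(m.group(0)) for l, m in paths
             if m and l.startswith("O2 - BHO") and NULL_CLSID in l}
    return [l for l, m in paths if m and dir_key(m.group(0)) in seeds]

if __name__ == "__main__":
    for hit in related_to_null_bho(LOG):
        print(hit)
```

On this excerpt it returns the two running processes, the BHO, the `winnet` Run entry and the CommonName context-menu item, and leaves the Norton, Symantec and HiDownload entries out.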

Response Number 4
Name: Mike
Date: November 16, 2003 at 22:00:18 Pacific
Reply:

Thanks for everyone's help.

I am not sure how Comwiz and Winnet showed up since they were never there in the previous scans. I have a feeling that when I erased stuff from the registry, something triggered them to pop up.

I installed Pest Control and ran it. It didn't have a license to delete but it showed a bunch of things that the other programs didn't, so I deleted the stuff by hand. I ran Adaware (full scan) and Spybot again. Then I ran HijackThis again as well.

When I rebooted, Spybot took over before Windows reloaded and I configured it to block some stuff.

Everything is good now. The toolbar is gone and the zestyfind page is gone as well. The only thing is that I am really confused as to why it works now when I did the same steps before about 20 times (literally) today with no luck.

All's well that ends well.

Thanks again.
mike


0
