Incredifind won't go away?

You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder or choose run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

What is the actually file name? HijackThis defaults to calling the file hijackthis.log. You cannot upload files with a .log extension (the word after the period is called an extension). When we say a .txt file attachment, we mean you need to name the file something that ends in a .txt. Even renaming the original to hijackthis.txt will work. Watch the messages in the manage attachment window for errors. If you upload a file anywhere on Majorgeeks and then try to upload the same file again, you will also have an error. Just use a different filename the next time.

 

Just copy and paste your log as inline text. I'll change it into an attachment for you.

 

First step, you need to uninstall SpyHunter. It is a fake/rogue spyware remover. I'm looking at your log now.

 

Also if you installed SpyDeleter, uninstall it. If not installed, run HJT and have it fix these two lines:
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)

 

Please go to Add/Remove Programs and look for PurityScan. If found, uninstall it. Tell me if you find it and get it uninstalled.

If you do not find PurityScan, the steps below with VVSN.exe are related to it and will be trying to remove it manually. If you already have it uninstalled the lines will no longer be in your HJT log.
Make sure system restore is disabled and you have viewing of hidden files enabled as per the tutorial thread.
Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
C:\Program Files\VVSN\VVSN.exe
sais.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netblazon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O1 - Hosts: 66.129.99.73 test.montgomeryzta.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll (file missing)
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe <---- If still here.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

You should read this http://mivo.truxoft.com/art0003.htm about Miva Mia being a security risk:
O4 - Global Startup: Miva Mia.lnk = C:\Program Files\Miva\Miva Mia\Mia.exe

Boot in safe mode and use Windows Explorer to delete:
c:\program files\180solutions <--- the whole directory
C:\Program Files\VVSN <--- the whole directory

I don't like the looks of these two lines but I have no info on them. Do you know what they are? Can you get some properties info on the files?
O2 - BHO: (no name) - {96DE1458-64D7-092B-7CC5-97C0F379179A} - C:\WINDOWS\Cuvbsoof.dll
O3 - Toolbar: Search - {93D6A6D6-96C4-039C-D3D3-0999A2E4AD5E} - C:\WINDOWS\Cuvbsoof.dll

 

Go here and read about SpyHunter. Although it has changed, it is still junk.
http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note


Could you post the Cuvbsoof.ini file as an attachment (just copy it to a .txt file in another directory and then upload it). There was no Version tab?

Yes, you can add the test.montgomery.zta back to your hosts file. It looked sketchy that's why I flagged it.

Have you looked in Add/Remove programs for any other items you do not recognize?

Post another HJT log too.

But for the problems you are having I thing we need to try the following. Run HJT and have it fix (make sure browsers are closed):
O2 - BHO: (no name) - {96DE1458-64D7-092B-7CC5-97C0F379179A} - C:\WINDOWS\Cuvbsoof.dll
O3 - Toolbar: Search - {93D6A6D6-96C4-039C-D3D3-0999A2E4AD5E} - C:\WINDOWS\Cuvbsoof.dll

Then boot in safe mode and RENAME not delete:
C:\WINDOWS\Cuvbsoof.dll to C:\WINDOWS\Cuvbsoof.baddll
Cuvbsoof.ini to Cuvbsoof.badini

Reboot normal and see how things look.

 

Are you saying the C:\WINDOWS\Cuvbsoof.dll file is gone? If so, delete the ini file and the .txt file version we made of it too.

Now for the SpyDeleter problem, do the below:

Click Start, Run, and enter into the box the following without the quotes "Notepad"
Now copy and paste the contents the next 3 lines (including the blank line) into the notepad window.
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB74C951-ACA1-4e33-A94C-A9261EB2CCB7}]


Now save it as file name: "delspy.reg" (without the quotes).
Use Save as file type: All files (*.*)
Save it on your Desktop where it is easy to locate.

Now on your Desktop double-click on delspy.reg.

At the prompt "Do you wish to merge the information into the registry?"
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Then reboot and post a new HijackThis log attachment.

 

Where did this come from:

O1 - Hosts: 216.134.221.94 dev2.babeland.com


Some info on the IP Address: Is this something you know about?

OrgName: Peak 10 Inc.
OrgID: PEK
Address: 8910 Lenox Pointe Dr. Suite A
City: Charlotte
StateProv: NC
PostalCode: 29273
Country: US
NetRange: 216.134.192.0 - 216.134.223.255
CIDR: 216.134.192.0/19
NetName: PEAK10-NETBLK-1
NetHandle: NET-216-134-192-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.CLT.PEAK-10.COM
NameServer: NS1.JAX.PEAK-10.COM
Comment:
RegDate: 2002-11-26
Updated: 2004-01-15
TechHandle: ZP76-ARIN
TechName: Peak-10
TechPhone: 1-866-732-5836
TechEmail: abuse@peak-10.com

OrgTechHandle: DONLU-ARIN
OrgTechName: Lundquist Don
OrgTechPhone: 1-704-264-1060
OrgTechEmail: don.lundquist@peak-10.com

 

You're welcome! Just make sure you have enabled SpywareBlaster's protections. That's all you need to do. But run it once in awhile and double check for updates.

And another canned speech you may find useful:

Make sure you get your system protected from reoccurrence of issues like this. Here are some simple steps you can take to reduce the chance of infection in the future. I strongly encourage you to do them all.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly
patched OS.
a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
Do this at least once a month.
b. Never add any site to your Trusted Sites Zone.

2) Anti Virus: make sure you have one and keep it updated. Here are some good free ones:
http://majorgeeks.com/download1968.html Avast
http://majorgeeks.com/download886.html AVG
The top two hands down. Better than Norton or McAfee!
Only run ONE AV!

3) Firewall: if you don't have one get one of these below. The last two are free versions:
Don't care if your on dial up or High Speed....you must have a firewall
http://majorgeeks.com/download738.html Kerio Personal Firewall
http://majorgeeks.com/download3356.html Sygate Personal Firewall Free
http://www.majorgeeks.com/download388.html ZoneAlarmFree

4) Get a Temp File/Cookies/index.dat cleaner
http://majorgeeks.com/download4191.html CCleaner (Crap Cleaner)

5) SpyWare Prevention (These prevent, they are not scanners. Scanners are listed later.)
http://majorgeeks.com/download2859.html SpyWare Blaster
http://majorgeeks.com/download3045.html SpyWare Guard

6) SpyWare Scanners/Removers
http://majorgeeks.com/download2471.html SpyBot (Use the Immunize feature. I don't activate the TeaTimer)
http://majorgeeks.com/download506.html Ad-aware SE
http://www.majorgeeks.com/download4283.html VX2 Cleaner Plug-In for Ad-Aware

Also, look into replacing Microsoft Java with Sun Java and also use Mozilla FireFox in place of Internet Explorer.