"Only The Best" Removal Help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Vash1123, Jun 14, 2004.

  1. Vash1123

    Vash1123 Private E-2

    Recently I have been getting pop-ups from "Only The Best." They are relentless, and usually happen when I try a search. I have run Adaware, Spybot, avast!, and NOD32. None of these have been able to help me. In addition, my home page keeps changing when I restart my computer, and when I do a search, a side window opens automatically. If anyone has any information as to how to stop all this from happening, it would be great. Thanks!

    -MDK-
     
  2. hyepride213

    hyepride213 Private E-2

  3. Vash1123

    Vash1123 Private E-2

    Here is the HijackThis log...

    Logfile of HijackThis v1.97.7
    Scan saved at 7:20:15 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Eset\nod32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\addnx.exe
    C:\WINDOWS\d3qq32.exe
    C:\Documents and Settings\MDK\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tdwbu.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tdwbu.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tdwbu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tdwbu.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tdwbu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tdwbu.dll/sp.html#37049
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0A8EC764-DFC9-33AC-16CE-09308452FB81} - C:\WINDOWS\system32\d3sz32.dll
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINDOWS\System32\X470SHLL.DLL,AutoUpdatePnPValue
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
    O4 - HKLM\..\Run: [addnx.exe] C:\WINDOWS\system32\addnx.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
    O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\Common Files\submit.exe"
    O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\DOCUME~1\MDK\APPLIC~1\msld\msld.dll,UpdateDll s
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before deleting anything with HijackThis, first do the following:

    Get DLLFIX.EXE from: http://tools.zerosrealm.com/dllfix.exe
    1) Save the file to your Desktop, double click dllfix.exe and follow the prompts. This will create a folder called dllfix on your desktop.
    2) Click on this folder and then double click on start.bat.
    3) Select option 1 Run Find-All to scan your PC. This will create a log file.
    4) Post this log back here before running any fixes.

    Again, do not fix anything with HijackThis yet; that could make things worse.
     
  5. Vash1123

    Vash1123 Private E-2

    Here is the FIND-ALL log...

    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Mon 06/14/2004
    08:30 PM

    System Info:
    Microsoft Windows XP [Version 5.1.2600]
    C: "" (40EB:DB1E) - FS:NTFS clusters:4k
    Total: 19 987 394 560 [19G] - Free: 5 247 442 944 [4.9G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;



    Locked or 'Suspect' file(s) found...
    These may be other files that Dllfix doesnt target.


    Scanning for main Hijacker:


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="30"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A8EC764-DFC9-33AC-16CE-09308452FB81}]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}]
    @=""

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you should move HijackThis.exe to its own directory rather than having it in a Temp directory area. Otherwise your backups could be susceptible to being deleted by cleanup software (or even you). Temp typically means you don't need it.

    Run these online scans first:
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm


    Now let's unregister a couple of DLL files:

    regsvr32 /u C:\WINDOWS\sdkqh32.dll
    regsvr32 /u "C:\Program Files\Submit\submithook.dll" <=== this may not work because file may be missing

    Now shut down all applications, run HijackThis and have it fix the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tdwbu.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tdwbu.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tdwbu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tdwbu.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tdwbu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tdwbu.dll/sp.html#37049
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll (file missing)
    O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
    O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\Common Files\submit.exe"
    O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\DOCUME~1\MDK\APPLIC~1\msld\msld.dll,UpdateDll s


    Restart to safe mode (here is how to do it: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 )

    Now find and delete:

    C:\Program Files\Submit <=== folder
    C:\WINDOWS\sdkqh32.dll <=== file
    C:\WINDOWS\system32\tdwbu.dll <=== file


    The below looks suspicious to me but I cannot find any info on it:
    O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\DOCUME~1\MDK\APPLIC~1\msld\msld.dll,UpdateDll s

    So leave it for now. But it would be good if you could find this msld.dll file with Windows Explorer and right click on it. Then select Properties and look at all the version information. See if you can find out who it belongs to.

    These also look suspicious. Do you have any idea what they are? I'm leaning towards just renaming the two .exe files for now so we can get a feeling for whether you really need them or not:
    C:\WINDOWS\d3qq32.exe <===== try renaming to d3qq32exe.old
    C:\WINDOWS\system32\addnx.exe <===== try renaming to addnxexe.old
    O4 - HKLM\..\Run: [addnx.exe] C:\WINDOWS\system32\addnx.exe
     
  7. Vash1123

    Vash1123 Private E-2

    First, I'd like to thank you very much for your help. The computer is running much better but I still get those "Only The Best" Pop-ups. If you are still willing to help me with this matter that would be great. If you'd like me to post a new log I will. Thank you again for your time. The directions were great.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Yes, please post another HijackThis log.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you please do this:

    Open Control Panel, select Add/Remove Programs, and see if there is a program called WinShow.
    If so, remove it.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also look for this in Control Panel/Add or Remove Programs, and if you find "iefeatsl", remove it.
     
  11. Vash1123

    Vash1123 Private E-2

    Here it is... all the old problems came back without me doing anything. Should I be considering a format?

    Logfile of HijackThis v1.97.7
    Scan saved at 12:00:01 PM, on 6/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\d3qq32.exe
    C:\Program Files\Eset\nod32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\WINDOWS\system32\addnx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\MDK\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mwjbu.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mwjbu.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mwjbu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mwjbu.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mwjbu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mwjbu.dll/sp.html#37049
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {22CDF736-0E22-7D77-C94E-4A5C38746196} - C:\WINDOWS\d3rt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINDOWS\System32\X470SHLL.DLL,AutoUpdatePnPValue
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [addnx.exe] C:\WINDOWS\system32\addnx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  12. Vash1123

    Vash1123 Private E-2

    Here is the Find-All log

    --==***@@@ FIND-ALL' VERSION MODIFIED -6/14 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Tue 06/15/2004
    12:05 PM

    System Info:
    Microsoft Windows XP [Version 5.1.2600]
    C: "" (40EB:DB1E) - FS:NTFS clusters:4k
    Total: 19 987 394 560 [19G] - Free: 5 163 626 496 [4.8G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
    ! REG.EXE VERSION 2.0
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;


    Locked or 'Suspect' file(s) found...
    These may be other files that Dllfix doesnt target.
    If not file is listed than Dllfix may not Help.
    in this case please post the contents of Windows.txt to the appinit
    entry can be checked. You will find it in the dllfix folder after findall completes.


    Scanning for main Hijacker:


    Dllfix must have the Hijackerfiles in system32 to fix properly.
    If there are no protocal keys text/html and text/plain
    then dllfix may not work. This fix targets this type Hijack Entry.
    that keeps reoccuring with different filenames.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    = res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="30"
    "USERProcessHandleQuota"=dword:00002710
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22CDF736-0E22-7D77-C94E-4A5C38746196}]
    @=""
    REGEDIT4
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    ! REG.EXE VERSION 2.0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    *Security settings for 'Windows' key:

    If error than registry may need to be restored from option 4.
    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!
    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER
    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
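As an added example (this is not code from the thread, from HijackThis or from Dllfix), the following Python script turns the cues chaslang used when picking entries out of the log in post 6, together with the point the Find-All log makes in post 12 (the same hijack keeps coming back under a different random DLL name), into a small triage routine. It keys on the shape of each entry rather than on the DLL name: an R0/R1 start or search page served from a res:// DLL resource, an O2 BHO with "(no name)" whose DLL sits under the Windows directory, and an O4 rundll32 autorun loading a DLL from the Windows root or from a user profile. The heuristics, the WINDIR and profile-root constants and the sample lines (copied from the first HijackThis log above, plus one benign O8 line) are all assumptions of this example; hits are candidates for review, not verdicts.

```python
"""HijackThis log triage (added example; not code from the thread, HijackThis or Dllfix).

Heuristics, all assumptions tuned to the logs posted in this thread:
  * R0/R1 start/search pages served from a res:// DLL resource
  * a "(no name)" O2 BHO whose DLL lives under the Windows directory
  * O4 rundll32 autoruns loading a DLL from the Windows root or a user profile
Findings are keyed on the entry shape and the DLL basename, so a reinfection
that renames the DLL (tdwbu.dll -> mwjbu.dll) still trips the same rule.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

WINDIR = "c:\\windows\\"                                   # assumed, as in the logs above
PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\docume~1\\")

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# res://[drive:\path\]name.dll/page  -- the hijacked start/search page shape
RES_DLL_RE = re.compile(r"res://(?:[^/]*\\)?(?P<dll>[^\\/\s]+\.dll)/", re.IGNORECASE)
# rundll32[.exe] <dll path>,<entry point>
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^,\"]+?\.dll)", re.IGNORECASE)

# Constructed sample: lines copied from the first HijackThis log in the thread,
# plus a benign O8 line that also uses res:// to show the check is R-section only.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tdwbu.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tdwbu.dll/index.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A8EC764-DFC9-33AC-16CE-09308452FB81} - C:\WINDOWS\system32\d3sz32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\DOCUME~1\MDK\APPLIC~1\msld\msld.dll,UpdateDll s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    kind: str   # which heuristic fired
    dll: str    # DLL basename, lower-cased
    line: str   # the log line that triggered it, verbatim


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_windows_root(path):
    """True for C:\\WINDOWS\\x.dll, False for C:\\WINDOWS\\System32\\x.dll."""
    p = path.lower()
    return p.startswith(WINDIR) and "\\" not in p[len(WINDIR):]


def triage(lines):
    """Return a list of Finding for an iterable of HijackThis log lines."""
    findings = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # process list, headers, blank lines
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            r = RES_DLL_RE.search(body)
            if r:
                findings.append(Finding("res_dll_page", r.group("dll").lower(), raw))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            path = body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            if path.lower().startswith(WINDIR):
                findings.append(Finding("unnamed_bho_in_windir", _basename(path), raw))
        elif section == "O4":
            r = RUNDLL_RE.search(body)
            if r:
                path = r.group("dll").strip()
                if _in_windows_root(path) or path.lower().startswith(PROFILE_ROOTS):
                    findings.append(Finding("rundll32_odd_location", _basename(path), raw))
    return findings


def summarize(findings):
    """Map each flagged DLL basename to the set of heuristics that hit it."""
    by_dll = defaultdict(set)
    for f in findings:
        by_dll[f.dll].add(f.kind)
    return dict(by_dll)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.dll}: {f.line.strip()}")
    print(summarize(found))
```

Run it against the sample and the two res:// page entries, the d3sz32.dll BHO, the sdkqh32.dll autorun and the msld.dll RunOnce entry come out flagged, while the Acrobat BHO, the NvCpl.dll autorun and the Excel O8 entry do not; feeding it the second log flags mwjbu.dll by the same rule, which is the property the Find-All text is describing.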

    
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you check for the two items I mentioned in Control Panel, Add/Remove Programs?

    I'll repeat:

    Open Control Panel, select Add/Remove Programs, and see if either of the following programs is shown:

    1) WinShow. If so, uninstall it.
    2) iefeatsl. If so, uninstall it.
     
  14. Vash1123

    Vash1123 Private E-2

    They weren't there.
     
  15. wankel77

    wankel77 Private E-2

    Hi everybody. I've just read your problem. I had that problem too and I'm going to tell you the way I used to solve it; perhaps it will be useful to you.

    First I'll describe what happened to my Windows 2000: I had another default page, beginning with "iekpy" and so on. The file iepky.dll was located in the directory winnt\system32 and even if you deleted it, it would appear again when you opened a browser window. If you looked in the installed applications (sorry for my English) you found some programs such as Home Search, Shopping Assistant and similar things. Well, if you tried to remove them, an error appeared telling you that it was impossible to find an internet address starting with looking-cc. Launching "regedit" you found the keys, but even if deleted, they came back (like a horror movie).

    Well, tired of these tricks plus the annoying "Only The Best" popups, I found a solution (or so I hope). First of all, download a program such as Security Task Manager and download the latest release of Internet Explorer. Then disconnect from the internet. Launch the program and put in quarantine the files the program says are probably dangerous. These ones are in my quarantine list (I don't delete them because I have to check if they're all guilty): ieds32 - mfcca - netkm32 - netnh - netpr. Once you've done this, you can reboot. Now let's delete that iekpy from the system, then we'll launch regedit and search (using F3) for the word "looking". Now we can delete the keys about the three programs we found installed. Finally let's go to Internet settings and tell the program to use the default/factory settings. OK. Now if you want you can reboot your system, but it is not necessary. Connect to the internet and launch the browser. You'll find the default web page. Set yours. Close the window and re-open it. It should work... open Google and search for something. No popups, right?

    Well, that was my experience; hope it will be useful.
    Have a nice day!
    Ciao!

    Sara
     
  16. charco

    charco Private E-2

    Adaware with the latest update will shift it.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Vash,

    I've got to log out for a while, but here is something that would be good to do. Go through this link: http://www.majorgeeks.com/vb/showthread.php?t=35165

    The steps followed there (obviously the file name will be different) seem to have cured the problem. Get familiar with the steps in this link, especially disabling the Network Security Service. Note the name of the process running here, and locate that file on your PC.

    Also, see the steps where I loaded the DLL file shown in the HijackThis log into Notepad, deleted its contents, and resaved it. Your DLL from the last HijackThis log was C:\WINDOWS\system32\mwjbu.dll.
    Your BHO that must be removed was: O2 - BHO: (no name) - {22CDF736-0E22-7D77-C94E-4A5C38746196} - C:\WINDOWS\d3rt.dll
    Search your PC for any occurrence of d3rt.exe. It could even be in the Prefetch folder.
    Make sure you use advanced search options and have selected the following:
    1) search system folders
    2) search hidden files and folders
    3) search subfolders
     
  18. nikkicanlicky

    nikkicanlicky Private E-2

    Hello computer savvy folks. I am running on Windows XP and I am having the same problem as the MANY MANY people on these forums: hijacked homepage and "Only The Best" popups. [I don't know if they are interrelated, and being a FORUM newbie, I don't know if I should start a new thread or what not, so if I did something wrong in that manner, forgive me.]

    Anyway, my homepage is res://#####.dll/index.html#37049 and I've been getting the "Only The Best" popups. Under Add/Remove Programs, I have the following programs, "search extender" and "shopping wizard", which can't be deleted because of "unable to open http://looking-for.cc/uninstall/program", so I decided to search for solutions. It led me here and many other sites explaining what to do. I did what these other sites have instructed me to do [unless it's to delete something I don't think I have, i.e. winshow, iefeatsl... since I didn't have these files, those directions didn't apply to me... or did they?]. I've downloaded like 6 spyware programs [Adaware, Spybot S&D] and none have fixed my problem, but I continued to search through these posts. Seeing the LONG HijackThis entries and many OTHER programs to download in addition [About:Buster, and Security Task Manager], I decided to do that as my last [probably best] resort. I saw "wankel77"'s post on how to fix it and was able to fix it... TEMPORARILY. I was able to get about 6 Google homepages to work, THEN I got the "Only The Best" popup again, and then my homepage returned to res://#####.dll/index.html#37049 [with a diff ### name this time]. I don't know if I should delete the "suspicious file" or leave it in quarantine?

    Anyway, I know probably the most important thing for me to give you is my HijackThis logfile [instead of a life story of how I got here] so you can help me, so here goes my most recent one...

    Logfile of HijackThis v1.97.7
    Scan saved at 5:49:44 AM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\d3qs.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\syshr32.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\America Online 8.0\aol.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Security Task Manager\taskman.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gyycg.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gyycg.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gyycg.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gyycg.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gyycg.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gyycg.dll/sp.html#37049
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {84904FEE-9286-FF81-94DE-50FF47F33E9F} - C:\WINDOWS\system32\ntjb32.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [syshr32.exe] C:\WINDOWS\syshr32.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Locators.com Search Bar (HKLM)
    O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38156.7625810185
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CF3E5DE7-C2BD-458A-B3D9-EB0210F90DD9}: NameServer = 198.81.17.134


    Being un-computer-savvy, I need expert help to analyze this and figure out what [and possibly how] to change some of these to solve this annoying problem...oh yeah, maybe my security task manager list of programs that may be suspicious or the culprit might help as well...[atlmv32.exe and ievg.dll are in quarantine as what I found suspicious when I followed wankle's method]...other programs I'm unfamiliar with are: d3qs.exe, IDLEPROC.DLL, TWO IEXPLORE.EXE??, kbd.exe, ntjb32.dll, and syshr32.exe [I listed this one even though this seems like a normal Windows process like hpsysdrv but I can never be sure so I listed it...] OKAY I HOPE my information is detailed enough where I can get detailed help...THANKS SOOOOO MUCH...not just for me, but for helping all the other people with the same problem as me because I know how frustrating these popups can be!

    -nikki
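    As an added example (not from this thread and not HijackThis's own logic), a small Python triage helper that walks a HijackThis log like the one posted above and flags the entry types a malware helper checks first: R1 start/search pages served out of a DLL resource, unnamed O2 BHOs in system32, O4 autoruns dropped straight into the Windows folder, the O10 broken LSP chain, and the O17 custom NameServer. The sample lines are copied from the posted log; the flagging rules are my own assumptions, not a verdict on any file.

```python
import re

# Added example, not from the thread or from HijackThis: the sample lines
# are copied from the log posted above; the flagging rules are my own.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gyycg.dll/index.html#37049
O2 - BHO: (no name) - {84904FEE-9286-FF81-94DE-50FF47F33E9F} - C:\WINDOWS\system32\ntjb32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [syshr32.exe] C:\WINDOWS\syshr32.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF3E5DE7-C2BD-458A-B3D9-EB0210F90DD9}: NameServer = 198.81.17.134
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")          # "O4 - <rest>"
O4_EXE_RE = re.compile(r'\]\s+"?([^"]+?\.exe)', re.I)   # exe after "[name] "
WINDIR_RE = re.compile(r"[a-z]:\\windows\\[^\\]+", re.I)  # file right in C:\WINDOWS

def triage(log_text):
    """Return (section, reason, line) for entries a helper would check first."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        low = rest.lower()
        if section in ("R0", "R1") and "res://" in low and ".dll/" in low:
            # Hijackers commonly serve the start/search page out of a DLL resource.
            findings.append((section, "start/search page served from a DLL", line))
        elif section == "O2" and "(no name)" in low and "\\windows\\system32\\" in low:
            findings.append((section, "unnamed BHO loaded from system32", line))
        elif section == "O4":
            exe = O4_EXE_RE.search(rest)
            if exe and WINDIR_RE.fullmatch(exe.group(1)):
                findings.append((section, "autorun exe dropped directly in the Windows folder", line))
        elif section == "O10":
            findings.append((section, "Winsock LSP chain broken; repair it, do not just delete", line))
        elif section == "O17":
            findings.append((section, "custom DNS server; confirm it belongs to the ISP", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Known-good entries such as the Google toolbar BHO and Symantec's ccApp pass through unflagged, which is the point: the output is a shortlist to research, not a removal list.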
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nikki,

    Please take all your info and put it in a new thread of your own. Leave a note here that you did that so people do not try to address your problem in two places.
     
  20. nikkicanlicky

    nikkicanlicky Private E-2

    Okay, sorry, I didn't get back to this computer until about a day later...but yeah, I made my own thread "nikki's many "only the best"+ other problems =T" so much help is appreciated :D
     
