best-search.cc - my unauthorized home page in IE

edited August 2004 in Spyware & Virus Removal
Hello, I am new to this forum. This site is my last resort; I have run out of gas on fixing my own problem. I have read a few posts here - major props go out to the organizers of this site!

Anyway, the best-search.cc home page in IE is getting really old really fast. I have tried manually kicking the registry around, but the best-search.cc entry seems to reappear 5 or 10 minutes later. Maybe some random process is running somewhere that I cannot detect. I've viewed processes from Task Manager; nothing jumps out at me as suspect.

Any help is most appreciated...

Logfile of HijackThis v1.97.7
Scan saved at 6:13:24 AM, on 7/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\DATADY~1\ACTIVE~1\WEBCAC~1.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Dell\TrayTool.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
D:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\SCardSvr.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Microsoft Office\Office\1033\wfxmsrvr.exe
D:\PROGRA~1\MICROS~1\Office\1033\OLFMOD32.EXE
C:\WINNT\system32\ctfmon.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\DEVENV.EXE
D:\Program Files\RssReader\RssReader.exe
C:\Program Files\Microsoft SQL Server\80\Tools\BINN\ISQLW.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
D:\PROGRA~1\TEXTPA~1\TextPad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1.SOL\LOCALS~1\Temp\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://best-search.cc/search.php?v=6&aff=4361405
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://best-search.cc/index.php?v=6&aff=4361405
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://best-search.cc/index.php?v=6&aff=4361405
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {09AF76DD-6988-4664-97D0-362F1011E311} - D:\Program Files\Pluck Corporation\Pluck\PluckExplorerBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ToolExe] C:\Program Files\Dell\TrayTool.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [RssReader] D:\Program Files\RssReader\RssReader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PluckTrayApp.lnk = D:\Program Files\Pluck Corporation\Pluck\PluckTray.exe
O9 - Extra button: Pluck (HKLM)
O9 - Extra 'Tools' menuitem: Pluck (HKLM)
O9 - Extra button: Pluck this page (HKLM)
O9 - Extra 'Tools' menuitem: Pluck this page (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {0B105630-3B1F-11D1-B443-00A0244D2920} (WebTreeCtrl Class) - http://www.unicahome.com/common/cab/webtreefx.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38013.5810300926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = solvaris.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solvaris.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = solvaris.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{52558937-B084-4B9C-940C-4E26F32AF485}: Domain = solvaris.com
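
The R0/R1 lines in a log like the one above record the Internet Explorer start and search page values per registry hive. As an added example (not part of the original post and not HijackThis's own code), the following parses those lines and lists the entries whose URL host falls outside an allowlist; `EXPECTED_HOSTS` and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a few lines copied from the log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://best-search.cc/search.php?v=6&aff=4361405
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://best-search.cc/index.php?v=6&aff=4361405
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

# Assumption: domains the reviewer expects IE page settings to point at.
EXPECTED_HOSTS = {"microsoft.com"}

# R0/R1 lines have the shape: "R<n> - <hive>\<key path>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")


def parse_ie_page_entries(log_text):
    """Return one dict per R0/R1 line; all other log sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            code, hive, key, name, data = m.groups()
            entries.append({"code": code, "hive": hive, "key": key,
                            "name": name, "data": data})
    return entries


def host_is_expected(url, expected=EXPECTED_HOSTS):
    """True only for an exact domain match or a true subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in expected)


def unexpected_entries(log_text):
    """R0/R1 entries whose data is empty, not a URL, or an unlisted host."""
    return [e for e in parse_ie_page_entries(log_text)
            if not host_is_expected(e["data"])]


if __name__ == "__main__":
    for e in unexpected_entries(SAMPLE_LOG):
        print(f'{e["hive"]}\\{e["key"]},{e["name"]} -> {e["data"]}')
```

On the sample, only the two per-user (HKCU) values are listed; the machine-wide (HKLM) values still point at the Microsoft redirector.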

Comments

  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    Hey matt.

    This one looks fishy:

    C:\PROGRA~1\COMMON~1\DATADY~1\ACTIVE~1\WEBCAC~1.EXE

    Do you know what that is? If you don't, blitz it.

    Then we'll go from there.
  • edited July 2004
    I do know exactly what that process is; it is okay. I installed that program; all it does is serve as a caching object (WebCache) for IIS applications:

    C:\PROGRA~1\COMMON~1\DATADY~1\ACTIVE~1\WEBCAC~1.EXE

    Maybe something else will turn up, thanks!
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    What's the pluck stuff? Do you know what that is?
  • Shorty Manchester, UK Icrontian
    edited July 2004
    Any more info?
  • edited July 2004
    Pluck is okay too. That is an RSS reader to read news articles. I installed that. www.pluck.com.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    Dude, this is so weird. I know you have something, but there's just nothing in there that looks like it would cause that. urrrgh. I might have to come by one day and look at it...

    (Yes, I know this guy :D )
  • dax
    edited August 2004
    If you load the xxhttp://best-search.cc/index.php?v=6&aff=4361405xx link up with Sam Spade you see that it is a php script to load pop-ups... could there be a Reg entry loading the 'search.cc' as a persistent home page?
  • edited August 2004
    Please help me !! I've the same problemmmm!!!! HELP!! Have you solved it?????
    thank you
    francesco
  • Dexter Vancouver, BC Canada
    edited August 2004
    Since the user has not replied in some time, I am going to close this thread.

    Frenguccio, if you wish for assistance, please post a Hijack This log and we will assist you. Make sure to first review the threads linked at the top of this page (in big red letters.)

    Dexter...
This discussion has been closed.