Moneybaby
Guest IP: 68.32.*.*
|
Posted: Sun Nov 09, 2003 7:00 am Post subject: Problems with start page and favorites... |
|
|
Hello all and thanks for any help you might be able to give me. I have looked at the post made about Backdoor.Madfind, I believe I have taken this off of my computer. I did have it, read through that post and went to the Symantec post about it and believe I got it. However I am having an issue with a different start page popping up every time I start the computer. www.alfa-search.com pops up. And I also have 4 new and not so favorite things under that category. I change it, delete these "favorites" and restart, and they are back there. I have done Spybot, Ad-Aware, and Norton. Not sure what to do. Here is my HijackThis file...
Logfile of HijackThis v1.97.3
Scan saved at 2:05:18 AM, on 11/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Home Publishing Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MSupdate.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
Moneybaby
Guest IP: 68.32.*.*
|
Posted: Sun Nov 09, 2003 8:08 am Post subject: |
|
|
Gah, seems now I have turned my ability to autoengage Norton off also by mistake. Bad day.
BillC
Captain
 Premium Member
 Joined: Jun 25, 2003 Posts: 456
|
Posted: Sun Nov 09, 2003 2:34 pm Post subject: |
|
|
Hey MoneyBaby,
Here is what I would do. Download, install, and launch Ad-Aware.
Before running the scan look at the top of the main window and you will see a Gear Icon; this is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there. Next click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning". Under "Cleaning engine" put a check by "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot" then click "Proceed".
Before you scan, look in the bottom right corner of the main window and click on "Check for updates now". Now you are ready to click 'start' and in the next window, make sure "Active in depth scanning" is checked then click "Next". When the scan is finished, let it fix everything it finds.
Reboot your computer.
Now download Spybot Search & Destroy. Install and launch the program. Before scanning, click "Online" and "Search for Updates". Put a check mark by all updates and install them. You are ready to click "Check for Problems" and when the scan is finished, let Spybot fix all it finds marked in red. Reboot again. It is prudent to take advantage of the "Immunize" option.
Then run HJT again and if these are there, check them, close all browser windows, and hit 'Fix'.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
Next d/l and install Spyware Blaster a free utility from a cool dude named Javacool that will help protect your machine against spyware/adware.
Next open your Norton Antivirus GUI, click on 'Options', then 'Autostart' and make certain all three boxes under "How to stay protected" are checked.
You should be fixed unless I missed something....which of course I do from time to time. 
Moneybaby
Guest IP: 68.32.*.*
|
Posted: Sun Nov 09, 2003 5:25 pm Post subject: |
|
|
Thanks BillC for the help. It's still doing it though. I did the list you told me. When I start my computer it still goes to that website and there are still the favorites. Also every time it starts a little box pops up with "Runtime error 5 at 0040437F " in it. Not sure if this has anything to do with it or not. I did the Norton thing but it won't let me engage and every time I change the settings under options it goes back to the bad setting. I can run live update, or scan the computer but it won't let me engage it.
Thanks again for any help!
Reran a HijackThis on it *I've clicked off the Alfa search before, and have since this log*...
Logfile of HijackThis v1.97.3
Scan saved at 12:26:52 PM, on 11/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 11 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Home Publishing Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MSupdate.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
BillC
Captain
 Premium Member
 Joined: Jun 25, 2003 Posts: 456
|
Posted: Sun Nov 09, 2003 6:06 pm Post subject: |
|
|
Like I said, sometimes I miss things. I'm going to go over the HJT log again, but in the meantime, do this. Go here and get Coolwebshredder d/l and run it. There is something causing those unwanted pages to come back.
Next, run HJT again, check the below again, close all browsers, and hit 'Fix'.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
I should have asked you to run Coolwebshredder in the first place. Have it kill all it finds.
BillC
Captain
 Premium Member
 Joined: Jun 25, 2003 Posts: 456
|
Posted: Sun Nov 09, 2003 6:27 pm Post subject: |
|
|
I think I've found what I missed the first time. It seems O4 - Global Startup: MSupdate.exe is the nasty and all along I thought it needed to read O4 - Global Startup: MSupdater.exe to be the nasty. Did you catch the difference? One is MSupdate, the other MSupdater... sneaky, huh?
Anyway, this is Coolwebsearch and if Coolwebshredder did not get it for some reason, run HJT again, put a check by O4 - Global Startup: MSupdate.exe, close all browser windows, and hit 'Fix' then reboot.
That should get it this time.
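An added example, not part of the original thread: a small triage pass over HijackThis log lines that surfaces the two things this thread turned on, a Startup-folder entry that is a bare executable instead of a .lnk shortcut, and one host occupying several Internet Explorer search values. The min_hooks threshold and the extension list are assumptions of this sketch, and the sample is a constructed subset of the log posted above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MSupdate.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
STARTUP = re.compile(r"^(?:Global )?Startup: (?P<name>.+)$")
BINARY_EXTS = (".exe", ".com", ".scr", ".bat")  # assumed list of directly runnable types

def parse(log):
    """Yield (section_code, body) for every R*/O* line, skipping everything else."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def triage(log, min_hooks=3):
    """Return review candidates; a hit is a reason to look closer, not a verdict."""
    findings = []
    hooks = defaultdict(list)  # host -> IE value names that point at it
    for code, body in parse(log):
        if code in ("R0", "R1") and " = " in body:
            key, url = body.rsplit(" = ", 1)
            host = urlparse(url).hostname
            if host:
                hooks[host].append(key.rsplit(",", 1)[-1])
        elif code == "O4":
            m = STARTUP.match(body)
            # Shortcuts read "name.lnk = target"; a bare name is a file in the Startup folder itself.
            if m and " = " not in m["name"] and m["name"].lower().endswith(BINARY_EXTS):
                findings.append(("startup-binary", m["name"]))
    for host, values in hooks.items():
        if len(values) >= min_hooks:
            findings.append(("search-hook-host", host, sorted(values)))
    return findings
```

Matching on the shape of the entry rather than on an expected file name avoids the MSupdate/MSupdater mix-up described in the post above.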
TonyKlein
Site Moderator Microsoft MVP
 Joined: Oct 15, 2002 Posts: 13120 Location: Netherlands
Moneybaby
Guest IP: 68.32.*.*
|
Posted: Sun Nov 09, 2003 11:22 pm Post subject: |
|
|
Thanks! I got it, weeee! The Coolwebshredder helped, but the HijackThis and right clicking off the O4 - Global Startup: MSupdate.exe and restarting it worked. Thanks!
Gah, Tony I followed Bill's advice before saving it. Sorry about that.
TonyKlein
Site Moderator Microsoft MVP
 Joined: Oct 15, 2002 Posts: 13120 Location: Netherlands
Lord_Gillord
Cadet

 Joined: Nov 12, 2003 Posts: 2 Location: USA
|
Posted: Thu Nov 13, 2003 2:57 pm Post subject: |
|
|
Hi,
I have this same thing. Before I get rid of it I am willing to do what you need to examine it. What should I do?
BillC
Captain
 Premium Member
 Joined: Jun 25, 2003 Posts: 456
|
Posted: Thu Nov 13, 2003 3:36 pm Post subject: |
|
|
Thank you for your offer. Here is what Tony asked to be done:
Quote:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup/MSupdate.exe file to submit-stuffATxs4all.nl for analysis, please? (please replace "AT" in that e-mail addy by the familiar @ )
When you find the file, you will want to right click on it and 'send to: e-mail' using the above address. Please note Tony put 'AT' in for '@' so that his e-mail address will not be harvested.
Last edited by BillC on Sun Nov 16, 2003 2:06 pm, edited 1 time in total |
Lord_Gillord
Cadet

 Joined: Nov 12, 2003 Posts: 2 Location: USA
|
Posted: Thu Nov 13, 2003 4:01 pm Post subject: |
|
|
I received this reply from submit stuff regarding the file I sent.
Thank you for the file. It's a CoolWebSearch parasite related baddie, now targeted by CWShredder!
TonyKlein
Site Moderator Microsoft MVP
 Joined: Oct 15, 2002 Posts: 13120 Location: Netherlands
X-Man
Guest IP: 12.207.*.*
TonyKlein
Site Moderator Microsoft MVP
 Joined: Oct 15, 2002 Posts: 13120 Location: Netherlands
|
Posted: Sun Nov 16, 2003 10:31 am Post subject: Re: alfa-search |
|
|
You're absolutely right: at present it is, but not at the time.
New CWS variants pop up almost on a daily basis, and CWShredder wasn't targeting this particular one yet.
Cheers, _________________ Tony CLSID List
|