e-centives and Google Redirect - ?

First off, let me thank all the experts here who help the regular folks get their PCs back. If this isn't posted in the right place, please accept my apologies and relocate.

I just helped someone remove a Fake Anti-Virus infection using a combination of Malwarebytes, CCleaner, HiJackThis, judicious deletion of avt.exe, uwuw.exe and a related .dll from the registry, removing the /AnVi directory, and a lot of searching in this forum. I've been doing this for years and so I have a good working knowledge of the MS registry, of what programs are normal/OK in startup and what programs/entries are normal in a task list -> processes. I thought I had completely removed this infection but a few hours later, the user opened up IE and we found out that there was still some malware: the dreaded Google redirect. It seems that this was part of the payload of the original infection as the user claims that this was the first time that they had opened IE since I (prematurely, it seems) pronounced the box cured. Malwarebytes was turning up nothing so after a few minutes of searching here, I ran HiJackThis and the only thing out of the ordinary was this entry:

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab

I used HJT to remove this entry, disabled System Restore, enabled System Restore and rebooted. Since then, all systems have been normal and I have a very happy user. Now I'm sitting here wondering why I violated my standard procedures and changed two things at once. Can any of the experts here tell me whether it was the O16 entry AND/OR the System Restore disable/enable that cured this?

If it was the O16 entry, why does a seemingly legitimate website have a hijacker on their site?

By disabling system restore you delete all system restore points. Malware in system restore points is inactive, so this action wasn't the solution.

The O16 entry and the website look legitimate to me. However, SystemLookup flags the entry as malicious.

If one of these two steps was the solution, then it had to be deleting the O16 entry. :)


This topic is now closed to further replies.
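
An added example, not part of the original thread: a short Python triage helper that pulls the O16 (Downloaded Program Files) entries out of a HijackThis log, so each CLSID and CAB source can be looked up before anything is removed. The second O16 line, the O4 line, the allowlist and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# HijackThis O16 line: "O16 - DPF: {CLSID} (Name) - codebase URL".
# Only CLSID-keyed entries are handled; "(Name)" may be missing.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<id>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>.*)\))? - (?P<url>\S+)\s*$"
)

# Constructed sample log: the first O16 line is the one quoted in the thread;
# the O4 line and the second O16 line are made up for illustration.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Updater) - https://updates.example.test/ctl.cab
"""

def parse_o16(log_text):
    """Return one dict per O16 (Downloaded Program Files) entry in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        entries.append({
            "clsid": m["id"].upper(),
            "name": m["name"] or "",
            "host": (url.hostname or "").lower(),
            # CAB fetched over plain HTTP has no transport integrity.
            "plain_http": url.scheme.lower() == "http",
        })
    return entries

def needs_review(entries, reviewed_clsids):
    """Entries whose CLSID the analyst has not yet looked up and accepted."""
    accepted = {c.upper() for c in reviewed_clsids}
    return [e for e in entries if e["clsid"] not in accepted]

if __name__ == "__main__":
    # Hypothetical allowlist: CLSIDs already checked against a reference database.
    reviewed = {"{00000000-0000-0000-0000-000000000001}"}
    for e in needs_review(parse_o16(SAMPLE_LOG), reviewed):
        scheme = "http" if e["plain_http"] else "https"
        print(e["clsid"], e["name"], e["host"], scheme)
```

Listing the entries this way before removing them also makes it easier to change one thing at a time and see which change had an effect.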