TechSpot

whatsfind.com + trojan that can't be removed + regedit/cmd/task manager disabled

By liconn
May 1, 2006
  1. Hi, I am new here.......after following the pinned posts at the top of this board, none of my PC's problems are fixed:

    1) I still have whatsfind.com as IE's homepage, and the options for setting the homepage are disabled. My Webroot Spy Sweeper does detect the presence of whatsfind.com and removed it - but the problem PERSISTS once I have rebooted my computer. My IE is still hijacked and pop-ups are still popping up once in a while.

    2) My anti virus program (AVG) detects a trojan virus from my IE's temporary internet files folder. It deleted the virus but it didn't help with resolving the IE's problem.

    3) Along with the above I also have my regedit + cmd + task manager disabled. Attached is my HJT file, and it's so weird that it DOESN'T SHOW a line of R0/R1/R2/R3, so I can't even tell what's going on with the IE's settings.

    I'd be very grateful if anyone can give me some ideas on how to fix these problems..... :(
     
  2. howard_hopkinso

    Hello and welcome to Techspot.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programs in your control panel and uninstall anything to do with (if there).

    winupdates
    TheWeatherNetwork\WeatherEye

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    WeatherEye.exe
    Setup.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [rmalt] C:\Program Files\winupdates\Setup.exe

    O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\Program Files\winupdates\Setup.exe
    C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe

    Reboot into normal mode and turn system restore back on.

    Regards Howard
     
  3. liconn

    Thanks for the quick reply.....I have followed the steps above, but two of the problems are not resolved, i.e. the IE is still hijacked and task manager is still disabled, saying that "the task manager has been disabled by your administrator" (but I am actually the administrator)

    regedit and cmd are ok now though.....
     
  4. howard_hopkinso

    Take a look at this thread HERE. See if that helps.

    Once you've done that, please let me know if your task manager is working or not.

    Regards Howard :)
     
  5. liconn

    Yup, after altering the registry the task manager works now......with regedit I have also manually set the IE's start page to about:blank, and it seems like it works!

    Now the only thing that still bothers me is......if I go to Tools --> Internet Options --> General tab in IE, the homepage setting options are still disabled. So I wonder if the hijacking problem is actually still there......I am using Spy Sweeper to scan for problems now.
     
  6. howard_hopkinso

    That's good news.

    Please post a fresh HJT log.

    Regards Howard :)
     
  7. liconn

    Here it is....it doesn't show any of the R0/ R1/ R2/ R3 still....

    thanks :)
     
  8. howard_hopkinso

    Your HJT log is clean.

    Maybe it doesn't show any R0/ R1/ R2/ R3 entries, because there are none there.

    I don't have any of those entries either, because they've all been fixed by HJT.

    Have you considered using a different browser, such as Firefox?

    It's a lot more secure than IE.

    You can get it HERE.

    I only use IE for Windows updates and the odd website that doesn't support Firefox.

    Here's my HJT log, just as an example.



    Regards Howard :)
     
  9. liconn

    LOL yup, I have actually been using Firefox for over a year....it's just that, like your case, I use IE to open up sites that don't support Firefox.....sadly....they are not "odd" websites but rather sites from school and work that I have to access frequently......these sites would only take IE, not even Netscape, which sucks :(

    My Spy Sweeper just spotted two minor spy cookies and I have just deleted them; meanwhile, the anti virus scan that I have just done doesn't show any trojan horse now.....so I wonder why the setting homepage option is still disabled for IE?
     
  10. howard_hopkinso

    Do you use protection software that locks the homepage from changes?

    The reason I ask, is because of this entry in your HJT log.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    That is the entry responsible for stopping changes to your home page.

    Regards Howard :)
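
Added example, not part of any post in this thread: a small Python parser that sorts HijackThis entry lines like the ones quoted above into autostart entries (O4) and policy lock-outs (the O6/O7 lines that explain greyed-out settings). The function names and the wording of the section descriptions are this example's own; the sample lines are copied from the fix list earlier in the thread.

```python
import re

# Section codes seen in this thread, with the meaning HijackThis gives them.
SECTIONS = {
    "O4": "autostart entry (Run key or Startup folder)",
    "O6": "Internet Options locked by policy",
    "O7": "Registry Editor disabled by policy",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O18": "extra protocol handler",
}
POLICY_LOCKS = {"O6", "O7"}  # entries that explain disabled settings

ENTRY = re.compile(r"^\s*(?P<code>[RO]\d{1,2}) - (?P<body>.+?)\s*$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")

# Lines copied from the fix list earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [rmalt] C:\Program Files\winupdates\Setup.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

def parse_line(line):
    """Return a dict for one HijackThis entry, or None for any other line."""
    m = ENTRY.match(line)
    if not m:
        return None
    code, body = m["code"], m["body"]
    entry = {"code": code, "meaning": SECTIONS.get(code, "not described here"), "body": body}
    run = RUN.match(body) if code == "O4" else None
    if run:
        entry.update(run.groupdict())          # hive, key, name, target
    elif code == "O6" and body.endswith(" present"):
        entry["key"] = body[: -len(" present")]
    elif code == "O7" and ", " in body:
        entry["key"], _, entry["setting"] = body.rpartition(", ")
    return entry

def triage(log_text):
    """Group a log into autostart entries and policy lock-outs."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "autoruns": [e for e in entries if e["code"] == "O4"],
        "policy_locks": [e for e in entries if e["code"] in POLICY_LOCKS],
        "has_r_entries": any(e["code"].startswith("R") for e in entries),
    }

if __name__ == "__main__":
    for lock in triage(SAMPLE_LOG)["policy_locks"]:
        print(lock["code"], lock["meaning"], lock.get("key"), lock.get("setting", ""))
```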
     
  11. howard_hopkinso

    Go HERE and click on IE6 homepage locking. It will show you how to unlock IE's homepage.

    Regards Howard :)
     
  12. liconn

    Yay......everything's now fixed.......all the problems including the homepage options are cleared and my antivirus program says that my PC is clean.....thanks so much for your help.....

    Well, the bad thing is that I paid $20USD for Spy Sweeper :(, thinking that Spy Sweeper alone can fix all these problems
     
  13. howard_hopkinso

    No one antispyware programme can deal with all the different threats that there are.

    Personally I use AVG free/Zonealarm free/Ewido/Spybot s&d/Ad-Aware se/Spyware blaster/HJT/Crap Cleaner.

    Glad your problem is solved.

    Thanks for letting us know.

    Regards Howard :)
     
Topic Status:
Not open for further replies.
