Need help destroying websearchtv popups - HJT log attached

Status
Not open for further replies.
First things first -

I'm running Windows XP SP2 fully updated. I have Spybot S&D installed and fully updated. I have Adaware installed and fully updated. I'm running the newest version of Avast and it automatically updates on a daily basis. Picked up this little bugger over the holiday weekend when my nephew was surfing on my machine. He dl'ed some freeware video conversion tool for his PSP and ran an executable. The problems began there. Now, every ten minutes or so this piece of malware opens IE windows on the desktop with either "Advertisement" or "websearchtv.com" in the titlebar.

Here's what I've done so far:

Ran Spybot S&D - found some typical things from everyday surfing and killed them. Didn't make the problem go away. Ran Adaware and had the same deal - found some things, fixed them, didn't fix the problem. Ran Avast. No problems found.

Booted in safe mode and did all of these things again. Made no difference. Checked installed programs to see if I could just uninstall this websearchtv thing - nothing's showing up there. So it seems it's more involved than my level of security know-how.


So

I've attached a Hijack This log text file that was generated by the latest version of HJT day before yesterday. Any help deciphering what I need to do is MUCH appreciated.

Thanks in advance,

J
 
These bold ones are the baddies:

O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O4 - HKLM\..\Run: [04ug00pk.dll] RUNDLL32.EXE 04ug00pk.dll,b 45248140
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00096.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

ibm00001.exe: see this post (scroll down beyond the ads) http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21617437.html

For the rest above:
Read: How to remove Trojans and its ilk!
and
Follow these instructions EXACTLY.
Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!
Read: How to remove Begin2Search/Coolwebsearch and Other Nasties


These need only 'fixing' within HJT.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: EnDisEU3.lnk = ?
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://firstamres.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
 
So far so good, still something amiss though.

I followed all the directions in the reply post (which I'm VERY grateful for, by the way) and the popups are gone.

However...

There are still occasional clicks in the background as if windows are trying to open, even though I see nothing on the desktop.

AND I get a message on startup complaining about one of the exe's I deleted being missing. The message pops up in an error window titled RUNDLL and says the following:

"Error loading 04ug00pk.dll"
"The specified module could not be found"

I've attached my latest HiJackThis log for your review.

Thanks again for all the help. Just not having to close 40 IE windows every half hour is a big improvement.
 
Click Start/Run, type in msconfig and click OK.
Check in the Startup options if there is any program which uses that. If found, disable by un-ticking it.
If that solves it, search for the matching entry in your Registry in the Run keys and delete it.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
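
As an added example (not part of the thread and not HijackThis's own code): a short Python parser that expands the abbreviated `O4` Run lines quoted above into full registry key paths and picks out the value whose command still references the module named in the RUNDLL error. The function names are hypothetical; the sample lines are the ones posted in this thread.

```python
import re

# HijackThis abbreviates Software\Microsoft\Windows\CurrentVersion as "\..\"
# in O4 lines; these tables expand a line back to the full registry path.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")

# O4 lines as posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [04ug00pk.dll] RUNDLL32.EXE 04ug00pk.dll,b 45248140
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00096.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Global Startup: EnDisEU3.lnk = ?
"""

def parse_run_entries(log_text):
    """Return the registry key, value name and command of each O4 Run line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # Global Startup shortcuts are files, not registry values
        hive, subkey, name, command = m.groups()
        key = "\\".join([HIVES[hive], CURRENT_VERSION, subkey])
        entries.append({"key": key, "value": name, "command": command})
    return entries

def orphaned_entries(log_text, error_message):
    """Run values whose command references the module a RUNDLL error names."""
    m = re.search(r"Error loading (\S+)", error_message)
    if not m:
        return []
    module = m.group(1).strip('"').lower()
    return [e for e in parse_run_entries(log_text)
            if module in e["command"].lower()]

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG, "Error loading 04ug00pk.dll"):
        print(f'{e["key"]} -> value "{e["value"]}" ({e["command"]})')
```
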
 