whatsfind.com + trojan that can't be removed + regedit/cmd/task manager disabled

Status
Not open for further replies.

liconn

Hi, I am new here.......after following the pinned posts on top of this board, none of my pc's problems are fixed: :hotbounce

1) I still have whatsfind.com as IE's homepage, and the options for setting the homepage are disabled. My webroot spy sweeper does detect the presence of whatsfind.com and removed it - but the problem PERSISTS once i have rebooted my computer. My IE is still hijacked and pop-ups are still popping up once in a while.

2) My anti virus program (AVG) detects a trojan virus from my IE's temporary internet files folder. It deleted the virus but it didn't help with resolving the IE's problem.

3) Along with the above i also have my regedit+ cmd+ task manager disabled. Attached is my HJT file, and it's so weird that it DOESN'T SHOW a line of R0/R1/R2/R3, so I can't even tell what's going on with the IE's settings.

I'd be very grateful if anyone can give me some ideas on how to fix these problems..... :(
 
Hello and welcome to Techspot.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

winupdates
TheWeatherNetwork\WeatherEye

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

WeatherEye.exe
Setup.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKLM\..\Run: [rmalt] C:\Program Files\winupdates\Setup.exe

O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files (if there).

C:\Program Files\winupdates\Setup.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe

Reboot into normal mode and turn system restore back on.

Regards Howard :wave: :wave:
 
thanks for the quick reply.....i have followed the steps above, but two of the problems are not resolved, i.e. the IE is still hijacked and task manager is still disabled, saying that "the task manager has been disabled by your administrator" (but i am actually the administrator)

regedit and cmd are ok now though.....
 
Take a look at this thread HERE. See if that helps.

Once you've done that, please let me know if your task manager is working or not.

Regards Howard :)
 
yup after altering the registry the task manager works now......with regedit i have also manually set the IE's start page to about:blank, and seems like it works!

now the only thing that still bothers me is......if i go to tools --> internet options --> general tab in IE, the homepage setting options are still disabled. So i wonder if the hijacking problem is actually still there......i am using spy sweeper to scan for problems now.
 
Your HJT log is clean.

Maybe it doesn't show any R0/ R1/ R2/ R3 entries, because there are none there.

I don't have any of those entries either, because they've all been fixed by HJT.

Have you considered using a different browser, such as Firefox?

It's a lot more secure than IE.

You can get it HERE.

I only use IE for Windows updates and the odd website that doesn't support Firefox.

Here's my HJT log, just as an example.



Regards Howard :)
 
LOL yup i have actually been using firefox for over a year....it's just that like your case, i use IE to open up sites that don't support firefox.....sadly....they are not "odd" websites but rather sites from school and work that i have to access frequently......these sites would only take IE, not even netscape, which sucks :(

my spy sweeper just spotted two minor spy cookies and i have just deleted them; meanwhile, the anti virus scan that i have just done doesn't show any trojan horse now.....so i wonder why the setting homepage option is still disabled for IE?
 
Do you use protection software that locks the homepage from changes?

The reason I ask, is because of this entry in your HJT log.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

That is the entry responsible for stopping changes to your home page.

Regards Howard :)
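
How the HijackThis lines quoted in this thread break down by section code, as an added example (not part of any post and not HijackThis's own code): a small Python parser that flags the policy lock-out entries (O6, O7), pulls out the O4 autostart names, and reports whether any R0-R3 lines are present. The function names and the `SAMPLE` block are assumptions made for illustration; the sample reuses four log lines quoted earlier in the thread.

```python
import re

# Standard meanings of the HijackThis section codes that come up in this thread.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R2": "IE start/search page", "R3": "IE URL search hook",
    "O4": "autostart entry",
    "O6": "IE options restricted by policy",
    "O7": "Regedit restricted by policy",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O18": "extra protocol or protocol hijacker",
}
LOCKOUT = {"O6", "O7"}  # sections that mean a setting is locked by a policy key

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.+)$")
# O4 registry form: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")

def parse_hjt(text):
    """Return one dict per recognised log line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, detail = m.groups()
        entry = {"code": code, "detail": detail,
                 "meaning": SECTIONS.get(code, "section not covered here"),
                 "lockout": code in LOCKOUT}
        run = RUN_RE.match(detail) if code == "O4" else None
        if run:
            entry.update(hive=run.group(1), name=run.group(3), command=run.group(4))
        entries.append(entry)
    return entries

def triage(entries):
    """Summarise what a helper reading the log would look at first."""
    return {
        "lockouts": [e["detail"] for e in entries if e["lockout"]],
        "autostarts": {e["name"]: e["command"] for e in entries if "name" in e},
        "has_r_entries": any(e["code"].startswith("R") for e in entries),
    }

# Constructed sample: four log lines copied from the posts in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [rmalt] C:\Program Files\winupdates\Setup.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

if __name__ == "__main__":
    print(triage(parse_hjt(SAMPLE)))
```
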
 
yay......everything's now fixed.......all the problems including the homepage options are cleared and my antivirus program says that my pc is clean.....thanks so much for your help.....

well bad thing is that i paid $20USD for spy sweeper :(, thinking that spy sweeper alone can fix all these problems
 
well bad thing is that i paid $20USD for spy sweeper, thinking that spy sweeper alone can fix all these problems

No one antispyware programme can deal with all the different threats that there are.

Personally I use AVG free/Zonealarm free/Ewido/Spybot s&d/Ad-Aware se/Spyware blaster/HJT/Crap Cleaner.

Glad your problem is solved.

Thanks for letting us know.

Regards Howard :)
 