Jump to content


Photo

cant get rid of website viewer..Help!


  • Please log in to reply
3 replies to this topic

#1 sabjam

sabjam

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 13 June 2004 - 01:49 PM

Hi,
Every time I go online, this folder, Website Viewer, downloads by itself into my program files folder. It also creates shortcuts on my desktop and start menu.
When I view its properties it is called siteviewer/123920.exe
And also when i open my internet explorer this website, prosearching.com comes up along with my homepage.
Please help me to get rid of these problems. Thank you

here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 2:57:11 PM, on 6/13/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\AXIS EQ\ATOMLOAD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM32\CONFIG\SERVICES.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WEBSITEVIEWER\123920.DLR
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\UDPMOD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [SystemTasks] C:\filez.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [extra win] C:\PROGRA~1\axis eq\atomload.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

#2 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 13 June 2004 - 09:25 PM

Hi sabjam,


Go to Task Manager (Ctrl + Alt + Delete) Then click on processes and "End Task" for this file: atomload.exe


Open HijackThis, click Scan, then put a check next to the following entries:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\UDPMOD.DLL

O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL

O4 - HKLM\..\Run: [SystemTasks] C:\filez.exe
O4 - HKLM\..\Run: [extra win] C:\PROGRA~1\axis eq\atomload.exe

O13 - DefaultPrefix:
O13 - WWW Prefix:

O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe



Then, close all open Windows and browsers (have only HJT open) and click "Fix Checked"

Then Reboot to Safe Mode Safe Mode
And delete these:

C:\PROGRAM FILES\MYSEARCH\ <---Folder
C:\PROGRA~1\axis eq\ <-----Folder

Then Search and find this file: C:\filez.exe

You may have to show hidden files:

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Click Start, Programs and Accessories and open Windows Explorer.
Select a hard drive from the left hand side of the Windows Explorer window.
Select View the Entire contents of this drive.

Then, reboot, and please post a new HJT log, and let us know if you have any concerns.

#3 sabjam

sabjam

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 15 June 2004 - 07:19 PM

Hi autodad,

I did everything you told me to do and most of the problems have been cleared. However, HJT could not delete these two files:

014 - IERESET.INF: SEARCH_PAGE_URL

014 - IERESET.INF: START_PAGE_URL

Also, I could not find this file, C:\filez.exe even after I showed the hidden files. And I wanted to know if I could retrun the hidden files options back to normal.

Another problem I am having is that whenever I sign on line, this Internet Explorer comes up, acculoader, but I am not able to view what it is. Is there any way to get rid of this problem?
Thanks for your time. I greatly appreciate it.

Here is my new log:

Logfile of HijackThis v1.97.7
Scan saved at 8:21:03 PM, on 6/15/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\CONFIG\SERVICES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab

#4 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 15 June 2004 - 09:10 PM

Hey sabjam,


If it's Acculoader.A it's a trojan dialer.
The O16 you fixed in HJT was a dialer, so was the file C:\filez.exe


Download a Free Trial of Trojan Hunter at http://www.trojanhunter.com/ first.
Next, take a free Online Virus scan at http://housecall.trendmicro.com or http://www3.ca.com/v.../virusscan.aspx.


Then, open HijackThis, click Scan, then put a check next to the following entry:

O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe


Then close all open Windows (have only HJT open ) and click "Fix Checked"


Then, reboot to safe mode, and delete this:

C:\WINDOWS\system32\config\services.exe

As for the " retrun the hidden files options back to normal", let's wait till your system is clean, then you can change it back.

Same thing for the O14's, as long as there's no URL next to them don't worry about them, for now till we get your system back to normal.

After you do the above, please post a new HJT log, and let us know how you made out.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button