• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
sabjam

cant get rid of website viewer..Help!

4 posts in this topic

Hi,

Every time I go online, this folder, Website Viewer, downloads by itself into my program files folder. It also creates shortcuts on my desktop and start menu.

When I view its properties it is called siteviewer/123920.exe

And also when i open my internet explorer this website, prosearching.com comes up along with my homepage.

Please help me to get rid of these problems. Thank you

 

here is my log:

 

Logfile of HijackThis v1.97.7

Scan saved at 2:57:11 PM, on 6/13/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v5.50 (5.50.4134.0600)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM32\WINTIME.EXE

C:\PROGRAM FILES\MOTIVE\MOTMON.EXE

C:\PROGRAM FILES\AXIS EQ\ATOMLOAD.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM32\CONFIG\SERVICES.EXE

C:\WINDOWS\RunDLL.exe

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\WEBSITEVIEWER\123920.DLR

C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE

C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE

C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE

C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE

C:\HIJACK THIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough/index....www.google.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL

O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\UDPMOD.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)

O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [systemTasks] C:\filez.exe

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKLM\..\Run: [services Process] C:\WINDOWS\system32\config\services.exe

O4 - HKLM\..\Run: [extra win] C:\PROGRA~1\axis eq\atomload.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O13 - DefaultPrefix:

O13 - WWW Prefix:

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Share this post


Link to post
Share on other sites

Hi sabjam,

 

 

Go to Task Manager (Ctrl + Alt + Delete) Then click on processes and "End Task" for this file: atomload.exe

 

 

Open HijackThis, click Scan, then put a check next to the following entries:

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough/index....www.google.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

 

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL

O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\UDPMOD.DLL

 

O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)

O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL

 

O4 - HKLM\..\Run: [systemTasks] C:\filez.exe

O4 - HKLM\..\Run: [extra win] C:\PROGRA~1\axis eq\atomload.exe

 

O13 - DefaultPrefix:

O13 - WWW Prefix:

 

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

 

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

 

 

 

Then, close all open Windows and browsers (have only HJT open) and click "Fix Checked"

 

Then Reboot to Safe Mode Safe Mode

And delete these:

 

C:\PROGRAM FILES\MYSEARCH\ <---Folder

C:\PROGRA~1\axis eq\ <-----Folder

 

Then Search and find this file: C:\filez.exe

 

You may have to show hidden files:

 

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Click Start, Programs and Accessories and open Windows Explorer.

Select a hard drive from the left hand side of the Windows Explorer window.

Select View the Entire contents of this drive.

 

Then, reboot, and please post a new HJT log, and let us know if you have any concerns.

Share this post


Link to post
Share on other sites

Hi autodad,

 

I did everything you told me to do and most of the problems have been cleared. However, HJT could not delete these two files:

 

014 - IERESET.INF: SEARCH_PAGE_URL

 

014 - IERESET.INF: START_PAGE_URL

 

Also, I could not find this file, C:\filez.exe even after I showed the hidden files. And I wanted to know if I could retrun the hidden files options back to normal.

 

Another problem I am having is that whenever I sign on line, this Internet Explorer comes up, acculoader, but I am not able to view what it is. Is there any way to get rid of this problem?

Thanks for your time. I greatly appreciate it.

 

Here is my new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:21:03 PM, on 6/15/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v5.50 (5.50.4134.0600)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM32\CONFIG\SERVICES.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\RunDLL.exe

C:\WINDOWS\SYSTEM32\WINTIME.EXE

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\PROGRAM FILES\MOTIVE\MOTMON.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\HIJACK THIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKLM\..\Run: [services Process] C:\WINDOWS\system32\config\services.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

Share this post


Link to post
Share on other sites

Hey sabjam,

 

 

If it's Acculoader.A it's a trojan dialer.

The O16 you fixed in HJT was a dialer, so was the file C:\filez.exe

 

 

Download a Free Trial of Trojan Hunter at http://www.trojanhunter.com/ first.

Next, take a free Online Virus scan at http://housecall.trendmicro.com or http://www3.ca.com/virusinfo/virusscan.aspx.

 

 

Then, open HijackThis, click Scan, then put a check next to the following entry:

 

O4 - HKLM\..\Run: [services Process] C:\WINDOWS\system32\config\services.exe

 

 

Then close all open Windows (have only HJT open ) and click "Fix Checked"

 

 

Then, reboot to safe mode, and delete this:

 

C:\WINDOWS\system32\config\services.exe

 

As for the " retrun the hidden files options back to normal", let's wait till your system is clean, then you can change it back.

 

Same thing for the O14's, as long as there's no URL next to them don't worry about them, for now till we get your system back to normal.

 

After you do the above, please post a new HJT log, and let us know how you made out.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0