BLONDE WITH re-occuring HIJACKED browser problems

ShineEyeGal

:banghead:

This is my second time posting my HIJACK Log (thanks you to all who have helped previously). GHoodsum was able to help me clear off the crap from my PC and AGAIN its back. I have updated AD-Aware, Spy-bot, Pest patrol and ran them. Took everything off and the CRAP is still on my PC after 2 weeks of no problems.

Anyways if there is ANY kind soul out there willing to help it will be appreciated.

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\EFAXVIEW.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HARDCOPY PRO\HARDCOPY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\YAHELITE\YAHELITE.EXE
C:\WINDOWS\EFAXVIEW.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://weba.directwebsearch.net/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html
F1 - win.ini: run=.
O2 - BHO: (no name) - {00000000-623A-11D4-BCDB-005004131771} -
C:\WINDOWS\SYSTEM\VGIEHELPER1-2-0-47.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_19_0.DLL
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} -
C:\WINDOWS\SYSTEM\WER1306.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_19_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM FILES\SOPHOS
SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Sweep95] C:\Program Files\Sophos
SWEEP\ICLOAD95.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM
FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer
Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
-
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38160.3666898148
O16 - DPF: ConferenceRoom Java Client -
http://webmaster.webmaster.com:8000/java/cr.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control
4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {00000000-623A-11D4-BCDB-005004131771} (CompanionHelper
Class) - http://www.questionpoint.org/web/updates/iecompanion.exe


The problem with the gene pool is that there is no lifeguard

GHoosdum

Yup, you sure are infected again!

Here ya go, reboot into Safe mode, run Hijack This again, and delete these:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://weba.directwebsearch.net/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redi...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html

O2 - BHO: (no name) - {00000000-623A-11D4-BCDB-005004131771} -
C:\WINDOWS\SYSTEM\VGIEHELPER1-2-0-47.DLL

O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} -
C:\WINDOWS\SYSTEM\WER1306.DLL

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe

There might be more to remove but I'm not sure of some of the files you've got listed there.

ShineEyeGal

GHoosdum again you are MY HERO!!!!!!!!!!!!!!

IT is gone and hopefully it wont come back. BIG KISSES for you!!

x0x0x0x0x0x0x

From a greatful fan

Dexter

Now this is amusing...I checked out the site weba.directwebsearch.net, and it tried to push an auto-installer on me, a couple of times. No big surprise there. What is funny was that after I bypassed that a few times, and actually got to their serach page, I saw a link at the bottom which said:

if problem: click here

So I clicked it, and got this page:

http://weba.directwebsearch.net/uninstall.htm

If you don't want to continue using this page, follow instruction below:
1. Download uninstaller (right click and choose "Save target as.." from pulldown menu

2. Run it

3. Reboot your PC

Enjoy your clear PC.. and stop looking for free porn - try to buy membership on a good paysite

LOL! At least they are upfront about it.....

I normally don't trust uninstallers, because they often just clean you temporarily but leave a "time-bomb" re-installer. However, if you are feeling experimental, you could do a little test for us, seeing as you are already infected anyway. If you are an adventurous person, you could try the uninstaller first, see if it works, then post a new HJT log so we can compare it against your original and see if it is a legt uninstaller, ir a time-bomb re-installer.

If you don't feel experimental, just go ahead and make the fixes GH recommended.

Dexter...

Dexter

DOH! 1 min too late with that post! Well, looks like I may have to just test this guy myself at some point......

Dexter...

GHoosdum

ShineEyeGal, no problem, I'm glad to help.

Dexter, do you have some kind of quarantine PC you do the testing on, or do you subject yourself to these vile infections?

gibbonsl

? i tryed going their myself

i did not even get an installer pop up at all, and no problem

is this IE only i run firefox

just curious

primesuspect

most spyware is IE only.

mkafel

I had the same problem just this week.
The uninstaller does return your homepage back to normal but it leaves all of those nasty files in your computer.

Primesuspect helped me clear mine!
http://www.short-media.com/forum/showthread.php?t=17097

Hopefully it wont come back like ShineEyeGal's! :o

VileDaRKNiGHT

This is why i love firefox

ShineEyeGal

OK - here goes a stupid blonde thing

It is still here. 'IT lives in my 'PC'. I am TIRED of IT

Logfile of HijackThis v1.97.7
Scan saved at 16:44:53, on 22/07/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\EFAXVIEW.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HARDCOPY PRO\HARDCOPY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\YAHELITE\YAHELITE.EXE
C:\WINDOWS\EFAXVIEW.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://weba.directwebsearch.net/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html
F1 - win.ini: run=.
O2 - BHO: (no name) - {00000000-623A-11D4-BCDB-005004131771} -
C:\WINDOWS\SYSTEM\VGIEHELPER1-2-0-47.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_19_0.DLL
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} -
C:\WINDOWS\SYSTEM\WER1306.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_19_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM FILES\SOPHOS
SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Sweep95] C:\Program Files\Sophos
SWEEP\ICLOAD95.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM
FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer
Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
-
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38160.3666898148
O16 - DPF: ConferenceRoom Java Client -
http://webmaster.webmaster.com:8000/java/cr.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control
4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {00000000-623A-11D4-BCDB-005004131771} (CompanionHelper
Class) - http://www.questionpoint.org/web/updates/iecompanion.exe

I appreciate all the people who are willing to HELP OUT. This site is outrageously have the most helpful people on it. Ghoodsum the BEER is coming by FED EX.

Dexter

First of all, put HJT into a folder of it's own, such as c:\HJT, or make a folder for it on your desktop. That gives a safe storage spot for the "backup" files HJT creates.

As always, SAFE MODE. HJT. FIX:



R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://weba.directwebsearch.net/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://weba.directwebsearch.net/search.html

O2 - BHO: (no name) - {00000000-623A-11D4-BCDB-005004131771} -
C:\WINDOWS\SYSTEM\VGIEHELPER1-2-0-47.DLL

O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe


Then, manually find:

C:\WINDOWS\SYSTEM\winupd.exe
C:\WINDOWS\SYSTEM\VGIEHELPER1-2-0-47.DLL


and delete them.

Then, open Internet Explorer. Go to Tools -> Internet Options -> Programs. Click on Reset Web Settings, and click YES to the confirmation box that pops up.


Reboot normally. Check it out. If it works, come back and stroke my ego the same way you do for GH

Dexter...