Please Help....

372717 · Dec 23, 2003

Logfile of HijackThis v1.97.7
Scan saved at 5:58:01 AM, on 12/17/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\WINNT\system32\viewport.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe
c:\msdos.exe
D:\MIRC\Invision22\mIRC32.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\ezSP_Px.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\System32\mspaint.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Software\Popup_killer_software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

http://my.search/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://my.search/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://my.search/sp.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://my.search/sp.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://searchmyrequest.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =

http://searchmyrequest.com/hp.php

O1 - Hosts: 205.177.124.66 auto.search.msn.com
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - C:\WINNT\System32\COMET.DLL
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho12a.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydarVisionViewport] viewport.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DMASwitch] C:\Program Files\CyberLink\PowerDVD\CLDMA.EXE 1 3
O4 - HKLM\..\Run: [WinAuth] C:\WINNT\winlogon.exe
O4 - HKLM\..\Run: [MsSystem] c:\msdos.exe
O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe
O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\Serv-U\ServUTray.exe
O4 - HKCU\..\Run: [quicken] c:\WINNT\quicken.exe
O4 - HKCU\..\Run: [editpad] C:\WINNT\editpad.exe
O4 - HKLM\..\RunOnce: [Launch MyDVD] C:\Program Files\Sonic\MyDVD\MyDVDReg.exe /regserver
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{5E835~1\Setup.exe -rebootC:\PROGRA~1\INSTAL~1\{5E835~1\reboot.ini -l0x9
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: PopUp Inspector (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector (HKCU)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37972.4566087963

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)

Thanks,

kippy13 · Dec 23, 2003

Not too sure if theres too much wrong here.
but as a precaution:

Download and run in this order:

cwshredder *
SpyBot 1.2 *
AdAware *

* = Update the definition files within the program as the first step.

http://www.spywareinfo.com/downloads.php?cat=sp#det

"Sometimes I do not know but I try hard"- R.F. Haughty 1923

372717 · Dec 23, 2003

Ok done.
What is next step I need to do ?

Thanks,

bcastner · Dec 23, 2003

I would use Hijack This! to sort out your failed program installation here:

O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{5E835~1\Setup.exe -rebootC:\PROGRA~1\INSTAL~1\{5E835~1\reboot.ini -l0x9

bcastner · Dec 23, 2003

Some other things bother me.

c:\msdos.exe

O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)

The latter is the Alexa trojan, for removal see:

http://www.symantec.com/avcenter/venc/data/adware.searchcounter.html

The first, c:\msdos.exe is worrisome. There is no Windows file such as this. It looks like a variant of this:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.ssdx.html

Do two online antivirus scans from smah's FAQ, (I recommend Trend Micro and Panda): faq760-3862

372717 · Dec 23, 2003

I deleted that 2 files you told me.
Here is new HJ scan:
Logfile of HijackThis v1.97.7
Scan saved at 3:49:24 PM, on 12/17/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\WINNT\system32\viewport.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\ezSP_Px.exe
D:\Software\Popup_killer_software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://webcoolsearch.com/

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydarVisionViewport] viewport.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\Serv-U\ServUTray.exe
O4 - HKCU\..\Run: [quicken] c:\WINNT\quicken.exe
O4 - HKCU\..\Run: [editpad] C:\WINNT\editpad.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37972.4566087963

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks,

bcastner · Dec 23, 2003

Have Hijack This! remove:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://webcoolsearch.com/

O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE

Make sure you follow the removal instructions here:

http://www.symantec.com/avcenter/venc/data/adware.searchcounter.html

Finally, run cwshredder again.

372717 · Dec 23, 2003

Everything is working now.

Thank you very much.

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Please Help....

372717

Technical User

kippy13

IS-IT--Management

372717

Technical User

bcastner

IS-IT--Management

bcastner

IS-IT--Management

372717

Technical User

bcastner

IS-IT--Management

372717

Technical User

Similar threads

Part and Inventory Search

Sponsor