4 replies to this topic

#1 mah_damey


Posted 26 May 2004 - 02:12 PM

Every time I open up IE, the homepage is set to mypoiskovik.com and it adds some links to my favorites that I don't want. Also, when I shut down my computer, there's this WinMin program that is not responding and it's really annoying.
This is my log:
Logfile of HijackThis v1.97.7
Scan saved at 2:06:42 PM, on 5/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\LDCLIENT\LOCALSCH.EXE
C:\WINNT\system32\cba\pds.exe
C:\LDCLIENT\QIPCLNT.EXE
C:\LDClient\tmcsvc.exe
C:\WINNT\System32\mnmsrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\LDClient\wuser32.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\MsgSys.EXE
C:\LDCLIENT\SDISTHK.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\winnt\dllhelp.exe
C:\esc\escsupport.exe
C:\Documents and Settings\isbaych\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.williams.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\LDCLIENT\SDISTHK.EXE
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LDScan] C:\LDClient\LDISCN32.EXE /NTT=ESTUTLD1:5007 /S="ESTUTLD1" /I=\\estutld1\ldlogon\ldappl.ini /noui
O4 - HKLM\..\Run: [IntelAPMClient] C:\LDClient\amclient.exe /apm /s /bw=LAN
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: helpdesk.lnk = C:\esc\escsupport.exe
O4 - Global Startup: lucki.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Task Completion.LNK = C:\LDClient\AMCLIENT.EXE
O4 - Global Startup: w2ktimeset.bat
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://intranet.williams.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://wgpcommon.tra...c.com/wfica.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8074.5374537037
O16 - DPF: {9F7BB5A8-FDFD-4667-86A7-B9C82F5CBAE6} (Project1.UserControl1) - http://www.gaskit.wi.../Gaskitpdel.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WILLIAMS.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WILLIAMS.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WILLIAMS.COM

#2 asabatel


Posted 26 May 2004 - 02:32 PM

The culprit is winnt\dllhelp.exe, I believe. Fix all the R1/R0 lines with the word mypoiskovik and the winnt\dllhelp.exe line. Then reboot in safe mode and delete the dllhelp.exe file. Reboot in normal mode.

#3 mah_damey


Posted 26 May 2004 - 02:40 PM

Er... how do I delete the dllhelp.exe file in safe mode?

#4 PGPhantom


Posted 26 May 2004 - 03:30 PM

I will give you a hand with this log. Asabatel - Please refer to my last post regarding helping.

#5 PGPhantom


Posted 26 May 2004 - 03:47 PM

How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.

Run HijackThis and delete the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.williams.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe

We need to remove a program called "Twain-Tec". To do this, first you need to disable System Restore as per the instructions here. Twaintec.dll is a transponder. HijackThis will detect it as a BHO, but it must not be removed using HijackThis. This is because of the remaining registry entries and files, which can be dangerous. Instead, the following method of removal is preferable and complete:
Go to "Add/Remove Programs" => Uninstall "Twain-Tech". Reboot the computer to SAFE mode - How do I boot into "Safe" mode?. Delete twaintech.dll and twaintec.ini. If twaintech.dll is in use, then you would need to rename it, reboot the computer, and then delete it.

Run HijackThis and delete the following (Yes, this is the second time to run it - Please do not delete everything together - Follow the order listed):
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\LDCLIENT\SDISTHK.EXE
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - Global Startup: lucki.exe
O4 - Global Startup: w2ktimeset.bat
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O4 - Global Startup: helpdesk.lnk = C:\esc\escsupport.exe <= I do not get any matches on this, do you know what it is?

Please reboot into safe mode - How do I boot into "Safe" mode?

Please clean up temporary files etc. Browse to and select all contents in the following folders (Windows may be WINNT or WIN98 etc.), and delete (Make sure to delete the sub-folders, but not the Temp folders themselves!):
  • C:\Windows\Temp (all contents)
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
  • C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temporary Internet Files (all contents)
  • C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp (all contents)
  • Empty your "Recycle Bin".
  • c:\winnt\dllhelp.exe
  • C:\LDCLIENT\SDISTHK.EXE
  • C:\Program Files\Orbit <= Delete this directory
  • lucki.exe <= You will have to do a search for this file, probably in c:\windows/
  • w2ktimeset.bat <= You will have to do a search for this file, probably in c:\windows/
Reboot again, log in normally, and repost a new HijackThis log in this thread for further review.
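As an added example (not code from this thread or from HijackThis itself), the following Python triages lines in the HijackThis 1.97 format shown above the way the reply does by hand: R0/R1 start and search pages pointing outside an assumed allow-list of trusted hosts, BHOs with no file, and O4 startup items that run from the Windows root folder or carry no path at all. The sample lines are constructed from the posted log; the allow-list and the Windows-root heuristic are assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed sample in HijackThis 1.97 format, modelled on the log above.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.williams.com",
    r"O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)",
    r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe",
    r"O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe",
    r"O4 - Global Startup: lucki.exe",
]
# Assumed allow-list: hosts the start/search page may legitimately use.
TRUSTED_HOSTS = {"intranet.williams.com"}
WINDIRS = {r"c:\windows", r"c:\winnt"}  # heuristic: software rarely runs from here
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")

def run_target(body):
    """Extract the program path from the body of an O4 entry."""
    cmd = body.split(": ", 1)[1] if ": " in body else body
    if cmd.startswith("["):                   # "[name] command line"
        cmd = cmd.split("] ", 1)[1]
    if " = " in cmd:                          # "shortcut.lnk = target"
        cmd = cmd.split(" = ", 1)[1]
    if cmd.startswith('"'):                   # quoted path followed by switches
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" -")[0].split(" /")[0]  # drop trailing switches

def triage(lines, trusted_hosts=TRUSTED_HOSTS):
    """Return (section, reason, line) for each HijackThis entry worth review."""
    hits = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and " = " in body:
            host = urlparse(body.rsplit(" = ", 1)[1].strip()).hostname or ""
            if host not in trusted_hosts:
                hits.append((sec, f"IE start/search page set to {host}", line))
        elif sec == "O2" and body.endswith("(no file)"):
            hits.append((sec, "BHO registered but its DLL is missing", line))
        elif sec == "O4":
            path = run_target(body)
            parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
            if not parent:
                hits.append((sec, "startup item without a full path", line))
            elif parent in WINDIRS:
                hits.append((sec, "program started from the Windows root folder", line))
    return hits
```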
