Jump to content


Newbian help

  • Please log in to reply
4 replies to this topic

#1 Stonedale



  • Full Member
  • Pip
  • 7 posts

Posted 31 May 2004 - 03:58 PM

We, About a week or so I got all kinds of nasty things on my pc. Don't know how and don't care. It freezes almost every time I turn it on now because all the spyware and stuff trying to run at once. I know I have this trojan something called starthost dc or something like that. But thier is other stuff to and, I'm not 100% sure what to do.

I have used McAfee anti-virus, Ad-aware, Spybot " search and destroy", Anti- Trojan Elite, and now i have tried to use this Hijack this but, I'm not sure what to delete and what not to.

Logfile of HijackThis v1.97.7
Scan saved at 04:52, on 5/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matthew\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir1.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir1.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir1.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir1.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com...nder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir1.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir1.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com...nder.cc/search/ (obfuscated)
O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
O1 - Hosts: lender-search.com
O1 - Hosts: hot-searches.com
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Matthew\Application Data\ieew\ieew32.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\Matthew\Application Data\ieew\ntok.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\Matthew\Application Data\ieew\mfcnt32.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int114844.exe -auto
O4 - HKLM\..\Run: [jopa] C:\WINNT\system32\sysstartup.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [System Backup] ms32.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\sdkqh32.dll,Install
O4 - HKLM\..\Run: [WinTime] C:\WINNT\system32\wintime.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINNT\mstasks2.exe /u
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\sdkqh32.dll,Install
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.bi....chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111111237} -
O16 - DPF: {161A7465-FEEE-4B40-8A85-ED752B93F73E} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.../goodthinxx.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8126.3336805556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo.../netpe32_EN.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

Thanks for any help.

#2 Stonedale



  • Full Member
  • Pip
  • 7 posts

Posted 31 May 2004 - 04:51 PM

I'm sorry I forgot a few things that was asked of me. I have read the FAQ and as far as I can see I am folling all the rules.

AS for main probelms I am having.

On start up plugin thingy loads and ask for country.

Random popups I think one is a dailer. " When i am not looking at any pages."

Computer freezes from these activities or maybe because with all this crap it's overloading.

I have tried like i said above to fix this probelm. I have been trying for a week. I just uploaded all my cds after I had just fomated my harddrive so, I don't really want to do it again. The trjan I was talking about is startpage-dc. none of these programs have been able to remove them completely and really is just a waste of time trying to lol. all of my programs are updated , I look daily for updates.

Thanks for any help.

#3 Stonedale



  • Full Member
  • Pip
  • 7 posts

Posted 31 May 2004 - 07:46 PM

Can you please try to help me, it's only getting worse. I have to restart every 3 minutes because it freezes.

#4 thops



  • Full Member
  • Pip
  • 3 posts

Posted 31 May 2004 - 10:42 PM

You have to fix the entry wintime.exe which is creating the


#5 Daemon


    Security Expert

  • Retired Staff
  • PipPipPipPipPip
  • 3,350 posts

Posted 01 June 2004 - 02:01 AM

Could you try this first and we we deal with what's left manually. Click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done.

Also go here and run online scans (all), allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan

Reboot when done.

Rescan with HJT and post a new log.
Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!