"deal helper" expert help needed


5 replies to this topic

#1 shug

shug

    Member

  • New Member
  • 4 posts

Posted 01 June 2004 - 06:34 PM

I was lucky enough to get infected with a browser Hijacker that seems to have been related to "deal helper", "180 solutions" and a couple of other annoying programs...

I found some info on a google groups search and used this method to remove the deal helper google search hijack---

"It was removed by running
the command line "regsvr32 /u msdhmd.dll". The DLL is 119,808 bytes dated
8/22/2001. Info in the DLL indicates it was actually compiled on
4/14/2004. Re-registering it with "regsvr32 msdhmd.dll" started the search
hijacking again." <-- from a google group post.

I then ran updated versions of adaware and spybot S&D both of which found a lot of stuff that needed to be removed/fixed. I also used Winpatrol to identify some of the programs.

My Google toolbar no longer works but everything else related to my browser appears to be working normally again.

I'm new to a lot of this so if some experts on the forum would be so kind as to view my hijackthis.log I would be very grateful.... also, would it be ok to reinstall my google toolbar?? TIA

--------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 6:25:53 PM, on 6/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloads\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.22.0.4:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7841.7472106482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by shug, 01 June 2004 - 06:36 PM.
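A small parser for the HijackThis line format shown in the log above, as an added example that is not part of this thread: it pulls the section code, CLSID and target out of each R/O line and runs the checks a reviewer would want after a cleanup like shug's, whether any entry still references msdhmd.dll, whether any Run key re-registers a DLL with regsvr32 at logon (which would undo a manual "regsvr32 /u"), and what proxy IE is set to. The sample lines are constructed: four mirror the posted log, and the msdhmd.dll BHO line with its all-zero CLSID is made up so the check has something to find.

```python
import re
from collections import namedtuple
# Constructed sample in HijackThis v1.97 line format: the first four lines mirror
# entries from the log posted in this thread; the last O2 line is made up (placeholder
# CLSID) to show what a still-registered msdhmd.dll BHO would look like.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.22.0.4:8080
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\msdhmd.dll
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# code: section ("O2"); name: BHO/Toolbar/Run key/registry value; target: path,
# command line or value, lowercased so later matching is case-insensitive.
Entry = namedtuple("Entry", "code name clsid target")

def parse(log):
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        clsid = next(iter(CLSID_RE.findall(rest)), None)
        if code.startswith("R"):                  # "<key>,<value> = <data>"
            name, _, target = rest.partition(" = ")
        elif code == "O4":                        # "<key>: [<name>] <command>"
            name, _, target = rest.partition("] ")
            name = name.replace(": [", " ")
        else:                                     # "<kind>: <desc> - {CLSID} - <path>"
            name = rest.split(":", 1)[0]
            target = rest.rsplit(" - ", 1)[-1]
        entries.append(Entry(code, name, clsid, target.strip().lower()))
    return entries

def find_module(entries, dll_name):
    """Every entry (BHO, toolbar, Run key, ...) whose target names the given DLL."""
    return [e for e in entries if dll_name.lower() in e.target]

def regsvr32_run_entries(entries):
    """Run keys calling regsvr32 at logon; each re-registers a DLL and would undo a manual 'regsvr32 /u'."""
    return [e for e in entries if e.code == "O4" and "regsvr32" in e.target]

def proxy_server(entries):
    """The IE ProxyServer value from the R-lines, if any; confirm it is one you expect."""
    return next((e.target for e in entries if e.name.endswith(",ProxyServer")), None)
```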


#2 shug

shug

    Member

  • New Member
  • 4 posts

Posted 01 June 2004 - 08:16 PM

BUMP

#3 shug

shug

    Member

  • New Member
  • 4 posts

Posted 01 June 2004 - 10:35 PM

bump again...

#4 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 02 June 2004 - 07:47 AM

Your log looks OK. I don't see any reason why you shouldn't install the Google toolbar.

#5 shug

shug

    Member

  • New Member
  • 4 posts

Posted 02 June 2004 - 08:56 AM

That's great news :D

Thanks a lot for looking my .log file over.


-Shug

#6 Max Rebo

Max Rebo

    Member

  • New Member
  • 1 posts

Posted 02 June 2004 - 02:57 PM

I was lucky enough to get infected with a browser Hijacker that seems to have been related to "deal helper", "180 solutions" and a couple of other annoying programs...

I found some info on a google groups search and used this method to remove the deal helper google search hijack---

"It was removed by running
the command line "regsvr32 /u msdhmd.dll". The DLL is 119,808 bytes dated
8/22/2001. Info in the DLL indicates it was actually compiled on
4/14/2004. Re-registering it with "regsvr32 msdhmd.dll" started the search
hijacking again." <-- from a google group post.

I then ran updated versions of adaware and spybot S&D both of which found a lot of stuff that needed to be removed/fixed. I also used Winpatrol to identify some of the programs.

shug --

You saved my day, man! I had found DealHelper and 180solutions references after running SpyBot SD and Ad-Aware. After doing all the "fixes" and deleting temp files from all known locations, the Google search hijack persisted.

Not sure if yours was the same, but when I entered search criteria in Google, I'd get a list of other search links as Page 1 with a small pop-up containing a few other random search links. It was quite annoying. I figured there was some registry change that the spyware programs didn't catch.

I found your post and entered "regsvr32 /u msdhmd.dll" and then tried a random Google search and it worked like it was supposed to! Awesome...

I have one question, though: By un-registering msdhmd.dll, is anything else affected adversely? Or rather, is this DLL file actually necessary for any other program? It seems like it isn't.

Thanks!! :thumbsup: :bounce:



