
Hi, I am new here and I have read some of the posts, but I have never seen anything on what msiesh is. I have the same problem: when I start my internet, a different start page pops up than my home page. It is some kind of search page. Oh, and I just started getting pop-ups. Please help. mark

StartupList report, 6/9/04, 1:06:12 PM
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.50 SP1 (5.50.4522.1800)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\CGXSNKL.EXE
C:\WINDOWS\SYSTEM\A.EXE
C:\WINDOWS\APPLICATION DATA\DOLL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WNSCPSV.EXE
C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Welcome = C:\WINDOWS\Welcome.exe /R
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
mdac_runonce = C:\WINDOWS\SYSTEM\runonce.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
Image = rundll32 C:\WINDOWS\JAVAGD.DLL,Install
hxnqjhkzwk = C:\WINDOWS\SYSTEM\cgxsnkl.exe
ALCHEM = C:\WINDOWS\ALCHEM.exe
systray = C:\WINDOWS\SYSTEM\A.EXE
qpotyb = C:\WINDOWS\qpotyb.exe
ijsf = C:\WINDOWS\ijsf.exe
xpsystem = C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
Anwm = C:\WINDOWS\Application Data\doll.exe
WNSI = C:\WINDOWS\SYSTEM\wnscpsv.exe
ClockSync = C:\PROGRA~1\CLOCKS~1\Sync.exe
xpsystem = C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

Image = rundll32 C:\WINDOWS\JAVAGD.DLL,Install

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 9/6/2004, 13:4:40)

[Rename]
NUL=C:\WINDOWS\TEMP\DRP4173.TMP\THNALL1T.EXE

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/6/2004, 11:41:54)

[Rename]
NUL=C:\WINDOWS\TEMP\BDL14025.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

path c:\tablet;c:\summasoft;C:\ANVIL
SET PATH=%PATH%;C:\PROGRA~1\COMMON~1\AUTODE~1

--------------------------------------------------


Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
mwsBar BHO - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing) - {07B18EA1-A523-4961-B6BB-170DE4475CCA}
MyWebSearch Search Assistant BHO - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL (file missing) - {00A6FAF1-072E-44cf-8957-5838F569A31D}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
OsbornTech Popup Blocker - C:\WINDOWS\SYSTEM\MSHELPER.DLL (file missing) - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}
ShowSearch module - C:\WINDOWS\APPLICATION DATA\IEKI\IPTK32.DLL - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C}
(no name) - (no file) - {5321E378-FFAD-4999-8C62-03CA8155F0B3}
(no name) - C:\WINDOWS\MSOPT.DLL (file missing) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing) - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\MXTARGET.DLL - {0000607D-D204-42C7-8E46-216055BF9918}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38145.2723032407

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ISTACTIVEX.DLL
CODEBASE = http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

[MediaTicketsInstaller Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX
CODEBASE = http://www.mt-download.com/MediaTicketsInstaller.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
DDE Control Module: *Registry key not found*

--------------------------------------------------
End of report, 8,030 bytes
Report generated in 0.201 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
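As an added example (not code from the thread or from the StartupList/HijackThis tools): a small Python triage script that parses the "Autorun entries from Registry" sections of a report like the one above and flags the entries a helper would ask about. The baseline value names and the MyWebSearch markers are taken from this report; the excerpt it runs on is constructed from it, and the heuristics are assumptions for illustration, not a definitive good/bad verdict.

```python
import re
# Excerpt of the StartupList report posted above, constructed for this example: two Run
# keys mixing Windows 98 defaults, a legitimate third-party tool and the hijacker's entries.
REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
Image = rundll32 C:\WINDOWS\JAVAGD.DLL,Install
hxnqjhkzwk = C:\WINDOWS\SYSTEM\cgxsnkl.exe
systray = C:\WINDOWS\SYSTEM\A.EXE

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Anwm = C:\WINDOWS\Application Data\doll.exe
ClockSync = C:\PROGRA~1\CLOCKS~1\Sync.exe
"""
SECTION = re.compile(r"Autorun entries from Registry:\n(?P<key>\S+)\n\n(?P<body>.*?)(?:\n-{5,}|\Z)", re.S)
ENTRY = re.compile(r"^(?P<name>[^=\n]+?) = (?P<cmd>.+)$", re.M)
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)", re.I)  # first module path in a command
VOWEL = re.compile(r"[aeiouy]", re.I)
BASELINE = {"welcome", "scanregistry", "taskmonitor", "systemtray", "loadpowerprofile",
            "mdac_runonce", "schedulingagent"}  # value names Windows 98 SE creates itself
HIJACKER_MARKERS = ("MYWEBS", "MWSOEMON")  # MyWebSearch pieces named in the thread (assumed list)
def parse_autoruns(report):
    """(registry key, value name, command) for every entry of every Run section."""
    return [(s.group("key"), e.group("name").strip(), e.group("cmd").strip())
            for s in SECTION.finditer(report) for e in ENTRY.finditer(s.group("body"))]

def triage(name, cmd):
    """Reasons this autorun entry deserves a look; an empty list means unremarkable."""
    m = PATH.search(cmd)
    path = m.group(0).upper() if m else ""  # "" when the command names no drive path
    stem = path.rsplit("\\", 1)[-1].split(".")[0]  # executable name without extension
    checks = [
        (path.startswith("C:\\WINDOWS") and name.lower() not in BASELINE,
         "non-baseline binary inside the Windows directory"),
        (any(mark in path for mark in HIJACKER_MARKERS), "MyWebSearch component"),
        (len(stem) == 1, "single-letter executable name"),
        (not VOWEL.search(name) or (stem != "" and not VOWEL.search(stem)),
         "name or executable has no vowels (looks generated)"),
    ]
    return [reason for hit, reason in checks if hit]

def flagged(report):
    """Entries worth reviewing, as (hive, value name, reasons)."""
    rows = [(key.split("\\")[0], name, triage(name, cmd)) for key, name, cmd in parse_autoruns(report)]
    return [row for row in rows if row[2]]
```

Run against the full report, the same heuristics would also raise the RunServices and WIN.INI `run=` entries pointing at MSXMIDI.EXE and the BHOs marked "(file missing)", which is the list a helper on this forum would ask to see cleaned up.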

Last Post by crunchie

I've moved this to our Security forum, as that's where we concentrate on "spyware" problems.

At the very least, you've obviously been infected with the MySearch malware; some specific info on that can be found here:
http://www.mac-net.com/445088.page

Download and run the (free) spyware detection and removal programs listed in my sig below; they should clear out most of the crap in your system. After you've used the utilities, repost if you're still having problems.


Can you please post a normal HJT log after uninstalling MyWebSearch from Add/Remove Programs.
Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch that is stored in its database. Close ALL windows, including IE, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Download & install Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URLs,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
Select 'activate in-depth scan' before starting scan.
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object. Reboot.

Download & install Spybot S&D from here. Update it before scanning. Go into settings & have it check for Beta releases also & download if available.
After the scan is complete, have Spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise; you should do this. In the immunise section there is also a link to download SpywareBlaster. This program will prevent the install of bad ActiveX controls that it has knowledge of. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot.

Reboot after doing this & post another log please.
