HijackThis Log

Discussion in 'adware, spyware & hijack cleaning' started by annie_lynn, May 22, 2004.

Thread Status:
Not open for further replies.
  1. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    I have been getting lots of pop-ups recently and have noticed something called DealHelper in my program files but it won't let me remove it.
    I have MSN's pop up block and I haven't been having this many pop-ups until just today.
    Please help if you can. Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:30:37 PM, on 5/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\WINDOWS\helsrqoy.exe
    C:\WINDOWS\dhbrwsr.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\dhsvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinMX\WinMX.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Andrea Harwell\Desktop\Andrea's Music & Stuff\Other\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
    O2 - BHO: (no name) - {F2799AF9-207D-45D1-B7FA-9E3E5E86FE89} - C:\WINDOWS\sheopk.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [lgsqj] C:\WINDOWS\helsrqoy.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38119.944525463
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi annie_lynn,

    First uninstall webhancer from the add/remove programs list in control panel

    Then, have only HijackThis running and fix :

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
    O2 - BHO: (no name) - {F2799AF9-207D-45D1-B7FA-9E3E5E86FE89} - C:\WINDOWS\sheopk.dll

    O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll

    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [lgsqj] C:\WINDOWS\helsrqoy.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Restart PC after doing so in Safe Mode (Here's How) and remove (if still present):

    C:\Program Files\TV Media\ <- this folder
    C:\WINDOWS\helsrqoy.exe <- this file
    C:\WINDOWS\DHUpdt.exe <- this file
    C:\WINDOWS\dhbrwsr.exe <- this file

    Clean temp internet files

    Restart again in normal mode

    Hope this helps

    Cheers,
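
Added example, not part of the original thread or any poster's code: a Python parser for HijackThis entry lines like those in the log above, which flags entries for a human to review. The function names and the three heuristics are assumptions made for this illustration; they do not reproduce the full fix list above (the TV Media and webHancer entries under Program Files are not flagged).

```python
import re
from ntpath import dirname, normcase

# Constructed sample: a subset of the entry lines from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com/
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [lgsqj] C:\WINDOWS\helsrqoy.exe
"""

ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.*)$")   # section code, then the rest
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))"?', re.I)

def parse(log):
    """Return one dict per entry line; headers and the process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, rest = m.groups()
        clsid, path = CLSID.search(rest), PATH.search(rest)
        entries.append({"code": code, "raw": line.strip(), "path": path.group(1) if path else None,
                        "clsid": clsid.group(0).upper() if clsid else None})
    return entries

def review_candidates(entries, system_root=r"C:\WINDOWS"):
    """Map each flagged raw line to the reasons it deserves a closer look."""
    by_clsid = {}
    for e in entries:  # record which IE extension points (O2 BHO, O3 toolbar) use a CLSID
        if e["clsid"] and e["code"] in ("O2", "O3"):
            by_clsid.setdefault(e["clsid"], set()).add(e["code"])
    flagged = {}
    for e in entries:
        reasons = []
        if e["raw"].endswith("(no file)"):
            reasons.append("registered component has no file on disk")
        if e["path"] and normcase(dirname(e["path"])) == normcase(system_root):
            reasons.append("binary sits directly in the Windows directory")
        if by_clsid.get(e["clsid"], set()) >= {"O2", "O3"}:
            reasons.append("same CLSID registered as both BHO and toolbar")
        if reasons:
            flagged[e["raw"]] = reasons
    return flagged
```

A flag here means "look at this entry", not "fix it"; legitimate software can match any of the three heuristics.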
     
  3. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    Thanks for the help. It seems to have stopped the pop-ups.
    I have one more question though. When I go into the Control Panel and Add or Remove Programs I still have something called DealHelper 1.0.0.35. When I try to remove it, it tells me that it can't delete it unless I remove all the dealhelper ad supported software off my computer. Is this something I need to get rid of and if so, how do I go about removing it??

    Thanks
    annie_lynn
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi annie_lynn,

    It is not something that has to be removed. The removal with HijackThis leaves some orphaned registry entries behind that any decent registry cleaner should be able to get rid of for you. Or you can wait until this cr@pware is added for detection to your favorite spyware scanner and the removal process will be completed then.

    Regards,

    Pieter
     
  5. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    ok.
    Thanks again for all your help.

    annie_lynn
     