Please Help

  • This topic is locked
5 replies to this topic

#1 Smoker02

  • Member
  • Full Member
  • 11 posts

Posted 15 July 2004 - 11:43 AM

The following is my HJT Log and I really need help figuring out what to do. Can someone please help? Thanks a bunch.
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\SDKUA32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\SYSTEM\SYSRH32.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\LIVESHOWS\MY DOCUMENTS\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_19_0.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\MSFU\MSFU32.DLL (file missing)
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)
O2 - BHO: (no name) - {35211BE1-8EDF-F9D6-D61F-027B7DB286D4} - C:\WINDOWS\IEWZ.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {353933B6-2ECF-A0F1-F1EB-C0B9FE2EF168} - C:\WINDOWS\MSSA32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {D12625AE-A957-757E-90B7-0FFA44B59314} - C:\WINDOWS\APIRX32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {C653C368-29FD-E41B-894A-375BFD1FB285} - C:\WINDOWS\SYSTEM\APPZT.DLL (file missing)
O2 - BHO: (no name) - {72B04BEB-4CD0-95C2-0E2D-41D31977A963} - C:\WINDOWS\SYSTEM\WINHW32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {67653365-4261-DF9B-4D79-7D96F5D80398} - C:\WINDOWS\SYSTEM\ADDNK32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {01575B9F-13D1-712F-6453-1A4855B87338} - C:\WINDOWS\MFCKD.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {A3DFDA85-1D92-4E28-8C0C-522574ACDC8A} - C:\WINDOWS\SYSTEM\msacrohlp.dll (disabled by BHODemon)
O2 - BHO: (no name) - {0B519E07-7824-4adc-8890-93D5EABBF285} - C:\WINDOWS\SYSTEM\msadocm32.dll (disabled by BHODemon)
O2 - BHO: (no name) - {144A84E3-9090-5AA2-057D-BAADC66F9D82} - C:\WINDOWS\SYSTEM\NETAT.DLL (file missing)
O2 - BHO: (no name) - {087899FB-71F1-C680-3656-92E12F8C1179} - C:\WINDOWS\SYSSI32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {B6F39436-B55A-8D4D-6E92-1B81D55EBAEF} - C:\WINDOWS\MSYX.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {F5CC19B1-9C20-9E15-1B2A-5624A6A45C4E} - C:\WINDOWS\IPFN.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {292E35CC-69D5-FB97-1ED9-C7DA8B132261} - C:\WINDOWS\SYSTEM\D3TY.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {EE095897-CF57-F9F1-0CB8-85D815B6038C} - C:\WINDOWS\ATLWO32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {7DD50571-4633-DF46-FC74-016D61FAA461} - C:\WINDOWS\SYSTEM\WINQK32.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_19_0.DLL (file missing)
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [SYSRH32.EXE] C:\WINDOWS\SYSTEM\SYSRH32.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [SDKUA32.EXE] C:\WINDOWS\SYSTEM\SDKUA32.EXE
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...362/mcfscan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,19/mcgdmgr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/.../RumbleCube.cab
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.micr...C4D/mp43dmo.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab

#2 dave38

  • Devout Murphyite!
  • Emeritus
  • 8,508 posts

Posted 15 July 2004 - 03:21 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\MSFU\MSFU32.DLL (file missing)
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)
O2 - BHO: (no name) - {35211BE1-8EDF-F9D6-D61F-027B7DB286D4} - C:\WINDOWS\IEWZ.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {353933B6-2ECF-A0F1-F1EB-C0B9FE2EF168} - C:\WINDOWS\MSSA32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {D12625AE-A957-757E-90B7-0FFA44B59314} - C:\WINDOWS\APIRX32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {C653C368-29FD-E41B-894A-375BFD1FB285} - C:\WINDOWS\SYSTEM\APPZT.DLL (file missing)
O2 - BHO: (no name) - {72B04BEB-4CD0-95C2-0E2D-41D31977A963} - C:\WINDOWS\SYSTEM\WINHW32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {67653365-4261-DF9B-4D79-7D96F5D80398} - C:\WINDOWS\SYSTEM\ADDNK32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {01575B9F-13D1-712F-6453-1A4855B87338} - C:\WINDOWS\MFCKD.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {A3DFDA85-1D92-4E28-8C0C-522574ACDC8A} - C:\WINDOWS\SYSTEM\msacrohlp.dll (disabled by BHODemon)
O2 - BHO: (no name) - {0B519E07-7824-4adc-8890-93D5EABBF285} - C:\WINDOWS\SYSTEM\msadocm32.dll (disabled by BHODemon)
O2 - BHO: (no name) - {144A84E3-9090-5AA2-057D-BAADC66F9D82} - C:\WINDOWS\SYSTEM\NETAT.DLL (file missing)
O2 - BHO: (no name) - {087899FB-71F1-C680-3656-92E12F8C1179} - C:\WINDOWS\SYSSI32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {B6F39436-B55A-8D4D-6E92-1B81D55EBAEF} - C:\WINDOWS\MSYX.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {F5CC19B1-9C20-9E15-1B2A-5624A6A45C4E} - C:\WINDOWS\IPFN.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {292E35CC-69D5-FB97-1ED9-C7DA8B132261} - C:\WINDOWS\SYSTEM\D3TY.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {EE095897-CF57-F9F1-0CB8-85D815B6038C} - C:\WINDOWS\ATLWO32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {7DD50571-4633-DF46-FC74-016D61FAA461} - C:\WINDOWS\SYSTEM\WINQK32.DLL

O4 - HKLM\..\Run: [SYSRH32.EXE] C:\WINDOWS\SYSTEM\SYSRH32.EXE
O4 - HKLM\..\RunServices: [SDKUA32.EXE] C:\WINDOWS\SYSTEM\SDKUA32.EXE

Reboot and delete these files:
C:\WINDOWS\SYSTEM\SYSRH32.EXE
C:\WINDOWS\SYSTEM\SDKUA32.EXE

These may be hidden files. See HERE for how to show hidden files.

Your log shows that MSConfig is running at startup. This indicates that you may be using "diagnostic startup" rather than "normal startup", to stop something running. While this is OK, when looking for malware, it is possible that you have disabled it, and it will not then show up in the Hijack this log. Before posting a fresh log, would you please open MSConfig, and choose the "normal startup" option. Then everything will be running, and if anything needs removal, we can give appropriate advice.


Please post a followup Hijack this log, including the header, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
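A small triage script for the HJT line formats seen in this thread, added here as an example; it is not part of the thread, of HijackThis, or of dave38's method. It flags the three patterns dave38 picked out by hand (a search page pointing at an unexpected host, nameless BHOs that are missing or disabled, and Run/RunServices entries named after their own executable) and diffs a before/after log the way the follow-up log in this thread confirms the fix. The sample lines are a subset copied from the logs posted above, with the forum's "..." URL truncation left as posted; the allowed-host set and the name-equals-executable heuristic are my assumptions, and the heuristic also matches the legitimate devldr16.exe entry, so the output is a list for a human to review, not a verdict.

```python
"""HijackThis (HJT) log triage helper (added example, not HJT's own code)."""
import re
from dataclasses import dataclass

# Sample lines copied from the logs posted in the thread; the forum's "..."
# URL truncation is left as posted. The "after" sample mirrors the follow-up
# log: the fixed entries are gone and a RealPlayer scheduler entry appeared.
SAMPLE_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\MSFU\MSFU32.DLL (file missing)
O2 - BHO: (no name) - {35211BE1-8EDF-F9D6-D61F-027B7DB286D4} - C:\WINDOWS\IEWZ.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {7DD50571-4633-DF46-FC74-016D61FAA461} - C:\WINDOWS\SYSTEM\WINQK32.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [SYSRH32.EXE] C:\WINDOWS\SYSTEM\SYSRH32.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [SDKUA32.EXE] C:\WINDOWS\SYSTEM\SDKUA32.EXE
"""
SAMPLE_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
"""

# Line shapes as they appear in HJT 1.97 logs (only the kinds used here).
HJT_LINE = re.compile(r"^(?P<kind>R\d|O\d{1,2}) - (?P<body>.+)$")
SEARCH = re.compile(r"^HKCU\\Software\\Microsoft\\Internet Explorer\\(?P<key>.+?) = (?P<url>.+)$")
BHO = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)"
                 r"(?: \((?P<status>file missing|disabled by BHODemon)\))?$")
RUN = re.compile(r"^HKLM\\\.\.\\(?P<hive>Run|RunServices): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    line: str
    reason: str


def url_host(url: str) -> str:
    """Host part of an http URL (kept verbatim, even if the forum truncated it)."""
    parts = url.split("/")
    return parts[2].lower() if len(parts) > 2 else url.lower()


def command_exe(cmd: str) -> str:
    """File name of the executable in a Run-key command line, quoted or not."""
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1]


def triage(log_text: str, allowed_hosts=frozenset({"msn.com"})) -> list:
    """Return the lines a reviewer should look at first, with the reason."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body, line = m.group("kind"), m.group("body"), raw.strip()
        if kind in ("R0", "R1"):          # IE start/search page settings
            s = SEARCH.match(body)
            if s and url_host(s.group("url")) not in allowed_hosts:
                findings.append(Finding(line, f"IE {s.group('key')} points at {url_host(s.group('url'))}"))
        elif kind == "O2":                # browser helper objects
            b = BHO.match(body)
            if b and b.group("name") == "(no name)":
                findings.append(Finding(line, f"nameless BHO, {b.group('status') or 'present'}"))
        elif kind == "O4":                # autostart registry entries
            r = RUN.match(body)
            if r and r.group("name").lower() == command_exe(r.group("cmd")).lower():
                findings.append(Finding(line, f"{r.group('hive')} entry named after its own executable"))
    return findings


def entries(log_text: str) -> set:
    return {l.strip() for l in log_text.splitlines() if HJT_LINE.match(l.strip())}


def removed_entries(before: str, after: str) -> list:
    """Entries present in the first log and gone from the second (did the fix take?)."""
    return sorted(entries(before) - entries(after))


if __name__ == "__main__":
    for f in triage(SAMPLE_BEFORE):
        print(f"{f.reason:48} {f.line}")
    print("gone after fix:")
    for line in removed_entries(SAMPLE_BEFORE, SAMPLE_AFTER):
        print("  " + line)
```

Run it against a full log by reading the file into `triage()` and the follow-up log into `removed_entries()`; everything `triage()` reports still needs a human decision, which is exactly the step dave38 performed above.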

#3 Smoker02

  • Member
  • Full Member
  • 11 posts

Posted 15 July 2004 - 09:37 PM

Thank you soooo much. I'll give it a try and let you know.

Once again, thank you.

#4 Smoker02

  • Member
  • Full Member
  • 11 posts

Posted 16 July 2004 - 08:11 PM

Following up as promised. I did it and it worked. Thank you so much. Here is a copy of my HJT log after the fix. Thanks again... you're an angel.
Logfile of HijackThis v1.97.7
Scan saved at 9:08:03 PM, on 7/16/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\LIVESHOWS\MY DOCUMENTS\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...362/mcfscan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,19/mcgdmgr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/.../RumbleCube.cab
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.micr...C4D/mp43dmo.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab

#5 Smoker02

  • Member
  • Full Member
  • 11 posts

Posted 17 July 2004 - 02:35 PM

Thank you Dave38!

#6 dave38

  • Devout Murphyite!
  • Emeritus
  • 8,508 posts

Posted 17 July 2004 - 03:07 PM

Glad to help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.