mshr.exe


2 replies to this topic

#1 giren

Posted 21 July 2004 - 01:05 AM

Hey was wondering if anybody knew what the mshr.exe file does. It was recently added to my computer and I can't seem to get rid of it. I've disabled it in startup and I've deleted it and every time I restart, it pops back up again. I don't have any obvious symptoms of a trojan/virus/hijack/c2ws or anything. It doesn't use up really any resources, but when I disable it in startup, I get a couple of error msgs about some .dll files, which are the root cause of a lot of these problems. I've also tried looking on the internet but can't find any reference to the file. Well here's my HJT log, hope somebody more knowledgeable than me can answer this. :huh:


Logfile of HijackThis v1.98.0
Scan saved at 10:51:51 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Remote Master\Remote Master.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\System32\owt.exe
C:\Documents and Settings\Renegade Chang\My Documents\Downloads\Antispyware\SpybotSD\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Renegade Chang\Application Data\mshr.exe
C:\Program Files\SMC\SMC2635W Wireless Cardbus Adapter Utility\drivers\WINXP\SMCRMonitor.exe
C:\Documents and Settings\Renegade Chang\My Documents\Downloads\Antispyware\SpywareGuard\sgmain.exe
C:\Documents and Settings\Renegade Chang\My Documents\Downloads\Antispyware\SpywareGuard\sgbhp.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Renegade Chang\My Documents\Downloads\Antispyware\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Renegade Chang\My Documents\Downloads\Antispyware\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\RENEGA~1\MYDOCU~1\DOWNLO~1\ANTISP~1\SpybotSD\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IR501 Remote Control] C:\Program Files\Remote Master\Remote Master.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ssgrate.exe] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gzqf] C:\WINDOWS\System32\owt.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Renegade Chang\My Documents\Downloads\Antispyware\SpybotSD\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Rcmp] C:\Documents and Settings\Renegade Chang\Application Data\mshr.exe
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Renegade Chang\My Documents\Downloads\Antispyware\SpywareGuard\sgmain.exe
O4 - Global Startup: SMC2635W Wireless Cardbus Adapter Utility.lnk = C:\Program Files\SMC\SMC2635W Wireless Cardbus Adapter Utility\drivers\WINXP\SMCRMonitor.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx

thanks in advance for the help

#2 giren

Posted 22 July 2004 - 02:23 AM

bump

#3 12g

Posted 22 July 2004 - 12:47 PM

Hi there,

I need you to do this first;

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';


NOTE THE INFO IN RED, ADVISED FIXES


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe


O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch <<<< Associated to Wild Tangent, if you want it keep it, if not fix it


O4 - HKCU\..\Run: [Gzqf] C:\WINDOWS\System32\owt.exe <<<< Do you know of this? if so keep it, if not fix it

O4 - HKCU\..\Run: [Rcmp] C:\Documents and Settings\Renegade Chang\Application Data\mshr.exe


Restart your computer in Safe Mode. Also make sure you show hidden files. Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show,

C:\WINDOWS\System32\msrexe.exe <<<< File
C:\WINDOWS\wt\updater\wcmdmgrl.exe <<<< Folder
C:\WINDOWS\System32\owt.exe <<<< File
C:\Documents and Settings\Renegade Chang\Application Data\mshr.exe <<<< File

Reboot, then post a fresh logfile so that I can check to see if it is clean.
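
The triage step in this thread (reading the O4 autorun lines of a HijackThis log and picking out entries to look at) can be scripted. The following is an added example, not part of any post above: the function names and the "binary dropped directly into Application Data" heuristic are assumptions made for illustration, and a match only means the entry deserves a manual look.

```python
import re
from typing import NamedTuple

# O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKCU\..\Run: [Gzqf] C:\WINDOWS\System32\owt.exe
O4 - HKCU\..\Run: [Rcmp] C:\Documents and Settings\Renegade Chang\Application Data\mshr.exe
'''

class Autorun(NamedTuple):
    hive: str
    name: str
    exe: str
    args: str

O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.+)$')
# Unquoted commands may contain spaces, so cut at the first executable extension.
EXE_END = re.compile(r'^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(.*))?$', re.I)
# Assumed heuristic: a binary sitting straight in a profile's Application Data
# folder (no vendor subfolder) is worth a manual look. It is not a verdict.
PROFILE_ROOT = re.compile(
    r'^[a-z]:\\documents and settings\\[^\\]+\\(?:local settings\\)?application data\\[^\\]+$', re.I)

def split_command(cmd):
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        exe, _, rest = cmd[1:].partition('"')
        return exe, rest.strip()
    m = EXE_END.match(cmd)
    if m:
        return m.group(1), m.group(2) or ''
    exe, _, rest = cmd.partition(' ')   # e.g. "RunDll32 cmicnfg.cpl,..."
    return exe, rest

def parse_autoruns(log):
    out = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            out.append(Autorun(m.group(1), m.group(2), *split_command(m.group(3))))
    return out

def needs_review(entries):
    return [e for e in entries if PROFILE_ROOT.match(e.exe)]
```

On the sample lines, `needs_review(parse_autoruns(SAMPLE_LOG))` returns only the `[Rcmp]` entry; entries such as `owt.exe` in System32 are not caught by this single path rule and still need the manual judgment shown in the reply.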



