Results 1 to 7 of 7

Thread: MSHP.dll (HJT)

  1. #1
    Hettyvail
    Guest

    Default MSHP.dll (HJT)

    I've installed spy bot and run the program but I can not get rid of MSHP.dll Please advise!


    Gerty

  2. #2
    Administrator Help2Go Administrator Canuck's Avatar
    Join Date
    May 2003
    Location
    Edmonton, Alberta, Canada
    Posts
    9,817
    Points
    2034

    Default

    Please read the following article here . Follow all the instructions exactly and then post your HJT log to this thread. Please do not attempt to make any changes until one of our experts tells you to. Also I’d ask for your patience as our experts are scattered in various time zones, but be assured that they will help you.

  3. #3
    Guest

    Default

    I did all of the steps and this is what I came up with:


    Logfile of HijackThis v1.97.7
    Scan saved at 11:29:01 AM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\iesm.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\mszi32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\WinAce\WinAce.exe
    C:\Documents and Settings\Damon\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kketn.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kketn.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kketn.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kketn.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kketn.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kketn.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
    O2 - BHO: (no name) - {0AF6C5D1-D961-2A67-5933-1C5E86CAC4DF} - C:\WINDOWS\sdkdc.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [netuo32.exe] C:\WINDOWS\system32\netuo32.exe
    O4 - HKLM\..\Run: [mszi32.exe] C:\WINDOWS\system32\mszi32.exe
    O4 - HKLM\..\Run: [netwg.exe] C:\WINDOWS\system32\netwg.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKLM\..\RunOnce: [ipoz.exe] C:\WINDOWS\ipoz.exe
    O4 - HKLM\..\RunOnce: [addyg.exe] C:\WINDOWS\system32\addyg.exe
    O4 - HKLM\..\RunOnce: [ipbh.exe] C:\WINDOWS\ipbh.exe
    O4 - HKLM\..\RunOnce: [sdkqp.exe] C:\WINDOWS\sdkqp.exe
    O4 - HKLM\..\RunOnce: [ntns.exe] C:\WINDOWS\system32\ntns.exe
    O4 - HKLM\..\RunOnce: [mfcpd32.exe] C:\WINDOWS\system32\mfcpd32.exe
    O4 - HKLM\..\RunOnce: [appgy.exe] C:\WINDOWS\system32\appgy.exe
    O4 - HKLM\..\RunOnce: [crzr.exe] C:\WINDOWS\system32\crzr.exe
    O4 - HKLM\..\RunOnce: [sysuz.exe] C:\WINDOWS\system32\sysuz.exe
    O4 - HKLM\..\RunOnce: [atlif32.exe] C:\WINDOWS\system32\atlif32.exe
    O4 - HKLM\..\RunOnce: [apigh.exe] C:\WINDOWS\system32\apigh.exe
    O4 - HKLM\..\RunOnce: [msiy.exe] C:\WINDOWS\msiy.exe
    O4 - HKLM\..\RunOnce: [appuu32.exe] C:\WINDOWS\appuu32.exe
    O4 - HKLM\..\RunOnce: [d3tc32.exe] C:\WINDOWS\system32\d3tc32.exe
    O4 - HKLM\..\RunOnce: [apioq32.exe] C:\WINDOWS\system32\apioq32.exe
    O4 - HKLM\..\RunOnce: [msmp.exe] C:\WINDOWS\system32\msmp.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

  4. #4
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    For your CWS hijacker...
    Please download and run the Shredder <<<< Click Here (run and click "fix")

    CWS installs via the byte verifier exploit (Mostly) in M$ JavaVM so just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    THEN
    Download AdAware 6 <<<<<<click here

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".


    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. .(Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.


    Then post another hijackthis log

    THEN
    go here :-
    Download Registrar lite and install it:
    http://www.resplendence.com/reglite

    Run it, copy and paste this line to reglite's address bar:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    And hit the "go" tab

    Find: "Appinit_Dlls" value on the right side panel,
    DoubleClick, copy and post what you find in the following fields here in your next post....

    -Size:
    -Value:

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  5. #5
    Guest

    Default

    Ok, this is the second log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:09:00 PM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\iesm.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\mszi32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\WinAce\WinAce.exe
    C:\Documents and Settings\Damon\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zwcmr.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zwcmr.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zwcmr.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zwcmr.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zwcmr.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zwcmr.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {DB10C0DD-EAF1-0FBE-C114-18BDB3485E8B} - C:\WINDOWS\msbd32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mszi32.exe] C:\WINDOWS\system32\mszi32.exe
    O4 - HKLM\..\Run: [netwg.exe] C:\WINDOWS\system32\netwg.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

  6. #6
    Hettyvail
    Guest

    Default Reglite

    I can not find "Appinit_Dlls, this is what is shown

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\USERProcessHandleQuota
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\TransmissionRetryTimeout
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\swapdisk
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Spooler
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\GDIProcessHandleQuota
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\DeviceNotSelectedTimeout
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\(default)





    Please advise on the next step- Thank you

  7. #7
    Member
    Join Date
    Jan 2003
    Location
    NH
    Posts
    434
    Points
    77

    Default No Antivirus??

    I would advise the installation of antivirus software. From your log, it appears you have NO PROTECTION whatsoever!
    A good horse, strong woman and my .30-.30 rifle. Not much more a man needs. (well, except a computer that is!!)