Tech Support Forum - View Single Post

**Has2SpoildBrats** · 02-27-2005, 12:23 AM

I just installed a new hard drive on my PC this week and everything was fine and dandy until today. I got online earlier today to look up some cheat codes for my husband like I always do. Well the second the site got done loading my virus protection program, McAfee, went crazy. I closed the cheat code site down right away and spent about 15 minutes non stop closing popups from McAfee. The said a Trojan had been detected and cleaned. So I went through and ran scans with Adaware, spybot s&d as well as 2 full virus scans. One with my virus program and the other at Trend Micro ( the free online scan). I am having a lot of problems getting rid of the trojan. Please help!

I used the HijackThis Analyzer program to get the "new" log.

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSSHLD.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRTE.EXE /embedding

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 1:08:21 AM, on 2/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\WINDOWS\SYSTEM\TMPNEA.EXE
C:\PROGRAM FILES\Z8QHQW50\Z8QHQW50.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1109275895\EE\AOLHOSTMANAGER.EXE
C:\WINDOWS\SYSTEM\TQQPSUHSOI.EXE
C:\WINDOWS\SYSTEM\SYSMONNT.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1109275895\EE\AOLSERVICEHOST.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://as.casalemedia.com/s?s=58542&...a.com&f=2&id=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\PROGRAM FILES\IMESHBAR\BAR\1.BIN\IMESHBAR.DLL
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\SYSTEM\AUNBHO.DLL
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\SYSTEM\RSYNCMON.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\PROGRAM FILES\IMESHBAR\BAR\1.BIN\IMESHBAR.DLL
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109275895\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\TMPNEA.exe
O4 - HKLM\..\Run: [Z8QHQW50] \Progra~1\Z8QHQW50\Z8QHQW50.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\SYSTEM\netsync.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT
O4 - HKCU\..\RunServices: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O4 - HKCU\..\RunServices: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

End of HijackThis Analyzer Log.
===========================================================================================================================

02-27-2005, 12:23 AM	#1 (permalink)
Has2SpoildBrats I helped the forums. Join Date: Jan 2005 Location: Iowa Posts: 20 OS: Win 98	Major Hijacking here. PLEASE HELP! I just installed a new hard drive on my PC this week and everything was fine and dandy until today. I got online earlier today to look up some cheat codes for my husband like I always do. Well the second the site got done loading my virus protection program, McAfee, went crazy. I closed the cheat code site down right away and spent about 15 minutes non stop closing popups from McAfee. The said a Trojan had been detected and cleaned. So I went through and ran scans with Adaware, spybot s&d as well as 2 full virus scans. One with my virus program and the other at Trend Micro ( the free online scan). I am having a lot of problems getting rid of the trojan. Please help! I used the HijackThis Analyzer program to get the "new" log. =========================================================================================================================== Log was analyzed using HijackThis Analyzer - Updated on 1/7/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSSHLD.EXE O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRTE.EXE /embedding ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 1:08:21 AM, on 2/27/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v5.50 (5.50.4134.0100) Running processes: C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE C:\WINDOWS\SYSTEM\TMPNEA.EXE C:\PROGRAM FILES\Z8QHQW50\Z8QHQW50.EXE C:\PROGRAM FILES\COMMON FILES\AOL\1109275895\EE\AOLHOSTMANAGER.EXE C:\WINDOWS\SYSTEM\TQQPSUHSOI.EXE C:\WINDOWS\SYSTEM\SYSMONNT.EXE C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE C:\PROGRAM FILES\COMMON FILES\AOL\1109275895\EE\AOLSERVICEHOST.EXE C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://as.casalemedia.com/s?s=58542&...a.com&f=2&id=1 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file) O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\PROGRAM FILES\IMESHBAR\BAR\1.BIN\IMESHBAR.DLL O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\SYSTEM\AUNBHO.DLL O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\SYSTEM\RSYNCMON.DLL O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\PROGRAM FILES\IMESHBAR\BAR\1.BIN\IMESHBAR.DLL O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109275895\EE\AOLHostManager.exe O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\TMPNEA.exe O4 - HKLM\..\Run: [Z8QHQW50] \Progra~1\Z8QHQW50\Z8QHQW50.exe O4 - HKLM\..\Run: [RSync] C:\WINDOWS\SYSTEM\netsync.exe O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE" O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b O4 - HKCU\..\Run: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT O4 - HKCU\..\RunServices: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b O4 - HKCU\..\RunServices: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/sh...3/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/sh...20/mcgdmgr.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net End of HijackThis Analyzer Log. ===========================================================================================================================