#1 (permalink) |
|
I helped the forums.
|
Major Hijacking here. PLEASE HELP!
I just installed a new hard drive on my PC this week and everything was fine and dandy until today. I got online earlier today to look up some cheat codes for my husband like I always do. Well, the second the site got done loading, my virus protection program, McAfee, went crazy. I closed the cheat code site down right away and spent about 15 minutes nonstop closing popups from McAfee. They said a Trojan had been detected and cleaned. So I went through and ran scans with Adaware, Spybot S&D as well as 2 full virus scans. One with my virus program and the other at Trend Micro (the free online scan). I am having a lot of problems getting rid of the trojan. Please help!
I used the HijackThis Analyzer program to get the "new" log.

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSSHLD.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRTE.EXE /embedding

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 1:08:21 AM, on 2/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\WINDOWS\SYSTEM\TMPNEA.EXE
C:\PROGRAM FILES\Z8QHQW50\Z8QHQW50.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1109275895\EE\AOLHOSTMANAGER.EXE
C:\WINDOWS\SYSTEM\TQQPSUHSOI.EXE
C:\WINDOWS\SYSTEM\SYSMONNT.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1109275895\EE\AOLSERVICEHOST.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://as.casalemedia.com/s?s=58542&...a.com&f=2&id=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\PROGRAM FILES\IMESHBAR\BAR\1.BIN\IMESHBAR.DLL
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\SYSTEM\AUNBHO.DLL
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\SYSTEM\RSYNCMON.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\PROGRAM FILES\IMESHBAR\BAR\1.BIN\IMESHBAR.DLL
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109275895\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\TMPNEA.exe
O4 - HKLM\..\Run: [Z8QHQW50] \Progra~1\Z8QHQW50\Z8QHQW50.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\SYSTEM\netsync.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT
O4 - HKCU\..\RunServices: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O4 - HKCU\..\RunServices: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

End of HijackThis Analyzer Log.
===========================================================================================================================
#2 (permalink) |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3
|
Hi and Welcome
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order it's listed. If you don't understand please ask before proceeding with the fixes. Please keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes.

Turn off System Restore instructions (WinXP)
Right-click My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot.
When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Double-click My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK

------------------------------------------------------------------
Download and run
AboutBuster
CWShredder
Adaware
SpyBot (check for updates)
for a preliminary cleanup first. Some files below may not be present after running the above programs. Full instructions below.

------------------------------------------------------------------
How to setup Ad-Aware
Download Ad-Aware SE build 1.05
If you have a previous version of AdAware installed, you will be prompted to uninstall or keep the older version during installation. Be sure to choose Uninstall The Previous Version.
Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
Double-click aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory.
Open AdAware from Start | Programs | Lavasoft | AdAware.
Select <Check for updates now>, <Proceed>
After installation, run the program and click the start button. Then click the next button. This lets ad-aware scan your computer.
After ad-aware is done running, hit the next button. Then right click the area with the listed spyware objects. Choose the "Select all objects" option. At this point all the boxes next to the items should be checked. Then hit the next button. It will ask if you want to delete the selected objects. Hit the Okay button. Now most of the spyware should have been deleted from your hard drive.

------------------------------------------------------------------
How to setup Spybot Search & Destroy
Download Spybot
Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/spybot/
Double-click spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory.
Open Spybot from Start | Programs | Spybot | Spybot S&D
Select <Search for Updates>. Let it install all updates. This is very important!
Select <Immunize>
Select <Check for Problems>
Check all entries that are in RED. Only RED, NOTHING ELSE.
For your records, write/print out each item that you have fixed. Date it.
Select <Fix Selected Problems>
Close Spybot

------------------------------------------------------------------
Files highlighted in BLACK will need to be removed from your hard drive.
Folders that have been highlighted RED will need to be uninstalled.

------------------------------------------------------------------
Please start by putting HJT in SAFE MODE.
During reboot, tap the F8 key.
Select Safe Mode

------------------------------------------------------------------
Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed.

SYSMONNT.EXE
TMPNEA.exe
Z8QHQW50.exe
TQQPSUHSOI.EXE
netsync.exe

------------------------------------------------------------------
Uninstall these programs (if they still exist) from Start | Settings | Control Panel | Add/Remove Programs

IMESHBAR
WINTOOLS
Z8QHQW50

------------------------------------------------------------------
Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://as.casalemedia.com/s?s=58542...ia.com&f=2&id=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\PROGRAM FILES\IMESHBAR\BAR\1.BIN\IMESHBAR.DLL
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\SYSTEM\AUNBHO.DLL
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\SYSTEM\RSYNCMON.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\PROGRAM FILES\IMESHBAR\BAR\1.BIN\IMESHBAR.DLL
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\TMPNEA.exe
O4 - HKLM\..\Run: [Z8QHQW50] \Progra~1\Z8QHQW50\Z8QHQW50.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\SYSTEM\netsync.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU\..\Run: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT
O4 - HKCU\..\RunServices: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

------------------------------------------------------------------
Open Windows Explorer and delete the following highlighted file/s (or delete the whole (Red) folder if listed).

C:\WINDOWS\SYSTEM\TQQPSUHSOI.EXE
C:\WINDOWS\SYSTEM\SYSMONNT.EXE
C:\PROGRAM FILES\IMESHBAR
C:\WINDOWS\SYSTEM\AUNBHO.DLL
C:\WINDOWS\SYSTEM\RSYNCMON.DLL
C:\PROGRA~1\COMMON~1\WINTOOLS
C:\WINDOWS\SYSTEM\TMPNEA.exe
C:\PROGRAM FILES\Z8QHQW50\Z8QHQW50.EXE
C:\WINDOWS\SYSTEM\netsync.ex

------------------------------------------------------------------
Check that you have carried out all the above steps/fixes and then reboot into Normal Mode and download Cleanup. This will clean out your temporary files.

When finished please post a new log......
|
|
|
|
#3 (permalink) |
|
I helped the forums.
|
I used the HijackThis Analyzer program to get the "new" log.
===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSSHLD.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRTE.EXE /embedding

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 1:47:02 PM, on 2/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\WINDOWS\SYSTEM\XIJAUH.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1109275895\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1109275895\EE\AOLSERVICEHOST.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109275895\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\XIJAUH.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

End of HijackThis Analyzer Log.
===========================================================================================================================
|
|
|
|
#4 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.
Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check Disable System Restore. Click OK. Click Yes when you are prompted to restart Windows. When we have confirmed that your log file is clean, you may enable System Restore again by following the same steps as above except you should uncheck Disable System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up).

Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\SYSTEM\XIJAUH.EXE

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\XIJAUH.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\XIJAUH.EXE
C:\WINDOWS\SYSTEM\winupdt.exe

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
![]() GO BIG BLUE!! |
|
|
|
|
#5 (permalink) |
|
I helped the forums.
|
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSSHLD.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRTE.EXE /embedding

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 1:03:29 AM, on 2/28/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1109275895\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1109275895\EE\AOLSERVICEHOST.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109275895\EE\AOLHostManager.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

End of KRC HijackThis Analyzer Log.
====================================================================
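Added example, not part of the original thread or of HijackThis: a small Python checker for the step both helpers end on, comparing a fresh scan against the previous one to confirm the fixed entries are gone and to surface autoruns that appeared in between (as `winupdtl` and `version` did here). The function names are hypothetical, and the scan text is a few lines taken from the logs above with one line re-cased as marked.

```python
import re
from typing import NamedTuple

# Entry lines start with a section code such as R1, O2, O4 or O16.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# O4 body: hive, "..", key name, [value name], command line.
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

class Entry(NamedTuple):
    section: str
    body: str

    @property
    def key(self):
        # Windows paths and registry names are case-insensitive and the
        # scans mix case, so compare case-folded with whitespace collapsed.
        return (self.section, " ".join(self.body.split()).casefold())

def parse_log(text):
    """Return entry lines only; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def diff_scans(before, after):
    """Return (removed, added) entries between two scans."""
    before_keys = {e.key for e in before}
    after_keys = {e.key for e in after}
    removed = [e for e in before if e.key not in after_keys]
    added = [e for e in after if e.key not in before_keys]
    return removed, added

def still_present(fix_list, after):
    """Entries from a fix list that a later scan still shows."""
    after_keys = {e.key for e in after}
    return [e for e in fix_list if e.key in after_keys]

def new_autoruns(before, after):
    """(hive, key, value name, command) for O4 entries that newly appeared."""
    _, added = diff_scans(before, after)
    matches = (O4_RE.match(e.body) for e in added if e.section == "O4")
    return [m.groups() for m in matches if m]

# A few lines from the thread's first scan and from the scan after cleanup.
SCAN_1 = parse_log(r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\TMPNEA.EXE
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\SYSTEM\AUNBHO.DLL
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109275895\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\TMPNEA.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\SYSTEM\netsync.exe
""")
# The HostManager line is upper-cased here (constructed) to exercise case folding.
SCAN_2 = parse_log(r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [HOSTMANAGER] C:\PROGRAM FILES\COMMON FILES\AOL\1109275895\EE\AOLHOSTMANAGER.EXE
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\XIJAUH.exe
""")
# The three sampled entries that the first reply's fix list names.
FIX_LIST = [e for e in SCAN_1 if "HostManager" not in e.body]

if __name__ == "__main__":
    for hive, key, name, cmd in new_autoruns(SCAN_1, SCAN_2):
        print(f"new autorun {hive}\\{key} [{name}] -> {cmd}")
```

An empty `still_present` result together with a non-empty `new_autoruns` result is the situation the third post shows: the listed entries were removed, but something re-registered under `Run`, so another fix round was needed.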