#1
mshp.dll - I can't get rid of it!
Last week my computer was infected so that my internet home page is reset to res://mshp.dll/index.html#37049. I have followed the instructions to delete it on pchell.com, run Spybot, run CWshredder, deleted anything that refers to mshp in my registry, and updated my Norton Antivirus 2004. When I reboot, my computer is clean until I open Internet Explorer, at which time mshp.dll magically reappears in C:\Windows. I'm lost and could really use some help.
Here is my log file from hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 10:02:56 PM, on 04/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\CTMIX32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\EREG\REMIND32.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\JEFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.search.msn.com/spbasic.htm?cp=1252&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\MSLQ\MSLQ.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\MSLQ\MFCDI.DLL
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\MSLQ\NTDT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\PROGRAM FILES\ACCELERATION SOFTWARE\SYSTEMPATCHER\SYS_ALERT.EXE" /Startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\SGINST.EXE /upd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\SDKQH32.DLL,Install
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\SDKQH32.DLL,Install
O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\submit.exe"
O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\WINDOWS\APPLIC~1\MSLQ\MSLQ.dll,UpdateDll s
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tec.../ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.cab

Can anyone help?
#2
Here is how to read the hijackthis logfile.
Compare it with yours.

http://homepage.ntlworld.com/dvk01uk/tutorial.htm
http://www.spywareinfo.com/~merijn/htlogtutorial.html
http://www.help2go.com/article153.html
http://hjt.wizardsofwebsites.com/
http://www.spywareinfo.com/bhos/
http://www.spychecker.com/program/bholist.html
http://www.spywareinfo.com/~merijn/htlogtutorial.html#r
http://www.computercops.biz/postt6393.html
http://www.google.com/search?q=spyware+list

Beginners Guides: Browser Hijacking & How to Stop It
http://www.pcstats.com/articleview.cfm?articleID=1579
#4
mshp.dll - finally gone
After several attempts, I seem to have removed this from my machine. The entire MSLQ folder seems to have been related to the virus. At one point I only deleted mslq.dll from HJT and when I rebooted there was a new folder called sysom in my application data (in addition to mslq). When I deleted both folders, sysom and mslq, and tried to remove them from my recycling bin, it wouldn't let me because a file "advdn.dll" was still in use. So, I closed the Recycling Bin, went back and ran CWShredder, opened the Recycling Bin and successfully deleted the file. I have rebooted the computer and opened Internet Explorer a few times now and there is no sign of the virus.
For anyone having problems with this virus, it may help to run a search on folders that were created recently on your machine. When BHO lines relating to the sysom folder popped up in HJT, I went to the folder and saw that it had been created a few minutes ago. I took the chance and deleted it. It worked.
#5
Hi Over my head,
res://mshp.dll/sp.html#37049 is a coolwebsearch domain. CWShredder would have cleaned the infection for you. I would have jumped in to help, but it seemed jmatt was helping you. If you'd like to post a fresh HJT log, just to see if you have any more problems, I will be happy to look at it for you tomorrow.
Tom
__________________
HijackThis, Ad-aware, Spybot Search & Destroy, SpywareBlaster, SpywareGuard, Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
#6
Hi Tom,
I would greatly appreciate having you take a look at my new HJT. I've pasted it below. I ran CWShredder many times before tonight. It would remove the files temporarily, but they would come back after I rebooted or after I reopened Internet Explorer. There must have been something else in the mslq folder that would recreate the files that CWShredder doesn't pick up. Fortunately the combination of deleting the folder and running CWShredder worked. I saved the folders (mslq and sysom) to a disk just in case I was deleting something I needed. I think I'll just throw out the disk...

I was reading one of the other threads where you mentioned to altoviola that an update of Windows was in order. Well, I went to the site and discovered that I was 19 critical updates behind. I'm now up to date, but I now receive "stack overflow" warnings. It tells me a recently installed VxD consumed too much stack and I need to increase my setting of "MinSPs" in system.ini or remove installed VxDs. There are currently 6 SPs allocated. Surprise! I'm in over my head again. Do you have any suggestions? Thanks for your help.
Logfile of HijackThis v1.97.7
Scan saved at 10:18:29 PM, on 10/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\CTMIX32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\EREG\REMIND32.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\MSWORKS.EXE
C:\MY DOCUMENTS\JEFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.search.msn.com/spbasic.htm?cp=1252&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tsn.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\PROGRAM FILES\ACCELERATION SOFTWARE\SYSTEMPATCHER\SYS_ALERT.EXE" /Startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\SGINST.EXE /upd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [WUAUBOOT] C:\WINDOWS\wuauboot.exe -ResetForSelfUpdate
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tec.../ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.cab
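
Added example, not part of the thread or written by any of its posters: posts #4 and #6 describe files coming back when only mslq.dll was removed, so this sketch groups the BHO (O2) and autostart (O4) lines of a HijackThis log by the folder they load from, and lists IE settings that point at a res:// URL. The function names and the "under Application Data" heuristic are assumptions made for this illustration; the sample lines are copied from the first log in this thread.

```python
import ntpath
import re
from collections import defaultdict

# Excerpt of lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.search.msn.com/spbasic.htm?cp=1252&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\MSLQ\MSLQ.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\MSLQ\MFCDI.DLL
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\MSLQ\NTDT.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\WINDOWS\APPLIC~1\MSLQ\MSLQ.dll,UpdateDll s
"""

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
IE_SETTING = re.compile(r"^(.+?),([^,=]+) = (.*)$")
FILE_PATH = re.compile(r"[A-Za-z]:\\[^,\"]*?\.(?:dll|exe|ocx)\b", re.IGNORECASE)
# Long and 8.3 short spellings of the Application Data folder, as both occur in the log.
PROFILE_DIRS = ("\\APPLICATION DATA\\", "\\APPLIC~1\\")


def parse(log):
    """Yield (code, body) for every R*/O* line; headers and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def hijacked_settings(log):
    """Return (hive, setting, value) for IE settings whose value is a res:// URL."""
    hits = []
    for code, body in parse(log):
        m = IE_SETTING.match(body) if code.startswith("R") else None
        if m and m.group(3).lower().startswith("res://"):
            hits.append((m.group(1).split("\\")[0], m.group(2), m.group(3)))
    return hits


def load_points_by_folder(log):
    """Group O2/O4 entries by the folder that holds the file they load."""
    folders = defaultdict(list)
    for code, body in parse(log):
        m = FILE_PATH.search(body) if code in ("O2", "O4") else None
        if not m:
            continue
        path = m.group(0).upper()
        # Key on the last folder component so APPLIC~1\MSLQ and
        # APPLICATION DATA\MSLQ land in the same group (a simplification).
        folder = ntpath.basename(ntpath.dirname(path))
        in_profile = any(d in path for d in PROFILE_DIRS)
        folders[folder].append((code, ntpath.basename(path), in_profile))
    return dict(folders)


def removal_units(log):
    """Folders under Application Data with load points, each listed with all its entries."""
    units = {}
    for folder, items in load_points_by_folder(log).items():
        if any(in_profile for _, _, in_profile in items):
            units[folder] = sorted({(code, name) for code, name, _ in items})
    return units


if __name__ == "__main__":
    for hive, setting, value in hijacked_settings(SAMPLE_LOG):
        print(f"{hive} {setting}: {value}")
    for folder, entries in removal_units(SAMPLE_LOG).items():
        print(folder, entries)
```

On the sample, the MSLQ folder shows three BHO entries plus a RunOnce entry that calls into MSLQ.dll, so fixing only one of those lines leaves the rest of the folder loading.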
#7
I can help, re Stacks.
You can do this by selecting Start > Run, and type msconfig in the Open: box. Press OK. Select the System.ini tab, scroll down to, and select the [386Enh] section. Press New and type the command MinSPs=8, press Apply, and follow the prompts. If the problem persists, increase the number of spare stack pages in increments of 4 (for example 12, 16).
Note: Each spare stack page requires 4KB of memory.
http://support.microsoft.com/suppor...s/q149/0/83.asp
http://www.windows-help.net/windows98/troub-461.shtml
#8
Hi jmatt,
You fixed it. 8 seems to be the magic number. Thanks for your help.
#9
That's OK, Over my head.
#10
It seems Stop-Sign from eAcceleration is installed. It purports to detect spyware, malware, viruses and keyloggers, but is in fact spyware itself - read their privacy statement:
http://www.eacceleration.com/privacy/
I suggest uninstalling the software and going with Spywareblaster and Spywareguard.

Run HijackThis, place a checkmark next to the following items. Close ALL other windows and browsers except HijackThis. Click "fix checked".

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Does this look familiar to you? If not, can you right click the file and post the properties and file version info?

O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\SGINST.EXE /upd

Tom
#11
Hi Tom,
The SGINST.EXE file doesn't exist when I do a search on my C:. I assume that means it is good to delete? For that matter, the following 2 items do not exist either. Should I delete them too?

O4 - HKLM\..\Run: [eanth_system_patcher] "C:\PROGRAM FILES\ACCELERATION SOFTWARE\SYSTEMPATCHER\SYS_ALERT.EXE" /Startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k

Would these types of things slow down my computer? This machine has always run slow. My next project is to find ways to speed it up. Stop sign has been removed. I think it had been deleted previously, as the folders only contained shortcuts to files that did not exist anymore. Thanks again for your help.
#12
Spy files etc. do slow your comp down, Over my head.
While waiting for Tom, try this, as it finds stuff others don't.

Bazooka
http://www.webgrid.co.uk/security_2.html
http://www.winsite.com/bin/Info?17000000037943
http://www.kephyr.com/

Here is the current list of Bazooka fixes.
http://www.kephyr.com/spywarescanne...source=appvisit

Bazooka is freeware and Windows 95/98/ME/NT/2000/XP compatible. Click on the files found & you will be taken to a site that will show you how to remove, either with a program or manually. It reports on all drives & partitions, so remember to check all these when doing manual remove.

After the Download - It is important to remember that once the installation of Bazooka is completed, you should update the File Signatures by clicking on the Update tab and check for an update. Make sure you Update after installing & then regularly.
#13
Yes, jmatt is right. Spyware, adware, trojans, etc. do slow down your computer.
The 2nd and 3rd lines I suggested you fix with HijackThis will indeed speed up your computer:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Yes, delete these ones too:

O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\SGINST.EXE /upd
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\PROGRAM FILES\ACCELERATION SOFTWARE\SYSTEMPATCHER\SYS_ALERT.EXE" /Startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k

Reboot and post a new log

Tom