Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice


1569 Views 9 Replies 2 Participants Last post by  sighlentex
I started a post elsewhere in the TSG forums:

and VirtualMe said i should ask for help here.

This is my latest HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 1:57:14 PM, on 4/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =*
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =*
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\pmremind.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

These two lines won't go away. I've removed them with HJT but they keep coming back:

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE

..when i search the PC for msreg32.exe i'm not able to find it.

Housecalls found 5 uncleanable files (BKDR Assasin, BKDR Beast).

i'm just a rookie, and i can only process one thing at a time. please give me any information you can to help me clean this machine, but say it s-l-o-w-l-y and clearly as i was a blonde in my past life and am easily confused. :)

thanks in advance for all your help.
See less See more
Not open for further replies.
1 - 3 of 10 Posts
Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE
O4 - Startup: PowerReg Scheduler V3.exe

Reboot into safe mode by following instructions here:
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files

Reboot normally &

I would strongly recommend downloading and running a specialised anti trojan

the best antitrojan that I use for dealing with them is

TDS3 from

download & install the 30 day free trial, update it manually as described here as the trial version doesn't have auto update enabled

then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

sit back with a cup of coffee and watch what it finds


Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

post back with the tds log after running please, just copy & paste the entries from the scandump.txt
See less See more
boot into safe mode & delete this folder
c:\program files\mshelp

then do this please

open hijackthis, pres config/misc tools/ tick both little boxes about minor & empty sections and press generate start up list, post that list back here

before doing that let's clear the restore folder to get rid of all the old crap in there and stop those alarms
Turn off system restore by following instructions here
That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable sytem restore & create a new restore point.

and then empty recycle bin, some alarms are coming from there

then also give me these 2 logs

Please download the KillBox from here:

UnZip it to it's own folder not to the Desktop or a Temp folder. Click on The KillBox.exe and it will open. Now click find then find msg.dll, then on the little pop up window, that says killbox file list, press file/create log and a pop up says do you want to create a log in notepad, say yes and then save as usual in notepad and copy & paste the resulting list here

Download this zip:, unzip it to the desktop.
Be sure to have at least 1 Internet Explorer open, then double click on the runme.bat.
Notepad will open with a log in it

Don't worry about the length of them 99% if not all of them will be legitimate, I'm just looking for indications of certain files running
See less See more
The killbox log being empty is OK, don't worry about the other log either

I think deleting the mshelp folder did it as that is where the 0dll was hiding, along with emptying all the other folders

to run pv it must be on the desktop not in it's own folder and IE must be open as well, I don't think there is a neeed for it now, but if you want to try again, I'm happy to look at the log for you

any more problems post back
1 - 3 of 10 Posts
Not open for further replies.