Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

SHNLOG.exe ( And some others) [CLOSED]

Started by Prankster1221 , May 24 2005 02:00 AM

  • This topic is locked This topic is locked

#1
Prankster1221
Posted 24 May 2005 - 02:00 AM

Prankster1221

    New Member

  • Member
  • Pip
  • 2 posts
Hello guys, I discovered I had loads of spyware and search bars in IE when I checked the other day ( I use firefox), and being me ( Suspicious, paranoid), I ran adaware, xoftspy,and spybot S&D. Now these programs got rid of the pesky obvious spyware problems, but looking at my task manager, I realised there were more.
I ran through my system ruffly, and deleted Virtual maid, or what I could find of her.
But this still didn't delete Popuper.exe. Finally I came here, and read another thread, following it's general instructions. This ( Seemingly ) deleted popuper.exe, but SHNLOG.exe remains. When attempting to close this program ( It runs permanantly), it simply starts again within seconds, and is impossible to close using task manager.
Any help you can give will help me. Thanks alot guys. Here is my hijack this logfile. Hope it helps......BAsically I think most of the recognized programs are things I want. Such as eraser...And AIM, and MSN. But startsearches.com, that isn't supposed to be there. SHNLOG.exe was bolded by me, not by "Hijack this".


Logfile of HijackThis v1.99.1
Scan saved at 5:51:00 PM, on 24/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
D:\KODAK\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Eraser\eraser.exe
C:\WINNT\system32\intmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\shnlog.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://www.startsear...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

http://www.startsearches.net/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -

C:\WINNT\system32\hpF19D.tmp
O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} -

C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\system32\msmsgs.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM95\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -

http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient

Class) -

http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing)

- http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) -

http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient

Class) -

http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

(MsnMessengerSetupDownloadControl Class) -

http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://messenger.zon...ro.cab32846.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{F8EFC918-D0A2-46AA-9C98-5C52533A8900}:

NameServer = 203.2.75.132 198.142.0.51
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -

VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak

Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: ptssvc - KODAK - D:\KODAK\Kodak EasyShare

software\bin\ptssvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -

C:\WINNT\system32\ZoneLabs\vsmon.exe
  • 0

Advertisements

#2
Guest_usetobe_*
Posted 28 May 2005 - 12:54 PM

Guest_usetobe_*
  • Guest
Hi Prankster,

Please post a fresh HJT log, without all the spacing

Regards,

Usetobe
  • 0

#3
Prankster1221
Posted 28 May 2005 - 11:29 PM

Prankster1221

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Thanks, sorry about the first one. Now, I have defeated the first SHNlog.exe virus, but I have encountered something I can't detect. It changed my background to a black screen" Warning: you are infected". it also changed the display properties, making it impossible to change the background....What do you suggest ?
I have another Hijack this log here, but it appears to have picked up nothing.

Logfile of HijackThis v1.99.1
Scan saved at 3:19:53 PM, on 29/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
D:\KODAK\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\system32\msmsgs.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8EFC918-D0A2-46AA-9C98-5C52533A8900}: NameServer = 203.2.75.132 198.142.0.51
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: ptssvc - KODAK - D:\KODAK\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
  • 0

#4
Guest_usetobe_*
Posted 29 May 2005 - 12:58 AM

Guest_usetobe_*
  • Guest
Hi Prankster,


Lts see where we go from here.

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Please download Cleanup from here:
Cleanup. Do not run it yet.


Download a free 14 day trial of ewido from the link below. Install it and start it up. Follow the prompts to upgrade it, then close it down.

ewido

Now reboot into SAFE MODE, by tapping the F8 key whilst your PC starts up, select SAFE MODE.

Rescan with HJT and check the following

F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe

Ensure no windows open except HJT and Click Fix Checked.

Now Run Cleanup to clear out temp files, junk etc.

Next run Ewido, click on the Scanner button, Select drives if you have more than one and then start. grab a cup of coffee, sandwiches, book as this may take some time. Once the first problem is detected ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files, OK that request, then click on save report. SAVE to the default location, it will then generate a text file. Copy that to post in this thread.

Reboot into normal mode.

Rescan with HJT and post the log back, together with the Ewido log.
  • 0

#5
Guest_usetobe_*
Posted 21 June 2005 - 04:25 PM

Guest_usetobe_*
  • Guest
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP