Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

msshed32.exe


  • This topic is locked This topic is locked

#1
bkbrimmer

bkbrimmer

    Member

  • Member
  • PipPip
  • 11 posts
Hello ~

This is my first post. I regularly run Spybot, Ad-aware and HijackThis. I've recently started using Morpheus too to download stuff. Well, apparently I downloaded msshed32.exe along the way and inadvertantly allowed it onto my "white list" according to my Spybot Resident. (It says "atiupdate.") I've gotten rid of it via HijackThis, by going directly to the file under WINDOWS, by deleting it using msconfig -- all three ways in normal and safe mode -- but it seems to keep coming back whenever I download certain files in Morpheus, and no other time. Resident blocks eveything else wonderfully, but because msshed32.exe is on my "white list," it is allowed. What can do to permanently purge this nuisance and/or place it on my Resident's "black list?" Any suggestions is greatly appreciated. I've Googled this problem and tried their advice, but it keeps coming back. Thanks.

~~ BKB

P.S. Curously enough, I haven't noticed any deleterious effects yet when msshed32.exe is in my system32 folder (although I get rid of it as soon as Resident says that it allows "atiupdate,") but since the Internet is telling me that this is a bad thing to have on my hard drive, I thought I would seek your advice. :tazz:
  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

Please visit this page and scroll down to Step 5. Follow the instructions there to download a tool called Hijackthis and post a log here as a reply to this post.

http://www.geekstogo..._Log-t2852.html
  • 0

#3
bkbrimmer

bkbrimmer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Sam ~~

Well, I've been using HijackThis regularly for awhile now. I could send you a post of it, but nothing would be there because I have put everything on its ignore list. I did this to unclutter each scan I do and I am positive that all items I've put on the list are on the level. The msshed32.exe won't show up either because like I said, it only appears sometimes after I download stuff from Morpheus. It hasn't reappeared since I began this thread. What I can tell you is that HijackThis has not caught msshed32.exe every time it has replicated itself into my system32 folder. The only thing I can do I suppose is wait for it to appear again (presumably after some Morpheus downloads) and then send a Hijackthis post to you. Regards,

~~ bkb
  • 0

#4
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
I see. It's a little unusual to use it like that, but I can see where it would work for you.

We ask for a hijackthis log not only to see what malware you might have, but also such things as the your operating system, including service pack, and any other security programs that you might be running. But if you can give me that information we can work around it.

Please run Panda Online Virus Scan
  • Make sure it is set to clean automatically.
  • There may be files that this scan will not remove.
  • Please include that information in your next post.

  • 0

#5
bkbrimmer

bkbrimmer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Okay. I'm running an unnetworked XP SP1 without the firewall. I have Norton Anti-Virus 7.6, Ad-aware SE, Spybot's latest with Tea-timer and Resident activated, and use HijackThis 1.99 everyday. I can't think of any apps I'm running that would be the cause of this particular problem. And no, msshed32.exe still hasn't shown up in my system32 folder although I downloaded a boatload of stuff via Morpheus yeasterday. Am I missing anything? It figures, went I want it to show up, it doesn't. And when I don't,... :tazz:
  • 0

#6
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Go ahead and run the Panda online scan and let me know what turns up, if anything.
  • 0

#7
bkbrimmer

bkbrimmer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Okay Sam. I ran Panda but ran into trouble. It scanned for about 50 minutes and all of a sudden I got one of those NT/AUTHORITY (RPC) popups saying that my system will shutdown after a countdown, which it did. (I dealt with this awful problem on my last laptop and never saw it on this one until now.) It referenced WINDOWS/system32/lsass. Because of this, I was not able to save a scan log. I did notice before shutdown however that Panda said it identified and disinfected 6 viruses and identified 1 piece of spyware, but I don't know what they are. In addition to this mess, Norton caught and quarantined W32.Spybot.Worm in my system32 folder (filename devmks32.exe), a new one on this computer. Now I'm worried. Any suggestions?
  • 0

#8
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Download and run Stinger. Let me know what it finds.
http://download.nai....ert/stinger.exe
  • 0

#9
bkbrimmer

bkbrimmer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Sam ~~

I ran Panda again just to see if the same thing would happen. It did and it didn't. It ran all the way through this time (about 2.5 hours) and did not get hung up by the NT\AUTHORITY problem. It said it detected the same (6 viruses, 1 spyware) and disinfected the viruses. Here are the scan results:

Incident Status Location

Virus:Trj/Kolweb.E Disinfected C:\Documents and Settings\Brian Keith Brimmer\Local Settings\Temp\19B.tmp
Adware:Adware/SearchExe No disinfected C:\Program Files\Hijack This ver. 1.99\backups\backup-20050808-022539-153.dll
Virus:Trj/Kolweb.E Disinfected C:\WINDOWS\e9i4k.sys
Virus:Trj/Kolweb.E Disinfected C:\WINDOWS\system32\2zrn1m.exe
Virus:Trj/Kolweb.E Disinfected C:\WINDOWS\system32\e9i4k.sys
Virus:Trj/Kolweb.E Disinfected C:\WINDOWS\system32\mirindaspg.exe
Virus:Trj/Kolweb.E Disinfected C:\WINDOWS\system32\tyj0nh.dll




I will run Stinger and send those results on in a little while.

~~bkb
  • 0

#10
bkbrimmer

bkbrimmer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
By the way Sam ~~

I refreshed my ignore list so I could send you a HJT log. Here it is...


Logfile of HijackThis v1.99.1
Scan saved at 11:27:16 PM, on 9/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Brian Keith Brimmer\Local Settings\Temporary Internet Files\Content.IE5\XX46BNL0\stinger[1].exe
C:\Program Files\Hijack This ver. 1.99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {23912BB0-CC9F-4C69-83D4-19C2B183BA91} - http://ns-radio.nets...cabs/radiox.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

Advertisements


#11
bkbrimmer

bkbrimmer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi again ~~

Well, msshed32.exe finally showed back up in my system32 folder during a downloading session in Morpheus. HJT caught it. Here is the latest log (minus a bunch of stuff I put on the ignore list) with msshed32.exe listed at the bottom (04) along with another one I'm suspicious about (018, just under the msshed32.exe listing). Again, it was allowed because it is on my "white list," and I wish I could put it on my "black list." By the way, the Stinger run I did only said that it did not clean or repair any viruses and that my C drive had 47,715 clean files. That's all.

Logfile of HijackThis v1.99.1
Scan saved at 12:49:09 AM, on 9/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Brian Keith Brimmer\Local Settings\Temporary Internet Files\Content.IE5\XX46BNL0\stinger[1].exe
C:\Program Files\Hijack This ver. 1.99\HijackThis.exe
C:\WINDOWS\System32\mirindaspg.exe

O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\System32\msshed32.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
  • 0

#12
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Here's the problem. Your Windows is unpatched and completely open to infection. Unless you update to at least SP1a you will continuously become infected and we are both just wasting out time here.

You can download the updates from here.
http://windowsupdate.microsoft.com/
  • 0

#13
bkbrimmer

bkbrimmer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
OK Sam. Thanks for your time. I'll patch up with SP2. ~~ bkb
  • 0

#14
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Once you have at least SP1 installed, post a new hijackthis log and we'll continue from there.
  • 0

#15
bkbrimmer

bkbrimmer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
OK. Here it is:


Logfile of HijackThis v1.99.1
Scan saved at 10:38:24 PM, on 9/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This ver. 1.99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;<local>
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{07A552AB-5A27-4FB7-B177-277423C561E3}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{07A552AB-5A27-4FB7-B177-277423C561E3}: NameServer = 64.136.20.121 64.136.28.121
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP