Skip to main content

zbestwun2001

3 Apprentice

 • 

8.8K Posts

February 4th, 2005 16:00

C:\WINDOWS\MFCBR.EXE
Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following

C:\WINDOWS\SYSTEM\SDKFH.EXE
C:\WINDOWS\MFCBR.EXE

Now double-check and make sure that only those item(s) above are highlighted, then click " Kill process". Now, click " Refresh", check again, and repeat this step if any remain.

Run HiJackThis and click " Scan", then check(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ArcZip Internet Explorer
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SDKFH.EXE] C:\WINDOWS\SYSTEM\SDKFH.EXE
O4 - HKLM\..\RunServices: [MFCBR.EXE] C:\WINDOWS\MFCBR.EXE
C:\WINDOWS\SYSTEM\SDKFH.EXE


Reboot, rescan and repost a new log.
Steve

Message Edited by zbestwun2001 on 02-04-2005 10:31 AM

zbestwun2001

3 Apprentice

 • 

8.8K Posts

February 4th, 2005 19:00

Mike
How dare you! I will hunt you down like a dog!!
Of course I don't mind!!!!!!

Steve

Midnight Star

4.8K Posts

February 4th, 2005 19:00

Steve,

I hope you don't mind me jumping in on this one, but this particular infection, i've found, can be quite tenacious:


Download, then unzip to " C:\HJT", the newest version of HiJackThis; version 1.99.0. Now, let's do the following:

1. Click " Scan"
2. Click " Save log"

Notepad will pop-up with a copy of your system long, then:

1. " Edit | Select all"
2. " Edit | Copy"

Next, let's " Reply" back to this post, then:

1. Right-click on the message body.
2. Select " Paste"

Then just " Post" the message, and we'll analyze your log shortly, then post back any recommendation(s).



First, we'll need to download three programs to help us deal with the "About:Blank" infection:

1. Download and unzip to your desktop CWShredder.
2. Download and unzip to your desktop About:Buster.
3. Download and unzip to your desktop Service Filter.

Next, reboot your computer into " Safe Mode", then:

4. Run CWShredder, and click " Fix ->"
5. Run AboutBuster, and click "Start". Be sure when 'prompted', to make the second pass.

Reboot your computer normally.

6. Run ServiceFilter.vbs.

7. Run HiJackThis, click " Scan", then " Save log".
8. Post back the contents of the HiJackThis log, AboutBuster log and Service Filter log.


Mike.

Midnight Star

4.8K Posts

February 4th, 2005 20:00

WAIT! What was that!!!!! Steve, is that .... AAAAAAAAAAAAAAAAAAAHHHHH!!!!
 
...
...
...
...
 
 

Jo d

11 Posts

February 5th, 2005 01:00

Midnight Star,

Here is the new Log. I will continue with your other recomendations while you analyze.

Thanks

Logfile of HijackThis v1.99.0

Scan saved at 8:02:34 PM, on 2/4/05

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE

C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

C:\WINDOWS\MFCBR.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE

C:\MOUSE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\SYSTEM\USBMONIT.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE

C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE

C:\WINDOWS\SYSTEM\SDKFH.EXE

C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\SWTRAY.EXE

C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE

C:\WINDOWS\SYSTEM\HIDSERV.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ArcZip Internet Explorer

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {E2EE63AA-6042-4A78-50B3-4072F042785E} - C:\WINDOWS\MSMU32.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [Microsoft IntelliType Pro] C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SpeedKey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe

O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [SDKFH.EXE] C:\WINDOWS\SYSTEM\SDKFH.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE

O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

O4 - HKLM\..\RunServices: [MFCBR.EXE] C:\WINDOWS\MFCBR.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: SwTray.lnk = C:\Program Files\Microsoft Hardware\Game Controllers\SWTRAY.EXE

O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Dell Home - {B8F8C120-A1E1-11D3-AABD-909646C10000} - http://www.dell.com/ (file missing) (HKCU)

O16 - DPF: {6DF12A36-50A0-11D5-ADF8-0050DA74F67C} (UniPrintWebCab Control) - http://63.127.69.74/UniPrintWeb.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/dell/site/PCPitStop.CAB

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.swett-net.com/ICAWEB/en/ica32/ica32t.exe

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL

 

Midnight Star

4.8K Posts

February 5th, 2005 02:00

Jo d,

Your welcome! When you get the chance let's look at these two files, if there still left; my first impression is that, they will be 'bad'.


Go to www.kaspersky.com, then:

1.  Click " Online virus scanner"
2.  Click " Browse", then browse to, then doubleclick on the following file(s), one at a time:
 
C:\WINDOWS\MFCBR.EXE
C:\WINDOWS\SYSTEM\SDKFH.EXE
 
3.  Click " Submit"
4.  Post back the results.

 
Mike.
 
 

Jo d

11 Posts

February 5th, 2005 02:00

Scanned file:   mfcbr.exe

mfcbr.exe - infected by Backdoor.Win32.Small.dc

Scanned file:   sdkfh.exe

sdkfh.exe - OK

Jo d

11 Posts

February 5th, 2005 03:00

Midnight Star,

Here is the log for  Hijack this and About Buster. The Service Filter would not work as I am still using WIN98. What should I do next?

Logfile of HijackThis v1.99.0

Scan saved at 9:02:53 PM, on 2/4/05

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE

C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

C:\WINDOWS\MFCBR.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE

C:\MOUSE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\SYSTEM\USBMONIT.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE

C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE

C:\WINDOWS\SYSTEM\SDKFH.EXE

C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\SWTRAY.EXE

C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE

C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE

C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE

C:\WINDOWS\SYSTEM\HIDSERV.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\HPZIPM12.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ozfcd.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ArcZip Internet Explorer

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {E2EE63AA-6042-4A78-50B3-4072F042785E} - C:\WINDOWS\MSMU32.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [Microsoft IntelliType Pro] C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SpeedKey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe

O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [SDKFH.EXE] C:\WINDOWS\SYSTEM\SDKFH.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE

O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

O4 - HKLM\..\RunServices: [MFCBR.EXE] C:\WINDOWS\MFCBR.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: SwTray.lnk = C:\Program Files\Microsoft Hardware\Game Controllers\SWTRAY.EXE

O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Dell Home - {B8F8C120-A1E1-11D3-AABD-909646C10000} - http://www.dell.com/ (file missing) (HKCU)

O16 - DPF: {6DF12A36-50A0-11D5-ADF8-0050DA74F67C} (UniPrintWebCab Control) - http://63.127.69.74/UniPrintWeb.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/dell/site/PCPitStop.CAB

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.swett-net.com/ICAWEB/en/ica32/ica32t.exe

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL

SCAN 1

About Buster Version 4.0
Reference List: 19

ADS not scanned System(FAT)
Attempted Clean of Temp folder
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Scan 2
About Buster Version 4.0
Reference List: 19

ADS not scanned System(FAT)
Attempted Clean of Temp folder.
Pages Reset... Done!

Midnight Star

4.8K Posts

February 5th, 2005 15:00

Jo d,
 
I'm not really comfortable with the SDKFH.exe since it seems to be new to GOOGLE. We can keep it from starting up, but not delete the file from your harddrive. Then if everything still runs ok, we can easily restore the entry back. It might be something completely new, not sure just yet. If it is 'bad' and we leave it running, it might cause more damage as time goes on.
 

Go to Add/Remove programs and remove(uninstall) the following, if present:
 
    Web Related
 
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.
 

Next, Open a command prompt by:
 
1.  Clicking " Start", then " Run...".
2.  Enter " cmd" ( without the quotes).
3.  Enter " services.msc" ( without the quotes).
 
-
 
Now, locate and ' stop' the following services, if present:
 
MFCBR.EXE ...
 
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.
 

Run HiJackThis then:
 
1.  Click " Config..."
2.  Click " Misc Tools"
3.  Click " Open Process manager"
 
-
 
Next, while holding down the CTRL key, locate ( if present) and click on ( highlight) each of the following:
 
    C:\WINDOWS\MFCBR.EXE
    C:\WINDOWS\SYSTEM\SDKFH.EXE
 
Now double-check and make sure that only those item(s) above are highlighted, then click " Kill process". Now, click " Refresh", check again, and repeat this step if any remain.
 

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
 
regsvr32  /u  MSMU32.DLL
 
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.


Run HiJackThis and click " Scan", then check(tick) the following, if present:
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ozfcd.dll/sp.html#28129
 
R3 - Default URLSearchHook is missing
 
O2 - BHO: Class - {E2EE63AA-6042-4A78-50B3-4072F042785E} - C:\WINDOWS\MSMU32.DLL
 
O4 - HKLM\..\Run: [SDKFH.EXE] C:\WINDOWS\SYSTEM\SDKFH.EXE
O4 - HKLM\..\RunServices: [MFCBR.EXE] C:\WINDOWS\MFCBR.EXE
 
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
 

Now, with all windows closed except HiJackThis, click " Fix checked".
 

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
 
files...
 
    C:\WINDOWS\MFCBR.EXE
     C:\WINDOWS\ozfcd.dll
    C:\WINDOWS\MSMU32.DLL
 
-
 
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from " Safe Mode".
 

Post back a new log.
 
-
 
Mike.
 

Jo d

11 Posts

February 5th, 2005 22:00

Midnight Star,
Thanks for all your help. I think this thing is beat. I spent all last night downlaoding and scanning disk for Virus. It is all clean now hopefully that is the last of it. Here is my Hijack this log.

Logfile of HijackThis v1.99.0
Scan saved at 4:20:15 PM, on 2/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\WINDOWS\SYSTEM\SDKFH.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\SWTRAY.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\NETWF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\NETWF.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DFE091D2-CAB9-B062-4548-24A5F62AEB7A} - C:\WINDOWS\ATLLB32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SpeedKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SDKFH.EXE] C:\WINDOWS\SYSTEM\SDKFH.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [kavsvc] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O4 - HKLM\..\RunServices: [NETWF.EXE] C:\WINDOWS\SYSTEM\NETWF.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SwTray.lnk = C:\Program Files\Microsoft Hardware\Game Controllers\SWTRAY.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {B8F8C120-A1E1-11D3-AABD-909646C10000} - http://www.dell.com/ (file missing) (HKCU)
O16 - DPF: {6DF12A36-50A0-11D5-ADF8-0050DA74F67C} (UniPrintWebCab Control) - http://63.127.69.74/UniPrintWeb.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/dell/site/PCPitStop.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL

Midnight Star

4.8K Posts

February 5th, 2005 22:00

Jo d,

Do you have any idea what this might be?

Class - {DFE091D2-CAB9-B062-4548-24A5F62AEB7A} - C:\WINDOWS\ATLLB32.DLL

-

Let's see if this scan can pick anything up, if you haven't ran this already...


Download mwav.exe from MicroWorld, then:

1. Double-click the mwav.exe icon to run it ( it'll self extract).
2. Click " Scan".
3. When it completes, post back the results from the 'Virus log information' pane.


Mike.

Jo d

11 Posts

February 6th, 2005 04:00

Midnight Star,
No idea on what that DLL is. Here is a copy of the log from the MWAV.

Sat Feb 05 22:41:08 2005 => Total Files Scanned: 114855
Sat Feb 05 22:41:08 2005 => Total Virus(es) Found: 0
Sat Feb 05 22:41:08 2005 => Total Disinfected Files: 0
Sat Feb 05 22:41:08 2005 => Total Files Renamed: 0
Sat Feb 05 22:41:08 2005 => Total Deleted Files: 0
Sat Feb 05 22:41:08 2005 => Total Errors: 6
Sat Feb 05 22:41:09 2005 => Time Elapsed: 00:54:06
Sat Feb 05 22:41:09 2005 => Virus Database Date: 2005/02/06
Sat Feb 05 22:41:09 2005 => Virus Database Count: 110647

Sat Feb 05 22:41:09 2005 => Scan Completed.

Midnight Star

4.8K Posts

February 6th, 2005 11:00

Jo d,

I think we're in good shape! - Good work!


If everything is running ok, let's do some cleanup...

1.  Run "Disk Cleanup" and allow it to remove everything it finds.

2.  If you've downloaded MicroWorld AV (MWAV), run it again - but don't scan, just click "Clear Log" and exit the program.

3.  Go to www.trendmicro.com and click "Free Online Scan", then "Scan now, it's free!". When it's downloaded, select all available drives, then check(tick) "Auto clean", then click "Scan".

4.  Run AdAware SE Personal and "perform a full system scan", then Spybot S&D, and "Check for Problems". Let them both remove the residual 'problems' left that HiJackThis couldn't fix.

5.  Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system point manually.
 


If your having any more problems, post back.

-

Happy surfing,

Mike.

 

Was this post helpful?

View All

No Events found!

Top