31-Mar-2004, 08:24 PM
#1

Firstly, thank you whomever is reading this message. It's been a mind-boggling endeavor for the past week to identify what is incorrect and causing my PC to act as it is. I've looked everywhere and tried everything to get rid of this item, however, alas, with no result - actually just making it worse I think. I hope that you can be of help and thank you for your time.

I've identified that I have the searchexe issue on my computer. Yet I think there are more issues since I cannot open IE anymore, and various functions on my start menu/shortcuts (start menu e.g. search files/folders, shortcuts - IE doesn't open (although when I run Task Manager it shows it is running)) do not function anymore. I have downloaded/run numerous spyware programs - XoftSpy, Ad-Aware 6.0, Norton, Stinger (McAfee), SpyHunter and numerous others I unfortunately cannot recall the names of, that have identified the problems on my PC, and supposedly deleted it. Still, I have not gotten rid of the searchexe "bug" for lack of a better term. I am attaching my HijackThis logs, in hope that possibly you could help me identify what I would need to do. Again, thank you very much for your help and time.

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\loadqm.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BROWSE~1\online plan.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/ind...://about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B04EE623-86AB-2000-09A3-46B7413EEAAD} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Mix sign - {5CA75F01-6484-3C2F-B698-731199071E63} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\sna.exe
O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...als/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...44/mcfscan.cab
31-Mar-2004, 08:53 PM
#2

Hi Eiki, welcome to TSG!

Run HijackThis again and put a check by these. Close all windows except HijackThis and click "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/in...p://about :blank
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {B04EE623-86AB-2000-09A3-46B7413EEAAD} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll
O3 - Toolbar: Mix sign - {5CA75F01-6484-3C2F-B698-731199071E63} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\sna.exe
O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

Restart to safe mode and delete:

The C:\Program Files\AutoUpdate folder
The C:\Program Files\BROWSE~1 folder (See *Note below)
The C:\Program Files\CURBBA~1 folder (See *Note below)
The C:\WINNT\system32\sna.exe file

*Note: I have no way of knowing the exact name of these folders, but the first six letters of each one will be BROWSE and CURBBA.

How to start your computer in safe mode

These really look suspicious:

O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe

This one in particular: TaskMgnr.exe

The first two have legitimate file names, but I've never seen them starting from those locations. The TaskMgnr.exe isn't a legitimate Windows file. It should be Taskmgr.exe.

Let's start by checking out the TaskMgnr.exe file. Go here. Scroll to the bottom of the page and look for the Submit file section. Click on Browse, navigate to the c:\winnt\system32\drivers\disdn\OEM folder and upload the .... Taskmgr.exe .... file and let us know what you find.

__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.

Last edited by flrman1; 31-Mar-2004 at 09:24 PM.
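The reasoning flrman1 applies above (a file name that imitates a Windows binary, a genuine system name started from a folder it does not live in, a Run value named like a system component but launching something else) can be turned into a first-pass triage of the O4 lines. This is an added example, not code from the thread or from HijackThis; the home-folder table, the rule that no program should start from under system32\drivers and the one-edit lookalike threshold are assumptions for a stock Windows 2000 box, and the sample O4 lines are copied from the first log in the thread.

```python
"""Heuristic triage of HijackThis O4 (Run-key autostart) entries.

Added example, not code from the thread or from HijackThis. Home-folder table
and the "no programs under drivers\" rule are assumptions for a stock Windows
2000 install; SAMPLE_LOG lines are copied from the first log in the thread.
"""
import re

# Assumption: where these binaries live on a stock Windows 2000 system.
SYSTEM_BINARIES = {
    "winlogon.exe": {r"c:\winnt\system32"},
    "services.exe": {r"c:\winnt\system32"},
    "lsass.exe": {r"c:\winnt\system32"},
    "svchost.exe": {r"c:\winnt\system32"},
    "taskmgr.exe": {r"c:\winnt\system32"},
    "winmgmt.exe": {r"c:\winnt\system32\wbem"},
}
MAX_EDITS = 1  # one inserted, deleted or changed character = lookalike

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Drive-letter path ending in .exe; spaces allowed because HijackThis shows the
# Run value verbatim and adware often leaves its path unquoted (online plan.exe).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe\b', re.IGNORECASE)

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\sna.exe
O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executables_in_command(cmd):
    """Every .exe path in a Run command, or the bare program name if none."""
    paths = PATH_RE.findall(cmd)
    return paths or cmd.strip().strip('"').split()[:1] or [cmd.strip()]

def triage_o4(line):
    """Return [(what, reason), ...] for one O4 Run line; [] when nothing stands out."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    findings = []
    exes = executables_in_command(m.group("cmd"))
    for exe in exes:
        folder, _, base = exe.lower().rpartition("\\")
        if base in SYSTEM_BINARIES:
            if folder and folder not in SYSTEM_BINARIES[base]:
                findings.append((exe, "system binary name outside its home folder"))
        else:
            stem = base[:-4] if base.endswith(".exe") else base
            for known in SYSTEM_BINARIES:
                if edit_distance(stem, known[:-4]) <= MAX_EDITS:
                    findings.append((exe, f"lookalike of {known}"))
        if "\\drivers\\" in folder + "\\":
            findings.append((exe, "program launched from the drivers tree"))
    # [Services] -> sna.exe, [WinMgmt] -> WinNt.exe: value name borrowed from a system component
    expected = m.group("name").lower() + ".exe"
    launched = exes[0].lower().rpartition("\\")[2]
    if expected in SYSTEM_BINARIES and launched != expected:
        findings.append((exes[0], f"Run value named {expected[:-4]} but launches {launched}"))
    return findings

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        for what, why in triage_o4(line):
            print(f"{line}\n    {what}: {why}")
```

On the sample it flags the Services, TaskMgnr, WinMgmt and WinNT entries and leaves mobsync, Winamp and ccApp alone; the CornFilm entry flrman1 also removed is not caught, since that one is recognised by its adware name rather than by any of these rules.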
31-Mar-2004, 10:03 PM
#3

Lotsa Trojans ...

C:\WINNT\SYSTEM32\DNTUS26.EXE can be monitoring software if this computer is owned by a company office, etc. I'm guessing it is just used as a trojan.

On my Win2000 fresh install, I had TaskMgnr.exe all over the place, and it would return on every reboot. You actually can't clean a Win2000 computer unless you have it patched to date, or you'll have this stuff back on the next reboot. TaskMgnr.exe you didn't download, it just migrates into the system when you are online.

Download a firewall somewhere (even if just to stay protected until all MS Updates can be installed), and open Network Connections and find your adapter used to connect to the Internet... uncheck File and Printer Sharing for MS Networks.

I couldn't see the top portion of the HJT log so I don't know what Service Packs you have installed. You can check if you are at least patched with the 2 most critical patches MS_KB824146: use my Utility, click "Am I patched" and wait for status.

__________________
All variables must be declared
01-Apr-2004, 10:21 PM
#7

flrman1 and OE, thank you! It's taken me a few hours to go through all the different items you suggested, but all I can say as an end result is -- Wow! How wonderful my computer is working so far. Thank you.

I did want to run down what I did (for other people to possibly benefit) - and would have not known without your guidance.

1. I followed your (flrman1) instruction to run the HijackThis log again and deleted the files.
2. Started in safe mode and deleted all files except one (C:\WINNT\system32\sna.exe); I couldn't find it. Below I've included the detail of the files I deleted. Thought this may be of help to you.
3. Per OE's recommendation, downloaded Internet security software with a firewall (I had some security, but not enough)
4. and updated my MS 2000 to the newest patch - 4.

So, after all this I can say... Wonderful!!!

1. searchexe is gone! It really is a nasty bugger...
2. I can open my files again! My Computer, my search in the Start menu etc. (Very happy)
3. and believe it or not, my menus and startup look a little different (like they used to) and my Explorer and Windows are working extremely fast.

Lastly, I ran as you recommended the TaskMgr.exe. Unfortunately, the file must be very big, since I only received an error message page after I submitted the file on your recommended link.

Lastly, per your recommendation, I think there are still some issues with my computer. I will post my current HijackThis log in a separate posting. I do want to try to figure out what else I need to delete and get rid of.

**Note that in my review in safe mode I came across a very questionable application - (two different files) - drwatson, DRWTSN32. I do not think this is supposed to be in my system. Any suggestions?

Here are the details of the files I deleted - hopefully this gives you some insight or help moving forward with other people running into this problem:

Deleted files out of C:\Program Files:

Folder: browsowns
File names/types: online plan 228k application; sixth ante vc 24kb application; style 6kb application

Folder: CurbBashDrive
File names/types: 6341 55kb application; FileDogFile 1kb DAT; FileDogFileFile 1kb DAT; HopeDogFile 1kb DAT

Folder: File, DRIVE BASH, FileCurbBashDrive (each of these folders had the same file):
File names/types: HopeDogFile 1kb DAT

Folder: AutoUpdate
File names/types: No file names/types appeared - appeared to be an empty folder.

I'll post my HijackThis files in another reply. Thank you.
01-Apr-2004, 10:31 PM
#8

Hi again,

Here is my latest, up-to-date HijackThis file.... Thank you! If you see anything that is questionable, I do appreciate you letting me know. Also, I checked the drwatson files and they gave me an OK result. So I suppose these files are legit.

Logfile of HijackThis v1.97.7
Scan saved at 10:22:44 PM, on 4/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Winamp\Winampa.exe
C:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.placesoftheworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...als/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...44/mcfscan.cab
02-Apr-2004, 05:48 PM
#9

Run HijackThis again and put a check by these. Close all windows except HijackThis and click "Fix checked":

O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe

Restart to safe mode and delete:

The C:\Program Files\BROWSE~1 folder
The c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe file

__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
02-Apr-2004, 08:23 PM
#10

Thank you flrman1. For some reason I cannot find the C:\Program Files\BROWSE... folder in safe mode or when looking at my Program Files. I've even gone through the different folders to see if it is there, but can't seem to find it. Thank you very much for your help. I'll make sure to recommend your help and the site to my friends.

I'm posting my HijackThis file... hopefully I got everything. Thank you.

Logfile of HijackThis v1.97.7
Scan saved at 8:12:54 PM, on 4/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.placesoftheworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...als/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...44/mcfscan.cab
02-Apr-2004, 09:42 PM
#12

Eiki

Download this utility KillBox and unzip it to your desktop. Copy & paste each of these lines and click "Kill File" and wait for the success/fail message.

c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
c:\winnt\system32\drivers\disdn\OEM\WinNt.exe
c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe
c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
C:\PROGRA~1\BROWSE~1\online plan.exe
C:\Program Files\BROWSE~1

and this one is still running:

C:\WINNT\SYSTEM32\DNTUS26.EXE

The more I look at it, the more it looks like something you never purposely installed. Add it to the KillBox as well and kill it. All these files will be backed up if we need them to restore, submit etc. This is a little easier than finding files manually in safe mode.

Do that, then post a new HijackThis log.

__________________
All variables must be declared
02-Apr-2004, 10:24 PM
#14

Yea, the whole OEM folder and whatever is inside should be deleted.

As for the trojan, just looking at info on the DNTUS26.EXE, I can't get any 100% answer on it, but it always looks suspicious. This Link makes this look very bad. That's why I say.. kill it; if need be you can always put it back. Also there is no startup entry for it.. yet it runs.. so it's either running as a service or being started by something else. It claims to be part of legitimate "Monitoring software" yet I see no reference to any legitimate company name etc. Dunno what to say, I wouldn't let that thing run on my system unless I had some hard info as to why it was needed, and what installed it.

__________________
All variables must be declared
04-Apr-2004, 09:46 PM
#15

Hello flrman1 and OE. Thank you for all your input. It appears however that I cannot find certain files that you are requesting me to delete. I feel somewhat lost, since it appears you can see them on my logs, and I can't find them on my computer.

I found only two of the eight files OE pointed out, which I deleted (through the link provided):

Files found and deleted:
c:\winnt\system32\drivers\disdn\OEM\WinNt.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE

Files not found:
c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe
c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
C:\PROGRA~1\BROWSE~1\online plan.exe
C:\Program Files\BROWSE~1

I've attached in the document some of my search results and also screen views for you to see what is in the OEM folder - really not sure where the files are - I've also used search to find them and they were not on my system, apart from one (WinMgmt). I've included my search result for that file since I'm not sure if these are the files you want me to delete. Please see attached doc.

Lastly, unfortunately, I still cannot find any files that have "Browse" in my Program Files or C drive. I've looked through most of the folders to try to see if it's possibly in another folder. Also, I've searched for the online plan.exe and cannot find it. Not sure what to do? I am posting my HijackThis logs again as well. Thank you!!

I've attached the screengrabs and HijackThis files in the techguy_files.doc