Eek!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Jace Vorel

Thread Starter
Joined
Oct 16, 2003
Messages
18
Hi! I'm new to this whole HijackThis thingy, so could someone take a look at this for me?:

Logfile of HijackThis v1.97.3
Scan saved at 9:40:38 AM, on 17/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\PDG 3\pdg.exe
C:\Documents and Settings\All Users\Documents\Downloads\Apps\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O1 - Hosts: 3510794918 auto.search.msn.com
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\System32\tapicfg.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DKQXBHOU] C:\WINDOWS\DKQXBHOU.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\Web\win.def (file missing)
O19 - User stylesheet: C:\WINDOWS\default.css (file missing) (HKLM)


I recently found 3 viruses on my system - "AnyWindowsBF.BruteForce"(or something to like that), "Trojan.Qhosts.A" and "Trojan.Bootconf". I thought I'd gotten rid of them, but they keep showing up - HELP!!
 

Jace Vorel

Thread Starter
Joined
Oct 16, 2003
Messages
18
Jeez! Talk about having ones system wide open! anyway, here's my new (and hopefully improved) log:

Logfile of HijackThis v1.97.3
Scan saved at 12:44:27 PM, on 17/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\supervisor.exe
C:\Documents and Settings\All Users\Documents\Downloads\Apps\HijackThis.exe

O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DKQXBHOU] C:\WINDOWS\DKQXBHOU.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37910.7357407407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



-Scott
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
this looks like a virus
O4 - HKLM\..\Run: [DKQXBHOU] C:\WINDOWS\DKQXBHOU.exe

and I have no idea what this one is,
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
it could be to do with a lan manager but I'm not sure

for now
Run an online antivirus check from at least one of the following sites
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/

and then post back, while we attempt to do some research about the supervisor.exe entry
 

Jace Vorel

Thread Starter
Joined
Oct 16, 2003
Messages
18
Symantec Exposure Report: Port 445 open / ICMP Echo returned positive. Everything else: OK

Panda Active Scan: No Virus detected

Norton Realtime Scan: No virus Detected

I think supervisor.exe is related to PCDoorGuard 3 (also returned nothing in a virus scan)
 
Joined
Mar 25, 2001
Messages
3,334
Originally posted by AcaCandy:
Derek, I saw a post Eddie made back in time that mentioned it could be part of the script blocking in Norton? Does that make any sense? Also, it appears the user is running two virus programs......

http://forums.techguy.org/showthread.php?postid=290525#post290525

Candy....in looking closely at Eddie's post I'm not sure he was attributing supervisor.exe to NAV script blocking. Looks to me by not having any description next to it, he was in effect leaving it blank.

Much like the look on my face....... :p

MHO anyway.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Good golly batman, you might be right :D

What was I thinking earlier :eek: Of course that was prior to my tavern visit :eek:
 
Joined
Mar 25, 2001
Messages
3,334
Jace

If you're confident about supervisor.exe being a legitimate application, leave it for now.

I would take out this entry:

O4 - HKLM\..\Run: [DKQXBHOU] C:\WINDOWS\DKQXBHOU.exe


......close your browser, check the item in HJT, click Fix.

Reboot.

FYI, HJT has a backup feature if you need to restore an entry.

:)
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
run hijackthis, tick all below, doublecheck to make sure you haven't missed any, close all browser windows & press fix checked

O4 - HKLM\..\Run: [DKQXBHOU] C:\WINDOWS\DKQXBHOU.exe

then reboot & delete C:\WINDOWS\DKQXBHOU.exe

If it isn't a virus then it's definitely a spyware/adware pop up ads baddie

I am sure eventually we will find out what supervisor.exe is

for now can you navigate to C:\WINDOWS\supervisor.exe right click the file and look at it's properties and see which company If any is listed as it's installer/maker etc
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Jace

there can be major problems when running more than one AV

the main problem is that several of the major AV's clash and the result can be a virus getting through as neither actually gets to deal with it. What happens is that say Norton finds it & locks it to deal with, but mc'affee also finds the same virus, but locks a different infected file first, then neither can delete the virus becuse the other one has locked the files as in use and unable to be deleted.

also some av's find false viruses in the other av's definition file and try to remove them with drastic consequenses.

by all means have a second av as a backup, but only allow one to autoprotect the system and just run manual scans withn the second one.
 

Jace Vorel

Thread Starter
Joined
Oct 16, 2003
Messages
18
So what do you guys recommend along the lines of AV software? Norton? PC-cillian? Something else entirely??
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Originally posted by Jace Vorel:
So what do you guys recommend along the lines of AV software? Norton? PC-cillian? Something else entirely??

You would open that can of worms again :D

500 different people will give you 500 different answers.

I use AVG 7 now which suits me fine, many use AVG free edition, lots of forum users are perfectly happy with it and it appears to work well.

Others swear by NOD
some say Norton

The consensus seems to be that MC'affee isn't the best at the moment
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top