
[Solved] Another Search Exe question

Discussion in 'Virus & Other Malware Removal' started by Eiki, Mar 31, 2004.

Thread Status:
Not open for further replies.
  1. Eiki

    Eiki Thread Starter

    Joined:
    Mar 31, 2004
    Messages:
    7
    Firstly, thank you, whoever is reading this message. It's been a mind-boggling endeavor for the past week to identify what is incorrect and causing my PC to act as it is. I've looked everywhere and tried everything to get rid of this item, however, alas, with no result - actually just making it worse, I think. I hope that you can be of help, and thank you for your time.

    I've identified that I have the searchexe issue on my computer. Yet I think there are more issues since I cannot open IE anymore, and various functions on my start menu/shortcuts (start menu e.g. search files/folders, short cuts - IE doesn't open (although when I run task manager it shows it is running)) do not function anymore.

    I have downloaded/run numerous spyware programs - XoftSpy, Ad-Aware 6.0, Norton, Stinger (McAfee), SpyHunter and numerous others I unfortunately cannot recall the names of, that have identified the problems on my PC and supposedly deleted them. Still, I have not gotten rid of the searchexe "bug", for lack of a better term.

    I am attaching my HijackThis logs, in hope that possibly you could help me identify what I would need to do.

    Again, thank you very much for your help and time.

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\SYSTEM32\DNTUS26.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\loadqm.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\BROWSE~1\online plan.exe
    C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Netscape\Communicator\Program\netscape.exe
    C:\My Download Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {B04EE623-86AB-2000-09A3-46B7413EEAAD} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Mix sign - {5CA75F01-6484-3C2F-B698-731199071E63} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Services] C:\WINNT\system32\sna.exe
    O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
    O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
    O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4344/mcfscan.cab
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Hi Eiki

    Welcome to TSG! :)

    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/in...p://about :blank

    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

    O2 - BHO: (no name) - {B04EE623-86AB-2000-09A3-46B7413EEAAD} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll

    O3 - Toolbar: Mix sign - {5CA75F01-6484-3C2F-B698-731199071E63} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKLM\..\Run: [Services] C:\WINNT\system32\sna.exe

    O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"


    Restart to safe mode and delete:

    The C:\Program Files\AutoUpdate folder
    The C:\Program Files\BROWSE~1 folder (See *Note below)
    The C:\Program Files\CURBBA~1 folder (See *Note below)
    The C:\WINNT\system32\sna.exe file

    Note: I have no way of knowing the exact names of these folders, but the first six letters of each one will be BROWSE and CURBBA.

    How to start your computer in safe mode

    These really look suspicious:

    O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll

    O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat

    O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe


    This one in particular:

    TaskMgnr.exe

    The first two both have legitimate file names, but I've never seen them starting from those locations. The TaskMgnr.exe isn't a legitimate Windows file. It should be Taskmgr.exe.

    Let's start by checking out the TaskMgnr.exe file.

    Go here

    Scroll to the bottom of the page and look for the Submit file section.

    Click on Browse

    Navigate to the c:\winnt\system32\drivers\disdn\OEM folder and upload the .... Taskmgr.exe .... file and let us know what you find.
     
  3. Option^Expli

    Option^Expli

    Joined:
    Aug 18, 2003
    Messages:
    65
    Lotsa Trojans ...



    C:\WINNT\SYSTEM32\DNTUS26.EXE can be monitoring software if this computer is owned by a company, office, etc. I'm guessing it is just used as a trojan.

    On my Win2000 fresh install, I had TaskMgnr.exe all over the place, and would return on every reboot.
    You actually can't clean a Win2000 computer unless you have it patched to date, or you'll have this stuff back on the next reboot.. TaskMgnr.exe you didn't download, it just migrates into the system when you are online.

    Download a firewall somewhere (even if just to stay protected until all MS Updates can be installed), and open Network Connections, find your adapter used to connect to the Internet, and uncheck File and Printer Sharing for MS Networks.

    I couldn't see the top portion of the HJT log, so I don't know what Service Packs you have installed.
    You can check if you are at least patched with the 2 most critical patches (MS_KB824146): use my Utility, click "Am I patched" and wait for status.
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Thanks OE. I knew something was wrong there, but I've never seen any of those before and I couldn't find anything about them anywhere. Do you know what trojan that is?
     
  5. Eiki

    Eiki Thread Starter

    Joined:
    Mar 31, 2004
    Messages:
    7
    Thank you both for such a quick response .... I will have to check tonight. I will let you know what I find/resolve. :rolleyes: Thank you.
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    (y)

    Let us know how it goes.
     
  7. Eiki

    Eiki Thread Starter

    Joined:
    Mar 31, 2004
    Messages:
    7
    Flrman1 and OE, thank you!

    It’s taken me a few hours to go through all the different items you suggested, but all I can say as an end-result is -- Wow! How wonderful my computer is working so far. Thank you. I did want to run down what I did (for other people to possibly benefit) – and would have not known without your guidance.

    1. I followed your (Flrman1) instruction to run the HijackThis log again and deleted the files.
    2. Started in safe mode and deleted all files except one (C:\WINNT\system32\sna.exe), which I couldn’t find. Below I’ve included the details of the files I deleted. Thought this may be of help to you.
    3. Per OE’s recommendation, downloaded a Security Internet software with a firewall (I had some security, but not enough)
    4. and updated my MS 2000 to newest patch – 4.

    So, after all this I can say… Wonderful!!!

    1. searchexe is gone! It really is a nasty bugger…
    2. I can open my files again! My computer, my search in start up menu etc. (Very happy)
    3. and believe it or not, my menus and startup look a little different (like they used to) and my Explorer and Windows are working extremely fast


    Lastly, as you recommended, I ran the TaskMgr.exe. Unfortunately, the file must be very big, since I only received an error message page after I submitted the file on your recommended link.

    Lastly, per your recommendation, I think there are still some issues with my computer. I will post my current Hijackthis log in a separate posting. I do want to try to figure out what else I need to delete and get rid of. **Note that in my review in safe mode I came across a very questionable application – (two different files) – drwatson, DRWTSN32. I do not think this is supposed to be in my system. Any suggestions?

    Here are the details of the files I deleted – hopefully this gives you some insight or help moving forward with other people running into this problem:

    Deleted files out of C:\Program Files:
    Folder: browsowns
    File names/types:
    online plan 228k application
    sixth ante vc 24kb application
    style 6kb application

    Folder: CurbBashDrive
    File names/types:
    6341 55kb application
    FileDogFile 1kb DAT
    FileDogFileFile 1kb DAT
    HopeDogFile 1kb DAT
    Folder:
    File, DRIVE BASH, FileCurbBashDrive (each of these folders had the same file):
    File names/types:
    HopeDogFile 1kb DAT

    Folder: AutoUpdate
    File names/types:
    No file names/types appeared – appeared to be an empty folder.

    I’ll post my HijackThis files in another reply.

    Thank you.
     
  8. Eiki

    Eiki Thread Starter

    Joined:
    Mar 31, 2004
    Messages:
    7
    Hi again, here is my latest, up-to-date HijackThis file.... Thank you! If you see anything that is questionable, I'd appreciate you letting me know. Also, I checked the drwatson files and they gave me an OK result, so I suppose these files are legit.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:22:44 PM, on 4/1/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINNT\SYSTEM32\DNTUS26.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\My Download Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.placesoftheworld.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
    O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
    O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4344/mcfscan.cab
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe

    O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll

    O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat

    O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe


    Restart to safe mode and delete:

    The C:\Program Files\BROWSE~1 folder
    The c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe file
     
  10. Eiki

    Eiki Thread Starter

    Joined:
    Mar 31, 2004
    Messages:
    7
    Thank you flrman1. For some reason I cannot find the file C:\Program files\BROWSE... folder in safe mode or when looking at my program files. I've even gone through the different folders to see if it is there, but can't seem to find it.

    Thank you very much for your help. I'll make sure to recommend your help and the site to my friends.

    I'm posting my hijackthis file... hopefully I got everything. Thank you.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:12:54 PM, on 4/2/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINNT\SYSTEM32\DNTUS26.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\My Download Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.placesoftheworld.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4344/mcfscan.cab
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Did you look for a folder beginning with BROWSE? That is not the full name of the folder.

    The log looks good now. I'd be interested to see if Option^Expli has anything to add.
     
  12. Option^Expli

    Option^Expli

    Joined:
    Aug 18, 2003
    Messages:
    65
    Eiki

    Download this utility KillBox and unzip to your desktop.
    Copy & paste each of these lines and click "Kill File" and wait for success/fail message.

    c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
    c:\winnt\system32\drivers\disdn\OEM\WinNt.exe
    c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe
    c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
    c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
    C:\PROGRA~1\BROWSE~1\online plan.exe
    C:\Program Files\BROWSE~1


    and this one is still running:

    C:\WINNT\SYSTEM32\DNTUS26.EXE

    The more I look at it, the more it looks like something you never purposely installed. Add it to the KillBox as well and kill it.
    All these files will be backed up if we need them to restore, submit, etc.
    This is a little easier than finding files manually in safe mode.
    Do that, then post a new HijackThis log (y)
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    OE I was about 90% sure that those other files in the OEM folder should be deleted, but I wanted to see what you had to say first.

    Do you know what trojan this is?
     
  14. Option^Expli

    Option^Expli

    Joined:
    Aug 18, 2003
    Messages:
    65
    Yeah, the whole OEM folder and whatever is inside should be deleted.
    As for the trojan, just looking at info on the DNTUS26.EXE, I can't get any 100% answer on it, but it always looks suspicious.

    This link makes this look very bad. That's why I say: kill it; if need be you can always put it back.

    Also there is no startup entry for it, yet it runs, so it's either running as a service or being started by something else. It claims to be part of legitimate "monitoring software", yet I see no reference to any legitimate company name, etc.

    Dunno what to say; I wouldn't let that thing run on my system unless I had some hard info as to why it was needed, and what installed it.
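    As an added example (not code from the thread or from any of its participants), the script below applies the two heuristics the helpers use by eye in this thread: Flrman1's point that TaskMgnr.exe is one letter off a genuine Windows file and that WinMgmt.exe should not be starting from drivers\disdn\OEM, and Option^Expli's point that DNTUS26.EXE runs without any O4 startup entry. The allowlist of system binaries and their home directories is a small hand-built assumption, and the sample log lines are copied from the logs posted above.

```python
"""Triage heuristics for a HijackThis-style log (added example, not the thread's own code).
Check 1: a file name one edit away from a genuine Windows binary (TaskMgnr.exe vs taskmgr.exe),
or a genuine name running outside its home directory (WinMgmt.exe under drivers\\disdn\\OEM).
Check 2: a running process with no O4 autostart entry (DNTUS26.EXE), so something else starts it."""
import re
from typing import Dict, List, Tuple

# Assumed hand-built allowlist: lowercase name -> directories it legitimately runs from on
# this Windows 2000 box. A real tool would consult a maintained file database instead.
KNOWN_SYSTEM_BINARIES: Dict[str, Tuple[str, ...]] = {
    "taskmgr.exe":  (r"c:\winnt\system32",),
    "winmgmt.exe":  (r"c:\winnt\system32\wbem",),
    "smss.exe":     (r"c:\winnt\system32",),
    "svchost.exe":  (r"c:\winnt\system32",),
    "explorer.exe": (r"c:\winnt",),
}
# Drive-letter path ending in .exe/.dll/.bat; lazy, so several paths on one O4 line split apart.
PATH_RE = re.compile(r'[a-zA-Z]:\\[^"\r\n]*?\.(?:exe|dll|bat)\b', re.IGNORECASE)

# Constructed excerpt: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
C:\Program Files\QuickTime\qttask.exe

O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

def parse_log(text: str) -> Tuple[List[str], List[str]]:
    """Return (running process paths, every path named in an O4 autostart entry)."""
    running, autostart, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
        elif in_processes and line:
            running.append(line)
        elif in_processes:
            in_processes = False  # a blank line closes the process list
        elif line.startswith("O4 - "):
            autostart.extend(PATH_RE.findall(line))
    return running, autostart

def split_path(path: str) -> Tuple[str, str]:
    """Lowercase a Windows path, drop surrounding quotes, split into (directory, file name)."""
    directory, _, name = path.strip('"').lower().rpartition("\\")
    return directory, name

def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 means a single inserted, deleted or substituted character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_path(path: str) -> List[str]:
    """Flag lookalike names and genuine system names running from the wrong directory."""
    directory, name = split_path(path)
    full, findings = f"{directory}\\{name}", []
    if name in KNOWN_SYSTEM_BINARIES:
        if directory not in KNOWN_SYSTEM_BINARIES[name]:
            findings.append(f"{full}: genuine system file name outside its normal directory")
    else:
        for known in KNOWN_SYSTEM_BINARIES:
            if levenshtein(name, known) == 1:
                findings.append(f"{full}: name is one edit away from {known}")
    return findings

def triage(text: str) -> List[str]:
    """Run both checks over a log and return de-duplicated findings in log order."""
    running, autostart = parse_log(text)
    findings = [f for path in running + autostart for f in check_path(path)]
    autostart_set = {split_path(p) for p in autostart}
    for path in running:
        directory, name = split_path(path)
        # Core system processes start via the kernel/SCM, not Run keys, so they are skipped here.
        if name not in KNOWN_SYSTEM_BINARIES and (directory, name) not in autostart_set:
            findings.append(f"{directory}\\{name}: running but has no O4 autostart entry")
    return list(dict.fromkeys(findings))  # drop duplicates, keep order

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

    On the sample excerpt this reports exactly the three items the helpers singled out; a file that passes both checks is not thereby proven clean, only unremarkable to these two heuristics.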
     
  15. Eiki

    Eiki Thread Starter

    Joined:
    Mar 31, 2004
    Messages:
    7
    Hello flrman1 and OE. Thank you for all your input. It appears, however, that I cannot find certain of the files that you are requesting me to delete. I feel somewhat lost, since it appears you can see them on my logs, and I can't find them on my computer.

    I found only two of the eight files OE pointed out, which I deleted (through the link provided):

    Files found and deleted:
    c:\winnt\system32\drivers\disdn\OEM\WinNt.exe
    C:\WINNT\SYSTEM32\DNTUS26.EXE

    Files not found:
    c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
    c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe
    c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
    c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
    C:\PROGRA~1\BROWSE~1\online plan.exe
    C:\Program Files\BROWSE~1

    I've attached in the document some of my search results and also screen views for you to see what is in the OEM folder - really not sure where the files are - I've also used search to find them and they were not on my system. Apart from one (WinMgmt). I've included my search result for that file since I'm not sure if these are the files you want me to delete. Please see attached doc.

    Lastly, unfortunately, I still cannot find any files that have "Browse" in my program files or c drive. I've looked through most of the folders to try to see if it's possibly in another folder. Also, I've searched for the online plan.exe and cannot find it. Not sure what to do? :rolleyes:

    I am posting my hijack this logs again as well. Thank you!!

    I've attached the screengrabs and hijack this files in the techguy_files.doc
     
Short URL to this thread: https://techguy.org/216383