# Spyware doc found VNC Software



## angielynn (Apr 2, 2004)

Hello all

I just finished running Spyware Doctor (posted the log below). It's asking me to delete Common Components for VNC Software that were found in the registry. I'm not really sure what that is and wanted to know if it's OK to go ahead and delete it.

Thank You!


Infection Name Location Risk 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks## Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs## Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe## Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_GetUpdateRect Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_Timer Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_KeyPress Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_LButtonUp Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_MButtonUp Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_RButtonUp Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_Deferral Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe## Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_GetUpdateRect Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_Timer Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_KeyPress Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_LButtonUp Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_MButtonUp Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_RButtonUp Info 
Common Components for VNC Software HKU\S-1-5-21-1366262609-2759586855-3560938776-1006\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_Deferral Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks## Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs## Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe## Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_GetUpdateRect Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_Timer Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_KeyPress Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_LButtonUp Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_MButtonUp Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_RButtonUp Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpofxm08.exe##use_Deferral Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe## Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_GetUpdateRect Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_Timer Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_KeyPress Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_LButtonUp Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_MButtonUp Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_RButtonUp Info 
Common Components for VNC Software HKCU\Software\ORL\VNCHooks\Application_Prefs\hpqtra08.exe##use_Deferral Info


----------



## khazars (Feb 15, 2004)

Hi, welcome to TSG.

Download HijackThis from the link below. Please do this. Click here:

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

to download HijackThis. Click scan and save a logfile, then post it here so 
we can take a look at it for you. Don't click fix on anything in HijackThis
as most of the files are legitimate.


----------



## angielynn (Apr 2, 2004)

Thank you khazars!

Here's my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 7:04:03 AM, on 7/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Temp\program stuff\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095572800578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


----------



## khazars (Feb 15, 2004)

Your log is clean!

As far as I know, and you should know more than me about this, that software is legitimate! What is VNC software?

Let's run a few tools to make sure, but I wouldn't go deleting those items found by spydoctor just yet!

Download CCleaner

http://www.ccleaner.com/

* Install CCleaner
* Launch CCleaner and look in the upper right corner and click on the "Options" button.
* Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
* Click OK
* Do not run CCleaner yet. You will run it later in safe mode.

Note: If you are not instructed to boot to safe mode to run another 
application, then just run CCleaner in normal mode!

* Download the trial version of Ewido Security Suite here

http://www.ewido.net/en/

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update; click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know 
how.

How to boot to safe mode

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

* Now copy these instructions to notepad and save them to your desktop. You 
will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in 
safe mode:

* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Now run CCleaner.

Go to this site and download these tools, and once you get both
AdAware SE 1.6 and Spybot, update both of them.

Set AdAware to do a full system scan and deselect "search for negligible risk
entries". Click next to start the scan. Delete everything AdAware finds.

Reboot and now run Spybot.

Spybot: Search and destroy.

Delete what Spybot finds marked in red. After updating Spybot hit the
immunize button.

Reboot again.

Go here and download Microsoft Antispyware Beta. First in the top menu click
File then Check for updates to download the definitions updates.

After updating look in the right side of the main window under "Run Quick 
Scan Now" and click Spyware scan options. In that window put a tick by Run a
full system scan and then put a check by all three options below that then 
click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it 
quarantine the items that have that option rather than delete just in case. 
It is a beta program and there may be false positives)

Restart your computer.

All tools can be downloaded at the link below and found on that page!

* Microsoft® Windows AntiSpyware
* SpyBot search and destroy
* AdAware SE

http://www.majorgeeks.com/downloads31.html

Run ActiveScan online virus scan here

http://www.pandasoftware.com/activescan/

When the scan is finished, anything that it cannot clean have it delete it. 
Make a note of the file location of anything that cannot be deleted so you 
can delete it yourself.
- Save the results from the scan!

Post another HijackThis log, and the Ewido and ActiveScan logs.


----------



## pctools (Nov 29, 2004)

Hi angielynn,

I am from PC Tools, maker of Spyware Doctor.

The reason why VNC was detected is because it can potentially be used to compromise the security of your system.

To turn off such "information only" alerts, open Spyware Doctor, go to settings and uncheck the box: Include 'Information Only' low-level infections in scan results.

Should you still have further queries regarding Spyware Doctor, you can also contact us on the link below, so that we can advise the best course of action.

http://www.pctools.com/contact/support/guide/spyware-doctor/

Thank you.

PC Tools


----------



## angielynn (Apr 2, 2004)

Thank you so much pc!!!



pctools said:


> Hi angielynn,
> 
> I am from PC Tools, maker of Spyware Doctor.
> 
> ...


----------



## khazars (Feb 15, 2004)

Is this now solved then? Do you need any more help?


----------



## brendandonhu (Jul 8, 2002)

The real question is - do you use VNC or not?
If not, it can be uninstalled from the Control Panel.
Otherwise, leave it.


----------

