# [Solved] Another Search Exe question



## Eiki (Apr 1, 2004)

Firstly, thank you, whoever is reading this message. It's been a mind-boggling endeavor for the past week to identify what is incorrect and causing my PC to act as it is. I've looked everywhere and tried everything to get rid of this item, however, alas, with no result - actually just making it worse I think. I hope that you can be of help and thank you for your time.

I've identified that I have the searchexe issue on my computer. Yet I think there are more issues, since I cannot open IE anymore, and various functions on my start menu/shortcuts do not function anymore (start menu, e.g. search files/folders; shortcuts: IE doesn't open, although when I run Task Manager it shows it is running).

I have downloaded/run numerous spyware programs - XoftSpy, Ad-Aware 6.0, Norton, Stinger (McAfee), SpyHunter and numerous others I unfortunately cannot recall the names of, that have identified the problems on my PC and supposedly deleted them. Still, I have not gotten rid of the searchexe "bug", for lack of a better term.

I am attaching my HijackThis logs, in the hope that possibly you could help me identify what I would need to do.

Again, thank you very much for your help and time.

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\loadqm.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BROWSE~1\online plan.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B04EE623-86AB-2000-09A3-46B7413EEAAD} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Mix sign - {5CA75F01-6484-3C2F-B698-731199071E63} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\sna.exe
O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4344/mcfscan.cab


----------



## Flrman1 (Jul 26, 2002)

Hi Eiki

Welcome to TSG! 

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/in...p://about :blank

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

O2 - BHO: (no name) - {B04EE623-86AB-2000-09A3-46B7413EEAAD} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll

O3 - Toolbar: Mix sign - {5CA75F01-6484-3C2F-B698-731199071E63} - C:\PROGRA~1\CURBBA~1\Lies Barb.dll

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Services] C:\WINNT\system32\sna.exe

O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"*

Restart to safe mode and delete:

The C:\Program Files\*AutoUpdate* folder
The C:\Program Files\*BROWSE~1* folder (See *Note below)
The C:\Program Files\*CURBBA~1* folder (See *Note below)
The C:\WINNT\system32\*sna.exe* file

*Note:* I have no way of knowing the exact names of these folders, but the first six letters of each one will be *BROWSE* and *CURBBA*.

How to start your computer in safe mode

These really look suspicious:

*O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll

O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat

O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe*

This one in particular:

*TaskMgnr.exe*

The first two have legitimate file names, but I've never seen them starting from those locations. The TaskMgnr.exe isn't a legitimate Windows file. It should be Taskmgr.exe.

Let's start by checking out the TaskMgnr.exe file.

Go here

Scroll to the bottom of the page and look for the *Submit* file section.

Click on *Browse*

Navigate to the c:\winnt\system32\drivers\disdn\OEM folder and upload the .... *Taskmgr.exe* .... file and let us know what you find.


----------



## Option^Expli (Aug 19, 2003)

Lotsa Trojans ...

*C:\WINNT\SYSTEM32\DNTUS26.EXE* can be monitoring software if this computer is owned by a company office, etc. I'm guessing it is just used as a trojan.

On my Win2000 fresh install, I had *TaskMgnr.exe* all over the place, and it would return on every reboot.
You actually can't clean a Win2000 computer unless you have it patched to date, or you'll have this stuff back on the next reboot. TaskMgnr.exe you didn't download; it just migrates into the system when you are online.

Download a firewall somewhere (even if just to stay protected until all MS Updates can be installed), and open Network Connections and find your adapter used to connect to the Internet... *uncheck File and Printer Sharing for MS Networks*.

I couldn't see the top portion of the HJT log so I don't know what service packs you have installed.
You can check if you are at least patched with the 2 most critical patches, *MS_KB824146*: use my utility, click "Am I patched" and wait for status.


----------



## Flrman1 (Jul 26, 2002)

Thanks OE. I knew something was wrong there, but I've never seen any of those before and I couldn't find anything about them anywhere. Do you know what trojan that is?


----------



## Eiki (Apr 1, 2004)

Thank you both for such a quick response .... I will have to check tonight. I will let you know what I find/resolve.  Thank you.


----------



## Flrman1 (Jul 26, 2002)

:up:

Let us know how it goes.


----------



## Eiki (Apr 1, 2004)

Flrman1 and OE, thank you!

Its taken me a few hours to go through all the different items you suggested, but all I can say as an end-result is -- Wow! How wonderful my computer is working so far. Thank you. I did want to run down what I did (for other people to possibly benefit)  and would have not known without your guidance.

1. I followed your (Flrman1) instruction to run the HijackThis log again and deleted the files.
2. Started in safe mode and deleted all files except one (C:\WINNT\system32\sna.exe), which I couldn't find. Below I've included the details of the files I deleted. Thought this may be of help to you.
3. Per OE's recommendation, downloaded Internet security software with a firewall (I had some security, but not enough).
4. And updated my MS 2000 to the newest patch, 4.

So, after all this I can say Wonderful!!!

1. searchexe is gone! It really is a nasty bugger.
2. I can open my files again! My Computer, my search in the start menu, etc. (Very happy)
3. And believe it or not, my menus and startup look a little different (like they used to) and my Explorer and Windows are working extremely fast.


Lastly, as you recommended, I ran the TaskMgr.exe. Unfortunately, the file must be very big, since I only received an error message page after I submitted the file on your recommended link.

Lastly, per your recommendation, I think there are still some issues with my computer. I will post my current HijackThis log in a separate posting. I do want to try to figure out what else I need to delete and get rid of. *Note:* in my review in safe mode I came across a very questionable application (two different files): drwatson, DRWTSN32. I do not think this is supposed to be in my system. Any suggestions?

Here are the details of the files I deleted; hopefully this gives you some insight or help moving forward with other people running into this problem:

Deleted files out of C:\Program Files:

Folder: browsowns
File names/types:
online plan - 228 KB - application
sixth ante vc - 24 KB - application
style - 6 KB - application

Folder: CurbBashDrive
File names/types:
6341 - 55 KB - application
FileDogFile - 1 KB - DAT
FileDogFileFile - 1 KB - DAT
HopeDogFile - 1 KB - DAT

Folders: File, DRIVE BASH, FileCurbBashDrive (each of these folders had the same file):
File names/types:
HopeDogFile - 1 KB - DAT

Folder: AutoUpdate
File names/types:
No file names/types appeared; it appeared to be an empty folder.

I'll post my HijackThis files in another reply.

Thank you.


----------



## Eiki (Apr 1, 2004)

Hi again. Here is my latest, up-to-date HijackThis file.... Thank you! If you see anything that is questionable, I'd appreciate you letting me know. Also, I checked the drwatson files and they gave me an OK result. So I suppose these files are legit.

Logfile of HijackThis v1.97.7
Scan saved at 10:22:44 PM, on 4/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Winamp\Winampa.exe
C:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.placesoftheworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4344/mcfscan.cab


----------



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

*O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe

O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll

O4 - HKLM\..\Run: [WinNT] c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat

O4 - HKLM\..\Run: [CornFilm] C:\PROGRA~1\BROWSE~1\online plan.exe*

Restart to safe mode and delete:

The C:\Program Files\*BROWSE~1* folder
The c:\winnt\system32\drivers\disdn\OEM\*TaskMgnr.exe* file


----------



## Eiki (Apr 1, 2004)

Thank you flrman1. For some reason I cannot find the file C:\Program files\BROWSE... folder in safe mode or when looking at my program files. I've even gone through the different folders to see if it is there, but can't seem to find it.

Thank you very much for your help. I'll make sure to recommend your help and the site to my friends.

I'm posting my hijackthis file... hopefully I got everything. Thank you.

Logfile of HijackThis v1.97.7
Scan saved at 8:12:54 PM, on 4/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.placesoftheworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4344/mcfscan.cab


----------



## Flrman1 (Jul 26, 2002)

Did you look for a folder beginning with BROWSE? That is not the full name of the folder.

The log looks good now. I'd be interested to see if Option^Expli has anything to add.


----------



## Option^Expli (Aug 19, 2003)

Eiki

Download this utility KillBox and unzip to your desktop.
Copy & paste each of these lines and click "Kill File" and wait for success/fail message.

*c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
c:\winnt\system32\drivers\disdn\OEM\WinNt.exe
c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe
c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
C:\PROGRA~1\BROWSE~1\online plan.exe
C:\Program Files\BROWSE~1*

and this one is still running:

*C:\WINNT\SYSTEM32\DNTUS26.EXE*

The more I look at it, the more it looks like something you never purposely installed. Add it to the KillBox as well and kill it.
All these files will be backed up if we need them to restore, submit, etc.
This is a little easier than finding files manually in safe mode.
Do that, then post a new HijackThis log. :up:


----------



## Flrman1 (Jul 26, 2002)

OE I was about 90% sure that those other files in the OEM folder should be deleted, but I wanted to see what you had to say first.

Do you know what trojan this is?


----------



## Option^Expli (Aug 19, 2003)

Yea, the whole OEM folder and whatever is inside should be deleted.
As for the trojan, just looking at info on the DNTUS26.EXE, I can't get any 100% answer on it, but it always looks suspicious.

This link makes this look very bad. That's why I say, kill it; if need be you can always put it back.

Also there is no startup entry for it, yet it runs, so it's either running as a service or being started by something else. It claims to be part of legitimate "monitoring software", yet I see no reference to any legitimate company name, etc.

Dunno what to say; I wouldn't let that thing run on my system unless I had some hard info as to why it was needed, and what installed it.


----------



## Eiki (Apr 1, 2004)

Hello flrman1 and OE. Thank you for all your input. It appears, however, that I cannot find certain files that you are requesting me to delete. I feel somewhat lost, since it appears you can see them on my logs, and I can't find them on my computer.

I found only two of the eight files OE pointed out, which I deleted (through the link provided):

Files found and deleted:
c:\winnt\system32\drivers\disdn\OEM\WinNt.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE

Files not found:
c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe
c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
c:\winnt\system32\drivers\disdn\OEM\NTsys.exe WinNT.bat
C:\PROGRA~1\BROWSE~1\online plan.exe
C:\Program Files\BROWSE~1

I've attached in the document some of my search results and also screen views for you to see what is in the OEM folder - really not sure where the files are - I've also used search to find them and they were not on my system, apart from one (WinMgmt). I've included my search result for that file since I'm not sure if these are the files you want me to delete. Please see attached doc.

Lastly, unfortunately, I still cannot find any files that have "Browse" in my program files or C drive. I've looked through most of the folders to try to see if it's possibly in another folder. Also, I've searched for the online plan.exe and cannot find it. Not sure what to do?

I am posting my hijack this logs again as well. Thank you!!

I've attached the screengrabs and hijack this files in the techguy_files.doc


----------



## Flrman1 (Jul 26, 2002)

The log is clean now.

Did you find the OEM folder? I have to agree with OE when he says that you should just delete the entire OEM folder.


----------



## Option^Expli (Aug 19, 2003)

Eiki

That is OK if those files cannot be found; it's more of a double check, as HijackThis will list the startup entry even if the file does not exist. KillBox checks if the file exists before deleting and confirms the file is gone.
The screenshot of the search for WinMgmt.exe shows some of the legit ones and the fake one (notice it does not have the same icon), and the legitimate ones are in locations known to Windows.
Your attached HijackThis log looks OK; none of the offending entries have come back after they were removed.

I guess just check if the path c:\winnt\system32\drivers\disdn\OEM exists.
If it does, delete the OEM folder.
Otherwise it looks OK.

*i type slow and flrman posted b4 me..
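The hand triage in this thread rests on three observations: a Run entry whose file name is a near-miss of a real Windows binary (TaskMgnr.exe for Taskmgr.exe, as Flrman1 noted), a legitimate name such as WinMgmt.exe started from a folder Windows does not use, and Option^Expli's point above that HijackThis still lists a Run entry after the file itself is gone. The script below is an added example written for this page, not code from the thread, from HijackThis or from KillBox; it parses O4 lines and applies those three checks plus a fourth (an entry named after a system component that launches a different binary, as with the `[Services]` entry that ran sna.exe). The sample log lines are O4 entries quoted in the thread plus one constructed line (`[wbem]`), the set of files "present on disk" is constructed, and the table of legitimate locations assumes a Windows 2000 install rooted at C:\WINNT as in the thread's logs.

```python
"""Triage HijackThis O4 (Run key) entries the way the thread does by hand.

Added example, not code from the thread, HijackThis or KillBox.
"""
import difflib
import re

# Directories where these Windows 2000 binaries legitimately live, assuming
# the system root is C:\WINNT as in the thread's logs (assumption).
LEGIT_LOCATIONS = {
    "taskmgr.exe": r"c:\winnt\system32",
    "winmgmt.exe": r"c:\winnt\system32\wbem",
    "mobsync.exe": r"c:\winnt\system32",
    "svchost.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
}

# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# O4 entries quoted in the thread; the final [wbem] line is constructed to
# exercise the "legitimate name, wrong folder" check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\sna.exe
O4 - HKLM\..\Run: [TaskMgnr] c:\winnt\system32\drivers\disdn\OEM\TaskMgnr.exe
O4 - HKLM\..\Run: [WinMgmt] c:\winnt\system32\drivers\disdn\OEM\WinNt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.exe c:\winnt\system32\drivers\disdn\OEM\WinMgmt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [wbem] C:\WINNT\WinMgmt.exe
"""

# Constructed stand-in for "what is actually on disk" (lower-cased full paths).
PRESENT_FILES = {
    r"c:\winnt\system32\drivers\disdn\oem\winnt.exe",
    r"c:\program files\common files\symantec shared\ccapp.exe",
    r"c:\winnt\winmgmt.exe",
}


def image_path(cmd):
    """Return the executable a Run value launches: a quoted path, or the
    unquoted tokens up to and including the first one ending in .exe
    (so 'C:\\PROGRA~1\\BROWSE~1\\online plan.exe' keeps its space)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0]


def triage_entry(line, present_files):
    """Apply the thread's checks to one O4 line; None if it is not an O4 line."""
    m = O4_RE.match(line)
    if not m:
        return None
    img = image_path(m.group("cmd"))
    directory, _, base = img.lower().rpartition("\\")
    findings = []
    if base in LEGIT_LOCATIONS:
        # A bare name (no directory) is resolved via the search path, so only
        # an explicit, non-standard directory is flagged.
        if directory and directory != LEGIT_LOCATIONS[base]:
            findings.append(f"legitimate name {base} started from unexpected location {directory}")
    else:
        # Near-miss spelling of a real binary: TaskMgnr.exe vs taskmgr.exe
        close = difflib.get_close_matches(base, LEGIT_LOCATIONS, n=1, cutoff=0.85)
        if close:
            findings.append(f"lookalike of {close[0]}")
    # Entry named after a system component but launching something else
    named = m.group("name").lower() + ".exe"
    if named in LEGIT_LOCATIONS and base != named:
        findings.append(f"entry name mimics {named} but launches {base}")
    # HijackThis lists the entry even when the file is already gone
    if directory and img.lower() not in present_files:
        findings.append("file not present on disk (orphaned entry)")
    return {"name": m.group("name"), "image": img, "findings": findings}


def triage_log(text, present_files):
    """Triage every O4 line in a HijackThis log excerpt."""
    results = []
    for line in text.splitlines():
        entry = triage_entry(line.strip(), present_files)
        if entry is not None:
            results.append(entry)
    return results


def suspicious(text, present_files):
    """Names of the Run entries that carry at least one finding."""
    return [e["name"] for e in triage_log(text, present_files) if e["findings"]]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG, PRESENT_FILES):
        flag = "SUSPECT" if e["findings"] else "ok     "
        print(f"{flag} [{e['name']}] {e['image']}")
        for f in e["findings"]:
            print(f"         - {f}")
```

On the sample, the four entries the thread ended up removing are the four flagged, and the two legitimate ones (Synchronization Manager, ccApp) pass clean. An orphaned finding on its own is not proof of malware; it is exactly the "file not found" that KillBox reports, and the entry should still be removed so the autostart does not point at a path something could later re-create.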


----------



## Eiki (Apr 1, 2004)

Hello flrman1 and OE.

I can't thank you enough for all your help. I am recommending everyone to this site.

I think I do have a file OEM as you pointed out (OE) and I will check that this is deleted. I'll take a look at the WinMgmt files again as well.

Thank you for all your help. I hope that I won't run into these problems again... but at least I know where to go to if I get another trojan horse or spyware (but let's hope not).

Eiki


----------



## Flrman1 (Jul 26, 2002)

Glad we were able to help! 

I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

