**Help with unknown .exe's* - Techist - Tech Forum

Old 07-09-2005, 08:38 PM   #1 (permalink)
Newb Techie
 
Join Date: Jul 2005
Posts: 2
Default **Help with unknown .exe's*

Can any of you take a look at this HJT log and recommend any pointers? Been trying to "clean" this computer for a friend for seven days now.

Thanks,

NQ

Logfile of HijackThis v1.99.1
Scan saved at 7:13:56 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\sdkej.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\iexq32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Keith Jacobs\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1B8F483E-94BD-24D3-A479-2063E618DDF5} - C:\WINDOWS\ievb32.dll
O2 - BHO: Class - {80CF49B5-91F6-D2DB-57D7-7086D2A8C9AB} - C:\WINDOWS\system32\winin.dll (file missing)
O2 - BHO: Class - {97D855EA-1734-8802-A3F4-6568F257371E} - C:\WINDOWS\winik32.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [d3of.exe] C:\WINDOWS\d3of.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sdkej.exe] C:\WINDOWS\system32\sdkej.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {DA835204-50D4-411E-8CCD-D46649200E9E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DA835204-50D4-411E-8CCD-D46649200E9E} - (no file) (HKCU)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/sq...-ob-assets.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {22222222-2222-2222-4444-566661888858} - file://c:\x.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {36D29A5B-CBAA-149A-166C-4C7608226039} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {572A8F22-C0B1-146A-849F-1AAB74DCD997} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\iexq32.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.
NQBUS is offline  
Old 07-09-2005, 09:36 PM   #2 (permalink)
Master Techie
 
Join Date: Oct 2003
Posts: 2,258
Default

Here is what you will want to do...

Download all the following on another machine, burn to CD and load on the machine:

http://www.safer-networking.org/en/download/
http://www.download.com/Ad-Aware-SE-...bj=dl&tag=top5
http://www.microsoft.com/athome/secu...e/default.mspx
http://www.intermute.com/spysubtract..._download.html
http://vil.nai.com/vil/averttools.asp

From here, once you have the files on CD, shut down the machine you want to clean. Disconnect the network cable from the machine.

Boot the machine into safe mode. To do this, as soon as you power on the machine, start pressing (not holding; tap twice a second) the F8 button. When Windows goes to start, it will give you a screen to select the boot mode. Select safe mode and boot.

Once you are in the system, you will want to do the following. Load Stinger (last download) and run it. That will find any of the current malicious viruses. Then run Lavasoft. That will install, so you will want to uninstall it before you go on to the next one. Then do Spybot. Install and run the full system scan and the immunization. Then uninstall. After that, install the MS antispyware tool. This one is actually pretty good, so you should keep it on the system, especially since that is SP2.

You shouldn't need to reboot for any install. If prompted, just select no.
When you are finished with getting things installed and have finished running them, make sure you uninstall them, since you only need one to get the job done. The MS one seems to do the most work to remove things, even from the registry.

Anyway, reboot to the normal mode, and then make sure that the system is set up for automatic scans at least once a day. That will keep it clean for a while.

Good luck.
Inaris is offline  
Old 07-09-2005, 09:52 PM   #3 (permalink)
True Techie
 
Join Date: Mar 2003
Posts: 200
Default

I just had a quick skim read over the first half. Get rid of iexq32.exe and get rid of sdkej.exe.

If the two exes mentioned keep popping up, open regedit (in safe mode), search for them and remove the traces. Also find out what else they are linked to/with and remove them accordingly.

Nonetheless, saying that: if you really want a clean computer, a format is the only way.

EDIT:
Delete the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {1B8F483E-94BD-24D3-A479-2063E618DDF5} - C:\WINDOWS\ievb32.dll

O2 - BHO: Class - {80CF49B5-91F6-D2DB-57D7-7086D2A8C9AB} - C:\WINDOWS\system32\winin.dll (file missing)

O2 - BHO: Class - {97D855EA-1734-8802-A3F4-6568F257371E} - C:\WINDOWS\winik32.dll

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [d3of.exe] C:\WINDOWS\d3of.exe

O4 - HKLM\..\Run: [sdkej.exe] C:\WINDOWS\system32\sdkej.exe

O15 - Trusted IP range: 206.161.125.149

O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/s...s-ob-assets.cab

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab

O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab

O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

O16 - DPF: {22222222-2222-2222-4444-566661888858} - file://c:\x.cab

O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll

O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {36D29A5B-CBAA-149A-166C-4C7608226039} - http://69.50.182.94/1/rdgUS896.exe

O16 - DPF: {572A8F22-C0B1-146A-849F-1AAB74DCD997} - http://69.50.182.94/1/rdgUS994.exe

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

O23 - Service: Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\iexq32.exe
_________________________________________________

vbsys2.dll works in conjunction with Trojan-Clicker.Win32.Agent.ac.

The best thing to do in your position would be to install AVG Free (and update it), install Ad-Aware 1.06 (and update it) and install Spybot Search & Destroy (and update it). Delete all the contents of your temp folders, turn off System Restore (right-click on My Computer, click on Properties, click on the System Restore tab, and disable it). Then delete your IE temporary internet files and all offline content.

Boot into safe mode (F8 during computer boot-up and select safe mode from the list), then run Ad-Aware through a full system scan, then run AVG through a full system scan, same for Spybot S&D, and then run HijackThis and remove any offending objects.

Take a note of the offending objects (particularly DLL names and EXE names), then go Start > Run > regedit and search for them in the registry; if you find any trace, delete it (be safe).

Once you've gone through and deleted (most) traces in the registry, reboot normally and run HijackThis again.

Post here if anything comes back again, and we'll look into it deeper for you.

All the best!
imation is offline  
Old 07-09-2005, 10:13 PM   #4 (permalink)
Techie Beyond Description
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Default

Remove these:

C:\WINDOWS\system32\sdkej.exe

C:\WINDOWS\iexq32.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {1B8F483E-94BD-24D3-A479-2063E618DDF5} - C:\WINDOWS\ievb32.dll

O2 - BHO: Class - {80CF49B5-91F6-D2DB-57D7-7086D2A8C9AB} - C:\WINDOWS\system32\winin.dll (file missing)

O2 - BHO: Class - {97D855EA-1734-8802-A3F4-6568F257371E} - C:\WINDOWS\winik32.dll

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE

O4 - HKLM\..\Run: [d3of.exe] C:\WINDOWS\d3of.exe

O4 - HKLM\..\Run: [sdkej.exe] C:\WINDOWS\system32\sdkej.exe

O4 - HKCU\..\Run: [Yahoo! Pager] 1

O15 - Trusted IP range: 206.161.125.149

O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/s...s-ob-assets.cab

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab

O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab

O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

O16 - DPF: {22222222-2222-2222-4444-566661888858} - file://c:\x.cab

O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {36D29A5B-CBAA-149A-166C-4C7608226039} - http://69.50.182.94/1/rdgUS896.exe

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
Osiris is offline  
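As an added example (not code from this thread or from HijackThis), the Python below encodes the rules the three replies are applying when they pick entries out of the log: an unnamed BHO whose DLL sits directly in C:\WINDOWS, a Run key named after its own .exe, a Trusted Zone entry added by IP, an ActiveX (O16) source that is a local .cab, a raw-IP host or a bare .exe, and a service with no vendor. The sample lines are copied from the posted log (the garbage service name shortened); the heuristics are this editor's assumptions, not HijackThis's own analysis.

```python
import re
from typing import List, Optional, Tuple

# Sample input: lines copied from the HijackThis log in this thread (service name shortened),
# plus two clearly legitimate entries so the triage has something to pass.
SAMPLE_LOG = r"""
O2 - BHO: Class - {1B8F483E-94BD-24D3-A479-2063E618DDF5} - C:\WINDOWS\ievb32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sdkej.exe] C:\WINDOWS\system32\sdkej.exe
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {36D29A5B-CBAA-149A-166C-4C7608226039} - http://69.50.182.94/1/rdgUS896.exe
O23 - Service: Workstation NetLogon Service (11F) - Unknown owner - C:\WINDOWS\iexq32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

WIN_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)   # file sitting directly in C:\WINDOWS
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}", re.I)

def classify(line: str) -> Optional[str]:
    """Reason a HijackThis line looks suspicious (by the rules the replies apply), or None."""
    tag, _, body = line.strip().partition(" - ")
    if tag == "O2" and body.startswith("BHO: Class - "):
        # HJT prints the literal name "Class" for a BHO with no display name (assumption: red flag)
        dll = body.rsplit(" - ", 1)[-1]
        if WIN_ROOT.match(dll) or "(file missing)" in dll:
            return "unnamed BHO loaded from the Windows directory or missing"
    elif tag == "O4" and "\\Run: [" in body:
        name, _, rest = body.split("[", 1)[1].partition("] ")
        target = rest.strip().strip('"').split('"')[0]
        exe = target.split("\\")[-1].lower()
        # Run key named after its own .exe (d3of.exe, sdkej.exe) or an exe in C:\WINDOWS itself
        if name.lower() == exe or WIN_ROOT.match(target):
            return "Run entry for a bare executable in the Windows directory"
        if exe == "iexplore.exe" and "program files" not in target.lower():
            return "IEXPLORE.EXE launched from outside Program Files"
    elif tag == "O15":
        return "Trusted Zone entry added by IP address"
    elif tag == "O16":
        src = body.rsplit(" - ", 1)[-1].lower()
        if src.startswith("file://") or RAW_IP_URL.match(src) or src.endswith(".exe"):
            return "ActiveX registered from a local .cab, a raw-IP host or a direct .exe"
    elif tag == "O23" and " - Unknown owner - " in body:
        return "service with no vendor information"
    return None

def triage(log_text: str) -> List[Tuple[str, str]]:
    """(line, reason) pairs for every line of the log that classify() flags."""
    return [(l.strip(), r) for l in log_text.splitlines() if (r := classify(l))]
```

Running `triage(SAMPLE_LOG)` flags six of the eight sample lines and leaves the Symantec and NVIDIA entries alone; the same function can be fed the whole pasted log.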