Homepage problem and extra iexplore.exe



#1 kerrin

Posted 06 July 2004 - 08:51 PM

Hello all,

Here are my problems:

1. Homepage for IE returns to "http:\\yahoo.com"
2. Task Manager often Dr Watson's
3. There is an extra iexplore

Ran Adaware, Spybot and CW Shredder to no avail. Below is the log file - any help would be appreciated.

Kerrin...

Logfile of HijackThis v1.97.7
Scan saved at 9:40:13 PM, on 7/6/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\apps_pub\vscan\mcfe4521\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\apps_pub\vscan\mcfe4521\VsStat.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\apps_pub\vscan\mcfe4521\Vshwin32.exe
C:\WINNT\system32\sysexec.exe
C:\WINNT\system32\vnxserv.exe
C:\apps_pub\vscan\mcfe4521\Avconsol.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\apps_pub\vscan\mcfe4521\Mcshield.exe
C:\WINNT\System32\soeagent.exe
C:\apps_pub\bsys2021\sspolicy.exe
C:\WINNT\Explorer.EXE
C:\WINNT\loadqm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\RRMedic\RRMedic.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\explorer.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webproxy.ssmb.com:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
F1 - win.ini: run=C:\WINNT\System32\services\wmplayer.exe
F2 - REG:system.ini: UserInit=soeagent.exe,nddeagnt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Online Special] C:\WINNT\swchost.exe
O4 - HKLM\..\Run: [tcsetupd] C:\WINNT\System32\tcsetupd.exe
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINNT\System32\mstaskm.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [UD8S.exe] c:\documents and settings\sp03574\local settings\temp\UD8S.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Macromedia Flash Update] C:\WINNT\System32\MStasks.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\sp03574\Application Data\Microsoft\sr64\abcfoaoi.exe
O4 - HKCU\..\Run: [wmplayer.exe] C:\documents and settings\sp03574\local settings\temp\wmplayer.exe
O4 - HKCU\..\RunOnce: [rantwice_msie5078] wbat.exe regset HKEY_LOCAL_MACHINE\Software\SBIR\msie rantwice yes
O4 - Global Startup: Road Runner Medic.lnk = C:\Program Files\RRMedic\RRMedic.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8174.7509259259
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.ho...ex/HMAtchmt.ocx

#2 12g

Posted 07 July 2004 - 11:24 AM

Hi there kerrin,

Please do this first,


Update HijackThis to version 1.98:
Run HijackThis, select Config > Misc Tools and select "Update online", then Yes.
Run a scan and post a new HijackThis log after you are done.


#3 kerrin

Posted 07 July 2004 - 09:00 PM

Thanks 12G. I took a "scorched earth" approach to hjt log last night and removed some of the unnecessary stuff. R0 returns after deleting (including while in safe mode), so something else is driving that command each time.

Kerrin...

Here is what I am left with:


Logfile of HijackThis v1.98.0
Scan saved at 9:56:24 PM, on 7/7/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\apps_pub\vscan\mcfe4521\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\sysexec.exe
C:\apps_pub\vscan\mcfe4521\VsStat.exe
C:\apps_pub\vscan\mcfe4521\Vshwin32.exe
C:\WINNT\system32\vnxserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\apps_pub\vscan\mcfe4521\Avconsol.exe
C:\WINNT\System32\soeagent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\apps_pub\vscan\mcfe4521\Mcshield.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\Explorer.EXE
C:\apps_pub\bsys2021\sspolicy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\RRMedic\RRMedic.exe
C:\WINNT\explorer.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webproxy.ssmb.com:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=soeagent.exe,nddeagnt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\RunOnce: [rantwice_msie5078] wbat.exe regset HKEY_LOCAL_MACHINE\Software\SBIR\msie rantwice yes
O4 - Global Startup: Road Runner Medic.lnk = C:\Program Files\RRMedic\RRMedic.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.ho...ex/HMAtchmt.ocx
O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINNT\gnjkocad.dll
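The comparison kerrin made by hand between the first two logs above (which entries disappeared after "fix checked", which stayed, and which, like the R0 Start Page value, came straight back) can be done mechanically. The following is an added example by the editor, not code from the thread or from HijackThis: a small parser for the HijackThis log format, a diff of two scans keyed on the registry value name or the bracketed autostart name, and a simple heuristic that lists O4 autostarts launched from user-writable profile directories such as Temp. The sample logs are short excerpts of the two logs posted above; the matching rules in `entry_key` and the `SUSPECT_DIRS` heuristic are assumptions of this example, not HijackThis behaviour.

```python
"""Parse HijackThis-style logs and diff two scans (added example, not from the thread)."""
import re
from collections import OrderedDict

# An item line looks like "O4 - HKLM\..\Run: [Name] C:\path\file.exe"
# or "R0 - HKCU\...\Main,Start Page = http://...".
ITEM_RE = re.compile(r"^([RFO]\d{1,2})\s+-\s+(.*)$")

# Assumption of this example: autostarts living under these user-writable
# directories deserve a second look (see the UD8S.exe / sr64 entries above).
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\application data\\")


def parse_log(text):
    """Return {'processes': [...], 'items': OrderedDict(code -> [entry, ...])}."""
    processes, items, in_procs = [], OrderedDict(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ITEM_RE.match(line)
        if m:
            items.setdefault(m.group(1), []).append(m.group(2))
    return {"processes": processes, "items": items}


def entry_key(code, entry):
    """Key used to match an entry across scans (assumption of this example):
    R lines match on the value name before ' = ', O4 lines on the [Name]
    part, everything else on the full text."""
    if code.startswith("R") and " = " in entry:
        return code, entry.split(" = ", 1)[0]
    if code == "O4" and "[" in entry and "]" in entry:
        return code, entry[: entry.index("]") + 1]
    return code, entry


def diff_logs(before, after):
    """Classify every entry as removed, added, unchanged, or changed
    (same key, different value: the R0 case in this thread)."""
    b = {entry_key(c, e): e for c, es in before["items"].items() for e in es}
    a = {entry_key(c, e): e for c, es in after["items"].items() for e in es}
    out = {"removed": [], "added": [], "unchanged": [], "changed": []}
    for k in sorted(set(b) | set(a)):
        if k not in a:
            out["removed"].append(f"{k[0]} - {b[k]}")
        elif k not in b:
            out["added"].append(f"{k[0]} - {a[k]}")
        elif b[k] == a[k]:
            out["unchanged"].append(f"{k[0]} - {a[k]}")
        else:
            out["changed"].append((f"{k[0]} - {b[k]}", f"{k[0]} - {a[k]}"))
    return out


def flag_user_writable_autostarts(parsed):
    """O4 autostart entries whose target sits in a user-writable profile dir."""
    return [e for e in parsed["items"].get("O4", [])
            if any(d in e.lower() for d in SUSPECT_DIRS)]


# Excerpts of the two logs posted above (post #1 and post #3).
LOG_1 = r"""Logfile of HijackThis v1.97.7
Scan saved at 9:40:13 PM, on 7/6/2004

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [UD8S.exe] c:\documents and settings\sp03574\local settings\temp\UD8S.exe
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\sp03574\Application Data\Microsoft\sr64\abcfoaoi.exe
"""

LOG_2 = r"""Logfile of HijackThis v1.98.0
Scan saved at 9:56:24 PM, on 7/7/2004

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINNT\gnjkocad.dll
"""

if __name__ == "__main__":
    first, second = parse_log(LOG_1), parse_log(LOG_2)
    for bucket, entries in diff_logs(first, second).items():
        print(f"== {bucket} ({len(entries)})")
        for e in entries:
            print("  ", e)
    print("== autostarts from user-writable dirs in first log")
    for e in flag_user_writable_autostarts(first):
        print("  ", e)
```

Run against the two excerpts, the diff puts the R0 Start Page entry in `changed` rather than `removed`: the key survived the fix and only its value moved, which is exactly the "something else is driving that command" symptom kerrin describes, and a hint to look at the remaining autostart and SSODL entries rather than at the R0 line itself.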

#4 12g

Posted 07 July 2004 - 10:06 PM

Hi there,

Make sure all browsers and windows are closed except for HijackThis, put a check against the following and click 'Fix checked':



R3 - Default URLSearchHook is missing

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present<<if you set this and know of it keep it


Reboot, then post a fresh logfile.

#5 kerrin

Posted 09 July 2004 - 06:46 PM

Here you go:

Kerrin...

Logfile of HijackThis v1.98.0
Scan saved at 7:47:27 PM, on 7/9/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\apps_pub\vscan\mcfe4521\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\sysexec.exe
C:\WINNT\system32\vnxserv.exe
C:\apps_pub\vscan\mcfe4521\VsStat.exe
C:\apps_pub\vscan\mcfe4521\Avconsol.exe
C:\apps_pub\vscan\mcfe4521\Vshwin32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\soeagent.exe
C:\WINNT\System32\mspmspsv.exe
C:\apps_pub\vscan\mcfe4521\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ntvdm.exe
C:\apps_pub\bsys2021\sspolicy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\RRMedic\RRMedic.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\traywc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\explorer.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webproxy.ssmb.com:8080
F2 - REG:system.ini: UserInit=soeagent.exe,nddeagnt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Road Runner Medic.lnk = C:\Program Files\RRMedic\RRMedic.exe
O4 - Global Startup: traywc.exe
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.ho...ex/HMAtchmt.ocx
O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINNT\gnjkocad.dll

#6 12g

Posted 10 July 2004 - 04:12 AM

Hi kerrin,


Please do this first, Press Ctrl/Alt/Del<< Click Task Manager<<Click Processes Tab<<Select traywc.exe<<Click End Process.


Make sure all browsers and windows are closed except for HijackThis, put a check against the following and click 'Fix checked':


F2 - REG:system.ini: UserInit=soeagent.exe,nddeagnt.exe
O4 - Global Startup: traywc.exe
O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINNT\gnjkocad.dll


Restart your computer in Safe Mode. Also make sure you show hidden files. Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show,

C:\WINNT\System32\soeagent.exe<<<<File
C:\WINNT\gnjkocad.dll<<<<File


Reboot, then post a fresh logfile so that I can check to see if it is clean.

#7 kerrin

Posted 11 July 2004 - 09:29 AM

OK, since this is a corporate-built machine I know that the "soeagent" reference is valid. Other than that piece I followed your steps - unfortunately our friend is still there. I did notice that the set homepage went back to "about:blank" after removing the gnjkocad.dll file. Anyway, here is the log - thanks for your continued interest!

Kerrin...

Logfile of HijackThis v1.98.0
Scan saved at 10:24:53 AM, on 7/11/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\apps_pub\vscan\mcfe4521\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\sysexec.exe
C:\WINNT\system32\vnxserv.exe
C:\apps_pub\vscan\mcfe4521\VsStat.exe
C:\WINNT\System32\soeagent.exe
C:\apps_pub\vscan\mcfe4521\Avconsol.exe
C:\apps_pub\vscan\mcfe4521\Vshwin32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\apps_pub\vscan\mcfe4521\Mcshield.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\Explorer.EXE
C:\apps_pub\bsys2021\sspolicy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\RRMedic\RRMedic.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\explorer.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webproxy.ssmb.com:8080
F2 - REG:system.ini: UserInit=soeagent.exe,nddeagnt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Road Runner Medic.lnk = C:\Program Files\RRMedic\RRMedic.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.ho...ex/HMAtchmt.ocx

#8 12g

Posted 11 July 2004 - 10:21 AM

Thanks kerrin,

That's good about soeagent.exe.

What do you know about these 2 files?

C:\WINNT\system32\sysexec.exe
C:\WINNT\system32\vnxserv.exe

Or check their properties.

Did you set this?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

If not, fix check it.

Other than those I see nothing else suspicious.
