
Shrinkwrap.exe


  • This topic is locked
7 replies to this topic

#1 zeuseman1 (New Member, 3 posts)

Posted 26 July 2004 - 09:51 PM

Hi
I am new here and have read the FAQ rules for newbies.
Being fairly new to forums I will try my best to comply with the rules.
I had some trouble just figuring out how to post this, so if I messed up, sorry in advance.
We had a late-night unauthorized visitor using the company computers and he left us a little problem to solve.
I have an exe file called shrinkwrap.exe that keeps popping up a window on my computer every 5 minutes or so saying:
shrinkwrap.exe Entry Point Not Found
The procedure entry point SHGetSpecialFolderPathA could not be located in the dynamic link library SHELL32.dll
I have run Spybot and Ad-Aware and even found the file in:
winnt/sys32/
and removed it, but it keeps coming back.
My OS is Windows NT.
Here is the HijackThis log.
Can anyone help?
Thank you
Zeuseman

Logfile of HijackThis v1.98.0
Scan saved at 8:39:18 AM, on 07/26/2004
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\RpcSs.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\esserver.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\SENS.EXE
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\starter.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\loadwc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\logitech\mouse\system\em_exec.exe
C:\WINNT\System32\OnSrvr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\System32\AChkr.exe
C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
C:\Program Files\Outlook Express\msimn.exe
D:\a NEED TO PRINT\Shrinkwrap fix\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mapquest.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [OnSrv] C:\WINNT\System32\AChkr.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Iomega Startup Options.lnk = ?
O4 - Global Startup: Iomega Icons.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Outlook Express\setup50.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedi...m/dlver/1_5.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 204.147.80.5 206.196.128.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 204.147.80.5 206.196.128.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 204.147.80.5 206.196.128.1


#2 nasdaq (Global Moderator, Forum Deity, 49,091 posts)

Posted 31 July 2004 - 09:20 PM

Hello zeuseman1

Just so that you know you are not being ignored - I will handle this case for you but
I need to ask for your patience while I review the log.
Please keep an eye on this message for a resolution.

So I do not forget, you did great in pasting the log to this thread.
There is no need to attach the .log file or any other file unless requested.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#3 nasdaq (Global Moderator, Forum Deity, 49,091 posts)

Posted 01 August 2004 - 08:49 AM

Hello zeuseman1,

Print a copy of this topic to make it easier for you to follow the instructions and complete all of the necessary steps.
*
Then,
1 - Close all open Explorer windows and browsers
2 - Run HijackThis
3 - Click on the Scan button and when complete
4 - Put a check beside all of the items listed below
5 - Click on the "Fix Checked" button
6 - When complete and all files removed, close the application

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O4 - HKLM\..\Run: [OnSrv] C:\WINNT\System32\AChkr.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O13 - WWW. Prefix: http://
O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedi...m/dlver/1_5.exe

*
Make sure you are set to show hidden files and folders:
Show Hidden Files and Folders
*
Reboot and, on restart, start in "Safe Mode".

How to: visual presentation at Symantec.
http://service1.syma...src=sec_doc_nam

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Also, Delete/Empty your Temporary Internet Cache completely
How to, for most operating systems:
http://www.mvps.org/...02/delcache.htm

Remove these files if still present.

C:\WINNT\System32\OnSrvr.exe <-- File only
C:\WINNT\System32\AChkr.exe <-- File only
*
Reboot normally.
*
Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following :
  • SpywareBlaster - It will prevent most spyware from ever being installed.
  • SpywareGuard - It offers realtime protection from spyware installation attempts.
  • IE-Spyad - IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
I also recommend reading this article.
How did I get infected in the first place?
http://forums.net-in...?showtopic=3051

Please post a new HijackThis log, and say if your problems persist.
nasdaq

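The triage applied above to the log in #1 can be written down as rules: an IE search or start setting blanked to about:blank or empty, a hosts entry that sends a hostname to a routable address instead of loopback, an O4 Run entry that matches no known startup item, an O9 button whose file is gone, an O13 prefix override, and an O16 Downloaded Program File that is a bare .exe. The script below is an added example, not HijackThis code or anything written by the participants in this thread. The log excerpt is a constructed reduction of the log in #1 (genuine lines, one or two per section), and the KNOWN_RUN startup list is an assumption standing in for the published startup lists helpers check O4 lines against.

```python
"""Rule-based triage of a HijackThis 1.98 log (added example, not HijackThis
code). Each 'XN - payload' line is parsed into a section code and a payload,
one rule per section decides whether it belongs under "Fix Checked", and only
the sections that appear in this thread are handled."""
import ntpath
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Constructed excerpt of the log in #1: one or two genuine lines per section,
# enough to exercise every rule without the full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mapquest.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OnSrv] C:\WINNT\System32\AChkr.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O13 - WWW. Prefix: http://
O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - http://ads.onwebmedi...m/dlver/1_5.exe
"""

# Assumed startup list of (Run value name, executable basename), lower-case:
# a stand-in for the published startup lists helpers check O4 lines against.
# The hijacker's entry calls itself "OnSrv" but launches AChkr.exe.
KNOWN_RUN = {("ensoniqmixer", "starter.exe"), ("winvnc", "winvnc.exe")}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
IE_SETTING_RE = re.compile(r"^(?P<key>.*?) =\s*(?P<value>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def run_target(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, else the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def check(sec: str, body: str) -> Optional[str]:
    """Return a reason to fix this entry, or None if it looks benign."""
    if sec in ("R0", "R1"):
        m = IE_SETTING_RE.match(body)
        if m and m.group("value") in ("", "about:blank"):
            return "IE search/start setting blanked (about:blank hijack)"
    elif sec == "R3" and "missing" in body:
        return "default URLSearchHook removed"
    elif sec == "O1":
        m = HOSTS_RE.match(body)
        if m:
            ip = ip_address(m.group("ip"))
            # 127.0.0.1 / 0.0.0.0 entries are the usual ad-blocking pattern;
            # a routable address silently redirects that hostname elsewhere.
            if not (ip.is_loopback or ip.is_unspecified):
                return f"hosts file sends {m.group('host')} to remote {ip}"
    elif sec == "O4":
        m = RUN_RE.match(body)
        if m:
            exe = ntpath.basename(run_target(m.group("cmd"))).lower()
            if (m.group("name").lower(), exe) not in KNOWN_RUN:
                return f"Run entry {m.group('name')!r} -> {exe} not in startup list"
    elif sec == "O9" and "(no file)" in body:
        return "orphaned IE button (target file gone)"
    elif sec == "O13":
        return "IE URL prefix override"
    elif sec == "O16":
        url = body.rsplit(" - ", 1)[-1]
        if url.lower().endswith(".exe"):
            return "Downloaded Program File is a bare .exe, not an ActiveX control"
    return None


def triage(log: str) -> List[Finding]:
    """Parse every 'XN - payload' line and collect the entries worth fixing."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list and blank lines carry no section code
        reason = check(m.group("sec"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("sec"), line, reason))
    return findings


def fix_list(log: str) -> List[str]:
    """The lines to tick under 'Fix Checked', in log order."""
    return [f.line for f in triage(log)]


for f in triage(SAMPLE_LOG):
    print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run as-is it prints the nine lines from the excerpt that match the fix list above, and leaves the mapquest start page, the ProxyOverride, the EnsoniqMixer entry and WinVNC alone. The startup list is where the helper's judgement lives: the script only makes that judgement explicit, and whether a remote-control server such as WinVNC belongs on a machine that had an unauthorized visitor is not something a log rule can decide, so it is left alone here exactly as it was above.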

#4 zeuseman1 (New Member, 3 posts)

Posted 01 August 2004 - 11:48 PM

Hi nasdaq

Thank you very much for your help.
The direction you pointed me in will be of great help; the how-to page is gold.

I am running Windows NT and the how-to link said NT can't be booted in safe mode, so I am not sure, if I delete the files you said to remove, whether they may come back. I guess I will find out when I start to try to fix it.

Is there an equivalent method of starting in safe mode for Windows NT?

The how-to resources you sent me to look at are very informative; if you care to share other how-to links for me to browse it would be appreciated.

#5 nasdaq (Global Moderator, Forum Deity, 49,091 posts)

Posted 02 August 2004 - 07:24 AM

SOLUTION I found here.
http://www.laplink.c...icle.asp?ID=294

If your computer runs Windows NT

Reboot the computer.

Choose Windows NT 4.00 [VGA mode] when you see the message Please select the operating system to start....

Press Enter

Hope it helps.
nasdaq


#6 zeuseman1 (New Member, 3 posts)

Posted 04 August 2004 - 09:05 PM

Hi nasdaq

It worked!!!!
Thank you very much for your help.

I still need to purge the temp files fully. I was not able to be in VGA mode when I deleted the temp files and, of some thousand files, about 30 or so were running and would not delete.
I will get to it when my workload allows.
I was in VGA mode when I deleted OnSrvr.exe and AChkr.exe.

Thanks for the tools, I now have more resource to fix problems on my own.

It took a while to find this forum and I have to say it ROCKS. (Great Site)

Thanks again
Zeuseman

#7 nasdaq (Global Moderator, Forum Deity, 49,091 posts)

Posted 05 August 2004 - 09:25 AM

Nice to see that all is well.

Thanks for the feedback.
nasdaq


#8 PGPhantom (Emeritus, Superman of SWI, 3,494 posts)

Posted 03 November 2004 - 02:06 AM

It has been a pleasure to help you :)

The problems here look to be resolved or there has been no response for a long period of time so I will close the topic. If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.



