Dl.exe Hijack This File

  1. #1
siradam134 (Newbie)

    Dl.exe Hijack This Log

Currently have Windows XP running, with a nice black DOS screen named DL.EXE. It disables my internet, so I can't run HouseCall. Please help. J.f.y.i., the 'Soft Touch' stuff you see is restaurant POS software, no need to worry about those files.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:57:26 AM, on 1/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\DigitalPersona\Bin\DpHost.exe
    C:\WINDOWS\system32\EloSrvce.exe
    C:\Program Files\Firebird\Firebird_1_5\Bin\fbguard.exe
    C:\Program Files\Firebird\Firebird_1_5\Bin\fbserver.exe
    C:\WINDOWS\system32\EloLnchr.exe
    C:\SOFTTO~1\SOFTCA~1.EXE
    C:\SOFTTO~1\SoftFTP.exe
    C:\SOFTTO~1\SMAINS~1.EXE
    C:\SOFTTO~1\SOFTRE~1.EXE
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\SOFTTO~1\start_Softtouch.exe
    C:\WINDOWS\system32\EloDkMon.exe
    C:\WINDOWS\system32\EloTTray.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [SoftTouch] C:\SOFTTO~1\start_Softtouch.exe
    O4 - HKLM\..\Run: [softclient] \softclient.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1127411847125
    O17 - HKLM\System\CCS\Services\Tcpip\..\{71DB3771-DCA9-4B59-B5D2-92613F749973}: NameServer = 65.32.1.65,65.32.1.70
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: DpHost - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
    O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
    O23 - Service: Firebird Guardian - Default Instance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\Bin\fbguard.exe
    O23 - Service: Firebird Server - Default Instance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\Bin\fbserver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SoftTouch Caller Server (SoftCallerServer) - Unknown owner - C:\SOFTTO~1\SOFTCA~1.EXE
    O23 - Service: SoftTouch FTP Server (SoftFTPServer) - Unknown owner - C:\SOFTTO~1\SoftFTP.exe
    O23 - Service: SoftTouch Main Server (SoftMainServer) - Unknown owner - C:\SOFTTO~1\SMAINS~1.EXE
    O23 - Service: SoftTouch Report Server (SoftReportServer) - Unknown owner - C:\SOFTTO~1\SOFTRE~1.EXE
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
    Last edited by siradam134; 25-01-2006 at 04:05 PM.


  2. #2
VopThis, Senior Member (Canada)
    See similar cases here - any other error messages being given?:
    http://www.d-a-l.com/help/showthread...8853#post78853
    Possible Trojan: http://www.sophos.com/virusinfo/anal...jlamedond.html



    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here



    Try the following steps in NORMAL MODE first:
    SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).


    DELETE FILES, if found:

    DL.EXE (locate all instances using Start>Search)
    Also look for: dlm.exe, mstasks.exe, mstaskss.exe, sherlok2.exe, kemuri32.exe and mssys.exe


    (if any process is reported as running, try ending the running process - Ctrl+Alt+Delete keys)



    Reboot.


    If you now regain access to the internet run the following tool:

    Please download, install, update and scan your system with the free (trial) version of Ewido trojan scanner:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.


    Let us know how you made out.
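As an added illustration (not code from this thread or from HijackThis) of how a defender can triage a saved HijackThis log mechanically rather than by eye, the script below checks the running-process list and O4 Run entries against the file names the reply above asks the poster to search for, and also flags Run values that are not absolute paths (like the `[softclient] \softclient.exe` line in post #1) and services whose binary is reported missing. The suspect-name list comes only from this reply, and the sample log is constructed to mirror the shape of the one quoted in post #1.

```python
import ntpath
import re

# Names the reply above says to search for (taken from this thread, not a full indicator list)
SUSPECT_NAMES = {"dl.exe", "dlm.exe", "mstasks.exe", "mstaskss.exe",
                 "sherlok2.exe", "kemuri32.exe", "mssys.exe"}
O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample in the shape of the log quoted in post #1
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\DL.EXE

O4 - HKLM\..\Run: [SoftTouch] C:\SOFTTO~1\start_Softtouch.exe
O4 - HKLM\..\Run: [softclient] \softclient.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
"""

def executable_of(cmd):
    """Strip quotes and arguments from a Run value, leaving the program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def triage(log_text):
    """Return (section, item, reason) findings for a HijackThis log."""
    findings, in_procs = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            if ntpath.basename(line).lower() in SUSPECT_NAMES:
                findings.append(("process", line, "name is on the suspect list"))
        elif in_procs:              # a blank line ends the process list
            in_procs = False
        elif (m := O4_RE.match(line)):
            exe = executable_of(m.group("cmd"))
            if ntpath.basename(exe).lower() in SUSPECT_NAMES:
                findings.append(("O4", m.group("name"), "name is on the suspect list"))
            elif not DRIVE_RE.match(exe):   # e.g. "\softclient.exe" resolves against the current drive
                findings.append(("O4", m.group("name"), "path is not absolute: " + exe))
        elif line.startswith("O23 - ") and line.endswith("(file missing)"):
            findings.append(("O23", line.split(" - ", 2)[1], "service binary missing"))
    return findings
```

Run `triage(open("hijackthis.log").read())` on a saved log; a non-absolute O4 path is worth a look but is not proof of infection on its own (bare names such as `SOUNDMAN.EXE` are flagged too).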
