Refiebar & unknown DPFs



#1
flaterp
New Member, 2 posts
I have used the online HJT analyzer (http://hijackthis.de/index.php) with good success. However, there are a couple of items that the tool does not recognize or believes to be "possibly nasty." Specific items are the refiebar.dll (Is this simply the "Research" command button for Office programs?) and the O16s. Please let me know of anything that I may have missed. Thanks in advance for the help.

Logfile of HijackThis v1.99.0
Scan saved at 2:43:34 PM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Tivoli\tma\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\scardmon\scardmon.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tivoli\tma\bin\w32-ix86\mrt\lcfep.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Tivoli\tma\dat\1\Mobile\mobile.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Documents and Settings\flater\Desktop\TASO\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\tma\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [Mobile] "C:\Program Files\Tivoli\tma\dat\1\Mobile\epspawn.exe" -w "C:\Program Files\Tivoli\tma\dat\1\Mobile" "C:\Program Files\Tivoli\tma\dat\1\Mobile\mobile.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.et.afrl.mnmw.eg-194-061] "C:\PROGRA~1\Tivoli\tma\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Sign Out Board.xnk
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {501B3E1A-83F6-1048-5AEA-7F860E0AED80} - http://209.8.161.54/1/rdgUS1022.exe
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094133399366
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eglin.afmc.ds.af.mil
O17 - HKLM\Software\..\Telephony: DomainName = eglin.afmc.ds.af.mil
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eglin.afmc.ds.af.mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eglin.afmc.ds.af.mil
O23 - Service: ActivCard Gold Autoregister - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Program Files\Tivoli\tma\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Symantec Client Firewall Service - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card Monitor - AFRL/PROE - c:\scardmon\scardmon.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Client Firewall Proxy Service - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
#2
Joey
Member, 94 posts
I'm working on your log, as soon as another staff member reviews it I'll post a reply. :tazz: Thank you for your patience.

#3
Joey
Member, 94 posts
Hello, flaterp, welcome to GeeksToGo forums! :tazz:

refiebar.dll is legitimate, since it's in the Microsoft Office folder.
(It stands for Reference IE bar)

There's only one baddie left in your log, but we'll take care of it.
Run HijackThis, hit 'Scan' and place a check by this item (If there):

O16 - DPF: {501B3E1A-83F6-1048-5AEA-7F860E0AED80} - http://209.8.161.54/1/rdgUS1022.exe

Close all open browsers and windows (Even this one), and hit 'Fix selected'.

Do you know what these are?
  • c:\scardmon\scardmon.exe
  • Sign Out Board.xnk
If you're not sure, go to Jotti's Malware Scan. Paste c:\scardmon\scardmon.exe in the 'File to Upload and Scan' box and hit 'Submit'. Wait a while, then copy the results to NotePad. Do the same for
C:\Documents and Settings\flater\Start Menu\Programs\Startup\Sign Out Board.xnk
Post back with the results, along with a new HijackThis log.
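Why that single O16 line stands out, as an added example that is not from this thread or from HijackThis itself: a small Python triage of the O16 (Downloaded Program Files) entries. The line shape and the sample lines are copied from the logs posted above; the signals it scores on (bare-IP host, .exe codebase, missing name or URL) are my own assumptions about what makes an ActiveX download entry worth a second look, not rules the helper or the tool states.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: the O16 (Downloaded Program Files) lines from the two logs
# posted above, copied as they appear there (two URLs are truncated in the post).
SAMPLE_LOG = """\
O16 - DPF: {501B3E1A-83F6-1048-5AEA-7F860E0AED80} - http://209.8.161.54/1/rdgUS1022.exe
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094133399366
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
"""

O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]+)\}(?: \((.*?)\))? -\s*(.*)$")

def parse_o16(line):
    """(clsid, name, url) from "O16 - DPF: {CLSID} (name) - URL"; None for other lines."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    clsid, name, url = m.groups()
    return clsid.upper(), name or "", url.strip()

def is_ip_literal(host):
    """True when the URL host is a raw IPv4/IPv6 address instead of a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def triage_o16(line):
    """Rate one O16 entry 'high', 'review' or 'low' and list why (rules are my own)."""
    parsed = parse_o16(line)
    if parsed is None:
        return None
    clsid, name, url = parsed
    reasons, high = [], False
    if url:
        host, path = urlparse(url).hostname or "", urlparse(url).path.lower()
        if is_ip_literal(host):
            reasons.append("codebase served from a bare IP; no vendor domain to attribute it to")
        if path.endswith(".exe"):
            reasons.append("codebase is a bare .exe, not the usual .cab/.ocx control package")
        high = bool(reasons)  # either of the two signals above is enough on its own
    else:
        reasons.append("no codebase URL recorded; origin must be checked on the machine itself")
    if not name:
        reasons.append("no friendly name; the control does not identify itself")
    level = "high" if high else ("review" if reasons else "low")
    return {"clsid": clsid, "name": name, "url": url, "level": level, "reasons": reasons}

def triage_log(text):
    return [t for t in (triage_o16(l) for l in text.splitlines()) if t]
```

Run `triage_log(SAMPLE_LOG)` and the rdgUS1022.exe entry is the only one rated high; the two unnamed or URL-less Oracle-style entries come back as review, the Windows Update and HouseCall controls as low.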

#4
flaterp
Topic Starter, New Member, 2 posts
Yes, I know what scardmon and Sign Out Board are; they are safe. I fixed the suggested item and my newest log is posted below. Thanks for the help, Joey.

Logfile of HijackThis v1.99.0
Scan saved at 4:18:04 PM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Tivoli\tma\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\scardmon\scardmon.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Tivoli\tma\bin\w32-ix86\mrt\lcfep.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Tivoli\tma\dat\1\Mobile\mobile.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\flater\Desktop\TASO\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\tma\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [Mobile] "C:\Program Files\Tivoli\tma\dat\1\Mobile\epspawn.exe" -w "C:\Program Files\Tivoli\tma\dat\1\Mobile" "C:\Program Files\Tivoli\tma\dat\1\Mobile\mobile.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.et.afrl.mnmw.eg-194-061] "C:\PROGRA~1\Tivoli\tma\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Sign Out Board.xnk
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D146} (AtlCam Class) - http://129.61.194.68/sns100.ocx
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094133399366
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eglin.afmc.ds.af.mil
O17 - HKLM\Software\..\Telephony: DomainName = eglin.afmc.ds.af.mil
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eglin.afmc.ds.af.mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eglin.afmc.ds.af.mil
O23 - Service: ActivCard Gold Autoregister - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Program Files\Tivoli\tma\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Symantec Client Firewall Service - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card Monitor - AFRL/PROE - c:\scardmon\scardmon.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Client Firewall Proxy Service - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe

#5
Joey
Member, 94 posts
Clean now, good job!

There are a few optional ones, which could be fixed safely to make your computer boot faster:
  • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <<< System Tray access to Apple's "Quick Time" viewer from version 5 onwards
  • O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <<< Resource hog that launches common MS Office components to help speed up the launch of Office programs.
Now that you're cleaned up, it would be a good idea to do the following:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update Windows and IE to get all the Latest Security Patches to protect your computer from the malware that is around on the internet. Please go to
Microsoft Windows and Internet Explorer Updates to get the critical updates.
Note: If you're on dial-up, this might take a few hours, so you might consider ordering SP2 on CD (free), which has all past updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update

Please go to this page for links to recommended anti-spyware programs, and here for guides on using them.

Be careful with spyware "removers and scanners"; there are many "rogue/suspect" programs that "claim to remove" spyware: http://spywarewarrio...nti-spyware.htm

You should also clean out temp folders to increase disk space: http://forums.tomcoy...showtopic=23832

Watch what you download, and where you download it from. Many programs come bundled with crapware. Make sure you know what it is you will be downloading and installing. Visit the maker's website and learn more about the program. Does the program you want come bundled with other "3rd party" programs? What do the 3rd party programs do? Will they deliver ads? Track your surfing habits? You may be installing more than you think. Read the EULA agreement, you know, that paragraph of stuff you "agree to" before the software installs? Stay away from warez and crack sites. Be careful what you download from file sharing networks. If you are not sure, scan it with your Antivirus app. A small file (in KB) is probably not what you think it is.

A good article which shows how to prevent re-infection: Prevent Hijackings

More security information:
http://www.dslreports.com/faq/8463
http://www.wilders.org/index.htm
http://groups.msn.co...netSecuritySite

:tazz: