Help Needed: DeskMate.Tahni won't go away. HJT log included.



I_Hate_Spyware
2006-10-28, 19:16
Hello.

Every time I run Spybot (latest version) it finds a RED item: a trojan called DeskMate.Tahni. It is removed nicely, but after I reboot the computer it is found again by Spybot, so it must somehow activate during the reboot process.

I never installed any DeskMate and nobody else has access to my computer. I never visited their homepage before.

I visited the DeskMate home page after the infection to find help uninstalling the crap, but there was no indication of an uninstaller except "go to Programs -> DeskMates -> Uninstall", and there is no such folder as DeskMates on my hard drive.

Someone told me to "remove tahni.exe", but there is no such file on any of my hard drives.

I have avast! antivirus and the ZoneAlarm firewall, both updated to the latest version. avast! does not find the DeskMate trojan. Neither does Panda ActiveScan or F-Secure antivirus. I also ran all the other online virus scanners that were listed on the "BEFORE YOU POST" page.

Here's the HijackThis 1.99.1 log:

Logfile of HijackThis v1.99.1
Scan saved at 19:56:40, on 28.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Razer\Copperhead\razerhid.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\Program Files\Razer\Copperhead\razerofa.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\nbpro\nbpro.exe
D:\Program Files\Opera\Opera.exe
E:\Tarpeelliset\HijackThis 1.99.1 final\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Copperhead] D:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "D:\WINDOWS\system32\E_S6F.tmp"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135967293796
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

any help is much appreciated.

P.S. Sorry if something is missing or wrong, it's my first post here.

pskelley
2006-10-31, 12:29
Welcome to the forum. A Google search turns up this information, and the uninstall instructions are on the page:
http://www.oska.com/support.php?Product=Tahni
http://www.oska.com/support.php?Product=Tahni&MH=Uninstall
From what I could see, this had to be downloaded on purpose or bundled with another program where the EULA was not considered?

I also suggest you do this once that item is uninstalled.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Turn off TeaTimer, it will block the changes: http://russelltexas.com/malware/teatimer.htm

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log.

Thanks

I_Hate_Spyware
2006-11-01, 12:05
> Welcome to the forum. A Google search turns up this information, and the uninstall instructions are on the page:
> http://www.oska.com/support.php?Product=Tahni
> http://www.oska.com/support.php?Product=Tahni&MH=Uninstall
> From what I could see, this had to be downloaded on purpose or bundled with another program where the EULA was not considered?

In my previous post I stated that I had already visited that page and looked at the uninstall instructions, but they are not valid, as I don't have any such folders on my hard drive to uninstall.

I have never downloaded it on purpose, nor bundled with other programs.



> I also suggest you do this once that item is uninstalled.
>
> Please download ATF Cleaner by Atribune
> http://www.atribune.org/content/view/25/2/
> Save it to your Desktop. We will use this later.
>
> Turn off TeaTimer, it will block the changes: http://russelltexas.com/malware/teatimer.htm


Will do those when I get home (posting from work now).



> Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
>
> Close all programs but HJT and all browser windows, then click on "Fix Checked"

Why would I want to do this? I have purposely set them to about:blank with Javacool Software's SpywareBlaster.



> Run ATF Cleaner
> Double-click ATF-Cleaner.exe to run the program.
> Click Select All found at the bottom of the list.
> Click the Empty Selected button.
> Click Exit on the Main menu to close the program.
>
> Restart the computer and post a new HJT log.
>
> Thanks

Will run the ATF Cleaner when I get home. Just wanted to know first if there's some special reason for removing the about:blank entries.

pskelley
2006-11-01, 12:45
> just wanted to know first if there's some special reason for removing the about:blank entries
Leave them if you wish, it is an optional removal, your call.

Have you tried contacting anyone at the website for removal instructions?
http://www.oska.com/contact.php

When Spybot locates this item, where does it say it is located? When you search for it, do you have hidden files and folders enabled?
How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Try turning off TeaTimer and running the scan, then remove the item. I have only seen this once before, and the member never reported back, so I do not know whether they were successful in removing it or not.

Let me have a look at the Uninstall list; I may see something in there.
Start HiJackThis
Press 'Config'
Press 'Misc Tools'
Press 'Open Uninstall Manager'
Press 'Save List'
Save the log to a convenient location
Copy the log and post its contents in this thread.

You seem to think it is a trojan; give this program a try if you wish, it's free to try.
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/
Thanks to John McKenna for the tutorial.

Thanks

I_Hate_Spyware
2006-11-01, 18:03
> Leave them if you wish, it is an optional removal, your call.
>
> Have you tried contacting anyone at the website for removal instructions?
> http://www.oska.com/contact.php

Yes. Mailed them two times already, no answer yet.



> When Spybot locates this item, where does it say it is located?

Spybot says this about the item DeskMate.Tahni:
HKEY_USERS\S-1-5-21-1644491937-162531612-725345543-1003\Software\VHLD



> When you search for it, do you have hidden files and folders enabled?


Yes. I always have hidden files and file extensions shown anyway. I've been using PCs since DOS 3.30 and I kind of like the extensions showing :)



> Try turning off TeaTimer and running the scan, then remove the item.


I usually disable TeaTimer when running spyware removal programs, because it blocked the removal of some item in the past.



> Let me have a look at the Uninstall list; I may see something in there.
> Start HiJackThis
> Press 'Config'
> Press 'Misc Tools'
> Press 'Open Uninstall Manager'
> Press 'Save List'
> Save the log to a convenient location
> Copy the log and post its contents in this thread.


OK. Here you go:

HijackThis Uninstall list:

Ad-Aware SE Personal
Adobe Reader 7.0.7
a-squared Free 2.0
ATI Control Panel
ATI Display Driver
avast! Antivirus
BugOff 1.10
CCleaner (remove only)
Doom 3
DOOM 3: Resurrection of Evil
EurobetPoker (remove only)
EVEREST Home Edition v2.20
Half-Life(R) 2
HijackThis 1.99.1
IrfanView (remove only)
K-Lite Mega Codec Pack 1.53
Marvell Miniport Driver
Max Payne
Max Payne 2
Microsoft Office XP Professional with FrontPage
Nero OEM
NewsBin Pro 4.3
Opera 9.02
Pacific Poker
PartyPoker
PeerGuardian 2.0
Poker Tracker Version 2.11.00e
PokerAce Hud (remove only)
PowerDVD
QuickPar 0.9
Razer Copperhead
Realtek AC'97 Audio
Security Update for Windows XP (KB913433)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Steam(TM)
UltimateBet
VIA Platform Device Manager
Windows Genuine Advantage v1.3.0254.0
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
WinZip
xp-AntiSpy 3.95-2
ZoneAlarm


Thanks for the help.

P.S. Sorry if I sounded unfriendly in my earlier post today from work, but I tend not to be at my best when my angry boss has shouted at me for no reason.

pskelley
2006-11-01, 18:22
No need to copy everything I post, it's just a waste of space... thanks.

There is some stuff in your uninstall programs list that I would not have on my computer, but I suppose technically they are not "malware". You might want to take a look and get rid of anything you are done with. I see nothing of your problem in there, though.

I will suggest, since you seem to be comfortable with computers, that you edit the registry to get rid of the junk. You know where it is:

HKEY_USERS\S-1-5-21-1644491937-162531612-725345543-1003\Software\VHLD

Make sure you back up; you can probably back up just the one item, though I always back up my complete registry, being super careful in the registry.
http://ts.mcafeehelp.com/faq3.asp?docid=68037
http://www.theeldergeek.com/windows_xp_registry.htm

This is the best free registry tool I have found:
http://www.hoverdesk.net/freeware.htm

Back up your Registry:
- Press the "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter/type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as a backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL
______________________________________________________

I recommend you download RegSeeker. Extract it to its own folder,
open it and double-click RegSeeker.exe to start the program.
Maximize the window and click Clean Registry. Check all sections and click OK.
When the scan is complete, verify the backup box in the lower left corner is checked
and click the Select All button, then Select All again. Then right-click within
the search results and select Delete. Run it again and again, deleting everything
it finds until it finds nothing. Reboot and make sure your programs are working properly,
Control Panel and Add/Remove Programs windows open, etc. (basically just do a quick check of everything).
In the event anything was 'broken', you can open RegSeeker, click Backups and double-click
any/all files to put the information back. A reboot may be required for the effects to be seen.
Reboot when done.

Hope this helps

I_Hate_Spyware
2006-11-02, 17:10
> I will suggest, since you seem to be comfortable with computers, that you edit the registry to get rid of the junk. You know where it is:
>
> HKEY_USERS\S-1-5-21-1644491937-162531612-725345543-1003\Software\VHLD


Yes, but that's the not-so-fun part of it: it can be removed from there manually, or by Spybot S&D, but every time I boot the computer it reappears there.

Well, I think there's only one solution left to get rid of it: format the hard drive and reinstall Windows. The only problem is, I don't know where the bug originally came from, so it might just come back again. That's why it would have been nice to get rid of it permanently.

Thanks for trying to help anyway; I will check the forums in case someone comes up with a solution to permanently get rid of this bug.
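pskelley's suggestion above (back up, then delete HKEY_USERS\...\Software\VHLD) and the OP's report that the key is back after every reboot call for the same next step: remove the key in a restorable way, then look through the machine's autostart set for whatever writes it back. The PowerShell below is an added example written for this thread; it is not code from the thread, from Spybot or from HijackThis. It assumes the SID and key name exactly as Spybot reported them above, the Windows XP default autostart locations, and an administrator session on the affected machine. The marker it searches for ('VHLD') is the key name, on the assumption that the program creating the key carries it in its strings; a packed binary would hide that. The path check strips quotes and arguments before testing whether a service executable exists, because HijackThis 1.99.1 reports a quoted O23 path followed by a switch as "(file missing)", as it did for ashWebSv.exe in the log above even though the same file appears in the running-process list.

```powershell
# Added example for this thread (not code from the thread, Spybot or HijackThis).
# Assumptions: the SID and key name are the ones Spybot reported above; XP default
# autostart locations; run from an administrator session on the affected machine.
$Sid        = 'S-1-5-21-1644491937-162531612-725345543-1003'
$TargetKey  = "HKEY_USERS\$Sid\Software\VHLD"
$BackupFile = Join-Path $env:USERPROFILE 'Desktop\VHLD-backup.reg'
$Marker     = 'VHLD'   # assumed to appear in the strings of whatever re-creates the key

# Export the key with reg.exe (restorable later with 'reg import'), then delete it.
# Nothing is deleted unless the export succeeded.
function Backup-AndRemoveKey([string]$Key, [string]$Backup) {
    if (-not (Test-Path "Registry::$Key")) { Write-Host "Not present: $Key"; return }
    if (Test-Path $Backup) { Remove-Item $Backup -Force }   # XP's reg.exe has no /y switch
    & reg.exe export $Key $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export failed, leaving $Key in place" }
    Remove-Item "Registry::$Key" -Recurse -Force
    Write-Host "Exported to $Backup and removed $Key"
}

# Reduce a command line such as  "D:\Program Files\x\a.exe" /service  to the executable.
# HijackThis 1.99.1 did not strip the closing quote and switch from quoted service
# paths, which is why the two avast! O23 lines above read '(file missing)' for files
# that are actually running; here the path is resolved before it is tested.
function Get-ExecutablePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $close = $cmd.IndexOf('"', 1)
        if ($close -gt 0) { return $cmd.Substring(1, $close - 1) }
    }
    # Unquoted path that may contain spaces: take tokens up to the first *.exe / *.dll
    $acc = @()
    foreach ($tok in [regex]::Split($cmd, '\s+')) {
        $acc += $tok
        if ($tok -match '\.(exe|dll)$') { return [string]::Join(' ', [string[]]$acc) }
    }
    return $acc[0]
}

# Collect command lines from the places HijackThis reports as O4 (Run/RunOnce),
# O20 (Winlogon Notify DLLs) and O23 (Win32 services).
function Get-AutostartCommands {
    $cmds = @()
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Run",
        "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties
            if ($p.Name -notlike 'PS*' -and $p.Value) { $cmds += [string]$p.Value }
        }
    }
    $notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem $notify) {
            $dll = (Get-ItemProperty $sub.PSPath).DLLName
            if (-not $dll) { continue }
            # Notify DLLs are usually named relative to system32
            if ($dll -notmatch '^[A-Za-z]:\\') { $dll = Join-Path $env:SystemRoot "system32\$dll" }
            $cmds += $dll
        }
    }
    foreach ($svc in Get-WmiObject Win32_Service) {
        if ($svc.PathName) { $cmds += $svc.PathName }
    }
    return $cmds
}

# Search each autostart binary for the marker as ASCII and as UTF-16LE.
# A packed or obfuscated binary hides its strings, so no hit is not a clean bill.
function Find-MarkerInAutostarts([string]$Needle) {
    $hits = @()
    foreach ($cmd in (Get-AutostartCommands | Sort-Object -Unique)) {
        $path = Get-ExecutablePath $cmd
        if (-not (Test-Path -LiteralPath $path)) { Write-Host "MISSING  $path"; continue }
        $bytes = [IO.File]::ReadAllBytes($path)
        if ([Text.Encoding]::ASCII.GetString($bytes).Contains($Needle) -or
            [Text.Encoding]::Unicode.GetString($bytes).Contains($Needle)) { $hits += $path }
    }
    return $hits
}

Backup-AndRemoveKey $TargetKey $BackupFile
$suspects = Find-MarkerInAutostarts $Marker
if ($suspects) { "Autostart binaries that reference '$Marker':"; $suspects }
else { "No autostart binary references '$Marker'. Next: scheduled tasks and the Startup folders." }
```

Run it once, reboot, and run Spybot again. If the key is back and no autostart binary contains the marker, the remaining places to look are scheduled tasks, the Startup folders, and any executable the script reported as MISSING or could not read; the exported .reg file can be restored at any time with `reg import`.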

tashi
2006-11-07, 23:04
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.