
DNTUS26.EXE

The DNTUS26.exe program is part of DameWare Mini Remote Control, a lightweight remote control tool intended primarily for administrators and help desks, designed for quick and easy deployment without external dependencies or a machine reboot.

How to remove the Mini Remote and/or NT Utilities Client Agent Service:

Please note that if the DWRCS.exe and/or DNTUS26.exe files are not located in the system32 folder, then please search for them and perform the following steps from that folder instead of the system32 folder.

  • Go to a command prompt.
  • Type cd %systemroot%\system32 and press Enter.
  • Type DWRCS.exe -remove and press Enter.
  • Type DNTUS26.exe -remove and press Enter.
  • After the service removal you can delete the following files; however, this may require a reboot before you can delete them.
    • DNTUS26.EXE
    • DWRCS.EXE
    • DWRCS.INI
    • DWRCK.DLL
    • DWRCSET.DLL (v 3.6x and later)
    • DWRCSHELL.DLL (v 3.6x and later)
      If you cannot delete DWRCShell.dll, the Windows Explorer shell has most likely already loaded it. Reboot the machine and do not right-click on anything. Click the Start button and select Run. Type CMD and press Enter. Once you have the DOS prompt, type CD %systemroot%\system32 and press Enter. Now delete the DWRCShell.dll file.

How to possibly discover who installed the software:

Please note that the account (Username) used to install the Client Agent Service must have Administrative rights. Since an Administrator has full rights and can do anything they want on the machine, there is no guarantee that you will find any traces of the intrusion. Here are a few possible methods of discovering how the person accessed the machine.


Some suggestions on how to possibly improve a machine's security:

  • Please note that the suggestions here are not guaranteed to cover every aspect of securing a computer and that they will only help in the most common and simplest areas of computer security. It is the responsibility of the owner of the computer to take every possible measure to ensure that the machine is secured from unwarranted network access.
  • Consider changing all administrative account passwords and make sure there are no new unwanted user accounts created on the machine.
  • Consider implementing a firewall for all Internet access points. The following ports should be blocked in order to thwart unwanted service installations.

To block NetBIOS over TCP/IP:

  • UDP port 137 (name services)
  • UDP port 138 (datagram services)
  • TCP port 139 (session services)

To block Direct Hosting over TCP/IP (Active Directory):

  • TCP port 445 (DNS Direct Hosting).
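
The removal steps above say to search for DWRCS.exe and DNTUS26.exe when they are not in the system32 folder. The following PowerShell script is an added example, not part of the original page or of DameWare's own tooling: it locates the files from the removal list, reports their timestamps and Authenticode signer, and prints the `-remove` commands for the folder where they were found without running them. It assumes Windows PowerShell 3.0 or later in an elevated session; the function name `Find-AgentFile` is hypothetical.

```powershell
# Added example. File names are taken from the removal list on this page.
$names = 'DNTUS26.EXE','DWRCS.EXE','DWRCS.INI','DWRCK.DLL','DWRCSET.DLL','DWRCSHELL.DLL'

function Find-AgentFile {
    param([string]$Root, [switch]$Recurse)
    # -contains is case-insensitive, so dwrcs.exe and DWRCS.EXE both match.
    Get-ChildItem -LiteralPath $Root -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name }
}

# Check system32 first; only if nothing is there, search every local fixed drive.
$sys32 = Join-Path $env:SystemRoot 'System32'
$found = @(Find-AgentFile -Root $sys32)
if (-not $found) {
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
        ForEach-Object { $_.DeviceID + '\' }
    $found = @(foreach ($d in $drives) { Find-AgentFile -Root $d -Recurse })
}

if (-not $found) { 'No files from the removal list were found.'; return }

# Timestamps give a time window to compare against logon and service-install events.
# The signer shows whether a binary is the vendor's file or something reusing its name.
$found | ForEach-Object {
    $sig = if ($_.Extension -in '.exe','.dll') {
        Get-AuthenticodeSignature -LiteralPath $_.FullName
    }
    [pscustomobject]@{
        Path        = $_.FullName
        CreatedUtc  = $_.CreationTimeUtc
        ModifiedUtc = $_.LastWriteTimeUtc
        Signature   = if ($sig) { $sig.Status } else { 'n/a' }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Format-List

# Print (do not run) the removal commands for the folder that holds each service binary.
'Run these from a command prompt to remove the services:'
$found | Where-Object { $_.Name -in 'DWRCS.EXE','DNTUS26.EXE' } | ForEach-Object {
    'cd /d "{0}" && {1} -remove' -f $_.DirectoryName, $_.Name
}
```

Record the output before deleting anything, since the creation times are lost once the files are removed.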


