Press F1 forum - Thread 60155: Results of Hijack This - whats what
Started by nanpoly (8563), 2005-07-24 09:42:00
Post 374846 - nanpoly (8563) - 2005-07-24 09:42:00

Columns of the hijackthis.de result: Entry / Kind (Safe, Nasty, Unknown) / Description / Tip

Logfile of HijackThis v1.99.1
-> Safe. Shows the version of HijackThis. The newest version is v1.99.1! This should be the newest version. (v1.99.1)
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
-> Safe. Shows the version of your Internet Explorer. Newest version is 6.00.2800.1106! This should be the newest version. (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe
-> Safe. Running process (smss.exe). System process - application used to start, manage and delete sessions.
C:\WINDOWS\system32\winlogon.exe
-> Safe. Running process (winlogon.exe). System process - Windows login routine.
C:\WINDOWS\system32\services.exe
-> Safe. Running process (services.exe). System process - manages the system services.
C:\WINDOWS\system32\lsass.exe
-> Safe. Running process (lsass.exe). System process.
C:\WINDOWS\system32\svchost.exe
-> Safe. Running process (svchost.exe). System process - generic host process name for services.
C:\WINDOWS\System32\svchost.exe
-> Safe. Running process (svchost.exe). System process - generic host process name for services.
C:\WINDOWS\Explorer.EXE
-> Safe. Running process (Explorer.EXE). System process for the desktop and taskbar.
C:\WINDOWS\system32\spoolsv.exe
-> Safe. Running process (spoolsv.exe). System process.
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
-> Safe. Running process (avgamsvr.exe). Antivirus software. Possibly nasty! According to our database this process runs normally in c:\program files\grisoft\avg free! Check if you know this process and arrange a virus check where required.
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
-> Safe. Running process (avgupsvc.exe). Antivirus software. Possibly nasty! According to our database this process runs normally in c:\progra~1\grisoft\avgfre~1! Check if you know this process and arrange a virus check where required.
C:\windows\system\hpsysdrv.exe
-> Safe. Running process (hpsysdrv.exe).
C:\WINDOWS\System32\svchost.exe
-> Safe. Running process (svchost.exe). System process - generic host process name for services.
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
-> Safe. Running process (hpqcmon.exe). Hewlett-Packard Digital Imaging. Possibly nasty! According to our database this process runs normally in c:\programme\hp\digital imaging\unload\! Check if you know this process and arrange a virus check where required.
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
-> Safe. Running process (HPWuSchd.exe). Hewlett Packard Software Update. Possibly nasty! According to our database this process runs normally in c:\programme\hp\hp software update\! Check if you know this process and arrange a virus check where required.
C:\WINDOWS\System32\hphmon05.exe
-> Safe. Running process (hphmon05.exe). Part of Hewlett-Packard.
C:\HP\KBD\KBD.EXE
-> Unknown running process (KBD.EXE). This is an unknown process.
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
-> Safe. Running process (WkUFind.exe).
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
-> Safe. Running process (mmtask.exe).
C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
-> Safe. Running process (mwsoemon.exe).
C:\WINDOWS\system32\S3tray2.exe
-> Safe. Running process (S3tray2.exe). S3 video card task tray utility.
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
-> Safe. Running process (opware32.exe).
C:\WINDOWS\ALCXMNTR.EXE
-> Nasty running process (ALCXMNTR.EXE). Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers. This is a nasty process! You should fix it and try to delete it manually!
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
-> Safe. Running process (avgcc.exe). Antivirus software. Possibly nasty! According to our database this process runs normally in c:\program files\grisoft\avg free! Check if you know this process and arrange a virus check where required.
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
-> Safe. Running process (avgemc.exe). Antivirus software. Possibly nasty! According to our database this process runs normally in c:\program files\grisoft\avg free! Check if you know this process and arrange a virus check where required.
C:\PROGRA~1\MYPRES~1\Presario\XPHAPRF3EN\plugin\bin\PCHButton.exe
-> Safe. Running process (PCHButton.exe). Used by HP Instant Support. Not dangerous, but unnecessary.
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
-> Unknown running process (BackWeb-1940576.exe). This is an unknown process.
C:\Program Files\CreataCard\Gold\FMRemind.exe
-> Unknown running process (FMRemind.exe). This is an unknown process.
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
-> Safe. Running process (IMApp.exe). IncrediMail.
C:\Program Files\Internet Explorer\iexplore.exe
-> Safe. Running process (iexplore.exe). Internet Explorer - we recommend using a more secure alternative browser (e.g. Firefox).
C:\Documents and Settings\Owner\Desktop\New Folder\HijackThis.exe
-> Safe. Running process (HijackThis.exe). The tool you used to create this logfile. Remember that HijackThis must be run in its own folder. Only if HijackThis runs in its own folder will it create backups!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qau9.hpwis.com/
-> Safe. This page has been identified as safe.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.xtra.co.nz
-> Safe. This page has been identified as safe.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.xtra.co.nz
-> Safe. This page has been identified as safe.

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\1.bin\MWSSRCAS.DLL
-> Nasty. Entries found in this registry zone are potentially nasty. This application ({00A6FAF1-072E-44cf-8957-5838F569A31D}) has been checked. Hit rate: 99 %. Must be fixed!
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
-> Safe. Entries found in this registry zone are potentially nasty. This application ({06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}) has been checked. Hit rate: 99 %.
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL
-> Nasty. Entries found in this registry zone are potentially nasty. This application ({07B18EA1-A523-4961-B6BB-170DE4475CCA}) has been checked. Hit rate: 99 %. Must be fixed!
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
-> Nasty. Entries found in this registry zone are potentially nasty. This application ({243B17DE-77C7-46BF-B94B-0B5F309A0E64}) has been checked. Hit rate: 99 %. Must be fixed!
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
-> Unnecessary. Entries found in this registry zone are potentially nasty. This application ({FDD3B846-8D59-4ffb-8758-209B6AD74ACC}) has been checked. Hit rate: 99 %. Must be fixed! Unnecessary (deactivated) entry that can be fixed.

O3 - Toolbar: My &Way Speedbar - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL
-> Nasty. Entries found in this registry zone are potentially nasty. This application ({07B18EA9-A523-4961-B6BB-170DE4475CCA}) has been checked. If the name is made up of random letters, is found in the folder 'Application Data' and the kind is 'Unknown', it should be fixed. Hit rate: 99 %. Must be fixed!

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
-> Safe. Part of the MS Input Method Editor, which is used to ease the input of Asian characters in MS Office (Chinese, Korean, and this one is Japanese). Hit rate: 61 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
-> Safe. Hit rate: 99 %.
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
-> Safe. Part of Microsoft's Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word. Hit rate: 82 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
-> Safe. Part of Microsoft's Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word. Hit rate: 75 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
-> Safe. Hewlett-Packard. Hit rate: 99 %.
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
-> Safe. Application that implements the Intel Hotkey command. Hit rate: 99 %.
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
-> Safe. Part of Hewlett-Packard. Hit rate: 99 %.
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
-> Unknown. Hit rate: 99 %. Unknown application.
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
-> Safe. Hewlett-Packard Software Update. Hit rate: 99 %.
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
-> Safe. Part of Hewlett-Packard. Hit rate: 99 %.
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
-> Unknown. Hit rate: -1 %. Unknown application.
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
-> Safe. Hewlett Packard software. Hit rate: 99 %.
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
-> Safe. Part of NVidia. Hit rate: 99 %.
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
-> Safe. Application that allows users to have 32 virtual desktops, get a desktop larger than the viewable area of the monitor, divide the display across more than one monitor, manage applications, and many more features. Hit rate: 99 %.
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
-> Nasty. Virus. Hit rate: 99 %. Must be fixed!
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
-> Unknown. Hit rate: -1 %. Unknown application.
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
-> Safe. Microsoft Works Shared. Hit rate: 99 %.
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
-> Safe. Part of MusicMatch Jukebox - digital music player / CD burner and ripper / music organizer / playlist creator. Hit rate: 99 %.
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
-> Nasty. "My Web Search" malware. Hit rate: 99 %. Must be fixed!
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
-> Safe. S3 display configuration taskbar utility for S3 chipset based graphics cards. Can be run from Start -> Settings -> Control Panel -> Display. Hit rate: 58 %.
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
-> Safe. StorageGuard from Veritas (this version by Sonic). Free utility that integrates with Backup MyPC (formerly Backup Exec Desktop), Simple Backup and MS Backup. Provides system tray access and background monitoring, warning you of files that haven't recently been backed up. Required unless you back up manually on a regular basis or have scheduled backups. Hit rate: 99 %.
O4 - HKLM\..\Run: [BrowserBrand] C:\Program Files\ONLINE~1\XTRA\brand.exe
-> Unknown. Hit rate: 11 %. Unknown application.
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
-> Safe. Omnipage. Hit rate: 99 %.
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
-> Nasty. Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers. Hit rate: 57 %. Must be fixed!
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
-> Safe. AVG Anti-Virus 7.0 Control Center. Allows you to manage and control all AVG Anti-Virus components, settings and updates. Hit rate: 71 %.
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
-> Safe. AVG Anti-Virus 7.0 Email Cleaner. Scans incoming and outgoing email for viruses. Hit rate: 69 %.
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
-> Safe. (O4 - HKLM..Run: [UserFaultCheck] %systemroot%system32dumprep 0 -u) Hit rate: 99 %.
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
-> Safe. NVidia Nview. Hit rate: 99 %.
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
-> Safe. Microsoft Money. Hit rate: 99 %. Not dangerous, but unnecessary.
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\MYPRES~1\Presario\XPHAPRF3EN\plugin\bin\PCHButton.exe
-> Safe. Used by HP Instant Support. Hit rate: 83 %. Not dangerous, but unnecessary.
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
-> Safe. IncrediMail. Hit rate: 99 %.
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
-> Unknown. Hit rate: 2 %. Unknown application.
O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
-> Unknown. Hit rate: 4 %. Unknown application.

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
-> Safe. The entry '&Add animation to IncrediMail Style Box' has been identified as safe. If the entry is not needed anymore, it should be fixed.

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
-> Safe. The entry has been identified as safe. If the entry is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
-> Safe. The entry 'Sun Java Console' has been identified as safe. If the entry is not needed anymore, it should be fixed.
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
-> Safe. The entry 'MoneySide' has been identified as safe. If the entry is not needed anymore, it should be fixed.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
-> Safe. The entry 'Messenger' has been identified as safe. If the entry is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
-> Safe. The entry 'Windows Messenger' has been identified as safe. If the entry is not needed anymore, it should be fixed.

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
-> Safe. Most of the entries present in this registry area are safe. Only OnFlow adds an unwanted plugin that can be found here. OnFlow plugins have the extension *.ofb.

O14 - IERESET.INF: START_PAGE_URL=http://www.xtra.co.nz
-> Possibly nasty. This entry should be fixed if this address does not belong to your PC manufacturer or your Internet Service Provider (ISP). This entry should be fixed if 'http://www.xtra.co.nz' is not your PC manufacturer or your ISP.

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.imgfarm.com .0.6.cab
-> Nasty. This entry is possibly nasty. Should be fixed.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com .cab?1120903725781
-> Safe. This entry has been identified as safe.
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - www2.incredimail.com
-> Nasty. This entry is possibly nasty. Should be fixed.

O17 - HKLM\System\CCS\Services\Tcpip\..\{CDA95F80-AC71-4A39-9747-5710542C8BAF}: NameServer = 202.27.184.3 202.27.184.5
-> Possibly nasty. If this domain does not belong to your ISP or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or domain '202.27.184.3 202.27.184.5'? If not, fix this entry.

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
-> Unknown.

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
-> Safe. These entries show all services which are not from Microsoft. Often malware starts as a system service and it's not easy to detect. This service (avgamsvr.exe) was identified as a good one.
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
-> Safe. Non-Microsoft service (see note above). This service (avgupsvc.exe) was identified as a good one.
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-> Safe. Non-Microsoft service (see note above). This service (nvsvc32.exe) was identified as a good one.
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-> Safe. Non-Microsoft service (see note above). This service (SymWSC.exe) was identified as a good one.

This log has been checked automatically. Check your log file automatically at www.hijackthis.de.
Post 374847 - Speedy Gonzales (78) - 2005-07-24 09:53:00

Don't post the same thing twice, Nanpoly. You've already posted this in the previous post: pressf1.pcworld.co.nz/showthread.php?t=60150. It's not a good idea to go to http://www.hijackthis.de/ and paste a log, then paste the log and the results from this site. It's hard to read. Continue in the above post. This and the above post need to be merged. If you do a scan with HijackThis, just post the log it creates, not the log and results from http://www.hijackthis.de/.