Another HJT Log

Discussion in 'adware, spyware & hijack cleaning' started by puff-m-d, Dec 31, 2003.

Thread Status:
Not open for further replies.
  1. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    I have a few items in question in my HJT log, so I thought I would post it and receive the experts' advice before I do anything.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:03:44 PM, on 12/31/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\PROGRA~1\SOFT4E~1\LOOKNS~1\looknstop.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\DCS\ProcessGuard Free\pg_msgprot.exe
    C:\WINDOWS\System32\PGPsdkServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Motherboard Monitor 5\MBM5.EXE
    C:\DCS\ProcessGuard Free\procguard.exe
    C:\Program Files\CpuIdle\cpuidle.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Cacheman\Cacheman.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\a2\a2guard.exe
    C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
    C:\Program Files\ARM Software\MacroMaker\macromaker.exe
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\DCS\TDS3\tds-3.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
    C:\Program Files\Trillian\trillian.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\The Bat!\thebat.exe
    C:\Program Files\Opera75\opera.exe
    C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/v5/home/0,1793,108,00.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/v5/home/0,1793,108,00.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/v5/home/0,1793,108,00.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/v5/home/0,1793,108,00.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.bat
    O1 - Hosts: 195.249.40.108 asp.flaaten.dk
    O1 - Hosts: 209.123.109.175 broadbandreports.com
    O1 - Hosts: 209.123.205.211 i.dslr.net
    O1 - Hosts: 209.123.109.175 www.dslreports.com
    O1 - Hosts: 195.249.40.108 www.flaaten.dk
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
    O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
    O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
    O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ProcGuard_Startup] "C:\DCS\ProcessGuard Free\procguard.exe" -minimize
    O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdle\cpuidle.exe
    O4 - HKLM\..\Run: [CSSplash] C:\Program Files\CryptoSuite_Demo\cs_splash.exe
    O4 - HKCU\..\Run: [Cacheman] C:\Program Files\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\regrun2.exe /c 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MacroMaker.lnk = ?
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: tds-3.exe.lnk = C:\DCS\TDS3\tds-3.exe
    O4 - Startup: Trillian.lnk = ?
    O4 - Global Startup: ats.exe.lnk = C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: PGPtray.lnk = ?
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/SU/ocx/12118/CTSUEng.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.3880208333
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/SU/ocx/12118/CTPID.cab

    Thanks in advance!!!
    Happy New Year!!! :D
    Regards,
    Kent
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Kent,

    Is this something you installed yourself:
    C:\WINDOWS\system32\userinit.bat ?

    Regards,

    Pieter
     
  3. puff-m-d

    Hi Pieter,

    Yes, it is one of Phantom's tweaks to have Look"n"Stop load up as early as possible on boot-up.....

    Regards,
    Kent
     
  4. Pieter_Arntz

    Hi Kent,

    In that case, you're looking good (as usual ;) ).

    Regards,

    Pieter
     
  5. puff-m-d

    Thanks ;) ...

    Kent
     
  6. puff-m-d

    Here is my latest:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:39:27 AM, on 1/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\PROGRA~1\SOFT4E~1\LOOKNS~1\looknstop.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\DCS\ProcessGuard Free\pg_msgprot.exe
    C:\WINDOWS\System32\PGPsdkServ.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\Program Files\Motherboard Monitor 5\MBM5.EXE
    C:\DCS\ProcessGuard Free\procguard.exe
    C:\Program Files\CpuIdle\cpuidle.exe
    C:\Program Files\Cacheman\Cacheman.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
    C:\Program Files\ARM Software\MacroMaker\MacroMaker.exe
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\DCS\TDS3\tds-3.exe
    C:\Program Files\Trillian\trillian.exe
    C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Opera75\opera.exe
    C:\Program Files\The Bat!\thebat.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/v5/home/0,1793,108,00.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/v5/home/0,1793,108,00.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/v5/home/0,1793,108,00.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/v5/home/0,1793,108,00.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.bat
    O1 - Hosts: 209.123.109.175 broadbandreports.com
    O1 - Hosts: 209.123.205.211 i.dslr.net
    O1 - Hosts: 209.123.109.175 www.dslreports.com
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
    O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
    O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
    O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKLM\..\Run: [ProcGuard_Startup] "C:\DCS\ProcessGuard Free\procguard.exe" -minimize
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdle\cpuidle.exe
    O4 - HKCU\..\Run: [Cacheman] C:\Program Files\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\regrun2.exe /c 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MacroMaker.lnk = ?
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: tds-3.exe.lnk = C:\DCS\TDS3\tds-3.exe
    O4 - Startup: Trillian.lnk = ?
    O4 - Global Startup: ats.exe.lnk = C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: PGPtray.lnk = ?
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.3880208333
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab

    There is now a new item that has appeared and I do not know if I need to worry about it.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    Regards,
    Kent
     
  7. Pieter_Arntz

    Hi Kent,

    Setting the value of 'ProxyOverride' to equal '<local>' will stop internal addresses from going through the proxy.

    Source: http://www.winguides.com/registry/display.php/292/

    Regards,

    Pieter
     
  8. puff-m-d

    Hi Pieter,

    As far as I know, I do not use a proxy in any way... I do use a hosts file with 127.0.0.1 as my localhost, and then all banned sites as 0.0.0.0. I just wonder where this came from... Could CWShredder possibly have done this in its fixing of hosts redirects? Other than that, I have not a clue where it came from or if I need it....

    Regards,
    Kent
     
  9. Pieter_Arntz

    Hi Kent,

    I can imagine programs that would make that entry for various reasons like an AV, firewall, spamfilter and probably more.

    It will certainly not harm you. If it said anything that was not local, it would certainly be worth investigating.
    Fixing it now, without knowing where it came from could slow you down or even get in the way of one of your security apps.

    Regards,

    Pieter
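    The two questions in this thread (the F2 UserInit entry and the R1 ProxyOverride entry) are the kind of thing a small triage pass over a HijackThis log can surface automatically. The following is an added example, not code from the thread or from HijackThis; it assumes the v1.97 line format shown above, treats the Windows XP default UserInit value (userinit.exe) as the baseline, and treats only <local>, 127.0.0.1 and localhost as harmless ProxyOverride values. The sample lines are constructed, modelled on Kent's log.

    ```python
    import re

    # Constructed sample in HijackThis v1.97 format (modelled on the thread's log).
    SAMPLE_LOG = r"""
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.bat
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O1 - Hosts: 209.123.109.175 broadbandreports.com
    O1 - Hosts: 0.0.0.0 ads.example.invalid
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    """

    # Assumption: Windows XP default UserInit value (case-insensitive, trailing comma ignored).
    DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
    # ProxyOverride entries that only bypass the proxy for the local machine.
    LOCAL_PROXY_OVERRIDES = {"<local>", "127.0.0.1", "localhost"}
    # Hosts entries pointing here are blackholes (ad blocking), not redirects.
    BLACKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}

    LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


    def triage(log_text):
        """Return (kind, reason) findings for log entries worth a second look."""
        findings = []
        for raw in log_text.splitlines():
            m = LINE_RE.match(raw.strip())
            if not m:
                continue  # header, process list, blank lines
            kind, body = m.group("kind"), m.group("body")
            if kind == "F2" and "UserInit=" in body:
                value = body.split("UserInit=", 1)[1].strip().rstrip(",").lower()
                if value != DEFAULT_USERINIT:
                    findings.append((kind, f"non-default UserInit: {value}"))
            elif kind == "R1" and "ProxyOverride" in body:
                value = body.split("=", 1)[1].strip()
                for part in value.split(";"):
                    if part.strip().lower() not in LOCAL_PROXY_OVERRIDES:
                        findings.append((kind, f"ProxyOverride bypasses proxy for: {part.strip()}"))
            elif kind == "O1" and body.startswith("Hosts:"):
                ip, host = body[len("Hosts:"):].split(None, 1)
                if ip not in BLACKHOLE_IPS:
                    findings.append((kind, f"hosts entry redirects {host.strip()} to {ip}"))
        return findings


    if __name__ == "__main__":
        for kind, reason in triage(SAMPLE_LOG):
            print(kind, reason)
    ```

    A flagged entry is a prompt to ask where it came from, as Pieter did with userinit.bat; the 127.0.0.1 ProxyOverride line is not flagged, matching his assessment.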
     
  10. puff-m-d

    Pieter,

    Thanks for the help.... I was a little confused o_O and just wanted to be sure it was not causing any harm ;) !!!

    As always, thanks for the link and shedding some light on my confusion :D ....

    Have a karma cookie on me after all your hard work :eek: !!!

    Regards,
    Kent
     
  11. Pieter_Arntz

    My pleasure Kent.
    I learned a few things myself while investigating.

    Regards,

    Pieter
     