greenknight Posted October 29, 2005
Ran all your recommended scans plus a few others, found nothing. Is there any crap here I can clean out?

Logfile of HijackThis v1.99.1
Scan saved at 6:19:23 AM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ISP.COM Internet Services\dialer.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\toolbar.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121046752693
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8F83FF1-3F27-454A-9B9E-C780537CD2FF}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Administrator Tarun Posted October 29, 2005
I'd switch to eTrust AntiVirus, avast and AVG miss a lot. Scrap WinPatrol, it's crappy. MSAS RealTime does better, and Arovax is said to be excellent too.

These can go:
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

They are also optional. ;)
greenknight (Author) Posted October 30, 2005
Deleted 5 of those items. They were removed and backups made successfully, but I got this error message:

Unexpected error occurred!
Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).
Please send a report to merijn@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.
This message has been copied to your clipboard.

Is this worth worrying about? Should I bother sending a report?
Administrator Tarun Posted October 30, 2005
Nah, I wouldn't worry about it. HijackThis is made with Visual Basic, so that was just a VB error.
SenutyEnool Posted October 30, 2005
> ....so that was just a VB error...
A VB error? How can Victoria Bitter be an error???? It's one of the nicer brews down here and definitely is not an error in my books
Cheers ;)
greenknight (Author) Posted October 31, 2005
Turns out there was a problem, this was back:
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
I used Spybot to turn it off, then ran HT and removed it again, this time with no error message. Hopefully it will stay gone this time.
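A small parser for the HijackThis log format shown in this thread, added here as an example (it is not part of any post and not HijackThis's own code): it extracts the O4 autostart entries, compares an earlier and a later scan to show which fixed entries have been written back, as happened with ctfmon.exe, and lists entries whose target is missing or unresolved. The two sample scans and the REMOVED set are constructed for illustration.

```python
import re

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")          # "O4 - <detail>"
RUN_KEY = re.compile(r"^(?P<loc>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
STARTUP = re.compile(r"^(?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<target>.+)$")

def parse_log(text):
    """Return (section, detail) pairs; header and process-list lines are skipped."""
    lines = (line.strip() for line in text.splitlines())
    return [m.groups() for m in map(ENTRY.match, lines) if m]

def autostarts(text):
    """Map (location, name) -> target for every O4 (autostart) entry."""
    found = {}
    for section, detail in parse_log(text):
        if section == "O4":
            m = RUN_KEY.match(detail) or STARTUP.match(detail)
            if m:
                found[(m["loc"], m["name"])] = m["target"]
    return found

def reappeared(before, removed_names, after):
    """Autostart entries that were fixed after `before` but exist again in `after`."""
    old, new = autostarts(before), autostarts(after)
    return sorted(k for k in old if k[1] in removed_names and k in new)

def missing_targets(text):
    """Entries marked '(file missing)' or with an unresolved shortcut target ('= ?')."""
    return [(s, d) for s, d in parse_log(text)
            if d.endswith("(file missing)") or d.endswith("= ?")]

# Constructed sample: a few entries copied from the log in this thread.
BEFORE = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""
# Constructed later scan: the ctfmon.exe Run value has been written back.
AFTER = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
REMOVED = {"sunJavaUpdateSched", "ctfmon.exe", "Forget Me Not.lnk"}  # assumed for illustration

if __name__ == "__main__":
    print(reappeared(BEFORE, REMOVED, AFTER))
    print(missing_targets(BEFORE))
```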
Administrator Tarun Posted October 31, 2005
Yeah Ctfmon is a pain to remove. Read this for more info.
greenknight (Author) Posted November 1, 2005
> Yeah Ctfmon is a pain to remove. Read this for more info.
Been there, done that. Google found that page for me, but the links for uninstalling Ctfmon are dead, just lead to blank pages.

About MSAS Realtime, is there a way to get it to stop seeing ERUNT Autoback.exe as a new program every time I boot up?

Yokenny I suspect you're right about OSA.exe. I've disabled it for now, since I'm not sure what it does. If there's no problem with that, I'll remove it later. I haven't removed WinPatrol. Wimpy it may be, but it doesn't use a lot of resources. You should watch what you say about Tarun, he has the power here. Fortunately, he also has a sense of humor. ;)
Administrator Tarun Posted November 1, 2005
> You should watch what you say about Tarun, he has the power here. Fortunately, he also has a sense of humor.
At his age, he should know better.
greenknight (Author) Posted November 2, 2005
I found that information about removing ctfmon on another site: http://knowledgebase.scansoft.com/view.asp?tnID=3244
It sounded like a big hassle, though. I also found a program that claimed to remove it in less than a second. For some reason I was feeling more reckless than usual, so I tried it. It seems to work as advertised, so far I haven't seen any sign of problems from using it: http://members.fortunecity.com/dx50azlm/

Removing all that stuff has made a surprising difference, boot-up especially is much quicker.
Administrator Tarun Posted November 2, 2005
When I removed my Ctfmon I followed the directions on the Microsoft site, and had no problems at all. Here's the two steps that worked for me.

Microsoft Windows 2000 and Microsoft Windows XP:
1. Quit all Office programs.
2. Click Start, point to Settings, and then click Control Panel. NOTE: In Windows XP, click Start and then click Control Panel.
3. In Control Panel, double-click Add/Remove Programs. NOTE: In Windows XP, click Add or Remove Programs.
4. In the Currently installed programs list, click to select Microsoft Office XP product, where Office XP product is the name of the specific Office product being used. If you are using a standalone version of one of the Office programs, click to select the appropriate product in the list. Click Change.
5. In the Maintenance Mode Options dialog box, select Add or Remove Features, and then click Next. This displays the Choose installation options for all Office applications and tools dialog box.
6. Click the plus sign (+) next to Office Shared Features to expand it.
7. Click the icon next to Alternative User Input, and then select Not Available.
8. Click Update. NOTE: If you have multiple Office XP products installed, for example, Office XP Professional and Publisher 2002, you must repeat the preceding steps for each installed product.

Step 2: Remove Alternative User Input Services from Text Services
1. Click Start, point to Settings, and then click Control Panel.
2. In the Control Panel, double-click Text Services. NOTE: In Windows XP, click Date, Time, Language, and Regional Options, and then click Regional and Language Options. On the Languages tab, click Details.
3. Under Installed Services, select each input item that is listed, and then click Remove to remove the item. All items must be removed, one by one, except the following input service: English (United States)- default Keyboard United States 101
SenutyEnool Posted November 2, 2005
G'day folks,
Ermm, colour me dumb, but what exactly does ctfmon.exe actually do? Reason I ask, I like knowing what it is that I'm removing/disabling before I go ahead and do it. That way if problems crop up I know what it is I need to fix.
Cheers ;)
Administrator Tarun Posted November 2, 2005
F.A.Q. about CtfMon.exe.
SenutyEnool Posted November 2, 2005
Thanks for that folks, it answered my questions.
Cheers ;)
greenknight (Author) Posted November 7, 2005
That program I found that was supposed to kill ctfmon didn't stop it from coming back. So I followed the instructions above, it still came back. So I told WinPatrol to shut it down, I'll see if that can keep it from running.
Administrator Tarun Posted November 7, 2005
> That program I found that was supposed to kill ctfmon didn't stop it from coming back. So I followed the instructions above, it still came back. So I told WinPatrol to shut it down, I'll see if that can keep it from running.
See my link above, it works like a charm.
greenknight (Author) Posted November 8, 2005
Ok, I think I see the problem. Tarun, I went to that link, and there's a step 3 you didn't include above. So I copied that in case I need it, but for now WinPatrol is keeping it down effectively.
Administrator Tarun Posted November 8, 2005
I successfully stopped it without doing step 3.
greenknight (Author) Posted November 9, 2005
> I successfully stopped it without doing step 3.
After being asked by WinPatrol twice in the space of a minute if I wanted to allow ctfmon to start, I'd had enough. I went ahead and did step 3, that seems to have done the trick.