Jump to content
Sign in to follow this  
SenutyEnool

HJT Log - Senutyenool #1/07

Recommended Posts

Please scan at your convenience and let me know what I can trash.

Cheers :hello:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:45:13, on 18/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Stardock\SDMCP.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Logitech\G-series Software\LCDMon.exe

C:\Program Files\Logitech\G-series Software\LGDCore.exe

C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\QTTask.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\LClock\lclock.exe

C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe

C:\Program Files\Opdicom\OpdiTracker\OptT3STA.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Samurize\Client.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O1 - Hosts: 66.98.148.65 auto.search.msn.com

O1 - Hosts: 66.98.148.65 auto.search.msn.es

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - (no file)

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 2,0\CLRamCleaner.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"

O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe

O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [XPize Reloader] C:\WINDOWS\XPize\XPizeReloader.exe /S

O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: Start OpdiTracker.lnk = C:\Program Files\Opdicom\OpdiTracker\OptT3STA.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: http://www.woolff-tiggra.com

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132910925265

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O17 - HKLM\System\CS1\Services\Tcpip\..\{3D624CC7-338B-4834-B417-C2783E4DF6CF}: NameServer = 69.50.188.178,69.31.80.244

O22 - SharedTaskScheduler: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - Autodesk - (no file)

O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Trend Micro Protection Against Spyware  (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Share this post


Link to post
Share on other sites

Thanks boss.

So, there is absolutely nothing in there I can 'turn' off?

Reason I'm asking is that it's taking near on 5 minutes for my system to start up, one reason why I leave it on 24/7 and only reboot if absolutely necessary.

And was also wondering as there seem to be a hell of a lot of services running which I want to try an cull if possible.

Cheers :hello:

Share this post


Link to post
Share on other sites

Are your Hosts file redirects intentional? I see they redirect to a Redhat Linux server. :hello:

I honestly wonder how much the RAM "Cleaner" is slowing down your system, since it's set to run at boot.

Remember these are optional, so if you need them; obviously you shouldn't remove them.

Generated by Tarun's HijackThis Converter v0.50 Beta.

Default-color items are optional, red are known to be malicious.

Changed registry value

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Malware added these

O1 - Hosts: 66.98.148.65 auto.search.msn.com

O1 - Hosts: 66.98.148.65 auto.search.msn.es

Enumeration of existing IE's BHO's

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

Enumeration of existing IE's toolbars

O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - (no file)

Enumeration of suspicious auto-loading registry entries

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 2,0\CLRamCleaner.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"

O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe

O4 - HKCU\..\Run: [XPize Reloader] C:\WINDOWS\XPize\XPizeReloader.exe /S

O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: Start OpdiTracker.lnk = C:\Program Files\Opdicom\OpdiTracker\OptT3STA.exe

Downloaded Program Files item

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

SharedTaskScheduler autorun Registry key

O22 - SharedTaskScheduler: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)

Share this post


Link to post
Share on other sites

Thanks again, however I need to possibly burst your bubble on one of them. Might be a red not a blue:

SharedTaskScheduler autorun Registry key

O22 - SharedTaskScheduler: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file) (You'll notice the CLSID is exactly as per CastleCops)

and here's why: -> Castle Cops

Is this accurate or not?

______________________________

Heh, yes your correct about RamCleaner, it does use resources, but nearer the minimal scale if left running and can near on stop your system once it 'runs' a clean up.

The reason I've got it set to run on boot is that after everything's loaded it 'releases' approx 200 - 300Mb from initial boot.

Without it, once every thing's loaded, I have 500-600Mb load out of 1Gb, with RamCleaner running only at boot (I close it once every thing's finished) it takes my system down to 300 - 350Mb load.

Cheers :hello:

Share this post


Link to post
Share on other sites

I marked the item as a non threat because the file itself is not there, all that is left is the CLSID that pointed to where the file was.

If that much RAM is being used when you boot, it's being used for a good reason. Unused RAM is wasted RAM. When the processes, dlls, programs, etc are finished with them upon boot; that RAM will then be freed by Windows itself. Using a program to force the release of RAM has more chance of degrading your system's performance than helping it. The files that had the RAM forcefully removed will have to reallocate the RAM yet again if they were not finished with their work.

"RAM Optimizers have no effect, and at worst, they seriously degrade performance. Although gaining more available memory might seem beneficial, it isn't. As RAM Optimizers force the available-memory counter up, they force other processes' data and code out of memory. Say that you're running Word, for example. As the optimizer forces the available-memory counter up, the text of open documents and the program code that was part of Word's working set before the optimization (and was therefore present in physical memory) must be reread from disk as you continue to edit your document. The act of allocating, then freeing a large amount of virtual memory might, as a conceivable side effect, lead to blocks of contiguous available memory. However, because virtual memory masks the layout of physical memory from processes, processes can't directly benefit from having virtual memory backed by contiguous physical memory. As processes execute and undergo working-set trimming and growth, their virtual-memory-to-physical-memory mappings will become fragmented despite the availability of contiguous memory."

Sources: Page 1 and Page 2.

Mark Russinovich (of SysInternals) is definitely the best and most reliable source for Windows Internals.

Share this post


Link to post
Share on other sites

I marked the item as a non threat because the file itself is not there, all that is left is the CLSID that pointed to where the file was.

Well. There you go, learn something new again :hello: . No idea where the heck this came from so I can't even say that I remember getting a virus/worm/trojan that this relates to.

Item now duly removed.

If that much RAM is being used when you boot, it's being used for a good reason. Unused RAM is wasted RAM. When the processes, dlls, programs, etc are finished with them upon boot; that RAM will then be freed by Windows itself. Using a program to force the release of RAM has more chance of degrading your system's performance than helping it. The files that had the RAM forcefully removed will have to reallocate the RAM yet again if they were not finished with their work.

Hmmm, okay, read the articles that you linked to and will trial leaving RamCleaner off and see if there is any noticeable difference. What I failed to mention in my last post is that once RamCleaner has finished 'optimising' I turn it off, I only use it for the initial boot/restart, because as stated it releases approx 200 - 300 Mb. Will see what transpires.

Cheers :D

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  

×