hijackthis log

[Marik]

Scan saved at 1:02:28 AM, on 8/22/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Join Air\AssistantServices.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Join Air\UIExec.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Join Air\UIMain.exe
C:\Program Files\Join Air\CMUpdater.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\ACD Systems\ACDSee Pro\4.0\ACDSeeQVPro4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eu.ask.com/?l=dis&o=14597
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (filesize 210352 bytes, MD5 EC9B79503155F56E9502AFDE8C703B78)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\WINDOWS\system32\PxSecure.dll (filesize 71880 bytes, MD5 83558BA17363A65C75C1BE39282E08C5)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL (filesize 4222864 bytes, MD5 94CA6D847D08514A087E8A4C43D65BF9)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (filesize 408448 bytes, MD5 B7899C3E21B299D7A3C0DA96CAE340BD)
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL (filesize 561552 bytes, MD5 0A63D9A102C3C0209465EA60199E6882)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (filesize 42272 bytes, MD5 E7D55E121FF1951CB86C7E0DC6A33877)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 79648 bytes, MD5 2C003D049CD5E45BB88B6F8583561035)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE (filesize 577536 bytes, MD5 80FD4D46B0E9B620CF757A9A5C789329)
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exeC:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray (filesize 443728 bytes, MD5 87FFC1FF3B269FD8E0BB010294B697F6)
O4 - HKLM\..\Run: [UIExec] "C:\Program Files\Join Air\UIExec.exe" (filesize 132096 bytes, MD5 AEAB274571F151BB6143952258F5C84F)
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme (filesize 3216664 bytes, MD5 933E558B679914DC302005F22D8F0306)
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot (filesize 3417496 bytes, MD5 32D6955938E99FF02770BC0B10D985DC)
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Zero\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (filesize 135664 bytes, MD5 8F0DE4FEF8201E306F9938B0905AC96A)
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun (filesize 357696 bytes, MD5 F34E7705751BB413283434697BF8E55D)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" (filesize 409320 bytes, MD5 2E910A638B507C98EE3BC6986C07863A)
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm (filesize 283 bytes, MD5 648E7B2602158D2FF9197D664F59B28B)
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm (filesize 277 bytes, MD5 7EE0CC294B365F8FC4FAB2F06E01AC95)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (filesize 643472 bytes, MD5 97B792AB337F7274CD3CFC59BD73A931)
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (filesize 643472 bytes, MD5 97B792AB337F7274CD3CFC59BD73A931)
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (filesize 496528 bytes, MD5 7D13B35D051BEBE6D2CCADFE17294DB5)
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (filesize 496528 bytes, MD5 7D13B35D051BEBE6D2CCADFE17294DB5)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O17 - HKLM\System\CCS\Services\Tcpip\..\{91777D8F-DD53-4B63-B51F-40D61546A8CE}: NameServer = 193.231.236.30 193.231.236.25
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (filesize 49024 bytes, MD5 81E7E920312D372CF57A817049AC7C76)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll (filesize 1025024 bytes, MD5 E392E172687BE172F8600C5F41AB03D9)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll (filesize 1025024 bytes, MD5 E392E172687BE172F8600C5F41AB03D9)
O23 - Service: CyberGhost VPN Client (CGVPNCliSrvc) - mobile concepts GmbH - C:\Program Files\S.A.D\CyberGhost VPN\CGVPNCliService.exeC:\Program Files\S.A.D\CyberGhost VPN\CGVPNCliService.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeC:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Hitman Pro 3.5 Crusader (HitmanPro35Crusader) - SurfRight B.V. - C:\Program Files\Hitman Pro 3.5\HitmanPro35.exeC:\Program Files\Hitman Pro 3.5\HitmanPro35.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NitroPDFReaderDriverCreatorReadSpool (NitroReaderDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exeC:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exeC:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exeC:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exeC:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exeC:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony Ericsson PCCompanion - Avanquest Software - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exeC:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exeC:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: UI Assistant Service - Unknown owner - C:\Program Files\Join Air\AssistantServices.exeC:\Program Files\Join Air\AssistantServices.exe

--
End of file - 10886 bytes

Logfile of Trend Micro HijackThis v2.0.4

Now I noticed the line "O1 - Hosts:  & #65279 ;# Copyright © 1993-1999 Microsoft Corp."....my question is, should it even look like that?

also what else is safe to delete?

[hullboy]

No.

Have a look here to have a very useful file HOSTS on your PC

http://winhelp2002.mvps.org/hosts.htm

For an automatic check of your Hijackthis log, cut & paste here

http://www.hijackthis.de/

[Marik]

No.

Have a look here to have a very useful file HOSTS on your PC

http://winhelp2002.mvps.org/hosts.htm

For an automatic check of your Hijackthis log, cut & paste here

http://www.hijackthis.de/

ok, for the first link I had no knowledge.

the second I knew and made use of it prior to making my post.

it said that I should delete the file, but I also wanted more confirmation

thanks for the first link :D

[HX1]

Short of it is it should look like this by default.. answer is NO... and technically the HOSTS file could be empty..

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

#  127.0.0.1       localhost
#  ::1             localhost

I am coming back with a post of your entire log when I am done.. :)

[HX1]

Okay this my notation on your logfile.. Some is about my own preferences and others should be looked at for infection and optimization.. :troll:

Running processes:

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe - Do you want this at startup?
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe - Do you really need this one ( actually think its overall slower than Foxit 5.. and needs to consume more resources.. )

O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp. - Removed as it is wrong..

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) - These usually can be removed..

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL (filesize 4222864 bytes, MD5 94CA6D847D08514A087E8A4C43D65BF9) - If you do not use Groove ( which is unlikely ) this can be removed.

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (filesize 408448 bytes, MD5 B7899C3E21B299D7A3C0DA96CAE340BD) - This is not necessary, so it could be removed but the service has to be able to run WLIDXXX.exe in Services..

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Zero\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (filesize 135664 bytes, MD5 8F0DE4FEF8201E306F9938B0905AC96A) - This is should be removed, however it will re-appear, each update so on.. You have to hunt it down and remove it, possibly the service as well, Then clean registry..

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe - This may be hard to kill but is support for translation type services such as other keyboards and language support.. seems to be running several services, Should be in System32, IF NOT REMOVE its an infection..

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O17 - HKLM\System\CCS\Services\Tcpip\..\{91777D8F-DD53-4B63-B51F-40D61546A8CE}: NameServer = 193.231.236.30 193.231.236.25 - I am guessing this is your DNS Server - that you want?

Hitman Crusader - I deleted it as I found no reason for t to be on my system..but I did it almost a whole version ago.. there was also a file dropped into my WINODWS or System32 folder as I remember... not necessary if not possibly curious IMO..

O23 - Service: NitroPDFReaderDriverCreatorReadSpool (NitroReaderDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exeC:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe

O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exeC:\Program Files\PC Connectivity Solution\ServiceLayer.exe - Do you have two phones?
O23 - Service: Sony Ericsson PCCompanion - Avanquest Software - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exeC:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe- Do you have two phones?

O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exeC:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe - This is not needed for most people..

O23 - Service: UI Assistant Service - Unknown owner - C:\Program Files\Join Air\AssistantServices.exeC:\Program Files\Join Air\AssistantServices.exe - I question most of these and test for them being useful.. and if they work without the extra services... ( after a few reboots, so on.. ) seems to be quite a few for this one...

--

[toyo]

Two small notes:

- MBAM's service needs to be put on Manual from services.msc or it will start (as delayed) anyway, regardless of the setting.

- Switchboard will also start properly on demand with other Adobe apps, no need to start at the login...

[hullboy]

Don't delete ctfmon.exe!

[HX1]

Yeah deletion actually should not be allowed and it probably will come back unless you have done something odd.. but IF it is an infection it needs to be properly cleaned.. if its source is verified to be in the WINDOWS/System32 directory, and in its properties.. then leave it alone.. but usually it is not necessary to run the service in XP.. it would only be on if there was a need for translation or display of other languages.. especially Asian fonts and user accessibility issues..

EDIT: The reason I state the above is that in fact some infection can make entries into the registry will cause the load of an application from another directory when trying to reach the original.. ( as we know )