need advice on Hijack this

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nickson2, May 19, 2004.

  1. nickson2

    nickson2 Master Sergeant

    When we run HijackThis, are there any certain entries we should delete? I've always posted my logs on Geeks but feel as though I may be wasting other people's time if there are some obvious entries that usually keep reappearing and should be deleted.
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Sure, anything you recognize running on startup that isn't needed. This can be tens of thousands of software items: RealPlayer, QuickTime, etc.
     
  3. nickson2

    nickson2 Master Sergeant

    Thanks Major Attitude, and what about the log entries with numbers? I've attached a copy of my latest log file.

    Logfile of HijackThis v1.97.7
    Scan saved at 17:27:10, on 19/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes: WHICH OF THESE COULD I DELETE?
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Messenger Plus! 2\MsgPlus.exe
    D:\Program Files\Norton Internet Security\IAMAPP.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Program Files\Executive Software\Diskeeper\DkService.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton Internet Security\NISUM.EXE
    D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    D:\WINDOWS\System32\nvsvc32.exe
    D:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Norton Internet Security\SymProxySvc.exe
    D:\Program Files\Norton Internet Security\NISSERV.EXE
    D:\Program Files\Norton Internet Security\ATRACK.EXE
    D:\Program Files\Messenger\msmsgs.exe
    D:\WINDOWS\System32\devldr32.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\WinRAR\WinRAR.exe
    D:\DOCUME~1\Marie\LOCALS~1\Temp\Rar$EX00.074\HijackThis.exe

    AND WHAT ABOUT THESE BELOW? I DON'T REALLY UNDERSTAND A LOT ABOUT THIS EITHER.... WHAT ABOUT THE - O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll ........ as in line 3, if they have (no name) am I safe to delete? Are there any useful articles on MajorGeeks that would give a novice like me a little more understanding of these log files?

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [iamapp] D:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Shareaza] "D:\Program Files\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [ccleaner] "D:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38111.6244675926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which items should be deleted and kept is not always an easy thing to say. Only you know which items you really need to use. But from your log here are some items that are not bad but that are not typically necessary:

    1) D:\WINDOWS\System32\ctfmon.exe

    From http://www.answersthatwork.com/Tasklist_pages/tasklist_c.htm

    CTFMon comes with Microsoft Office XP and Windows XP – it activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. As long as the Text Services & Speech are enabled in the Control Panel, this program will force itself back into your list of background programs.
    Recommendation :
    Disable “Text Services & Speech” in the Control Panel if you are not using them. Then, disable CTFMon using Startup Manager. (Note that if you use Word, Excel or PowerPoint to write in different languages, e.g. English and Arabic, then you will be using “Text Services & Speech” facilities).


    2) D:\Program Files\Executive Software\Diskeeper\DkService.exe

    From http://www.answersthatwork.com/Tasklist_pages/tasklist_d.htm
    Background scheduling task which belongs to Diskeeper and Diskeeper Lite and which runs Diskeeper as scheduled.
    Recommendation :
    You can disable it with The Ultimate Troubleshooter under Win95/98/ME or set it as "Manual" under Windows NT4/2000/XP where it is installed as a service.

    3) D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    Mdm.exe is the Machine Debug Manager, which is used by the Windows NT Option Pack and Microsoft Developer Studio to provide application debugging.

    4) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    5) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    6) O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    7) O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    8) O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
    9) Do you use Rainlendar all the time? Is it really necessary to load at startup? If not, you can remove this line:
    O4 - Startup: Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe
     
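Added worked example (not from the thread, and not HijackThis's own code): a small triage script for a log like the one nickson2 posted. It parses the "Running processes" block and the numbered R/O entries, then flags the lines that deserve identification before anything is "fixed": a process or autostart running out of a Temp directory, an O2 BHO with "(no name)", an O4 Run entry that is a bare filename (resolved through PATH at logon) or an unquoted path with spaces, a rundll32 entry, and an O16 ActiveX control fetched from a host outside an allowlist. The allowlist (`TRUSTED_DPF_HOSTS`) is an assumption chosen for this example, and the sample log is a constructed subset of the posted log plus one made-up O16 line pointing at www.example.com so that check has something to hit.

```python
"""Triage a HijackThis-style log: parse the numbered R/O entries and the
'Running processes' block, then flag lines to identify before 'fixing'
them.  Added example; not HijackThis code, not the thread's own advice."""
import re
from urllib.parse import urlparse

# Assumed allowlist for this example: the vendor hosts the O16 (Downloaded
# Program Files) controls in the posted log came from.  Not shipped by HijackThis.
TRUSTED_DPF_HOSTS = {
    "messenger.zone.msn.com",
    "www.apple.com",
    "download.macromedia.com",
    "v4.windowsupdate.microsoft.com",
}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_REG_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)

# Constructed sample: lines copied from the log posted in this thread, plus
# one made-up O16 line (www.example.com) so the allowlist check has a hit.
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\System32\smss.exe
D:\Program Files\Norton Internet Security\IAMAPP.EXE
D:\DOCUME~1\Marie\LOCALS~1\Temp\Rar$EX00.074\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [iamapp] D:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Example) - http://www.example.com/controls/demo.cab
"""


def parse_log(text):
    """Return (processes, entries): the 'Running processes' paths and a list
    of (kind, body) tuples, one per numbered R/O line."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().startswith("running processes:"):
            in_procs = True
        elif in_procs:
            in_procs = bool(line)  # the block ends at the first blank line
            if line:
                processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def executable_of(cmd):
    """Split a Run-key command into (exe, quoted) roughly as CreateProcess
    sees it: a quoted path, else everything up to the first '.exe', else the
    first whitespace-delimited token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end if end > 0 else None], True
    idx = cmd.lower().find(".exe")
    return (cmd[: idx + 4] if idx >= 0 else cmd.split()[0]), False


def triage(processes, entries):
    """Mechanical checks; each finding is (kind, line, reason).  A finding
    means 'identify this', never 'delete this'."""
    out = []
    for proc in processes:
        if TEMP_RE.search(proc):
            out.append(("process", proc, "running from a temp directory"))
    for kind, body in entries:
        line = f"{kind} - {body}"
        if kind == "O2":
            m = O2_RE.match(body)
            if m and m.group("name") == "(no name)":
                out.append((kind, line, "BHO has no registered name: identify the DLL by path and vendor"))
        elif kind == "O4":
            m = O4_REG_RE.match(body)
            if not m:  # Startup-folder .lnk entry: only the temp-path check applies
                if TEMP_RE.search(body):
                    out.append((kind, line, "autostart from a temp directory"))
                continue
            exe, quoted = executable_of(m.group("cmd"))
            if TEMP_RE.search(exe):
                out.append((kind, line, "autostart from a temp directory"))
            if "\\" not in exe and "%" not in exe:
                out.append((kind, line, f"bare name '{exe}' is resolved through PATH at logon"))
            elif not quoted and " " in exe:
                out.append((kind, line, "unquoted path with spaces"))
            if exe.lower().endswith("rundll32.exe"):
                out.append((kind, line, "rundll32 entry: verify the DLL it loads"))
        elif kind == "O16":
            m = O16_RE.match(body)
            host = urlparse(m.group("url")).hostname if m else None
            if m and host not in TRUSTED_DPF_HOSTS:
                out.append((kind, line, f"ActiveX control fetched from untrusted host {host}"))
    return out


if __name__ == "__main__":
    for kind, line, reason in triage(*parse_log(SAMPLE_LOG)):
        print(f"[{kind}] {reason}\n    {line}")
```

Run against the sample it reports seven lines, and none of them is a verdict: the "(no name)" BHO is Adobe Reader's AcroIEHelper.dll, nwiz.exe is NVIDIA's, and the rundll32 line loads NvCpl.dll, all of which chaslang lists as unnecessary rather than malicious. The one finding worth acting on regardless is HijackThis.exe itself running from Temp\Rar$EX00.074: it was launched straight out of the WinRAR archive, and HijackThis keeps the backups it makes when you fix an entry in a folder next to its own executable, so those backups disappear with the temp folder. Extract it to a permanent folder before fixing anything.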
