
Input Needed with HijackThis Log

Discussion in 'Malware and Virus Removal Archive' started by Ann, 2006/04/09.

  1. 2006/04/09
    Ann

    Ann Well-Known Member Thread Starter

    Joined:
    2002/01/10
    Messages:
    597
    Likes Received:
    1
    I use SpyBot 1.4 - Updated 4-7-06
    NAV 2003 - updated 4-8-06
    AdAware - updated 4-8-06

    spyBot found 4 tracking cookies last week as follows:

    Opera4+ Counter hitslink.com (Prior Page)
    Opera4+ Counter hitslink.com (Prior Page)
    Opera4+ Counter hitslink.com VNO
    Opera4+ Counter hitslink.com VSID

    I hit the fix it button.

    I checked my logs yesterday and found several new items that I would like to know if I need to remove. If I must remove, do I have to do anything else?

    Logfile of HijackThis v1.99.1
    Scan saved at 2:46:17 PM, on 4/9/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\system32\cisvc.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\WINDOWS\system32\cidaemon.exe (2)

    C:\WINDOWS\system32\ctfmon.exe


    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{7911F454-CFC7-490D-A3D3-CEFDD0E101B8}:
    NameServer = 209.244.0.3 209.244.0.4

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    I will appreciate any help!
     
    Ann,
    #1
  2. 2006/04/10
    PeteC

    PeteC SuperGeek Staff

    Ann

    Are you having any specific problems? Tracking cookies are relatively harmless, but nevertheless are an invasion of your privacy.

    Have you Immunised your system using Spybot? For more permanent protection against spyware/malware I suggest you download, update and run SpywareBlaster 3.5 - this provides permanent protection against a range of malware; update every 2 weeks.

    Would also recommend you download and run Windows Defender which provides real time protection, autoscanning and autoupdating (this will be in Vista).

    These are all legitimate ....

    C:\WINDOWS\system32\cisvc.exe - Microsoft Index Service Helper

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe - Sun Java

    C:\WINDOWS\system32\wuauclt.exe - Windows autoupdate

    C:\WINDOWS\system32\cidaemon.exe (2) - Microsoft Indexing Service

    C:\WINDOWS\system32\ctfmon.exe - Alternative User Input Services Microsoft Office

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe - Sun Java Update Scheduler

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe - Alternative User Input Services Microsoft Office

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe - InstallShield driver - maybe put in by iTunes

    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{7911F454-CFC7-490D-A3D3-CEFDD0E101B8}:
    NameServer = 209.244.0.3 209.244.0.4 - Not sure on this one.

    Whois gives this ....

    OrgName: Level 3 Communications, Inc.
    OrgID: LVLT
    Address: 1025 Eldorado Blvd.
    City: Broomfield
    StateProv: CO
    PostalCode: 80021
    Country: US

    As a precaution download and run the trial version of Ewido. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu ". Run Ewido and post the log here.
     


  4. 2006/04/10
    Ann

    Ann Well-Known Member Thread Starter

    Quote (PeteC):
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe - InstallShield driver - maybe put in by iTunes

    There is no iTunes installed on my computer. As far as I know I do not have any Macrovision software. The only thing I installed before I got to check the log was Office 2003 and Hallmark Card Studio.

    Quote (PeteC):
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{7911F454-CFC7-490D-A3D3-CEFDD0E101B8}:
    NameServer = 209.244.0.3 209.244.0.4 - Not sure on this one.

    Whois gives this ....

    OrgName: Level 3 Communications, Inc.
    OrgID: LVLT
    Address: 1025 Eldorado Blvd.
    City: Broomfield
    StateProv: CO
    PostalCode: 80021
    Country: US

    This one has me worried. I ran HijackThis again and it was not listed, but I ran regedit and found the key installed.

    Quote (PeteC):
    As a precaution download and run the trial version of Ewido. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Run Ewido and post the log here.

    I am downloading ewido and will get back with log.
     
    Ann,
    #3
  5. 2006/04/10
    Ann

    Ann Well-Known Member Thread Starter

    After scan, view report gave me no threats found message.

    These are the only logs I found:

    ---------------------------------------------------------
    ewido anti-malware - Process report
    ---------------------------------------------------------

    + Created on: 10:18:01 AM, 4/10/2006
    + Report-Checksum: 549B6509

    0: System Process
    4: System Process
    164: C:\Program Files\Tiny Personal Firewall\persfw.exe
    180: C:\Program Files\Lexmark 6200 Series\ezprint.exe
    184: C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    252: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    312: C:\Program Files\Norton AntiVirus\SAVScan.exe
    388: \SystemRoot\System32\smss.exe
    432: C:\WINDOWS\system32\svchost.exe
    480: C:\WINDOWS\system32\ctfmon.exe
    600: J:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
    632: \??\C:\WINDOWS\system32\csrss.exe
    656: \??\C:\WINDOWS\system32\winlogon.exe
    700: C:\WINDOWS\system32\services.exe
    712: C:\WINDOWS\system32\lsass.exe
    848: C:\WINDOWS\system32\svchost.exe
    936: C:\WINDOWS\system32\svchost.exe
    980: C:\WINDOWS\System32\svchost.exe
    1008: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    1088: C:\WINDOWS\system32\svchost.exe
    1144: C:\WINDOWS\system32\svchost.exe
    1188: C:\WINDOWS\system32\NOTEPAD.EXE
    1196: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    1252: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    1420: C:\WINDOWS\Explorer.EXE
    1512: C:\WINDOWS\system32\spoolsv.exe
    1720: C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    1760: C:\WINDOWS\system32\cisvc.exe
    1796: C:\WINDOWS\SOUNDMAN.EXE
    1860: C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    1908: C:\WINDOWS\system32\sstray.exe
    1920: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    1932: C:\Program Files\Norton AntiVirus\navapsvc.exe
    1940: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    1960: C:\Program Files\Digital Media Reader\shwiconem.exe
    2016: C:\WINDOWS\system32\nvsvc32.exe
    2032: C:\Program Files\Lexmark 6200 Series\lxbumon.exe
    2136: C:\WINDOWS\system32\lxbucoms.exe
    2492: C:\WINDOWS\System32\alg.exe
    2868: C:\WINDOWS\system32\wuauclt.exe
    2920: C:\WINDOWS\system32\wscntfy.exe
    3548: C:\WINDOWS\system32\cidaemon.exe
    3568: C:\WINDOWS\system32\cidaemon.exe
    3624: C:\WINDOWS\system32\NOTEPAD.EXE
    3732: C:\Program Files\ewido anti-malware\SecuritySuite.exe
    3848: C:\Program Files\Messenger\msmsgs.exe
    3872: C:\Program Files\ewido anti-malware\ewidoctrl.exe

    ---------------------------------------------------------
    ewido anti-malware - Startup report
    ---------------------------------------------------------

    + Created on: 10:17:37 AM, 4/10/2006
    + Report-Checksum: 820C3C66

    Reg\HKLM\Run RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    Reg\HKLM\Run SoundMan SOUNDMAN.EXE
    Reg\HKLM\Run NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    Reg\HKLM\Run NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    Reg\HKLM\Run nwiz nwiz.exe /install
    Reg\HKLM\Run nForce Tray Options sstray.exe /r
    Reg\HKLM\Run ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    Reg\HKLM\Run SunKistEM C:\Program Files\Digital Media Reader\shwiconem.exe
    Reg\HKLM\Run
    Reg\HKLM\Run LXBUCATS rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
    Reg\HKLM\Run lxbumon.exe "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
    Reg\HKLM\Run EzPrint "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
    Reg\HKLM\Run FaxCenterServer "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    Reg\HKLM\Run NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
    Reg\HKLM\Run SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    Reg\HKCU\Run NBJ "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    Reg\HKCU\Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
    Shell\CommonStartup Adobe Reader Speed Launch.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    Shell\CommonStartup Event Planner Reminder.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder.lnk


    ---------------------------------------------------------
    ewido anti-malware - Connection report
    ---------------------------------------------------------

    + Created on: 10:16:46 AM, 4/10/2006
    + Report-Checksum: 5AE300A1

    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:445
    UDP 0.0.0.0:500
    UDP 0.0.0.0:1046
    UDP 0.0.0.0:1054
    UDP 0.0.0.0:1142
    UDP 0.0.0.0:4500
    UDP 0.0.0.0:44334
    UDP 127.0.0.1:123
    UDP 127.0.0.1:1900

    At the time I was not connected to Internet. What is this LISTENING????
    Now I really am worried.
     
    Ann,
    #4
  6. 2006/04/10
    PeteC

    PeteC SuperGeek Staff

    Ann
    Do not fret :) Even though you are not connected to the Internet there are internal servers within Windows which talk to each other - this is how Windows communicates internally. What you see are those internal servers - some listening for instructions to come from another part of Windows.

    To put your mind at rest here is the same report from my desktop - which I can assure you is squeaky clean :) while physically disconnected from the Internet - ADSL modem unplugged ....
    Excellent
    You almost certainly have Macromedia Flash installed - no worry.
    To be certain export the key from regedit and then delete it. If something fails to work merge the string back into the registry by double clicking on the .reg file you exported.
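PeteC's point above is that a socket in LISTENING state is a local service waiting for connections, and that an address of 127.0.0.1 cannot be reached from the network at all. The following parser is an added example (not from the thread or from ewido) that reads connection-report lines of the kind posted above and separates loopback-only listeners from those bound to every interface; the port-to-service names are an assumption based on standard Windows/IANA assignments.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the ewido "Connection report" lines from the thread.
SAMPLE_REPORT = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 127.0.0.1:123
UDP 127.0.0.1:1900
"""

# Assumption: standard service names for these ports on a Windows XP box.
KNOWN_PORTS = {
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 445): "SMB over TCP",
    ("UDP", 445): "SMB over UDP",
    ("UDP", 500): "IKE (IPsec)",
    ("UDP", 4500): "IPsec NAT-T",
    ("UDP", 123): "NTP / Windows Time",
    ("UDP", 1900): "SSDP (UPnP discovery)",
}

Listener = namedtuple("Listener", "proto addr port scope service")

# TCP lines carry a remote endpoint and the LISTENING state; UDP lines carry only the local endpoint.
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)(?:\s+\S+\s+LISTENING)?\s*$")


def classify(line):
    """Parse one report line; return a Listener, or None for lines that are not listeners."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, addr, port = m.group(1), m.group(2), int(m.group(3))
    # 127.x sockets are reachable only from this machine; 0.0.0.0 binds every interface.
    scope = "loopback-only" if addr.startswith("127.") else "all-interfaces"
    service = KNOWN_PORTS.get((proto, port), "unknown/ephemeral")
    return Listener(proto, addr, port, scope, service)


def summarize(report):
    """Return (all listeners, listeners reachable from the network once the machine is online)."""
    listeners = [l for l in (classify(ln) for ln in report.splitlines()) if l]
    exposed = [l for l in listeners if l.scope == "all-interfaces"]
    return listeners, exposed
```

Only the second list matters for exposure; on the sample it is the RPC and SMB listeners plus IKE, which a host firewall such as the Tiny Personal Firewall in the process list is expected to filter.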
     
  7. 2006/04/10
    Ann

    Ann Well-Known Member Thread Starter

    WOW! I thought it was online listening. LOL! Thanks for educating me.


    BUT - This entry is new and Macromedia Flash came with my computer, correct? It has to be something I recently installed. Can Office 2003 be responsible for this entry?


    I did as you suggested and can't believe I dared to alter the registry. That is a first for me. Thanks so much for your kind help.

    I am printing out this topic for my reference.
     
    Ann,
    #6
  8. 2006/04/10
    PeteC

    PeteC SuperGeek Staff

    Here is the lowdown on .....

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    Table Manager (IDriverT) is legitimate .....

    http://castlecops.com/o23list-495.html

    The entry does not exist on my computer which has Office 2003 installed, but as it is legitimate it is of no concern.
     
  9. 2006/04/10
    Ann

    Ann Well-Known Member Thread Starter

    Pete - Thanks so much for the link to castlecops and the good news about Macrovision being legitimate. Feeling better already.

    After deleting the rogue registry key, I wanted to delete my temp folder, but I can't find it. Is it possible to delete that folder in XP like I did in WIN98SE? I just want to make sure there is nothing else lurking around. TIA
     
    Ann,
    #8
  10. 2006/04/10
    PeteC

    PeteC SuperGeek Staff

    Temp files are located in Documents & Settings .....

    Quickest route ....

    Start > Run > type in %temp% > OK - all the temp files and folders are safe to delete, but a couple will be in use and cannot be deleted.

    The other location is C:\Windows\Temp - same applies, probably a couple in use.

    Also delete Temp Internet files - IE > Tools > Internet Options - general tab > Temp Internet Files > Delete files.

    Would also suggest you go to the Advanced tab and scroll down towards the bottom of the list and check 'Empty TIF when browser closed'.
     
  11. 2006/04/10
    Ann

    Ann Well-Known Member Thread Starter

    Pete, once more, I thank you sincerely for your great help. I am off to get rid of the unnecessary garbage. XP likes to hide things from the user.

    BTW, is there any way I can avoid those Opera tracking cookies? SpyBot doesn't find them anymore when I scan, but they could come back.
     
    Last edited: 2006/04/10
    Ann,
    #10
  12. 2006/04/11
    PeteC

    PeteC SuperGeek Staff

    These? ....

    Opera4+ Counter hitslink.com

    Are you using the Opera browser? this is basically an Opera hit counter, probably harmless and more than likely blocked either by immunisation in Spybot (have you done this?) or by SpywareBlaster or Windows Defender (have you installed these?). If they are undesirables one of the above should block.
     
  13. 2006/04/12
    Ann

    Ann Well-Known Member Thread Starter

    I have SpywareBlaster installed. Prefer not to use Windows Defender. Since SpyBot found them, and I clicked the Fix Button, I guess they will be blocked.

    I am moving on to a more serious problem. LOL!
     
    Ann,
    #12
