1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Please look at my HJ log

Discussion in 'Virus & Other Malware Removal' started by munkee, Apr 2, 2004.

Thread Status:
Not open for further replies.
  1. munkee

    munkee Thread Starter

    Joined:
    Dec 19, 2003
    Messages:
    40
    Hey all security gurus, thank you for the help in the past. Please check this log, there are a few suspicious looking entries to me.

    :confused: O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

    :confused: O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe

    :confused: O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

    This was deleted, so why is this entry still there? O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\BlahBlah\YMGR\Messenger\ypager.exe -quiet

    Logfile of HijackThis v1.97.7
    Scan saved at 3:16:16 PM, on 4/2/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\crypserv.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Navnt\POPROXY.EXE
    C:\Program Files\D4\D4.exe
    C:\WINNT\system32\SxgTkBar.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Navnt\NAVAPW32.EXE
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\isqlw.exe
    C:\Program Files\Primate32\Qmd.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.primate.com/
    O1 - Hosts: 64.3.108.41 TestIclDemo
    O1 - Hosts: 64.3.108.41 TestIclHonda
    O1 - Hosts: 64.3.108.41 TestIclIsuzu
    O1 - Hosts: 64.3.108.41 TestIclKia
    O1 - Hosts: 64.3.108.41 TestIclKiaCanada
    O1 - Hosts: 64.3.108.41 TestIclMercedes
    O1 - Hosts: 64.3.108.41 TestIclMitsubishi
    O1 - Hosts: 63.3.108.41 TestMMSCan
    O1 - Hosts: 64.3.108.41 TestIclSuzuki
    O1 - Hosts: 64.3.108.41 TestIclVw
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
    O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\BlahBlah\YMGR\Messenger\ypager.exe -quiet
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\NAVAPW32.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://link.mindleaders.com/dpec/shared/cabs/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.4872800926
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://www.omnitrader.com/omnitrader/support/ot2003/updater/PreRelease/setup.exe
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BRICKSOFTWARE.OFFICE1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DC2514FC-5C6A-4B25-80A7-73EE9450608D}: NameServer = 192.168.0.201
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BRICKSOFTWARE.OFFICE1
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BRICKSOFTWARE.OFFICE1
     
  2. munkee

    munkee Thread Starter

    Joined:
    Dec 19, 2003
    Messages:
    40
    PS:

    Can anyone explain these, from another machine?

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
     
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Those last two are NVIDIA files for video driver/adapter.

    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    is Yamaha sound driver file

    CloneCD, Elby entry is normal....do you still have Clone?

    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    MS Office language bar assistant

    They are all safe, normal, leave them alone. They may not be totally neccessary, but they are not junk.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/216948

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice