This seems to be the place for HijackThis - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 20 of 20

Thread: This seems to be the place for HijackThis

  1. #11
    Member
    Join Date
    Dec 2004
    Posts
    81
    I just ran it on Help2Go and got six hits

    It says these one:
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    have been positively identified as malicious programs

    These four:
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe


    are not necessarily spyware/malware, but they suggest I remove them anyway
    \"Champagne for my real friends, real pain for my sham friends\"-Ed Norton/25th Hour

  2. #12
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    Ummm hey Outer_Heaven? I hate to disagree with you but....

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    is the viewpoint media player's management file - it's a bona-fide file, not spyware, and without it Viewpoint/Videolan won't run.

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing)
    is from the weather channel's website - it allows him to run and check his weather on the fly. Although it doesn't appear to have or be malware, I still don't quite trust it...

    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    Dude, this is winamp. Nuff said.

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    is the Intel hotkey command manager.

    The rest of them I agree should be removed, as I don't truly trust *any* messenger program since bad experiences with aim and winblowsmessenger, but that's at his option..

    While spyware can be named anything, odds are the ones with true program names like ViewMgr.exe aren't. Don't take them out unless you know exactly what they are and decide you don't want them anymore.

    Your post is PRECISELY why folks around here always tell newbies to HJT to ask before fixing. Secondly, I advise you to know for sure what you're about to advise someone to do before you advise them. I tapped you red for this reason to re-enforce this, because you can royally screw up someone's box that way. Oh, and I don't really hate disagreeing with you. In fact, this time around it was quite enjoyable. Salut.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  3. #13
    Senior Member
    Join Date
    Feb 2004
    Posts
    202
    Originally posted here by Outer_Heaven
    I just ran it on Help2Go and got six hits

    It says these one:
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    have been positively identified as malicious programs


    Well, the Viewpoint line is one I would remove, but even that isn't necesarily malicious - just annoying. I don't even bother with Weatherbug anymore. It's not much of a threat at all. Of course, the option is up to you to remove them.

    But they're not malicious.


    These four:
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe


    are not necessarily spyware/malware, but they suggest I remove them anyway
    All quotes from http://computercops.biz/StartupList.html

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

    Installed by the Intel 810 and 815 chipset graphic drivers. If you want the Ctrl Alt F12 or similar keypresses to access Intel's customised graphics properties, you need it, otherwise not. Can be disabled via Control Panel -> Display Properties

    It's not malicious, but I would think that you would need the above information to make an informed decision. Did this scanner give you any information and/or links?

    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

    Loads the System Tray icon for the WinAmp media player. Can be used to mantain file associations so programs like QuickTime and RealPlayer don't take over as default player for various media types. Available via Start -> Programs

    Same for this one.

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    Installed with the software for Logitech products. Automatically checks for software upgrades AND new products, services and special offerings from Logitech. Also listed under Logitech Desktop Messenger

    Once again, the same.

    Just think what an uninformed user might do with one of these scanners!


    By the way, were you having problems with this system? Your log looks fine.

  4. #14
    Member
    Join Date
    Dec 2004
    Posts
    81
    Yeah, as you know, the weatherbug was something that was installed automatically when I downloaded AIM. But I unistalled it and scanned everything with spybot and ad-adaware, but I guess there is still a trace of it in there.

    No, there was no suspicious activity that prompted me to use this. I just downloaded it after reading threads and wanted to learn about it, but after the first time I scanned it and got the results, I didn't have a clue what it was telling me, what was good and what was bad, so I just left it alone. Then I was reading this thread yesterday and today, and now I'm here.

    And no, there were no links or any other information given by the scanner, only how to remove them.

    But these four:
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    were suggested for removal because they may be taking up system resources.

    Secondly, I advise you to know for sure what you're about to advise someone to do before you advise them. I tapped you red for this reason to re-enforce this, because you can royally screw up someone's box that way.
    I don't recall ever mentioning I was going to advise anyone. I was only hear trying to learn about this. And any statements I made were those relayed from the scanner so I could tell you guys what they were saying. I was just trying to follow a link that was given to me so I could learn from it.
    \"Champagne for my real friends, real pain for my sham friends\"-Ed Norton/25th Hour

  5. #15
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    sounds like this link needs a bit of debugging -

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dfw.speakeasy.net/
    This is my connection speed site out of Dallas, and the only time I use MSIE other than windows update. Amazingly enough the site said it was spyware.

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
    Ok, this one's for sure not spyware - but the site said it might be. Of course we *all* know msie is malware

    04 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESmart.exe
    Now it was at least honest and admitted that it didn't know what this software was - it's my temperature/fan speed monitor. Not essential to my system's operation, but disabling it would seriously raise my paranoia level.

    The whole (clean and sanitized) log follows:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:08:58 PM, on 2/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\ITE\Smart Guardian\ITESmart.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\XXXXXXX\Desktop\utilities\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dfw.speakeasy.net/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESmart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...ab?XXXXXXXXXXX
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

    Sorry folks, I removed certain other progs I run integral to my system security, and otherwise sanitized the log for personal info. I won't reveal everything Oh, and the runservice.exe that whatis.techtarget.com said was spyware so long ago? It's directly related to the license control service (which I run so my Zmud program will work properly). It ain't spyware.

    [edit]Oh and O_H - apols for not reading the entire thread before I posted - looked like you were trying to help someone instead of posting up for gen info - my bad. I'm quite glad there's others more 'on the ball' than I am who balanced my reds with their greens. I owe you one.[/edit]
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  6. #16
    Member
    Join Date
    Dec 2004
    Posts
    81
    lol, not a prob |3lack|ce, you know us jar heads got thick skins (some of us, thick heads, as well).
    But I was thinking, What did I do? lol, I was just trying to educate myself. But it's all good, those other guys balanced it out. Let me try to make sense of what you just posted.
    \"Champagne for my real friends, real pain for my sham friends\"-Ed Norton/25th Hour

  7. #17
    Member
    Join Date
    May 2003
    Posts
    83
    Hi all
    I use help2go as a 1st step. its not bad but I donít depend on it.
    I used to copy an infected HJT log from castle cops and post me in the site and see what dost return and I notice its not 100 % correct.

    My main source is what Google return to me and my 1st choice is castle cops.
    I highlight the file name in the log and search Google for it .

    I have 3 questions I want you to help me with :

    What is your judgment on the messenger plus?

    In some M.B. they ask the users to down load some Extra *flies while
    the spyware adware remove programs installed like Spybot S&D, ad-ware,..etc.
    Are not these programs and the tools in HJT enough ?
    * http://www.downloads.subratam.org/AboutBuster.zip
    * http://www.niksoft.at/_data/startdreck.zip
    * http://downloads.subratam.org/DllCompare.exe

    What the indication for VX2 infection in HJT log?

    thnx.

  8. #18
    Senior Member
    Join Date
    Feb 2004
    Posts
    202
    What is your judgment on the messenger plus?
    MessengerPlus3! by Patchou comes with a nasty LOP infection if you download it and opt to include the sponsor package. For that reason alone I would not recommend it, although I must say that it's pretty clear in the EULA (if anyone ever reads them!) that you're about to download some nasty stuff.

    In some M.B. they ask the users to down load some Extra *flies while
    the spyware adware remove programs installed like Spybot S&D, ad-ware,..etc.
    Are not these programs and the tools in HJT enough ?
    * http://www.downloads.subratam.org/AboutBuster.zip
    * http://www.niksoft.at/_data/startdreck.zip
    * http://downloads.subratam.org/DllCompare.exe
    No.

    What the indication for VX2 infection in HJT log?
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    These are the most common indications.

    You're asking some questions that would take hours for me to answer fully. I recommend, if you have an interest in fixing these things, that you sign up with the Bootcamp at SpywareInfo. They will teach you all you need to know about fighting spyware/adware/malware.

    Here's the link to sign-up for Bootcamp: http://forums.spywareinfo.com/index.php?showtopic=34

  9. #19
    Member
    Join Date
    May 2003
    Posts
    83
    hi meeeeeee
    Regarding the Extra files , are there a list of these flies and tuts ?
    thnx for the fast reply and the link and I will register soon.
    thnx

  10. #20
    Senior Member
    Join Date
    Feb 2004
    Posts
    202
    Originally posted here by coolcamel
    hi meeeeeee
    Regarding the Extra files , are there a list of these flies and tuts ?
    thnx for the fast reply and the link and I will register soon.
    thnx
    There are almost as many individual fixes as there are infections. I don't think you appreciate how much there is to learn before you can begin applying these fixes. If used incorrectly, some of these fixes can do more harm than the infections!

    The Boot Camp is your best resource for a list like you're looking for. There are also many tutorials there to help you learn the proper way to go about fixing malware. And there are people & practice logs there to help you learn in a safe environment, without damaging someone else's computer.

    I have little else to say on the subject. Go there, sign up & learn things properly. I'm not going to aid you in finding a list of programs to use randomly. From your questions above it's clear you have a lot to learn. Go. Learn.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •