I need advice with my HijackThis log
Join Date: Jan 2005
Posts: 5
Reputation:
Solved Threads: 0
Hello, I too had my IE 6.0 browser hijacked and have been experiencing an annoyingly slow system.
I have scanned my Win 98 computer with Ad-Aware SE and Spybot S&D. They found some cookies and some registry keys from Windows Media Player, but that didn't solve anything. I also did an online scan at a site I read about on this forum. I need to know which entries from this log I have to delete:
Logfile of HijackThis v1.99.0
Scan saved at 0.48.50, on 25/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMI\CYBERLINK DVD SOLUTION\POWERDVD\PDVDSERV.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\WINDOWS\JGRMLFS.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXCTL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXMOD32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\SYSTEM\Rscmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [jiqoktc] c:\windows\tcplddh.exe < very strange!
O4 - Startup: Controller.LNK = C:\Programmi\Symantec\WINFAX\WFXCTL32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O18 - Protocol: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - D:\PROGRAMMI\OFFLINE COMMANDER\SSP.DLL
I have done several scans with HijackThis and deleted the most obvious malicious entries. Yesterday, instead of the line written in bold, my log had another version:
O4 - HKLM\..\Run: [mtsodrp] C:\windows\ajebxyw.exe
Every time I reboot, these <strangename>.exe files change. I believe there must be some other file in charge that has to be deleted. In my IE browser four new pages pointing to http://dr-search4u.com/sp.htm keep coming back, and the home page gets changed too.
I connect to the Internet with a 56k Conexant modem. Since I got hijacked I have noticed that I connect at 33600 bps instead of the previous 44000 bps, and the negotiating phase takes longer than usual, but I don't get redirected to any strange pages. It seems like my computer is always busy doing its own things, and when I try to do mine it blocks and I have to use Ctrl+Alt+Del to kill some background processes.
I would also appreciate it if you could explain what the running processes in the log do (e.g. InCD.exe is software I installed with my CD/DVD writer).
Originally Posted by Perrom
I would appreciate too if you could specify what the running processes in the log do.(e.g. InCd.exe is a software I have installed with my cd-dvd writer)
KERNEL32.DLL - Windows Dynamic Link Library file
MSGSRV32.EXE - Windows file; handles 32-bit system messaging services
MPREXE.EXE - Windows file; handles certain network-related tasks
mmtask.tsk - Windows file; handles multitasking for multimedia applications
MSTASK.EXE - Windows' Task Scheduler
MDM.EXE - Windows file; provides debugging support
EXPLORER.EXE - Windows Explorer; the Windows Graphical User Interface
TASKMON.EXE - Windows' Task Manager
SYSTRAY.EXE - Windows System Tray; displays date/time, etc. on the Task Bar
STIMON.EXE - Windows' Still Image Monitor; camera, scanner, etc. support component
PDVDSERV.EXE - Power DVD remote control support
INCD.EXE - Nero CD writing support file
JGRMLFS.EXE - WTF?? I don't like the looks of that one! See Below...
WFXCTL32.EXE - Displays WinFax icon in the System Tray
SPOOL32.EXE - Windows file; handles print spooling services
TAPISRV.EXE - Windows file; provides telephony support
WFXMOD32.EXE - Provides Symantec WinFax modem support
C:\HIJACKTHIS\HIJACKTHIS.EXE - Our friend.
C:\WINDOWS\JGRMLFS.EXE <-- Find this file in Explorer, right-click on it, and choose "Properties" from the pop-up menu. Look through the Properties tabs for any identifying information such as the name of the company which made the file; let us know what you find (or don't find).
Start HijackThis. Click on Config, then on Miscellaneous Tools. Go to "Delete a file on reboot", enter c:\windows\tcplddh.exe, and when prompted to reboot choose Yes.
Scan with HijackThis and tick the boxes next to all of the following entries, then close all browser and Explorer windows and hit the "Fix checked" button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
O4 - HKCU\..\Run: [jiqoktc] c:\windows\tcplddh.exe
Reboot, run HJT again, and post a fresh log.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Join Date: Jan 2005
Posts: 5
Reputation:
Solved Threads: 0
Good idea, finding out what jgrmlfs.exe is up to! This file has only the General tab in Properties. It's an application of about 46k and was created on 01/20/05 (the day I noticed my system was slowing down). It's not a hidden file, and that is all there is to it: no version, no company name. Looking around my C:\windows I found more of these files.
All have random names of 7 letters, a size of 46,592 bytes, and were last modified on 01/20/05. The strange thing is that the creation date differs from one to another. I would think there is a file that generates all of these, but I have no idea where it could be.
Here are the names of all weird files I found in C:\windows :
ajebxyw.exe < the one that substituted tcplddh.exe
bsmjwyl.exe
ejumeup.exe
fknngxc.exe
jgrmlfs.exe < the one you pointed out
jlksgyv.exe
lcpbvct.exe
lcrsomx.exe
njshjui.exe
oaqxacd.exe
oltfrfq.exe
qetxaqc.exe
qqhbheh.exe < the one I can find in tonight's Ctrl+Alt+Del dialog window
rdmkdvh.exe
sbqetic.exe
tcplddh.exe < the one I wrote in bold
xxpxojj.exe
Unfortunately, in Miscellaneous Tools the "Delete a file on reboot" button is greyed out. How can I make it available?
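The pattern the two posts above describe (every IE start and search key pointing at one host, a Run value whose target is a random seven-letter .exe dropped straight into C:\WINDOWS, and a whole family of same-sized files with such names) can be checked mechanically instead of by eye. The script below is an added example, not part of the original thread and not HijackThis code: it parses the R0/R1 and O4 lines of a log excerpt, clusters a directory listing by size, and ties the running process and the Run key back to that cluster. The log lines and the seventeen file names are copied from the posts; the sizes given for the legitimate Windows files and the KNOWN_GOOD allowlist are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt of the HijackThis v1.99 log posted above (lines copied from
# the post; not the complete log).
HJT_LOG = r"""
Running processes:
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\JGRMLFS.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKCU\..\Run: [jiqoktc] c:\windows\tcplddh.exe
""".strip("\n")

# Constructed listing of C:\WINDOWS: the seventeen names and the 46,592-byte size are
# from the post; the sizes given for the legitimate Windows files are assumed.
FAMILY = ("ajebxyw bsmjwyl ejumeup fknngxc jgrmlfs jlksgyv lcpbvct lcrsomx njshjui "
          "oaqxacd oltfrfq qetxaqc qqhbheh rdmkdvh sbqetic tcplddh xxpxojj").split()
WINDOWS_DIR = [(n + ".exe", 46592) for n in FAMILY] + [
    ("taskmon.exe", 32768), ("scanregw.exe", 102400), ("notepad.exe", 53248)]

# Assumed starting allowlist of executables that legitimately live in C:\WINDOWS itself.
# Several are seven lowercase letters, so a name test alone would flag them too.
KNOWN_GOOD = {"explorer", "taskmon", "scanregw", "regedit", "notepad", "rundll32",
              "winhlp32", "calc", "write", "wininit", "smartdrv", "setver"}

R_RE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def exe_from_command(cmd):
    """Executable path from a Run value: the quoted token if quoted, else the first word."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]


def split_path(path):
    """(directory, stem, ext) in lower case; a bare file name yields an empty directory."""
    directory, _, filename = path.replace("/", "\\").lower().rpartition("\\")
    stem, dot, ext = filename.rpartition(".")
    return (directory, stem, ext) if dot else (directory, filename, "")


def suspect_path(path):
    """The pattern from the post: a .exe of 6-8 lowercase letters, no digits, dropped straight
    into the Windows directory (or a bare name resolved via the path search), not a known file."""
    directory, stem, ext = split_path(path)
    return (ext == "exe" and re.fullmatch(r"[a-z]{6,8}", stem) is not None
            and directory in ("c:\\windows", "") and stem not in KNOWN_GOOD)


def parse_log(text):
    """Pull the process list, URL-valued R0/R1 entries and O4 Run entries out of the log."""
    processes, ie_urls, run_entries, in_procs = [], [], [], False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs and re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
            continue
        in_procs = False
        m = R_RE.match(line)
        if m and m.group("value").lower().startswith(("http://", "https://")):
            ie_urls.append((m.group("key"), m.group("value")))
            continue
        m = O4_RE.match(line)
        if m:
            run_entries.append((m.group("hive"), m.group("key"), m.group("name"),
                                exe_from_command(m.group("cmd"))))
    return processes, ie_urls, run_entries


def triage(log_text, dir_listing, allowed_hosts=frozenset()):
    processes, ie_urls, run_entries = parse_log(log_text)
    findings = {}
    # 1. IE start/search keys redirected to a host the user did not choose.
    by_host = defaultdict(list)
    for key, url in ie_urls:
        host = urlsplit(url).hostname or ""
        if host not in allowed_hosts:
            by_host[host].append(key)
    findings["hijack_hosts"] = dict(by_host)
    # 2. Autostart entries whose target carries a machine-generated name.
    findings["suspect_run"] = [e for e in run_entries if suspect_path(e[3])]
    # 3. Families of same-sized, random-named executables: a dropper that re-creates
    #    itself under a fresh name each boot leaves identical sizes behind.
    by_size = defaultdict(list)
    for name, size in dir_listing:
        if suspect_path("c:\\windows\\" + name):
            by_size[size].append(name.lower())
    findings["size_clusters"] = {s: sorted(n) for s, n in by_size.items() if len(n) >= 3}
    # 4. Tie the family back to what is running now and to the Run key that restarts it.
    family = {n for names in findings["size_clusters"].values() for n in names}
    findings["running_family"] = [p for p in processes if "%s.%s" % split_path(p)[1:] in family]
    findings["run_key_in_family"] = [e for e in run_entries if "%s.%s" % split_path(e[3])[1:] in family]
    return findings


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(HJT_LOG, WINDOWS_DIR))
```

The allowlist is what keeps the heuristic honest: taskmon, notepad and regedit are also seven lowercase letters living in C:\WINDOWS, and the name test alone would flag them. Pass the user's real home-page host in allowed_hosts so that legitimate R entries stay quiet, and treat the size cluster as the thing to delete in Safe Mode, since fixing the single Run entry only removes the copy that happens to be registered this boot.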
Join Date: Jan 2005
Posts: 5
Reputation:
Solved Threads: 0
I tried another way. I rebooted my Win 98 system in Safe Mode and deleted the strange files from C:\windows.
Then I rebooted in Normal Mode, checked all the malicious entries in the HJT log, hit Fix, and then did a third reboot. The log now looks like this:
Logfile of HijackThis v1.99.0
Scan saved at 4.35.14, on 25/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMI\CYBERLINK DVD SOLUTION\POWERDVD\PDVDSERV.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXCTL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXMOD32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\SYSTEM\Rscmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Controller.LNK = C:\Programmi\Symantec\WINFAX\WFXCTL32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O18 - Protocol: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - D:\PROGRAMMI\OFFLINE COMMANDER\SSP.DLL
The Collegamenti entry in the first line after the processes is Italian for "Links", the Links folder in Favourites. If you have any suggestions or observations about this log, please post them.
Thanks for the great help!
Originally Posted by Perrom
Good idea, finding out what jgrmlfs.exe is up to! This file has only the General tab in Properties. It's an application of about 46k and was created on 01/20/05 (the day I noticed my system was slowing down). It's not a hidden file, and that is all there is to it: no version, no company name. Looking around my C:\windows I found more of these files.
All have random names of 7 letters, a size of 46,592 bytes, and were last modified on 01/20/05....
I rebooted my Win 98 system in Safe Mode and deleted the strange files from C:\windows.
Your log looks clean to me now; are you still experiencing any problems? If so, let us know.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Join Date: Jul 2004
Posts: 2,964
Reputation:
Solved Threads: 210
You should also go to Windows Update and get the Critical Updates for your system.
Links to help you help yourself:
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Join Date: Jan 2005
Posts: 5
Reputation:
Solved Threads: 0
I have waited these days to see if any of the spyware came back. So far my system seems to run normally, with no more slowdowns.
Though I have another question. When looking around my C:\windows folder I noticed a lot of .TMP files with apparently random names, 0 kb in size and coupled in pairs by their last-modified date. They have only the General tab in Properties.
example:
fff4be75_{E989AFE0-393E-11D8-B236-444553540000}.tmp 0 kb last modified 12/28/03 14:05
fff4be75_{E989AFE1-393E-11D8-B236-444553540000}.tmp 0 kb last modified 12/28/03 14:05
fffe2a03_{0059D621-A10D-11D2-B29F-C85FED321A46}.tmp 0 kb last modified 01/01/99 00:00
fffe2a03_{0059D620-A10D-11D2-B29F-C85FED321A46}.tmp 0 kb last modified 01/01/99 00:00
fffe16bb_{67C51F40-6C22-11D9-B2A0-C5CFC19E4546}.tmp 0 kb last modified 01/22/05 03:05
fffe16bb_{67C51F41-6C22-11D9-B2A0-C5CFC19E4546}.tmp 0 kb last modified 01/22/05 03:05
Which program generates these files and what is their purpose?
Is it safe to delete them? It seems the files don't occupy space, but I just hate having to hit Page Down ten times to browse my files in C:\windows.
To dlh6213: you are right, but in the next two weeks I'll upgrade to Win XP (I found out that the university is part of the Academic Alliance and all students can get copies of Win XP for studying and practising on a PC. Our computer lab also supplies CDs with Linux ISOs). I'll upgrade my current dual boot when my student account gets enabled.
I don't know which specific programs are creating those, but the 32-digit strings enclosed in braces look like CLSIDs (CLass IDentifiers) to me. CLSIDs are unique identifiers for Windows COM (Component Object Model) entities installed on your system, and those entities should have entries for their related CLSIDs hiding in your Registry. If I'm correct about this, you may be able to determine which programs are generating the tmp files by searching through your Registry for the CLSIDs in question:
1. In your Start menu, choose the "Run..." option and type the following in the "Open:" box to run the Registry Editor:
regedit
2. Once the program opens, choose the "Find..." option under the Edit menu to bring up the search window, paste one of the CLSIDs from the suspect filenames into the search box, perform the search, and see if the ID is found. If so, see if there's any helpful information within the found key. If not, there may be other listings for the CLSID elsewhere in the Registry; pressing the F3 key will continue your search.
3. Repeat the above for each of the 32-digit strings in the other suspect files.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
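As an added example (not from the thread), here is how a practitioner would work through the tmp names quoted above rather than stepping through regedit with F3. The braced strings are GUIDs, and these particular ones are version-1 (time-based) UUIDs: decoding the 60-bit timestamp gives the instant each was minted, which for the two recent pairs matches the files' own modification times to the minute, and the two GUIDs in each pair differ by a single 100 ns tick, so each pair was generated back to back by one process. The script decodes that and, on Windows, also performs the HKCR\CLSID lookup the reply recommends; on any other system the lookup simply reports that there is nothing to query. The six file names are the ones quoted in the post; everything else is example code.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# The six names quoted in the post above (constructed list, copied verbatim).
TMP_NAMES = [
    "fff4be75_{E989AFE0-393E-11D8-B236-444553540000}.tmp",
    "fff4be75_{E989AFE1-393E-11D8-B236-444553540000}.tmp",
    "fffe2a03_{0059D621-A10D-11D2-B29F-C85FED321A46}.tmp",
    "fffe2a03_{0059D620-A10D-11D2-B29F-C85FED321A46}.tmp",
    "fffe16bb_{67C51F40-6C22-11D9-B2A0-C5CFC19E4546}.tmp",
    "fffe16bb_{67C51F41-6C22-11D9-B2A0-C5CFC19E4546}.tmp",
]

GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
# RFC 4122: a version-1 timestamp counts 100 ns ticks since 1582-10-15 00:00 UTC.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def guid_in_name(filename):
    """Return the GUID embedded in a name like 'fff4be75_{...}.tmp', or None."""
    m = GUID_RE.search(filename)
    return uuid.UUID(m.group(1)) if m else None


def v1_timestamp(u):
    """Decode the minting time of a version-1 UUID; other versions carry no clock."""
    if u.version != 1:
        return None
    return GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)


def pair_up(names):
    """Group the names by their hex prefix and report, per group, when the first GUID
    was minted and whether the group's GUIDs are consecutive ticks (minted back to back)."""
    groups = {}
    for name in names:
        groups.setdefault(name.split("_", 1)[0], []).append(guid_in_name(name))
    result = {}
    for prefix, guids in groups.items():
        ticks = sorted(g.time for g in guids)
        consecutive = all(b - a == 1 for a, b in zip(ticks, ticks[1:]))
        result[prefix] = (v1_timestamp(guids[0]), consecutive)
    return result


def clsid_lookup(u):
    """On Windows, resolve the GUID under HKCR\\CLSID (what the regedit search would find).
    Returns (friendly name, server path) when registered, None when not or when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None  # not Windows: no registry to query
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"CLSID\{%s}" % str(u).upper()) as key:
            name = winreg.QueryValue(key, "")
            server = ""
            for sub in ("InprocServer32", "LocalServer32"):
                try:
                    server = winreg.QueryValue(key, sub)
                    break
                except OSError:
                    continue
            return name, server
    except OSError:
        return None


if __name__ == "__main__":
    for prefix, (when, consecutive) in pair_up(TMP_NAMES).items():
        print(prefix, when, "consecutive" if consecutive else "unrelated")
    for name in TMP_NAMES:
        print(name, clsid_lookup(guid_in_name(name)))
```

A GUID that the HKCR\CLSID lookup does not resolve is not necessarily hostile: a time-based UUID that was generated fresh when the temp file was written will never appear in the registry, and the decoded timestamp is then the more useful clue about which installation or session left the file behind.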