KilnerLUFC Posted September 10, 2011

As mentioned in the Questions topic, I needed some help trying to see if I have malicious software running on my PC, and as Wolf advised me to, I scanned and got the following as the result:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:57:54, on 10/09/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG2012\avgfws.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\NETGEAR\WNDA3200\WifiDevChkSvc.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
C:\Program Files\NETGEAR\WNDA3200\WNDA3200WPSMgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.daemon-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1570978228-2238442717-249551920-1011\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'UpdatusUser')
O4 - S-1-5-21-1570978228-2238442717-249551920-1011 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'UpdatusUser')
O4 - S-1-5-21-1570978228-2238442717-249551920-1011 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'UpdatusUser')
O4 - S-1-5-21-1570978228-2238442717-249551920-1011 User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'UpdatusUser')
O4 - S-1-5-21-1570978228-2238442717-249551920-1011 User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'UpdatusUser')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
O4 - Global Startup: NETGEAR WNDA3200 Smart Wizard.lnk = C:\Program Files\NETGEAR\WNDA3200\WNDA3200WPSMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: ObjectDockShellExt - {1984D045-52CF-49cd-DB77-08F378FEA4DB} - (no file)
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - (no file)
O23 - Service: AVG Firewall (avgfws) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgfws.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WNDA3200\jswpsapi.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: NETGEAR WNDA3200 Device Checking Service (WDCS_WNDA3200) - Unknown owner - C:\Program Files\NETGEAR\WNDA3200\WifiDevChkSvc.exe
O24 - Desktop Component 1: (no name) - http://card.mygamercard.net/Kilner2011.html

--
End of file - 12976 bytes

I submitted it to the website Wolf mentioned, but a lot of the results came up with question marks, so I'm unsure whether they are safe or not. Anyway, the purpose of the topic is for people to help try and locate anything that shouldn't be there. Thanks in advance.
yoječ Posted September 10, 2011

Seems fine to me, apart from the last entry (O24 - Desktop Component 1: (no name) - http://card.mygamercard.net/Kilner2011.html). I'd try to run the HijackThis scan again and fix this entry.
Wolf68k Posted September 11, 2011

As far as the processes go, this must be an HP machine, and you must have Windows Media Center running as well. Other than that, I would suggest a different anti-virus from AVG, but if you're happy with it then use it.

For the rest of the log...

This isn't good:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.daemon-search.com

Not a big issue, but can be fixed:
O22 - SharedTaskScheduler: ObjectDockShellExt - {1984D045-52CF-49cd-DB77-08F378FEA4DB} - (no file)
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - (no file)

This is actually ok. It has something to do with Xbox, which I'm assuming you have:
O24 - Desktop Component 1: (no name) - http://card.mygamercard.net/Kilner2011.html

Don't really need this:
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
But it is part of HP, to remind you about creating something. I wouldn't be surprised if it was to remind you to create a set of recovery discs, which from the looks of things might be too late, because you really should do that very soon after getting your system and starting it up the first time.

I'm also not a big fan of Nero these days, but again, if you're happy with it then leave it be. If you want suggestions for other product(s), just ask and tell me/us what all you use Nero for.

I'm seeing traces of McAfee on there as well. Either the HP came with it pre-installed (likely) and you mostly removed it but not quite, or it's still on there and just not active. If you're not using it, then try to completely get rid of it. If there is still something of it left in Add/Remove Programs then start there. Otherwise find the folder and manually delete it, and use HJT to get rid of these lines:
O4 - Global Startup: McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe
yoječ Posted September 11, 2011

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.daemon-search.com

This entry is safe; if I'm not mistaken it was added by the Daemon Tools app. Fixing it won't hurt though.
Wolf68k Posted September 11, 2011

(quoting yoječ)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.daemon-search.com
This entry is safe; if I'm not mistaken it was added by the Daemon Tools app. Fixing it won't hurt though.

You are correct. hijackthis.de red-flagged it, which is why I posted it. Also, any time I see something like that wanting to take over the browser's start page I would red-flag it as well, unless it was something like HP or Dell or Google Toolbar, something that is well known and very safe. From the name on that, though, even if hjt.de didn't red-flag it I still would have.
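The two replies above apply a handful of review rules to the log by hand: a start page pointing somewhere other than a known vendor host, entries whose target is "(no file)", services with no recognised publisher, and the O24 desktop component. The script below is an added example (not from the thread, not HijackThis code) that applies the same rules to HijackThis v2 log text and also counts running processes by image name, which answers the later svchost.exe question: several svchost.exe instances is the normal state of a Windows box. The sample log lines are constructed from the entries quoted in the thread, and TRUSTED_URL_HOSTS is an illustrative allowlist, an assumption you would extend for the vendors you trust.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a few lines in HijackThis v2 log format, modelled on the
# entries quoted in the thread (not the full log).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = my.daemon-search.com
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O22 - SharedTaskScheduler: ObjectDockShellExt - {1984D045-52CF-49cd-DB77-08F378FEA4DB} - (no file)
O23 - Service: NMSAccess - Unknown owner - C:\\Program Files\\CDBurnerXP\\NMSAccessU.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\\Program Files\\AVG\\AVG2012\\avgwdsvc.exe
O24 - Desktop Component 1: (no name) - http://card.mygamercard.net/Kilner2011.html
"""

# Hosts a start/search page may legitimately point at on this OEM build.
# Assumption: illustrative allowlist only; extend it for the vendors you trust.
TRUSTED_URL_HOSTS = {"go.microsoft.com", "ie.redirect.hp.com"}

# HijackThis entry lines start with a section code such as R0, F2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")


def parse_log(text):
    """Split a HijackThis log into (running_processes, [(code, body), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group("code"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return processes, entries


def url_host(value):
    """Host part of a start-page value, tolerating a missing scheme."""
    v = value.strip()
    if "://" not in v:
        v = "http://" + v
    return urlsplit(v).hostname or ""


def triage(entries):
    """Apply the thread's review rules; returns [(code, reason, body), ...]."""
    findings = []
    for code, body in entries:
        if code in ("R0", "R1") and " = " in body:
            _, value = body.split(" = ", 1)
            host = url_host(value)
            if host and host not in TRUSTED_URL_HOSTS:
                findings.append((code, f"start/search page points at untrusted host {host}", body))
        elif body.endswith("(no file)"):
            findings.append((code, "orphaned entry, target file missing; safe to fix", body))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service has no recognised publisher; verify the binary", body))
        elif code == "O24":
            findings.append((code, "desktop component loads remote content; remove if unneeded", body))
    return findings


def process_counts(processes):
    """Count running processes by image name, case-insensitively."""
    return Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    for code, reason, body in triage(ents):
        print(f"[{code}] {reason}\n    {body}")
    for name, n in process_counts(procs).most_common():
        if n > 1:
            print(f"{name}: {n} instances (normal for svchost.exe)")
```

On the constructed sample this reports the daemon-search start page, the orphaned O22 entry, the NMSAccess service with no publisher and the O24 component, and leaves the Microsoft start page and the AVG service alone; it is a triage aid, not a verdict, so a flagged service still needs its binary checked by hand.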
KilnerLUFC Posted September 13, 2011 (Author)

Thanks for the help, you two. I'm going to be trying to sort the PC out later tonight, so I will try and fix a few of these problems that you have pointed out. I'm not so bothered about the ones that have taken over IE, as I use Firefox anyway. Last time I opened up my IE browser I had around 5 toolbars at the top of the browser, so I'm staying well away from that from now on. And yes, that was an Xbox Gamercard that appeared on my desktop, but it stopped working when Live updated, and I just forgot to remove it, so thanks for pointing that one out; I missed it when I scanned over it. As for the McAfee one, I installed the program not so long ago, but as it was the free version, all it did was tell me if I had any virus programs installed on my PC, so I need to get rid of that anyway. May seem like a pointless post, but I didn't want to not reply and seem ignorant of your help.

PS: What is Daemon Tools?

PPS: Why do I have multiple copies of the same process running, such as the svchost one?
Wolf68k Posted September 13, 2011

Daemon Tools is a program that creates a virtual drive.

svchost.exe is part of Windows. Different services use it.

You have 5 toolbars? That's most likely because when you install something you're just going through the standard install and not selecting the Custom or Advanced option, or just not reading everything as you do the install. A lot of the time there are "extras" that can get installed when you install something as simple as CCleaner. With CCleaner it tries to install Google Chrome and make it the default browser.