Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations biv343 on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Unknown Files and Processes

Status
Not open for further replies.
MuDgEtH

MuDgEtH

Technical User
Mar 1, 2004
2
GB
Hi There,
After reading a post on here about security issues, I thought it might be a good idea to check out my 'processes' box and found a host of things that I don't know wether they are good or not.

Here is my hijackthis log...

Logfile of HijackThis v1.97.5
Scan saved at 23:34:34, on 01/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
D:\quick time\qttask.exe
C:\windows\system32\win32gb.exe
C:\windows\system32\mscnt.exe
F:\SpeedTouch USB\Dragdiag.exe
C:\windows\system32\sysint16.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\mshta.exe
F:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
D:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\Program Files\GetRight\getright.exe
D:\Program Files\WinZip\WZQKPICK.EXE
F:\iMesh\Client\iMeshClient.exe
F:\Program Files\SpywareGuard\sgmain.exe
F:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = (obfuscated)
R3 - URLSearchHook: (no name) - - (no file)
F1 - win.ini: run=c:\windows\system32\dvraudio.exe
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\System32\expext.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Games Domain - {68AE7BF6-C47E-44D2-9CCE-90FD6E69A0B0} - C:\PROGRAM FILES\GAMES DOMAIN\GD TOOLBAR\GDBAR.DLL (file missing)
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "D:\quick time\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\MLH\launcher.exe" /P
O4 - HKLM\..\Run: [win32gb] c:\windows\system32\win32gb.exe /noconnect
O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\System32\expup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Sysint16] c:\windows\system32\sysint16.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "F:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "F:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Startup: iMesh.lnk = F:\iMesh\Client\iMeshClient.exe
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: OpenMG Jukebox Startup.lnk = D:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = D:\Program Files\GetRight\getright.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Freeserve (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - O16 - DPF: {91413D86-9F27-402C-B5E3-DEBDD122C339} - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {D53B810F-6219-11D4-95B6-0040950375E7} - O17 - HKLM\System\CCS\Services\Tcpip\..\{F7E4A46F-F850-4E41-A3D2-738EA2C1DB9B}: NameServer = 195.92.195.94 195.92.195.95

Hope you can help....
 
Sort by date Sort by votes
First off, if you wish to clean a few things up, disable system restore:

Then, check these items off and let Hijack This! remove them:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = (obfuscated)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\System32\expext.dll
O3 - Toolbar: Games Domain - {68AE7BF6-C47E-44D2-9CCE-90FD6E69A0B0} - C:\PROGRAM FILES\GAMES DOMAIN\GD TOOLBAR\GDBAR.DLL (file missing)
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\MLH\launcher.exe" /P
O4 - HKLM\..\Run: [win32gb] c:\windows\system32\win32gb.exe /noconnect
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\System32\expup.exe
O4 - HKLM\..\Run: [Sysint16] c:\windows\system32\sysint16.exe
O4 - Startup: iMesh.lnk = F:\iMesh\Client\iMeshClient.exe
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - O16 - DPF: {D53B810F-6219-11D4-95B6-0040950375E7} -

Now, download and run this tool:
Let it pick up anything we may have left behind (as you DO have the CWS hijacker).

Reboot.



"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Upvote 0 Downvote
Thanks for the reply..

I did everything you said, and that CWShredder came up with something called...

C:\Windows\WCUNINST.EXE

..and asked if it was a random filename, if it was, it would delete it... should I let it delete it, it didnt seem too random to me.

Oh, also, whenever i turn the computer on and get onto the desktop, a message appears saying "could not find dvraudio.exe, press browse to search for the specified file.." I noticed this on the hijackthis! log, should i delete that too?

Here is my new HijackThis! log...

Logfile of HijackThis v1.97.5
Scan saved at 15:44:19, on 02/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
D:\quick time\qttask.exe
C:\windows\system32\mscnt.exe
F:\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
D:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\Program Files\GetRight\getright.exe
D:\Program Files\WinZip\WZQKPICK.EXE
F:\Program Files\SpywareGuard\sgmain.exe
F:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = F1 - win.ini: run=c:\windows\system32\dvraudio.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Games Domain - {68AE7BF6-C47E-44D2-9CCE-90FD6E69A0B0} - C:\PROGRAM FILES\GAMES DOMAIN\GD TOOLBAR\GDBAR.DLL (file missing)
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "D:\quick time\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "F:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "F:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: OpenMG Jukebox Startup.lnk = D:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = D:\Program Files\GetRight\getright.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Freeserve (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - O16 - DPF: {91413D86-9F27-402C-B5E3-DEBDD122C339} - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O17 - HKLM\System\CCS\Services\Tcpip\..\{F7E4A46F-F850-4E41-A3D2-738EA2C1DB9B}: NameServer = 195.92.195.94 195.92.195.95
 
Upvote 0 Downvote
Get rid of these entries:
F1 - win.ini: run=c:\windows\system32\dvraudio.exe
O3 - Toolbar: Games Domain - {68AE7BF6-C47E-44D2-9CCE-90FD6E69A0B0} - C:\PROGRAM FILES\GAMES DOMAIN\GD TOOLBAR\GDBAR.DLL (file missing)
O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect
O4 - Global Startup: GetRight - Tray Icon.lnk = D:\Program Files\GetRight\getright.exe
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) -
Reboot.

You should be on the road to wellness.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Upvote 0 Downvote
I wouldn't go messing with WCUNINST.EXE just yet.



"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Upvote 0 Downvote
WCUNINST.EXE appears to be an uninstaller for a client,probably shareware but thats all the info I could find :)
 
Upvote 0 Downvote
I have the same problem, everytime i reboot i get an error message saying that windows could not find dvraudio.exe, then it says about updating the registry, does anyone know how i go about sorting this problem out?
 
Upvote 0 Downvote
Your pc is trying to kick off whatever process was associated with that file on startup.
Go to Start > Run > type in msconfig > when the System Configuration Utility comes up, go to the StartUp tab and find dvraudio.exe. Uncheck it, Apply. You should not be bothered further.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
813
Sameer258
Sameer258
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
602
nnaarrnn
nnaarrnn
Nitta84
  • Locked
  • Question
navigation slow and tcp syc/ack drop
Replies
0
Views
505
Nitta84
Nitta84
ITSUPPORTIT
  • Locked
  • Question
VPN from ASA 5510 and RV215W problem
Replies
0
Views
167
ITSUPPORTIT
ITSUPPORTIT
alex1002
  • Locked
  • Question
Sonicwall SSLVPN very slow Throughput accessing network files
Replies
1
Views
273
alex1002
alex1002

Part and Inventory Search

Sponsor

Back
Top