
A handful of items I don't recognise from HiJackThis.


18 replies to this topic

#1 qwerty12345

Posted 12 January 2011 - 04:01 PM

Hello.

Firstly, I wasn't sure exactly where to post this. The only other place that seemed applicable was the "Virus, Trojan, Spyware, and Malware Removal Logs" forum, but I'm not sure that this machine is infected. Also, I'm not actually posting a full log.

I've installed and run HiJackThis and although I recognise most of the information it has given me, there are a handful of items that I'm not sure about. I was hoping some people here might be able to explain them for me.

O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKUS\####\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\####\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\####\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\####\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

I have found out what CTFMON.exe is and "Turn off advanced text services" is already ticked, plus CTFMON doesn't seem to be running, so why is it appearing in HJT? And why four times?


O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

I can't see any of these buttons or menu items. Also, why is xpnetdiag.exe there twice (once with no name)?


O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


If you know what any of these are, what they do and whether or not I need them, then I'd appreciate you sharing your knowledge.

PS: I have looked these up on www.systemlookup.com, but I've never heard of the site before today, so I don't know how reliable it is and I don't know of anywhere else to verify the information. There's also the fact that it usually only says "Related to..." or "Part of...", which doesn't really tell me what it does or if I need it. So, if the only information you have comes from that site, then there probably isn't any need to post it. Thank you.


#2 Yoshistr

Posted 12 January 2011 - 04:59 PM

None of the items you posted are infections or known possible infection items.

CTFMON.exe is a Windows executable that is set to auto-run at startup on most Windows XP and Vista systems that install Microsoft Office; it serves to detect user text input and is a non-necessary service/process. You see four installations of it because it has registered itself to run for the four user types on your computer; this is nothing to worry about.


O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
This is a browser extension for RealPlayer, a video/music player.

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
This seems to be a partially removed netdiag utility from your original install of Windows XP.

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
This is a menu item addition, most likely from an installation of Windows XP Service Pack 3.


O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
This is a Symantec antivirus class library file, part of a Symantec software installation.

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
This is a Windows logon notify tray icon, which is from avgrsstarter (AVG antivirus software at startup); it shows an icon near the clock at startup for AVG Antivirus.

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
This is a service for Intel driver installation known as InstallShield; it searches for new drivers and checks current drivers.


I don't note any malware/virus/etc.; however, sometimes it can be masked or implemented to run within these files, which requires you to run an MD5 checksum on the file to verify it matches the vendor's original file.
Yoshistr Support Team
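The registry locations behind the O2, O4 and O20 lines discussed in this post can be read directly with PowerShell. The script below is an added example, not code from the thread, from HiJackThis or from any vendor: it walks the Browser Helper Objects key, the Run and RunOnce keys of HKLM and of every hive loaded under HKEY_USERS (HJT's HKUS\...\Run lines; the .DEFAULT, S-1-5-18, S-1-5-19 and S-1-5-20 hives are the "Default user", SYSTEM, LOCAL SERVICE and NETWORK SERVICE accounts behind the four CTFMON entries), and the Winlogon Notify key, resolves each entry to a file and reports whether that file is still on disk, which is what HJT means by "(no file)". It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the registry paths are the standard Windows ones, and the entry names on any given machine will differ.

```powershell
# Added example (not from the thread, HiJackThis or any vendor): enumerate the
# registry locations behind HJT's O2, O4 and O20 lines and report whether each
# target file still exists. Assumes Windows PowerShell 2.0+ in an elevated prompt.
Set-StrictMode -Version 2

# HJT labels the well-known service hives under HKEY_USERS with these names.
$SidNames = @{ '.DEFAULT' = 'Default user'; 'S-1-5-18' = 'SYSTEM'
               'S-1-5-19' = 'LOCAL SERVICE'; 'S-1-5-20' = 'NETWORK SERVICE' }

function New-Entry {
    param($Type, $Name, $Path, $Hive)
    New-Object PSObject -Property @{ Type = $Type; Name = $Name; Path = $Path; Hive = $Hive }
}

function Resolve-ImagePath {
    # Turn a command line into the file it launches: expand %vars%, honour a
    # quoted path, otherwise cut at the first executable extension or first space.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $line = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($line.StartsWith('"')) {
        $end = $line.IndexOf('"', 1)
        if ($end -gt 1) { return $line.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($line, '^(.+?\.(exe|dll|com|bat|cmd|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($line -split '\s+')[0]
}

function Get-BhoEntries {
    # O2: each subkey is a CLSID; its display name and DLL live under HKCR\CLSID.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid = $sub.PSChildName; $name = $null; $dll = $null
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path $clsKey) {
            $name = (Get-Item $clsKey).GetValue('')
            if (Test-Path "$clsKey\InprocServer32") { $dll = (Get-Item "$clsKey\InprocServer32").GetValue('') }
        }
        if (-not $name) { $name = '(no name)' }
        New-Entry 'O2 BHO' "$name $clsid" $dll 'HKLM'
    }
}

function Get-RunEntries {
    # O4: Run and RunOnce under HKLM and under every hive loaded in HKEY_USERS.
    $suffixes = 'Software\Microsoft\Windows\CurrentVersion\Run',
                'Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $roots = @('Registry::HKEY_LOCAL_MACHINE') +
             @(Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { 'Registry::HKEY_USERS\' + $_.PSChildName })
    foreach ($root in $roots) {
        foreach ($suffix in $suffixes) {
            if (-not (Test-Path "$root\$suffix")) { continue }
            $item = Get-Item "$root\$suffix"
            foreach ($valueName in $item.GetValueNames()) {
                New-Entry 'O4 Run' $valueName ($item.GetValue($valueName)) $root
            }
        }
    }
}

function Get-WinlogonNotifyEntries {
    # O20: each subkey names a DLL that winlogon.exe loads (XP/2003 only). A bare
    # file name is looked up in System32; an empty DLLName leaves nothing to check.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $key)) { return }
    foreach ($sub in Get-ChildItem $key) {
        New-Entry 'O20 Notify' $sub.PSChildName ($sub.GetValue('DLLName')) 'HKLM'
    }
}

function Get-AutostartReport {
    $all = @(Get-BhoEntries) + @(Get-RunEntries) + @(Get-WinlogonNotifyEntries)
    foreach ($e in $all) {
        $file = Resolve-ImagePath $e.Path
        if ($file -and -not [IO.Path]::IsPathRooted($file)) {
            $file = Join-Path ([Environment]::SystemDirectory) $file
        }
        if (-not $file) { $status = '(no file)' }
        elseif (Test-Path -LiteralPath $file -PathType Leaf) { $status = 'present' }
        else { $status = 'MISSING' }
        $hive = $e.Hive
        $leaf = $hive.Split('\')[-1]
        if ($SidNames.ContainsKey($leaf)) { $hive = "$leaf ($($SidNames[$leaf]))" }
        New-Object PSObject -Property @{
            Type = $e.Type; Status = $status; Name = $e.Name; File = $file; Hive = $hive
        }
    }
}

Get-AutostartReport | Sort-Object Status, Type, Name | Format-Table Type, Status, Name, File, Hive -AutoSize
```

Entries with Status MISSING or (no file) are the orphans HJT flags; an entry that is present but unfamiliar is the one to identify by vendor and signature rather than delete on sight.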

#3 noknojon

Posted 12 January 2011 - 05:29 PM

O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)


{A3BC75A2-1F87-4686-AA43-5347D756017C} = AVG Security Toolbar BHO (May be old installation)
{AA58ED58-01DD-4d91-8333-CF10577473F7} = Google toolbar (Not unusual)

These 2 items are just related to current or old-version toolbars - most likely gone, but they just want to 'hang around' -
Please remove any toolbars that are not required (ASK is a main one to remove) -
See RA Products Uninstallers for removal of unwanted toolbars, and see if you have any listed that you want removed -

Thank You -

EDITED for extra information -

Edited by noknojon, 12 January 2011 - 05:41 PM.


#4 Union_Thug

Posted 13 January 2011 - 05:53 AM

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


Xpnetdiag runs when you click the "Diagnose Connection Problems" button when the Ex-PLODE-r connection fails (screenshot):

[screenshots not reproduced]

Edited by Union_Thug, 13 January 2011 - 05:56 AM.


#5 Union_Thug

Posted 13 January 2011 - 07:52 AM

> I can't see any of these buttons or menu items. Also, why is xpnetdiag.exe there twice (once with no name)?


xpnetdiag.exe appears in two instances in IE: once as an add-on, which curiously shows its publisher as "Not Available", and once under the "Tools" tab. I deleted both with HJT as they (it) appear(s) pretty useless, IMO.

[screenshots not reproduced]

#6 qwerty12345 (Topic Starter)

Posted 13 January 2011 - 03:29 PM

Thank you for the helpful replies.

Yoshistr - Your answers almost exactly match those from systemlookup, can I just check, is that where you got your information from, or is it from elsewhere/your own knowledge?

> CTFMON.exe is a Windows executable that is set to auto-run at startup on most Windows XP and Vista systems that install Microsoft Office; it serves to detect user text input and is a non-necessary service/process. You see four installations of it because it has registered itself to run for the four user types on your computer; this is nothing to worry about.

Considering I don't have any Office apps installed (the nearest is PowerPoint Viewer, which as far as I know doesn't have any ability for input) and the fact that advanced text services is disabled, I can't see why it is appearing in HJT, especially as it doesn't seem to be running at startup. Can I safely remove these entries with HJT?


> O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
> This is a Symantec antivirus class library file, part of a Symantec software installation.

Yes, I could see it was from Symantec, but this machine has never had any Symantec software installed. So, what exactly is it? Maybe some sort of browser based antivirus scanner?


> O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
> This is a Windows logon notify tray icon, which is from avgrsstarter (AVG antivirus software at startup); it shows an icon near the clock at startup for AVG Antivirus.

Well, AVG hasn't been installed for a few months, so I suppose I can "fix" this. The Windows directory and the lack of a filename seemed a bit suspicious, but I suppose it's because it's a leftover.


> O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
> This is a service for Intel driver installation known as InstallShield; it searches for new drivers and checks current drivers.

When might this run? Looking at the services, it is set to manual and not running.


> O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
> O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
>
> {A3BC75A2-1F87-4686-AA43-5347D756017C} = AVG Security Toolbar BHO (May be old installation)
> {AA58ED58-01DD-4d91-8333-CF10577473F7} = Google toolbar (Not unusual)
>
> These 2 items are just related to current or old-version toolbars - most likely gone, but they just want to 'hang around'

noknojon - I found these toolbars and uninstalled them a couple of months ago, as you say, they're probably just leftover registry entries.


> Please remove any toolbars that are not required (ASK is a main one to remove) -
> See RA Products Uninstallers for removal of unwanted toolbars, and see if you have any listed that you want removed -

I'll admit I'm not at all sure what you mean by this. Do you mean this? (the only other RAProducts was for uninstalling Java) When you say "any listed" toolbars, do you mean in that software, if I install and run it?


> O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
> O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
>
> Xpnetdiag runs when you click the "Diagnose Connection Problems" button when the Ex-PLODE-r connection fails (screenshot)

Union_Thug - I see. It's not a button like in your screenshot, just a link, but that must be one of them.


> xpnetdiag.exe appears in two instances in IE: once as an add-on, which curiously shows its publisher as "Not Available", and once under the "Tools" tab. I deleted both with HJT as they (it) appear(s) pretty useless, IMO.

Once again, thank you. I didn't realise there was another tools menu (I haven't used the newer versions of IE), but it's not there either. I'll probably get rid of it as well, but what about the files? Is there a way to actually uninstall it?
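The two remaining categories asked about in this post, O16 and O23, can be listed the same way as the others. The script below is an added example, not code from the thread, from HiJackThis or from any vendor. For O16 it reads the Code Store Database, the registry area where Internet Explorer records each ActiveX control it downloaded into Downloaded Program Files, together with the CODEBASE URL it was fetched from (the URL printed on an O16 line) and the files it installed. For O23 it queries Win32_Service for every service's start mode, current state and binary, and flags binaries outside the Windows directory, since those are the ones to identify by vendor; a Manual service starts only when some program asks the Service Control Manager for it, which is why one can sit stopped for months. It assumes Windows PowerShell 2.0 or later in an elevated prompt; the registry paths and the WMI class are the standard ones (on PowerShell 7, Get-WmiObject is replaced by Get-CimInstance).

```powershell
# Added example (not from the thread, HiJackThis or any vendor): list the
# ActiveX controls behind HJT's O16 lines and the services behind its O23 lines.
# Assumes Windows PowerShell 2.0+ in an elevated prompt.

function Get-DownloadedProgramFiles {
    # O16: the Code Store Database keys each Distribution Unit by CLSID; its
    # DownloadInformation subkey holds the CODEBASE URL the control was fetched
    # from and Contains\Files lists the files it dropped.
    $duKey = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
    if (-not (Test-Path $duKey)) { return }
    foreach ($du in Get-ChildItem $duKey) {
        $clsid = $du.PSChildName
        $name = $null; $codebase = $null; $files = @()
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path $clsKey) { $name = (Get-Item $clsKey).GetValue('') }
        if (Test-Path "$duKey\$clsid\DownloadInformation") {
            $codebase = (Get-Item "$duKey\$clsid\DownloadInformation").GetValue('CODEBASE')
        }
        if (Test-Path "$duKey\$clsid\Contains\Files") {
            $files = (Get-Item "$duKey\$clsid\Contains\Files").GetValueNames()
        }
        New-Object PSObject -Property @{
            Clsid = $clsid; Name = $name; CodeBase = $codebase; Files = ($files -join ', ')
        }
    }
}

function Get-ServiceReport {
    # O23: Win32_Service returns start mode, state and image path in one query.
    $windir = $env:windir.ToLower()
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $exe = $null
        if ($_.PathName) {
            # Quoted or unquoted path: take everything up to the first ".exe".
            # svchost-hosted services are registered without the extension.
            $m = [regex]::Match($_.PathName, '^"?(.+?\.exe)', 'IgnoreCase')
            if ($m.Success) { $exe = $m.Groups[1].Value } else { $exe = ($_.PathName -split '\s+')[0] + '.exe' }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
        }
        New-Object PSObject -Property @{
            Name = $_.Name; DisplayName = $_.DisplayName; StartMode = $_.StartMode
            State = $_.State; Binary = $exe
            BinaryExists = (($exe -ne $null) -and (Test-Path -LiteralPath $exe -PathType Leaf))
            ThirdParty = (($exe -ne $null) -and (-not $exe.ToLower().StartsWith($windir)))
        }
    }
}

"== O16: Downloaded Program Files =="
Get-DownloadedProgramFiles | Format-List Name, Clsid, CodeBase, Files

"== O23: services whose binary is outside $env:windir =="
Get-ServiceReport | Where-Object { $_.ThirdParty } |
    Sort-Object StartMode, Name | Format-Table Name, StartMode, State, BinaryExists, Binary -AutoSize
```

A service that is Manual, Stopped and whose BinaryExists is False is a dead registration and nothing more; one that is Auto or Running with a binary you cannot attribute to an installed product is the one worth a hash and signature check.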

#7 Union_Thug

Posted 13 January 2011 - 03:42 PM

> Once again, thank you. I didn't realise there was another tools menu (I haven't used the newer versions of IE), but it's not there either. I'll probably get rid of it as well, but what about the files? Is there a way to actually uninstall it?


LOL, me neither, except for Micro$oft Update$ (I use FF 3.6.13). AAMOF, I didn't even know it (xpnetdiag.exe) was there until I read your post and ran HJT just for the hell of it (I haven't used HJT in YEARS... I'd forgotten what a nifty little tool it was. Thanks for reminding me!). As for the .exe, just delete it and POOF! No more xpnetdiag... HJT took care of the reg entries.

Edited by Union_Thug, 13 January 2011 - 03:49 PM.


#8 qwerty12345 (Topic Starter)

Posted 15 January 2011 - 07:54 PM

> (I haven't used HJT in YEARS... I'd forgotten what a nifty little tool it was. Thanks for reminding me!)

Well, you caught me. I thought I was being subtle, but my whole reason for registering at the bleepingcomputer.com forum was to remind you of the joys of HJT. ;)


Yoshistr - Here they are again with the MD5 checksums (these are the only ones that had them)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll (filesize 1499136 bytes, MD5 C896F6270EC20A60799298B423D5F58B)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)


General - Just to be clear, none of these are really necessary (let alone useful) so I can safely "fix" (i.e. delete) all of them?

Thank you.
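Post #2 suggested comparing each file's MD5 against the vendor's original, and this post supplies sizes and MD5s. The script below is an added example, not code from the thread or from any vendor, that performs that comparison and adds the check a practitioner would lean on first, the Authenticode signature. The reference table holds the two sizes and MD5 values exactly as posted above; they are the poster's own readings, not published reference values, so a match means "unchanged since the post", not "known good", and they should be replaced with hashes taken from a clean install or from the vendor. It assumes Windows PowerShell 2.0 or later and therefore hashes through .NET directly (Get-FileHash did not exist yet). One caveat: on XP, Windows' own binaries are usually signed through a security catalog rather than an embedded signature, and Get-AuthenticodeSignature there reports them as NotSigned; that is why the size and hash comparison is kept alongside the signature check rather than replaced by it.

```powershell
# Added example (not from the thread or any vendor): recompute the size and MD5
# that HJT prints, add SHA-256, check the Authenticode signature and compare
# against reference values. Assumes Windows PowerShell 2.0+ (no Get-FileHash).

function Get-FileDigest {
    param([string]$Path, [string]$Algorithm = 'MD5')
    $algo = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [IO.File]::OpenRead($Path)
    try { $bytes = $algo.ComputeHash($stream) } finally { $stream.Close() }
    # Upper-case hex without separators, the format HJT prints.
    return ([BitConverter]::ToString($bytes) -replace '-', '')
}

function Test-KnownFile {
    param([string]$Path, [long]$ExpectedSize, [string]$ExpectedMd5)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return New-Object PSObject -Property @{ Path = $Path; Verdict = 'file not found' }
    }
    $size = (Get-Item -LiteralPath $Path).Length
    $md5  = Get-FileDigest $Path 'MD5'
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $match = ($size -eq $ExpectedSize) -and ($md5 -eq $ExpectedMd5.ToUpper())

    # A valid embedded signature identifies the publisher outright. Catalog-signed
    # Windows files show up as NotSigned here, so fall back to the reference hash.
    if ($sig.Status -eq 'Valid') { $verdict = "signed by $signer" }
    elseif ($match) { $verdict = 'unsigned, size and MD5 match the reference' }
    else { $verdict = 'unsigned, DOES NOT match the reference: identify before trusting' }

    New-Object PSObject -Property @{
        Path = $Path; Size = $size; MD5 = $md5; SHA256 = (Get-FileDigest $Path 'SHA256')
        ExpectedMd5 = $ExpectedMd5.ToUpper(); SizeAndMd5Match = $match
        Signature = $sig.Status; Signer = $signer; Verdict = $verdict
    }
}

# Reference values exactly as posted in this thread (the poster's own readings,
# not vendor-published values); substitute hashes from a clean install.
$references = @(
    @{ Path = 'C:\WINDOWS\system32\Shdocvw.dll'; Size = 1499136; Md5 = 'C896F6270EC20A60799298B423D5F58B' }
    @{ Path = 'C:\WINDOWS\Network Diagnostic\xpnetdiag.exe'; Size = 558080; Md5 = 'AAC1D4EE39DF138C5D30AC5883E3B59F' }
)

$references | ForEach-Object { Test-KnownFile -Path $_.Path -ExpectedSize $_.Size -ExpectedMd5 $_.Md5 } |
    Format-List Path, Size, MD5, SHA256, ExpectedMd5, SizeAndMd5Match, Signature, Signer, Verdict
```

MD5 is kept only because it is what HJT and the thread report; when you record your own references, keep the SHA-256 column, since MD5 collisions are practical and a deliberately planted file can share an MD5 with a clean one.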

#9 Yoshistr

Posted 16 January 2011 - 02:57 PM

Yes, you can delete them; make sure you know how to clean them properly from the registry, otherwise the browser may not be able to start properly and you may need to do a reinstall.
Yoshistr Support Team

#10 Union_Thug

Posted 16 January 2011 - 03:13 PM

> Yes, you can delete them; make sure you know how to clean them properly from the registry, otherwise the browser may not be able to start properly and you may need to do a reinstall.



> Autoruns for Windows v10.06
>
> Simply run Autoruns and it shows you the currently configured auto-start applications as well as the full list of Registry and file system locations available for auto-start configuration. Autostart locations displayed by Autoruns include logon entries, Explorer add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs), Appinit DLLs, image hijacks, boot execute images, Winlogon notification DLLs, Windows Services and Winsock Layered Service Providers. Switch tabs to view autostarts from different categories.


Now I remember why I'd not used HJT in such a long time...
:P

Edited by Union_Thug, 16 January 2011 - 03:15 PM.


#11 noknojon

Posted 16 January 2011 - 11:33 PM

> Please remove any toolbars that are not required (ASK is a main one to remove) -
> See RA Products Uninstallers for removal of unwanted toolbars, and see if you have any listed that you want removed -

> I'll admit I'm not at all sure what you mean by this. Do you mean this? (the only other RAProducts was for uninstalling Java) When you say "any listed" toolbars, do you mean in that software, if I install and run it?

The link in the 'top quote' is a site for uninstalling any toolbars and antivirus programs you may have 'floating' on your system -
Click on the Blue link I left and it shows a page full of uninstallers for many items - If you Googled it you may have another result -
Thanks -

#12 qwerty12345 (Topic Starter)

Posted 17 January 2011 - 07:26 AM

> Autoruns for Windows v10.06

Ah, I didn't know there was a new version, thanks for that. Is there a changelog anywhere?

> Now I remember why I'd not used HJT in such a long time...
> :P

And yet, it didn't show xpnetdiag.exe?

#13 Union_Thug

Posted 17 January 2011 - 10:22 AM

> And yet, it didn't show xpnetdiag.exe?


Actually, it WILL if you uncheck "Hide Microsoft and Windows Entries" & "Hide Windows Entries" under the options tab:

[screenshot not reproduced]

#14 Union_Thug

Posted 17 January 2011 - 10:27 AM

> Is there a changelog anywhere?


Dunno. Google is your friend.


#15 qwerty12345 (Topic Starter)

Posted 19 January 2011 - 07:53 AM

> Yes, you can delete them; make sure you know how to clean them properly from the registry, otherwise the browser may not be able to start properly and you may need to do a reinstall.

I thought this was what HJT was doing.

For O2, O4 and O20 it says it deletes the registry entries. For O16, it doesn't say, but I presume it just deletes the file from Downloaded Program Files.

What do you mean by "Clean them properly"? Although the browser is starting properly, they have all come back (except for XPNetDiag).

Thank you.



