Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Log File


  • Please log in to reply
1 reply to this topic

#1 Marti

Marti

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:42 PM

Posted 09 March 2006 - 10:04 PM

I noticed something strange in my PC so i checked more and realized first that MSN messenger starts automatically every time i run windows, even if option to start msn messenger on messenger menu is off.
When log in in safe mode as administrator, open explorer and right click on file names listed in HKLM/software/microsoft/windows/run (such as 00THotkey.exe), open property window of such file and check "security tab" i see the following string as user name, beside ADMINISTRATOR, SYSTEM, etc:
S-1-5-21-3049402432-1959195367-1455537910-1003

I had the same string in:
-HKLM/SOFTWARE/MICROSOFT/IMEJP/8.1/MIGRATEUSER
-HKLM/SOFTWARE/MICROSOFT/IMKR/6.1/MIGRATEUSER
-HKCU/SOFTWARE/MICROSOFT/WINDOWS/CURRENT VERSION/CHINA

*i deleted the keys above

Could you please somebody check and let me kindly know?

Thank you.



Logfile of HijackThis v1.99.1
Scan saved at 11:20:47, on 2006/03/10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\SigmaTel\SigmaTel AC97 オーディオ ドライバ\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Smooth View\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\ja-jp\bin\WindowsSearch.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\ja-jp\bin\WindowsSearchIndexer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Arti\LOCALS~1\Temp\hijackthis.zip の一時ディレクトリ 2\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSN サーチ ツールバー Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\ja-jp\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: The翻訳インターネット V9.0 - {E22DDC73-5644-40b8-A62A-061EA0F5C7A6} - C:\Program Files\TTI_V9LE\def_bar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN サーチ ツールバー - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\ja-jp\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 オーディオ ドライバ\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Smooth View\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &MSN サーチ - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\ja-jp\msntb.dll/search.htm
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: The翻訳_ページ翻訳 - C:\Program Files\TTI_V9LE\addins\Ie\afi_pagetran.htm
O8 - Extra context menu item: The翻訳_範囲指定翻訳 - C:\Program Files\TTI_V9LE\addins\Ie\afi_seltran.htm
O8 - Extra context menu item: The翻訳_翻訳設定 - C:\Program Files\TTI_V9LE\addins\Ie\afi_setdlg.htm
O8 - Extra context menu item: The翻訳_辞書参照 - C:\Program Files\TTI_V9LE\addins\Ie\ttp_showdic.htm
O8 - Extra context menu item: 新しいバックグラウンドのタブで開く - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\ja-jp\msntabres.dll/229?4c10a8a652154e59a09f943459297310
O8 - Extra context menu item: 新規作成した最前面のタブ内で開く - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\ja-jp\msntabres.dll/230?4c10a8a652154e59a09f943459297310
O8 - Extra context menu item: 英日翻訳 - res://C:\Program Files\Nova\pika1v4\addins\ie\pagetran.exe /pagetran.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 英日翻訳 - {B7B7905C-374A-4BB6-BC52-43F36436996D} - C:\Program Files\Nova\pika1v4\addins\ie\pagetran.exe
O9 - Extra 'Tools' menuitem: 英日翻訳 - {B7B7905C-374A-4BB6-BC52-43F36436996D} - C:\Program Files\Nova\pika1v4\addins\ie\pagetran.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: ページ翻訳 - {EE8CA0E1-B126-4ee6-A74B-81491B91D579} - C:\Program Files\TTI_V9LE\addins\Ie\afi_pagetran.htm
O9 - Extra 'Tools' menuitem: The翻訳_ページ翻訳 - {EE8CA0E1-B126-4ee6-A74B-81491B91D579} - C:\Program Files\TTI_V9LE\addins\Ie\afi_pagetran.htm
O9 - Extra button: (no name) - {EE8CA0E7-B126-4ee6-A74B-81491B91D579} - C:\Program Files\TTI_V9LE\addins\Ie\ttp_showdic.htm
O9 - Extra 'Tools' menuitem: The翻訳_辞書参照 - {EE8CA0E7-B126-4ee6-A74B-81491B91D579} - C:\Program Files\TTI_V9LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: (no name) - {EE8CA0E8-B126-4ee6-A74B-81491B91D579} - C:\Program Files\TTI_V9LE\addins\Ie\afi_seltran.htm
O9 - Extra 'Tools' menuitem: The翻訳_範囲指定翻訳 - {EE8CA0E8-B126-4ee6-A74B-81491B91D579} - C:\Program Files\TTI_V9LE\addins\Ie\afi_seltran.htm
O9 - Extra button: (no name) - {EE8CA0EA-B126-4ee6-A74B-81491B91D579} - C:\Program Files\TTI_V9LE\addins\Ie\afi_setdlg.htm
O9 - Extra 'Tools' menuitem: The翻訳_翻訳設定 - {EE8CA0EA-B126-4ee6-A74B-81491B91D579} - C:\Program Files\TTI_V9LE\addins\Ie\afi_setdlg.htm
O9 - Extra button: 辞書バー - {EE8CA0EC-B126-4EE6-A74B-81491B91D579} - C:\Program Files\TTI_V9LE\IeTbandTate.dll
O9 - Extra button: 翻訳バー - {EE8CA0EE-B126-4EE6-A74B-81491B91D579} - C:\Program Files\TTI_V9LE\IeTbandYoko.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dynabook.com/assistpc/index_j.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O18 - Protocol: msjwwdat - {BAAB02DC-913E-40AA-B9ED-8068DEE42CFA} - C:\Program Files\Microsoft Office\Home Style\JWW\JWWData.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: BeatJam Music Server - HTTP (BeatJamMusicStreamingServer) - Justsystem Corporation - C:\Program Files\Justsystem\BeatJam Music Server\BeatJamHttpService.exe
O23 - Service: BeatJam Music Server - UPnP (BeatJamUPnPMusicServer) - Justsystem Corporation - C:\Program Files\Justsystem\BeatJam Music Server\BeatJamUPnPService.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:42 AM

Posted 11 March 2006 - 03:32 PM

Hello Marti and welcome to the BC HijackThis forum. I do not see any signs of viruses or malware in the log. It is clean.

The number S-1-5-21-3049402432-1959195367-1455537910-1003 represents windows's way of keeping track of users. It is called a SID (Security ID). Each user on the computer is assigned a SID by windows (including built-in accounts like SYSTEM, Administrator, USER etc). By removing a SID from the security option for a file you are simply denying whoever that user is access to the file. That might or might not cause problems, especially if the SID is for the SYSTEM or the Administrator accounts. I would highly recommend not editing or removing any SID information from a file unless you are quite sure of what the SID belongs to.

I do not use MSN Messenger so I cannot be of much help there. XP also includes the Windows Messenger (not the Messenger Service) and if MSN Messenger is not starting up it might be the Windows Messenger that is starting. I would suggest posting a question in the XP forum for information on disabling both of those programs.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users