Two Instances of explorer.exe Found!!!

Jerry McMorran

Hi all,

When I pressed Ctrl-Alt-Del, I found 2 instances of explorer.exe!
I then further looked into the problem, and I captured some screenshots in the threads of this post.
I'm afraid of directly deleting that strange explorer.exe.
Wish someone could help me to solve the problem safely.

Thanks in advance!

Jerry McMorran

Jerry McMorran

Using Process Explorer, I found that the extra explorer.exe resides in the system32 directory.

sgopus

Nobody worth their salt is going to view that screenshot!
Too much chance of a virus or hijack; you need to approach
this problem on a different tack.
Get HijackThis.



-----Original Message-----
Hi all,

When I pressed Ctrl-Alt-Del, I found 2 instances of explorer.exe!
I then further looked into the problem, and I captured
some screenshots in the threads of this post.

Jerry McMorran

I've just got hijackthis and let me post the log here:

=================================
Logfile of HijackThis v1.97.7
Scan saved at 02:19:57, on 2004/5/28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\GlobalSCAPE\Secure FTP Server 1.0\cftpstes.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
c:\windows\system32\explorer.exe
c:\windows\explorer.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
C:\Program Files\DaemonTools\daemon.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\No-IP\DUC20.exe
C:\Documents and Settings\Edward Lam\Desktop\HijackThis.exe

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport 2\NTIEHelper.dll
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\Program Files\Comet\Bin\csbho.dll
O2 - BHO: (no name) - {EBBFE27C-BDF0-11D2-BBE5-00609419F467} - C:\WINDOWS\System32\amcis.dll
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\Program Files\Comet\Bin\csietb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\DaemonTools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: PUTTY.RND
O4 - Startup: sonique2.lnk
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Download by FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {1678F7E1-C422-11D0-AD7D-00400515CAAA} (CS15Cursor Class) - http://files.cometsystems.com/cometcursor/comet.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = roots-servers.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = roots-servers.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = roots-servers.net

=================================

StartupList report, 2004/5/28, 02:21:40
StartupList version: 1.52
Started from : C:\Documents and Settings\Edward Lam\Desktop\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\GlobalSCAPE\Secure FTP Server 1.0\cftpstes.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
c:\windows\system32\explorer.exe
c:\windows\explorer.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
C:\Program Files\DaemonTools\daemon.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\No-IP\DUC20.exe
C:\Documents and Settings\Edward Lam\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Edward Lam\Start Menu\Programs\Startup]
No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
InterVideo WinCinema Manager.lnk = C:\Program Files\Common\Bin\WinCinemaMgr.exe
Kirby Alarm.lnk = C:\Program Files\Kirby Alarm\kirbyalarm.exe
Panorama 32.lnk = C:\Panorama\Panorama.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
internat.exe = internat.exe
SystemTray = SysTray.Exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HTpatch = C:\WINDOWS\htpatch.exe
ASUS Probe = C:\Program Files\ASUS\Probe\AsusProb.exe
PowerS = C:\WINDOWS\PowerS.exe
Gnetmous = C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
DAEMON Tools-1033 = "C:\Program Files\DaemonTools\daemon.exe" -lang 1033 -lock
SysMetrix = C:\Program Files\SysMetrix\SysMetrix.exe
EPSON Stylus C41 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
WinDVR SchSvr = "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
pccguide.exe = "C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe"
PCClient.exe = "C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe"
TM Outbreak Agent = "C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe" /run

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
STYLEXP = C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=c:\windows\system32\explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\???~2.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
(no name) - C:\Program Files\NetTransport 2\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}
CSBHO - C:\Program Files\Comet\Bin\csbho.dll - {D14D6793-9B65-11D3-80B6-00500487BDBA}
(no name) - C:\WINDOWS\System32\amcis.dll - {EBBFE27C-BDF0-11D2-BBE5-00609419F467}

--------------------------------------------------

Enumerating Task Scheduler jobs:

{4534B56E-F714-49B9-88A4-D17155F5955B}_STAR_jerry.job
{46D2E58E-800F-4BBB-BB13-D4CE56B927C3}_DEFAULT_Edward Lam.job
{62B48773-03CE-46CE-8F2E-22F1B0B12599}_STAR_Administrator.job
{C3AFBAA2-85BF-4A33-BC10-A01A14E9AC41}_STAR_HomeUsers.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_DEFAULT_Edward Lam.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_STAR_Administrator.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_STAR_HomeUsers.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_STAR_jerry.job

--------------------------------------------------

Enumerating Download Program Files:

[CS15Cursor Class]
InProcServer32 = C:\Program Files\Comet\Bin\cscore.dll
CODEBASE = http://files.cometsystems.com/cometcursor/comet.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe

[WTHoster Class]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WTHOSTCTL.DLL
CODEBASE = http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,322 bytes
Report generated in 0.032 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
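The log above shows the symptom directly: c:\windows\system32\explorer.exe and c:\windows\explorer.exe are both running, and the Winlogon Shell value read from the registry is c:\windows\system32\explorer.exe, whereas a stock Windows XP install has the value Explorer.exe, which resolves to the real shell in %WINDIR%. Those two facts are what a responder would pull out of such a log first. The Python script below is an added example, not code from the thread, from HijackThis or from Microsoft: it parses a saved HijackThis/StartupList log offline, lists every explorer.exe that is not running from %WINDIR%, and reports whether the Shell value is the default. The assumptions are %WINDIR% = C:\WINDOWS, the default Shell value Explorer.exe, and the constructed SAMPLE_LOG excerpt, which only mirrors the layout of the posted log; point triage() at a real saved log to use it on other machines.

```python
"""Offline triage of a HijackThis / StartupList log for the symptom in this
thread: two explorer.exe processes, one of them under system32.

Added example; not code from the thread, HijackThis or Microsoft.
Assumptions: stock Winlogon Shell value is "Explorer.exe", the genuine
shell lives in %WINDIR% (C:\\WINDOWS here), SAMPLE_LOG is constructed.
"""
from typing import List, Optional
import ntpath

# Constructed excerpt: a trimmed copy of the layout seen in the posted log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
c:\windows\system32\explorer.exe
c:\windows\explorer.exe
C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*

Shell & screensaver key from Registry:

Shell=c:\windows\system32\explorer.exe
drivers=*Registry value not found*
"""

WINDIR = r"C:\WINDOWS"          # assumed; on a live host read %WINDIR%
DEFAULT_SHELL = "Explorer.exe"  # stock HKLM\...\Winlogon\Shell value


def running_processes(log: str) -> List[str]:
    """Image paths listed under the first 'Running processes:' header."""
    lines = log.splitlines()
    start = next((i for i, l in enumerate(lines)
                  if l.strip().lower() == "running processes:"), None)
    if start is None:
        return []
    procs: List[str] = []
    for line in lines[start + 1:]:
        if not line.strip():
            if procs:          # first blank line after the list ends it
                break
            continue           # StartupList puts a blank line before the list
        procs.append(line.strip())
    return procs


def rogue_explorers(procs: List[str], windir: str = WINDIR) -> List[str]:
    """explorer.exe images whose directory is not %WINDIR% (case-insensitive)."""
    expected_dir = ntpath.normcase(windir)
    rogue = []
    for path in procs:
        head, tail = ntpath.split(path)
        if ntpath.normcase(tail) == "explorer.exe" and ntpath.normcase(head) != expected_dir:
            rogue.append(path)
    return rogue


def registry_shell_value(log: str) -> Optional[str]:
    """Shell= value from the 'from Registry' section (not the SYSTEM.INI one)."""
    in_section = False
    for line in log.splitlines():
        s = line.strip()
        if s == "Shell & screensaver key from Registry:":
            in_section = True
            continue
        if in_section and s.startswith("Shell="):
            return s[len("Shell="):]
    return None


def shell_is_default(value: Optional[str], windir: str = WINDIR) -> bool:
    """True for the stock value or its fully qualified %WINDIR% equivalent."""
    if value is None:
        return True  # value absent: Winlogon falls back to the default
    v = ntpath.normcase(value.strip().strip('"'))
    return v in {ntpath.normcase(DEFAULT_SHELL),
                 ntpath.normcase(ntpath.join(windir, DEFAULT_SHELL))}


def triage(log: str, windir: str = WINDIR) -> dict:
    """Collect the two findings a responder wants from this kind of log."""
    shell = registry_shell_value(log)
    return {
        "rogue_explorers": rogue_explorers(running_processes(log), windir),
        "shell": shell,
        "shell_is_default": shell_is_default(shell, windir),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

An explorer.exe outside %WINDIR% or a non-default Shell value is a lead, not a verdict; the next step is to record the extra file's size, timestamps and hash, scan it with the installed antivirus, and hand the log to a forum that specialises in HJT logs, as the replies below suggest, before anything is deleted.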

NobodyMan

task manager
You have committed a no-no. Please don't post binaries to this text
newsgroup. I didn't want your crappy picture on my hard drive.

Also, why did you post it? No explanation, no question, just a
picture of part of Task Manager. What do you want to know?

sgopus

Jerry, you really need to read the instructions that come
with HijackThis: DO NOT post your HJT log on this forum.
You need to take it to the proper people for help.
I'm no expert; however, I do see one item that certainly
needs to be removed, and that's Comet Cursor.

Follow this link for removal instructions, and PLEASE
follow them step by step.

http://www.kephyr.com/spywarescanner/library/cometcursor/index.phtml

-----Original Message-----
I've just got hijackthis and let me post the log here:
[snip]

sgopus

Try this link for the proper forum for the HJT log

http://www.spywareinfo.com/


-----Original Message-----
I've just got hijackthis and let me post the log here:

=================================
Logfile of HijackThis v1.97.7
Scan saved at 02:19:57, on 2004/5/28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\GlobalSCAPE\Secure FTP Server 1.0 \cftpstes.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
c:\windows\system32\explorer.exe
c:\windows\explorer.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
C:\Program Files\DaemonTools\daemon.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\No-IP\DUC20.exe
C:\Documents and Settings\Edward Lam\Desktop\HijackThis.exe

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-
0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-
B2868B609932} - C:\Program Files\NetTransport 2
\NTIEHelper.dll
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} -
C:\Program Files\Comet\Bin\csbho.dll
O2 - BHO: (no name) - {EBBFE27C-BDF0-11D2-BBE5-
00609419F467} - C:\WINDOWS\System32\amcis.dll
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-
883323913256} - C:\Program Files\Comet\Bin\csietb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-
0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1
\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32
\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32
\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program
Files\DaemonTools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3
\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series"
/O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program
Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend
Micro\PC-cillin 2004\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend
Micro\PC-cillin 2004\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program
Files\Trend Micro\PC-cillin 2004\TMOAgent.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32 \ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program
Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: PUTTY.RND
O4 - Startup: sonique2.lnk
O8 - Extra context menu item: Download all by Net
Transport - C:\PROGRA~1\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Download by FlashGet -
C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all by FlashGet -
C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {1678F7E1-C422-11D0-AD7D-00400515CAAA} (CS15Cursor Class) - http://files.cometsystems.com/cometcursor/comet.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = roots-servers.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = roots-servers.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = roots-servers.net

=================================

StartupList report, 2004/5/28, 02:21:40
StartupList version: 1.52
Started from : C:\Documents and Settings\Edward Lam\Desktop\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\GlobalSCAPE\Secure FTP Server 1.0\cftpstes.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
c:\windows\system32\explorer.exe
c:\windows\explorer.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
C:\Program Files\DaemonTools\daemon.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\No-IP\DUC20.exe
C:\Documents and Settings\Edward Lam\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Edward Lam\Start Menu\Programs\Startup]
No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
InterVideo WinCinema Manager.lnk = C:\Program Files\Common\Bin\WinCinemaMgr.exe
Kirby Alarm.lnk = C:\Program Files\Kirby Alarm\kirbyalarm.exe
Panorama 32.lnk = C:\Panorama\Panorama.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
internat.exe = internat.exe
SystemTray = SysTray.Exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HTpatch = C:\WINDOWS\htpatch.exe
ASUS Probe = C:\Program Files\ASUS\Probe\AsusProb.exe
PowerS = C:\WINDOWS\PowerS.exe
Gnetmous = C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
DAEMON Tools-1033 = "C:\Program Files\DaemonTools\daemon.exe" -lang 1033 -lock
SysMetrix = C:\Program Files\SysMetrix\SysMetrix.exe
EPSON Stylus C41 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
WinDVR SchSvr = "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
pccguide.exe = "C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe"
PCClient.exe = "C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe"
TM Outbreak Agent = "C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe" /run

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
STYLEXP = C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=c:\windows\system32\explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\???~2.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
(no name) - C:\Program Files\NetTransport 2\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}
CSBHO - C:\Program Files\Comet\Bin\csbho.dll - {D14D6793-9B65-11D3-80B6-00500487BDBA}
(no name) - C:\WINDOWS\System32\amcis.dll - {EBBFE27C-BDF0-11D2-BBE5-00609419F467}

--------------------------------------------------

Enumerating Task Scheduler jobs:

{4534B56E-F714-49B9-88A4-D17155F5955B}_STAR_jerry.job
{46D2E58E-800F-4BBB-BB13-D4CE56B927C3}_DEFAULT_Edward Lam.job
{62B48773-03CE-46CE-8F2E-22F1B0B12599}_STAR_Administrator.job
{C3AFBAA2-85BF-4A33-BC10-A01A14E9AC41}_STAR_HomeUsers.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_DEFAULT_Edward Lam.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_STAR_Administrator.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_STAR_HomeUsers.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_STAR_jerry.job

--------------------------------------------------

Enumerating Download Program Files:

[CS15Cursor Class]
InProcServer32 = C:\Program Files\Comet\Bin\cscore.dll
CODEBASE = http://files.cometsystems.com/cometcursor/comet.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe

[WTHoster Class]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WTHOSTCTL.DLL
CODEBASE = http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,322 bytes
Report generated in 0.032 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
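
As an added example that is not from the thread or from the HijackThis/StartupList tools: a Python check over a StartupList-format report that flags the two things a reviewer would pull out of the log above, a Winlogon Shell value other than the stock Explorer.exe, and explorer.exe running from more than one path. The report text in the block is a constructed excerpt in that format, using the paths from this log.

```python
# Constructed excerpt in StartupList 1.52 format; the paths are the ones in the thread's log.
SAMPLE_REPORT = """\
Running processes:
C:\\WINDOWS\\system32\\winlogon.exe
c:\\windows\\system32\\explorer.exe
c:\\windows\\explorer.exe
C:\\WINDOWS\\System32\\ctfmon.exe
--------------------------------------------------
Shell & screensaver key from Registry:
Shell=c:\\windows\\system32\\explorer.exe
drivers=*Registry value not found*
"""

# Stock HKLM\...\Winlogon\Shell on NT/2000/XP is the bare name Explorer.exe; compared case-insensitively.
DEFAULT_SHELL = "explorer.exe"


def parse_sections(report):
    """Split a StartupList report into {section title: [non-empty lines]}."""
    sections, title = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if line.endswith(":") and not line.startswith("-"):
            title = line[:-1]
            sections[title] = []
        elif line and title is not None and not line.startswith("-"):
            sections[title].append(line)
    return sections


def explorer_paths(sections):
    """Distinct lower-cased paths from which explorer.exe is running."""
    procs = sections.get("Running processes", [])
    return sorted({p.lower() for p in procs if p.lower().endswith("\\explorer.exe")})


def shell_findings(report):
    """Findings worth a look; an empty list means the shell looks stock."""
    sections = parse_sections(report)
    findings = []
    for entry in sections.get("Shell & screensaver key from Registry", []):
        key, _, value = entry.partition("=")
        if key.strip().lower() == "shell":
            shell = value.strip().strip('"').lower()
            if shell != DEFAULT_SHELL:
                findings.append(f"Winlogon Shell is '{shell}', not the default '{DEFAULT_SHELL}'")
    paths = explorer_paths(sections)
    if len(paths) > 1:  # the logged-on shell plus a second explorer.exe somewhere else
        findings.append("explorer.exe running from more than one path: " + ", ".join(paths))
    return findings


print(*shell_findings(SAMPLE_REPORT), sep="\n")
```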



 
S

sgopus

-----Original Message-----
I've just got hijackthis and let me post the log here:

=================================
Logfile of HijackThis v1.97.7


log snipped

You need to do the following: enable your firewall, or get
a better one than XP contains; ZoneAlarm (do this first)
is good and free. Install and configure it for no notices;
lots of this stuff is just normal traffic and the
firewall doing its job, no need to get notified.

Get Ad-Aware, download it, update it, then scan your machine.
Get CWShredder, do the same: download, update, scan. Get
SpywareBlaster; this will stop some of these
hijacker/helper programs from installing.
 
J

Jerry McMorran

Thanks for your help

sgopus said:
log snipped

You need to do the following: enable your firewall, or get
a better one than XP contains; ZoneAlarm (do this first)
is good and free. Install and configure it for no notices;
lots of this stuff is just normal traffic and the
firewall doing its job, no need to get notified.

Get Ad-Aware, download it, update it, then scan your machine.
Get CWShredder, do the same: download, update, scan. Get
SpywareBlaster; this will stop some of these
hijacker/helper programs from installing.
 
