Item in system configuration utility lacks information (???)

johnhurley3

I notice that one item has a tick but no other information....
Hmmmmmm!
Does anything look wrong here:-


Logfile of HijackThis v1.99.1
Scan saved at 21:45:37, on 21/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg5.cyworld.nate.com/ImageUpload/CyImageUpload2.cab
O16 - DPF: {10B69FAD-B2F1-4DB0-BBEC-81DCC529F957} (BTWWebClient Control) - http://download.banktown.com/kbstarActiveX/BTW-sToolkit.cab
O16 - DPF: {155571EC-5A3C-4E5F-A00D-DC243A83023B} (FDiImgUpload Control ?R?"?g???[??) - https://www.fdinet.fujifilm.co.jp/fdinet/activex/FDiImgUpload.cab
O16 - DPF: {2029F1D2-90E4-49EF-9824-F666D238BFF6} (NHNComicViewer Class) - http://jr.naver.com/comic/book/viewer/NHNComicViewer.cab
O16 - DPF: {24A04430-81DA-467A-BE87-774DFAECBBF6} (UlalaPhoto Control) - http://cyimg8.cyworld.nate.com/storyRoom/CyImageResizeCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
O16 - DPF: {6F06A005-C6F0-4913-A480-BCBC51D5E10B} (AxUOU Class) - http://uwin.ulsan.ac.kr/Portal/DownLoad/AxUOU(2.0.0.4).cab
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://emailimg.sktelecom.com/inimas/autocontroll/IniMasPlugin.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://img.kbstar.com/xecure/xw_install_v7050.cab
O16 - DPF: {916465E2-F906-4A14-9A91-261BA17CA6A1} (Actstop Control) - http://stop.co.kr/program/install/actstop.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/module/npx.cab
O16 - DPF: {D885750C-6002-460E-A162-713400FB1FD4} (CActiveXFileCtrl Control) - http://www.goalibaba.com/setup/CActiveXFileCtrl.cab
O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://kings.cachenet.com/kdfx218/kbstar/kdfense9.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://www.hmall.com/initech/plugin/INISafeWeb50.cab
O16 - DPF: {FDC8D26C-8772-4877-8FD3-86D552F0B43C} (SearchWIObj Class) - http://file.searchspy.co.kr/control/SearchPackWebInstaller.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks a lot
John
 
VanguardLH

johnhurley3 wrote ...
I notice that one item has a tick but no other information....


Are you talking about 'msconfig'? If so, under WHICH tab does the
checkbox appear with no string after it? Even if the command string
is blank, it should still list the location. WHERE is the location
for the blank item? That would tell you where to look, like a
registry entry under a Run key that is blank and can be deleted.
 
johnhurley3

johnhurley3 wrote ...


Are you talking about 'msconfig'? If so, under WHICH tab does the
checkbox appear with no string after it? Even if the command string
is blank, it should still list the location. WHERE is the location
for the blank item? That would tell you where to look, like a
registry entry under a Run key that is blank and can be deleted.

Msconfig
HKLM/Software/Microsoft/windows/current
 
Nightowl

Msconfig
HKLM/Software/Microsoft/windows/current
That's not the complete address, John. It should be "CurrentVersion" and
something more after that, likely "\Run".

In msconfig, put your cursor at the top over the divider between the
"Command" column and the next, then double-click. This should resize the
column so you can see the whole command.

Also, *please* don't post HijackThis logs here. There are special forums
for that; look in the documents that came with the program for a list.
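
Added example (not part of the original thread): a PowerShell listing of the two standard Run keys that shows each entry's location, value name and full command, and flags an entry whose command string is blank or whose target file is not found. The function name `Get-RunKeyEntry` and the Status labels are this example's own; the HKLM key path is the completed form of the address discussed above.

```powershell
# Added example, not from the thread: audit the standard Run keys.
# Shows location, value name and full command for every entry, and flags
# blank commands and full target paths that do not exist on disk.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyEntry {
    param([string[]]$Path)
    foreach ($keyPath in $Path) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            $target  = $null
            $status  = 'ok'
            if ([string]::IsNullOrWhiteSpace($command)) {
                $status = 'BLANK COMMAND'
            } else {
                # Take the executable: a quoted path, else text up to the
                # first .exe/.com/.bat/.cmd, else the first token.
                if ($command -match '^\s*"([^"]+)"') { $target = $Matches[1] }
                elseif ($command -match '^\s*(.+?\.(exe|com|bat|cmd))(\s|$)') { $target = $Matches[1] }
                else { $target = ($command.Trim() -split '\s+')[0] }
                # Only full paths are checked; bare names are resolved
                # through the search path at logon and cannot be verified here.
                if ($target -match '^([A-Za-z]:\\|\\\\)' -and
                    -not (Test-Path -LiteralPath $target)) {
                    $status = 'TARGET NOT FOUND'
                }
            }
            [pscustomobject]@{
                Location = $keyPath
                Name     = if ($name) { $name } else { '(Default)' }
                Command  = $command
                Target   = $target
                Status   = $status
            }
        }
    }
}

# Format-List prints the whole command, so nothing is cut off by column width.
Get-RunKeyEntry -Path $runKeys | Format-List
```

The script only reads the registry; anything it flags still needs to be checked by hand before a value is deleted.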
 
johnhurley3

(e-mail address removed) wrote on Sat, 22 Sep 2007:
Thanks Nightowl it is run and the file is ctfmon it is in the windows
32 folder.
The original problem is that the time was changing (even in BIOS with
a new battery). That was affecting ZoneAlarm and AVG so I wondered
if it was a ruse used by a trojan.
John
 