What am I looking at?

Viruses, hackers and crackers
Enc0d3d
Registered User
Posts: 2
Joined: 27 Jul 2007, 02:00

What am I looking at?

Post by Enc0d3d »

I have no idea what any of this means and I would just like to know if all is OK with my machine. I read on here somewhere that I should get HijackThis and post a log, so here it is. Let's hope all is OK. I was concerned about a process called system.exe, but it's not listed here, though. Weird...

It's a fresh Vista Ultimate install, so I would be a little upset if something was wrong only a day after getting it running...

Thanks for any comments.


Logfile of HijackThis v1.99.1
Scan saved at 10:50:09 AM, on 2007/07/27
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jason\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itprojects.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718B9E12-A5FD-41D0-8710-50A16987DBB3}: NameServer = 10.5.11.254
O17 - HKLM\System\CS3\Services\Tcpip\..\{718B9E12-A5FD-41D0-8710-50A16987DBB3}: NameServer = 10.5.11.254
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O20 - Winlogon Notify: klogon - C:\Windows\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
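A first-pass triage of a HijackThis log like the one above, written here as an added example in Python (it is not part of the original post, and not HijackThis's own code). It splits the log into the "Running processes" list and the R/O section codes, flags any process or autorun entry named system.exe (Windows ships no image file by that name; the kernel's "System" pseudo-process has none), and labels the entries that HijackThis 1.99.1 misreports on Vista: the nlaapi.dll/napinsp.dll Winsock providers it predates, and the "(file missing)" services whose %windir% paths and quoted arguments it does not handle. The sample log is constructed: it copies a few lines from the post above and adds a hypothetical system.exe process and Run entry so the detector has something to fire on. The poster's own log shows neither.

```python
import ipaddress
import re
from typing import List, Tuple

# Windows has no "system.exe": the kernel's "System" pseudo-process has no image
# file, so any process or autorun entry using that name gets a hard look.
IMPERSONATING_NAMES = {"system.exe"}
# Directories an ordinary user can write to; legitimate software rarely autoruns from them.
USER_WRITABLE = re.compile(r"\\(users|documents and settings|temp|appdata)\\", re.IGNORECASE)
# Winsock namespace providers that ship with Windows Vista in System32; HijackThis
# 1.99.1 predates Vista and reports them as "Unknown file in Winsock LSP".
VISTA_LSP_PROVIDERS = {"nlaapi.dll", "napinsp.dll"}

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")          # e.g. "O4 - HKLM\..\Run: ..."
TARGET = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll))\b', re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, section, detail)

# Constructed sample: lines copied from the posted log plus a hypothetical
# system.exe process and Run entry (NOT present on the poster's machine).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system.exe
C:\Users\Jason\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [Windows System] C:\Windows\system.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{718B9E12-A5FD-41D0-8710-50A16987DBB3}: NameServer = 10.5.11.254
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
"""


def _basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").split("\\")[-1].lower()


def _target(command: str) -> str:
    """First executable/DLL path in an O4 command line, quoted or not."""
    m = TARGET.search(command)
    return (m.group(1) or m.group(2)) if m else ""


def triage(log: str) -> List[Finding]:
    """Scan a HijackThis log and return (severity, section, detail) findings."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if _basename(line) in IMPERSONATING_NAMES:
                findings.append(("high", "process", f"{line}: Windows ships no image file by this name"))
            elif USER_WRITABLE.search(line):
                findings.append(("info", "process", f"{line}: running from a user-writable directory"))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code == "O2" and body.endswith("(no file)"):
            findings.append(("low", code, f"orphaned BHO registration (CLSID with no DLL): {body}"))
        elif code == "O4":
            target = _target(body.split("] ", 1)[-1])   # text after the [Name] label
            if _basename(target) in IMPERSONATING_NAMES:
                findings.append(("high", code, f"autorun launches an impersonating binary: {body}"))
            elif USER_WRITABLE.search(target):
                findings.append(("medium", code, f"autorun from a user-writable directory: {body}"))
        elif code == "O10":
            dll = _basename(body.split(":", 1)[-1])
            if dll in VISTA_LSP_PROVIDERS:
                findings.append(("info", code, f"{dll} ships with Vista; HijackThis 1.99.1 predates Vista and does not know it"))
            else:
                findings.append(("medium", code, f"unrecognised Winsock LSP, check the file's signer: {dll}"))
        elif code == "O17":
            for token in body.split("NameServer =", 1)[-1].replace(",", " ").split():
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue
                if addr.is_private:
                    findings.append(("info", code, f"DNS server {token} is a private LAN address (router/DHCP-assigned)"))
                else:
                    findings.append(("medium", code, f"DNS server {token} is a public address; confirm it is your ISP's"))
        elif code == "O20":
            findings.append(("medium", code, f"verify the vendor of every AppInit/Winlogon hook: {body}"))
        elif code == "O23" and body.endswith("(file missing)"):
            findings.append(("info", code, "HijackThis 1.99.1 neither expands %windir%/%ProgramFiles% nor strips "
                                           "service arguments on Vista, so this is usually a false positive: " + body))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"[{severity:<6}] {section:<8} {detail}")
```

The point of the severity split is that most of what HijackThis 1.99.1 marks as unknown or missing on Vista is an artifact of the tool's age, while a binary named system.exe is the one thing in this thread that can never be explained by the operating system itself: the next step is to locate the file, check its signer, and see which Run key or service references it.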
pofadder
Registered User
Posts: 282
Joined: 16 Jan 2006, 02:00
Location: Northern Cape

Re: What am I looking at?

Post by pofadder »

Enc0d3d wrote: I have no idea what any of this means and I would just like to know if all is OK with my machine. I read on here somewhere that I should get HijackThis and post a log, so here it is. Let's hope all is OK. I was concerned about a process called system.exe, but it's not listed here, though. Weird...

It's a fresh Vista Ultimate install, so I would be a little upset if something was wrong only a day after getting it running...

Thanks for any comments.
So there's not really anything wrong with your PC, but you're concerned about the system.exe process. Correct?
[Q8200│Asus mobo│4Gb Kingmax Ram│BFG 8800GT Sli│Corsair 750W PSU│X-Fi Sound│Samsung 22 inch]
Enc0d3d
Registered User
Posts: 2
Joined: 27 Jul 2007, 02:00

Post by Enc0d3d »

Yeah, I read somewhere it could be spyware, but then also read somewhere it's part of the Windows system?
hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Post by hamin_aus »

system.exe is not one of the standard Windows executables.

I had a virus a year ago that also showed up as system.exe, but it also used a file called vbstub.exe, which I don't see in your log.

Do you maybe have WinVNC installed?

I think that when you start that up it launches a system.exe...
pofadder
Registered User
Posts: 282
Joined: 16 Jan 2006, 02:00
Location: Northern Cape

Post by pofadder »

I found this info (which also refers to UltraVNC). I think you'll find this useful (although there's a lot of clutter in the info as well).
system.exe file information
The process VNC server for Win or System or mIRC belongs to the software UltraVNC or system.exe or Microsoft® Windows® Operating System or Windows NETS or stub or mIRC or Windows System Service by UltraVNC or system or Microsoft Corporation (www.microsoft.com) or mIRC Co. Ltd (www.mirc.com).

Description: system.exe is located in the folder C:\Windows. Known file sizes on Windows XP are 10752 bytes (51% of all occurrence), 10753 bytes, 17408 bytes, 11264 bytes, 12288 bytes, 12800 bytes, 11776 bytes, 340992 bytes, 157696 bytes, 1486067 bytes.
There is no file information. The file is not a Windows system file. The program has no visible window. File system.exe is located in the Windows folder, but it is not a Windows core file. The program is a hidden stealth process. It can change the behavior of other programs or manipulate other programs. system.exe is able to manipulate other programs, record inputs. Therefore the technical security rating is 94% dangerous, however also read the users reviews.

If system.exe is located in the folder C:\Windows\System32 then the security rating is 81% dangerous. File size is 226730 bytes (18% of all occurrence), 180736 bytes, 227796 bytes, 180224 bytes, 397312 bytes, 114688 bytes, 156672 bytes, 88064 bytes, 526336 bytes, 30208 bytes, 158044 bytes, 103424 bytes, 218112 bytes, 58888 bytes, 48640 bytes, 119808 bytes, 108542 bytes, 226260 bytes, 62168 bytes, 166495 bytes, 9216 bytes. The program has no file description. system.exe is not a Windows core file. The program is not visible. The file is located in the Windows folder, but it is not a Windows core file. The program is loaded during the Windows boot process (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, C:\Windows\win.ini, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders). The program uses ports to connect to LAN or Internet. system.exe is able to monitor applications, hide itself, record inputs.

If system.exe is located in a subfolder of C:\Windows then the security rating is 85% dangerous. File size is 1930240 bytes (82% of all occurrence), 1789952 bytes, 1790976 bytes, 59356 bytes, 59608 bytes. It is a file without information about the maker of this file. The program has no visible window. system.exe is not a Windows system file. File system.exe is located in the Windows folder, but it is not a Windows core file. The program uses ports to connect to LAN or Internet. system.exe is able to hide itself, monitor applications.

If system.exe is located in a subfolder of C:\Windows\System32\drivers then the security rating is 83% dangerous. File size is 1020416 bytes (29% of all occurrence), 459264 bytes, 335872 bytes, 712400 bytes, 445353 bytes.

If system.exe is located in a subfolder of "C:\Program Files" then the security rating is 64% dangerous. File size is 294912 bytes (50% of all occurrence), 290816 bytes, 307200 bytes, 280202 bytes, 851968 bytes.

If system.exe is located in C:\ then the security rating is 66% dangerous. File size is 82944 bytes (80% of all occurrence), 2048 bytes.

If system.exe is located in a subfolder of C:\Windows\System32 then the security rating is 81% dangerous. File size is 45056 bytes (50% of all occurrence), 414720 bytes, 274432 bytes.

If system.exe is located in the folder C:\Windows\System32\drivers then the security rating is 85% dangerous. File size is 2541056 bytes (50% of all occurrence), 231424 bytes.

If system.exe is located in a subfolder of C:\ then the security rating is 74% dangerous. File size is 784384 bytes.

Source: http://www.file.net/process/system.exe.html
I bolded what seems to be more important. I would run a deep virus and spyware scan, with the latest definition files, to check for infection. Again, maybe someone else has more info on this.
Stuart
Lead Forum Administrator
Posts: 38503
Joined: 19 May 2005, 02:00
Location: Home

Post by Stuart »

Yep, sounds like you have a nasty. What antispyware stuff do you have? And no, Windows Defender doesn't count. If you have nothing, try RogueRemover. I'm pretty sure it detects and removes this particular malware. Then make sure you keep some antispyware stuff running and current.