Strange process in task manager

Post #1, Discussion Starter (Registered, 14 Posts)
Hi Tech Support Forum. Could you please help me out with this?

I have a process in my task manager which has appeared recently, and iknowprocess.com says that it's called systemout.exe and that it's harmful adware or spyware and it should be removed. I've tried my usual scans (spybot, adaware, NOD, Avgas) but they don't pick anything up. I've also tried them in safe mode but still nothing. Here's my HijackThis log. Thank you!!!

Logfile of HijackThis v1.99.1
Scan saved at 3:26:19 PM, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\tim\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
 

Reply #2 from tetonbob, TSF Security Manager, Emeritus (52,197 Posts)

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

That process doesn't appear in the Running Processes section of the HijackThis log. Perhaps you can capture a screenshot of your task manager showing the process?

I need more information before continuing, please.

---------------------------------------------------------------------------------------------

You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version.

Next, download HijackThis to your desktop


This program will help us determine if there is any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. By default it will install to the directory C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double-click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Do not post that log, instead, do this next:

---------------------------------------------------------------------------------------------


Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
---------------------------------------------------------------------------------------------
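As an added example (not part of this thread, and not code from HijackThis, Trend Micro or Deckard's System Scanner), the following Python script does the triage the helper does by eye in the reply above: it parses a HijackThis log into its Running processes section and its O-numbered entries, checks whether a given image name appears among the running processes, flags entries that reference a missing file (the "(no file)" BHO and the "(file missing)" IMVU button in the first post's log) or a bare directory instead of a DLL (the O20 WgaLogon line), and compares the reported HijackThis version against the 2.0.2 build the helper's download instructions lead to. The sample log is a constructed, shortened copy of the log from post #1; all function, class and constant names are my own.

```python
"""Triage helper for HijackThis logs.

Added example, not part of the forum thread and not code from HijackThis,
Trend Micro or Deckard's System Scanner. All names here are the author's own.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample: a shortened copy of the log posted in post #1.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 3:26:19 PM, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Eset\nod32krn.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\tim\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
VERSION_RE = re.compile(r"HijackThis v(\S+)")

# Meaning of the section codes that occur in the thread's logs.
SECTIONS = {
    "O2": "Browser Helper Object",
    "O4": "autostart entry (Run key)",
    "O9": "IE extra button / Tools menu item",
    "O16": "Downloaded Program File (ActiveX)",
    "O18": "protocol handler",
    "O20": "Winlogon Notify DLL",
    "O23": "Windows service",
}


@dataclass
class Entry:
    section: str   # e.g. "O4"
    detail: str    # everything after "O4 - "


@dataclass
class Report:
    version: str = ""
    processes: list = field(default_factory=list)  # full image paths
    entries: list = field(default_factory=list)    # Entry objects


def parse_hjt(text):
    """Split a HijackThis log into version, running processes and O-entries."""
    report = Report()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not report.version:
            m = VERSION_RE.search(line)
            if m:
                report.version = m.group(1)
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                report.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            report.entries.append(Entry(m.group(1), m.group(2)))
    return report


def process_listed(report, name):
    """True if an image with this base name is in the Running processes list.

    HijackThis lists user-mode processes by image path. The kernel's
    "System" pseudo-process has no image file and therefore never appears,
    so an absent name is not, by itself, evidence of anything.
    """
    want = name.lower()
    return any(PureWindowsPath(p).name.lower() == want for p in report.processes)


def flag_entries(report):
    """Return (entry, reason) pairs for lines that merit a manual check."""
    flagged = []
    for e in report.entries:
        low = e.detail.lower()
        if "(no file)" in low or "(file missing)" in low:
            flagged.append((e, "references a file that no longer exists (orphaned entry)"))
        elif e.section == "O20" and e.detail.endswith("\\"):
            flagged.append((e, "target is a directory, not a DLL; confirm the real module path"))
    return flagged


def is_outdated(found, current="2.0.2"):
    """Numeric version comparison, e.g. 1.99.1 < 2.0.2."""
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return as_tuple(found) < as_tuple(current)


def summarize(report, current_version="2.0.2"):
    return {
        "version": report.version,
        "outdated": is_outdated(report.version, current_version),
        "process_count": len(report.processes),
        "flagged": [(e.section, SECTIONS.get(e.section, "?"), reason)
                    for e, reason in flag_entries(report)],
    }


if __name__ == "__main__":
    rep = parse_hjt(SAMPLE_LOG)
    for key, value in summarize(rep).items():
        print(f"{key}: {value}")
    print("systemout.exe listed:", process_listed(rep, "systemout.exe"))
```

Orphaned entries are cleanup candidates, not proof of infection, and a name that is absent from the process list (as systemout.exe is here) tells the analyst nothing on its own, which is why the reply asks for a screenshot of Task Manager rather than drawing a conclusion from the log.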
 

Post #3, Discussion Starter (Registered, 14 Posts)

Thanks tetonbob! Here's what you asked for.


Deckard's System Scanner v20071014.68
Run by tim on 2007-10-25 11:06:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
40: 2007-10-25 02:06:34 UTC - RP308 - Deckard's System Scanner Restore Point
39: 2007-10-23 11:33:38 UTC - RP307 - System Checkpoint
38: 2007-10-20 03:24:17 UTC - RP306 - System Checkpoint
37: 2007-10-18 23:02:45 UTC - RP305 - System Checkpoint
36: 2007-10-16 13:18:13 UTC - RP304 - System Checkpoint


-- First Restore Point --
1: 2007-07-28 10:37:52 UTC - RP269 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as tim.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:51 AM, on 25/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\tim\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\tim.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\tim\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe

--
End of file - 2589 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AMON - c:\windows\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>
R2 Audsub3 - c:\windows\system32\drivers\audsub3.sys <Not Verified; NEC; Software Support Driver for Windows NT/2K>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 Nsynas32 - c:\windows\system32\drivers\nsynas32.sys <Not Verified; Syncrosoft Hard- und Software GmbH; Internet Protection Hardware Driver>
R3 LUA2TX (BUFFALO LUA2-TX Fast Ethernet Adapter) - c:\windows\system32\drivers\lua2tx.sys <Not Verified; MELCO INC; BUFFALO LUA2-TX>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 AWINDIS5 (AWINDIS5 Protocol Driver) - c:\windows\system32\awindis5.sys <Not Verified; AMBIT Microsystems Corporation.; AMBIT WinDis32 Protocol Driver for Windows>
S3 DCamUSBUVT (UCAM-E130 series) - c:\windows\system32\drivers\usbsmi.sys (file missing)
S3 ESSIDSET - c:\windows\system32\essidset.sys <Not Verified; MELCO INC.; Client Manager>
S3 ma763006 (M-Audio Transit USB) - c:\windows\system32\drivers\ma763006.sys (file missing)
S3 MADFU006 - c:\windows\system32\drivers\madfu006.sys (file missing)
S3 MEI006E - c:\windows\system32\drivers\mei006e.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; MEI006E Device Driver>
S3 melcbpt (MELCO Card Bus Patch Driver) - c:\windows\system32\drivers\melcbpt.sys <Not Verified; BUFFALO INC.; BUFFALO IFC Series>
S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); NetStumbler>
S3 US122 (US122 Driver) - c:\windows\system32\drivers\us122.sys <Not Verified; Frontier Design Group, LLC; TASCAM US-122>
S3 US122DL (US122 Firmware Downloader) - c:\windows\system32\drivers\us122dl.sys <Not Verified; Frontier Design Group; TASCAM US-122>
S3 Us122WdmService (US122 Wdm Audio) - c:\windows\system32\drivers\us122wdm.sys <Not Verified; Frontier Design Group, LLC; TASCAM US-122>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 SDPASVC (SDPAUMS server service) - c:\windows\system32\sdpasvc.exe -service <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >

S4 ptssvc - c:\program files\kodak\kodak picture transfer software\ptssvc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-09-25 and 2007-10-25 -----------------------------

2007-10-20 15:24:31 0 dr-h----- C:\Documents and Settings\tim\Recent
2007-10-20 14:55:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-02 21:47:25 0 d-------- C:\Program Files\MSXML 6.0
2007-10-02 02:04:15 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-10-02 02:04:13 60273 --a------ C:\WINDOWS\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >
2007-10-02 02:04:09 0 d-------- C:\Program Files\ffdshow
2007-10-02 01:49:22 0 d-------- C:\Program Files\MSBuild
2007-10-02 01:33:41 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-10-02 01:31:04 0 d-------- C:\Program Files\Reference Assemblies
2007-10-01 01:42:42 0 d-------- C:\WINDOWS\system32\URTTemp
2007-10-01 01:40:27 0 d-------- C:\Program Files\AviSynth 2.5
2007-09-30 19:21:20 0 d-------- C:\Documents and Settings\tim\Application Data\GetRightToGo
2007-09-30 15:19:48 0 d-------- C:\Program Files\7-Zip


-- Find3M Report ---------------------------------------------------------------

2007-10-25 10:28:29 0 d-------- C:\Documents and Settings\tim\Application Data\Skype
2007-10-24 22:06:41 0 d-------- C:\Documents and Settings\tim\Application Data\uTorrent
2007-10-05 00:27:55 0 d-------- C:\Program Files\SpywareBlaster
2007-10-03 00:01:23 0 d-------- C:\Documents and Settings\tim\Application Data\dvdcss
2007-09-20 05:10:56 349184 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2007-09-16 20:13:26 0 d-------- C:\Program Files\MSN Messenger
2007-09-12 01:03:06 0 d-------- C:\Program Files\Common Files
2007-09-12 01:02:39 0 d-------- C:\Documents and Settings\tim\Application Data\Adobe
2007-09-12 00:42:49 0 d-------- C:\Program Files\wav-mp3converter
2007-09-11 10:50:44 0 d-------- C:\Documents and Settings\tim\Application Data\Opera
2007-09-11 10:17:28 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-29 01:21:21 0 d-------- C:\Program Files\CCleaner
2007-08-22 00:03:22 8139 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [15/04/2006 05:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 11:56 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [17/08/2007 03:45 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AS00_WPN511]
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASRInst_V]
C:\WINDOWS\system32\regsvr32.exe "C:\Program Files\Common Files\Panasonic\PSL_DMOG726Dec.dll" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2007-10-25 11:10:01 ------------
 

Attachments: (not included in this copy)

Reply #4 from tetonbob, TSF Security Manager, Emeritus (52,197 Posts)

Hi timeth -

I'm still not seeing any sign of the process you've reported, and there appears to be no malware in your logs. Is systemout.exe still indicated in your Task Manager?

Can you capture a screenshot of the Task Manager and post it, please?

In Windows a screenshot of the entire monitor, complete with taskbar, can be copied to the system clipboard by pressing the Print Screen key (normally located in the top row on the right-hand side of the keyboard).

You can then paste the clipboard into a program like MS Paint to save it as an image file or paste it directly into a document.
  1. Press the Print screen key
  2. Click the "Start" button (normally located in the bottom left of your screen).
  3. Click "Run" & type "mspaint" (without quotes) & click the "OK" button.
  4. Wait while the application "Paint" opens. Once it is open, proceed to the next step.
  5. Click the "Edit" menu and select "Paste".
  6. Click the "File" menu and select "Save As...". A dialog box will appear.
  7. In the "File name" field, enter a name of your choice.
  8. Click the "Save as type" drop-down and select "JPEG (*.JPG;*.JPEG;*.JPE;*.JFIF)".
  9. Click the "Save" button.
Attach it in your next reply, please.

To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and
  2. Click Upload.
 

Post #5, Discussion Starter (Registered, 14 Posts)

Hi tetonbob, I hope I haven't wasted your time. In the task manager, the process is just listed as System, but when I click on it using the iknowprocess program, it opens up the iknowprocess website saying that it's called systemout.exe. Also, in the iknowprocess window, there's no directory path listed next to it while all the other processes have one; I thought that may be a bit strange. I have attached screenshots of the task manager and iknowprocess windows. Thanks.
 

Attachments: (not included in this copy)

Reply #6 from tetonbob, TSF Security Manager, Emeritus (52,197 Posts)

The process known as System is a critical Windows process.

iknowprocess is giving you bad information there. I can guarantee you I'm not infected.

I've installed the program, and had it examine my system. I get the same info when I use the program's right-click > info selection.

Personally, I'm not impressed with that tool. It does not know what several of my running processes are.

System is also present in my Task Manager, and when using Process Explorer, a better tool in my view.

Everyone should have such a process in the Task Manager.

It's required for your machine. Please do not attempt to remove it.
 

Post #7, Discussion Starter (Registered, 14 Posts)

Ok, thank you very much for your time and help Tetonbob! I'll get Process Explorer instead. Next time I'll make sure to do a bit more checking before I start posting. Thanks. Thread resolved.
 