Forceape Posted April 29, 2005

About every week or so I use the computers in the public library, and I was just wondering really were they safe :D so I managed to do a Hijackthis log of one of the PCs, here's the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:07:15, on 29/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.exe
C:\SxpInst\sxplog32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\NEW54042\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Croydon Libraries
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [sDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [CA-AMAgent] C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.exe/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13f81ffc7fe ... xIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PALIB.COM
O17 - HKLM\Software\..\Telephony: DomainName = PALIB.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PALIB.COM
O20 - AppInit_DLLs: RCEnumDD.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.exe
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: DM Primer (DMPrimer) - Unknown owner - C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe" -DMPRIMER_SERVICE_: (file missing)
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Unicenter Remote Control Host (rcHost) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Remote Control\rcHost.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.exe
O23 - Service: Support.com Repair Service - Support.com, Inc. - C:\Program Files\Support.com\bin\tgsrvc.exe

Vape Posted April 29, 2005

Well... it needs to be updated to service pack 2, and probably a bunch of other windows updates which are extremely important. It doesn't have a firewall but that's probably not much of a problem since there'll be a hardware firewall installed for the whole system. It's odd that there's barely any system processes, I don't know why that is :-?

But as far as I can tell there's no keyloggers or anything on there at the time you made the log, but of course someone could just slip in a floppy disk and copy some files over and start logging - that's why public computers are very dangerous.

Where the bloody hell are you?
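Added example, not part of any post in this thread: one way to shortlist the autostart entries of a HijackThis log for a manual check, using the section codes HijackThis prints (F2, O4, O20, O23). The function names and the review rules are this example's own assumptions; a hit means "look at this entry by hand", not that the entry is malicious.

```python
import re

# HijackThis section codes for entries that start code at boot or logon.
AUTOSTART = {"F2", "O4", "O20", "O23"}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# A few entries copied from the log in the first post (".exe" written out).
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [sDJobCheck] triggusr.exe
O20 - AppInit_DLLs: RCEnumDD.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DM Primer (DMPrimer) - Unknown owner - C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe" -DMPRIMER_SERVICE_: (file missing)
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
"""

def parse(log_text):
    """Split a HijackThis log into (section code, detail) pairs."""
    pairs = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def review(pairs):
    """Return (code, reasons, detail) for autostart entries to check by hand."""
    findings = []
    for code, detail in pairs:
        if code not in AUTOSTART:
            continue
        reasons = []
        if "(file missing)" in detail:
            reasons.append("file missing")
        if "Unknown owner" in detail:
            reasons.append("unknown owner")
        if code == "O20" and detail.startswith("AppInit_DLLs:"):
            reasons.append("loaded into every process that uses user32.dll")
        if code == "O4" and "] " in detail:
            # Text after "[value name] " is the command the Run key launches.
            command = detail.split("] ", 1)[1]
            if "\\" not in command and "%" not in command:
                reasons.append("no full path")
        if reasons:
            findings.append((code, reasons, detail))
    return findings

if __name__ == "__main__":
    for code, reasons, detail in review(parse(SAMPLE)):
        print(code, "; ".join(reasons), "|", detail)
```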

zonda Posted April 29, 2005

maybe he can't see the processes if not on admin account? That doesn't make sense to me because I can see processes even when at school \ library unless it is restricted somehow? Maybe because windows is being shared by a bunch of computers? I have no clue.... maybe he edited it :wink: :wink:

Anyways, the odds of the person who would put a keylogger on a library computer playing runescape would be slim, the odds of a person putting a keylogger on one of the hundreds of computers a library has is slim... and the odds that you're on that computer are slim.

In any case, most libraries don't allow you to save to any drives, and also have a form of 'clean slate' which will delete anything on the drives that was not protected. For instance, it will say "don't delete internet explorer and solitaire" but anything else on that drive would be deleted on start up :wink: ...

Forceape Posted May 1, 2005 Author

Cheers Guys! Nahh I didn't edit it, but when it was scanning a few messages came up saying some stuff like you're not an admin or something :roll: