sfg.exe? [RESOLVED]


This topic is locked

#1 k0rr (Member, 90 posts)
Logfile of HijackThis v1.99.1
Scan saved at 4:07:29 PM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LogonUI.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Steam\STEAM.exe
C:\Documents and Settings\k0rr\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://home.microsof...obby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsof...obby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsof...arch/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft...isapi/redir.dll?
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchasst.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sfg] C:\WINDOWS\System32\sfg.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122966107450
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122967105622
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe


O4 - HKLM\..\Run: [sfg] C:\WINDOWS\System32\sfg.exe is the line I'm targeting.
I can't find much about sfg.exe, so does anyone have any information about this?
If I look in my system32 folder, there's no sfg.exe either.
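The question in this post is a standard autostart triage: an O4 entry in the HijackThis log points at a file, and the poster cannot find that file on disk. The script below is an added example, not code from the thread or from HijackThis; it parses O4 lines of the form shown in the log above (both `HKLM\..\Run: [name] command` values and `Startup:` shortcuts), extracts the file each entry actually launches (quoted paths, unquoted paths containing spaces, and the `RUNDLL32.EXE module.dll,Entry` pattern, where the DLL is the interesting file), and lists the entries whose target cannot be found. The function names, the `PRESENT_FILES` set standing in for the machine's filesystem, and the `exists` predicate are assumptions of this example; on the affected machine you would pass the real `os.path.exists` instead.

```python
"""Triage HijackThis O4 (autostart) lines: parse each entry, extract the file it
launches, and report entries whose launched file is not present on disk.
Added example; hypothetical helper names, not part of HijackThis."""
import os
import re

# O4 registry Run entries, e.g. "O4 - HKLM\..\Run: [sfg] C:\WINDOWS\System32\sfg.exe"
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]+)\] (.+)$")
# O4 startup-folder entries, e.g. "O4 - Startup: MemTurbo.lnk = C:\...\MemTurbo.exe"
STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): (.+?) = (.+)$")
# Either a double-quoted path, or the shortest prefix ending in an executable-looking
# extension that is followed by whitespace, a comma, or end of string.
TARGET_RE = re.compile(
    r'"([^"]+)"|(.+?\.(?:exe|dll|bat|cmd|com|scr|vbs))(?=[\s,]|$)', re.IGNORECASE)


def extract_target(command):
    """Return the file a command line actually loads.

    Handles quoted paths, unquoted paths with spaces, and the rundll32 host
    pattern, where the file worth looking at is the DLL argument."""
    command = command.strip()
    m = TARGET_RE.match(command)
    if not m:
        return command
    target = m.group(1) or m.group(2)
    if target.lower().endswith("rundll32.exe"):
        rest = command[m.end():].lstrip()
        m2 = TARGET_RE.match(rest)
        if m2:
            target = m2.group(1) or m2.group(2)
    return target


def parse_o4(line):
    """Parse one HijackThis O4 line into a dict; return None for any other line."""
    m = RUN_RE.match(line)
    if m:
        hive, key, name, command = m.groups()
        return {"location": f"{hive}\\..\\{key}", "name": name,
                "command": command, "target": extract_target(command)}
    m = STARTUP_RE.match(line)
    if m:
        folder, name, command = m.groups()
        return {"location": folder, "name": name,
                "command": command, "target": extract_target(command)}
    return None


def find_missing_targets(log_lines, exists=os.path.exists):
    """Return (name, target) pairs for O4 entries whose launched file is absent.

    `exists` defaults to a live filesystem check; pass a predicate backed by a
    file list to triage a log that was taken from another machine."""
    missing = []
    for line in log_lines:
        entry = parse_o4(line.rstrip())
        if entry is not None and not exists(entry["target"]):
            missing.append((entry["name"], entry["target"]))
    return missing


# Constructed sample: the O4 lines from the log above, plus one non-O4 line.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sfg] C:\WINDOWS\System32\sfg.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
""".strip().splitlines()

# Constructed stand-in for the machine's disk (lower-cased, since Windows paths
# are case-insensitive): every target above except sfg.exe is present.
PRESENT_FILES = {p.lower() for p in (
    r"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe",
    r"C:\Program Files\D-Tools\daemon.exe",
    r"C:\WINDOWS\System32\NvCpl.dll",
    r"C:\Program Files\AIM\aim.exe",
    r"C:\Program Files\MemTurbo30\MemTurbo.exe",
)}


def triage_sample():
    """Run the check against the constructed log and file list."""
    return find_missing_targets(SAMPLE_LOG, exists=lambda p: p.lower() in PRESENT_FILES)


if __name__ == "__main__":
    for name, target in triage_sample():
        print(f"[{name}] -> {target}: not found on disk")
```

A missing target is a reason to look closer, not a verdict by itself: an orphaned Run value left behind after a file was removed looks exactly the same in the log as a value whose file is being hidden from the directory listing, which is why the helpers in this thread go on to ask for a second scanner's output rather than deleting the entry on sight.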

#2 Kat (Retired Staff, MVP, 19,711 posts)
Hello and welcome to GeeksToGo. My name is Kat, and I will be helping you.

First of all, can you do something for me? Go to Start > Control Panel > Security Center. Click on Windows Firewall. Then go to the Exceptions tab. Let me know what's checked there, please! :tazz: The malware on your system may have made some nasty changes, and I need to be certain whether it did or not!

#3 k0rr (Topic Starter, Member, 90 posts)
AOL Instant Messenger
File & Printer Sharing
Peer Name Resolution Protocol (PNRP)
Remote Assistance
Windows Peer-to-Peer Grouping

#4 Kat (Retired Staff, MVP, 19,711 posts)
OK, that looks OK!! :) Your log actually doesn't show a whole lot wrong, so this may turn out to be a fairly simple fix! :tazz: Good for both of us, eh?

Let's get a Silent Runners log just to be sure nothing else is trying to lurk. I always check the SR log when not much is showing bad in HJT... that's just an FYI as a GeekU student :)

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Post me a fresh HJT log and the SR log if you will, and we'll get you cleaned up and on the go! :)

#5 k0rr (Topic Starter, Member, 90 posts)
It required me to start Windows Management Instrumentation.
I did, but it still gives me the prompt.
Do I need to restart?

#6 Kat (Retired Staff, MVP, 19,711 posts)
Go ahead and restart, and let's see what happens. I've not seen this happen before, so I'm going to ask someone to take a peek right quick.

#7 k0rr (Topic Starter, Member, 90 posts)
Alright, I've set its startup type to Automatic, restarted, and checked to see if it's started, and it is. Yet Silent Runners still gives me the prompt.
Here are two screenshots:
http://www.djphotik....iles/k0rr/1.JPG
http://www.djphotik....iles/k0rr/2.JPG

#8 Kat (Retired Staff, MVP, 19,711 posts)
Is there a reason why you have Windows Management Instrumentation set to Disabled?? If you don't have it set that way on purpose, just click "OK".

#9 k0rr (Topic Starter, Member, 90 posts)
It was not disabled; it was on Manual startup.

#10 Kat (Retired Staff, MVP, 19,711 posts)
Go to Start > Run.

Type in services.msc

Look down the list and make sure that "Event Log" and "Remote Procedure Call (RPC)" are both started. If they are both already started, let me know.

If they weren't, go ahead and start them, then X out of there and try again to run SR.

#11 k0rr (Topic Starter, Member, 90 posts)
Yes, they both are.

#12 Kat (Retired Staff, MVP, 19,711 posts)
Did you try again to run SR and click "OK" at the WMI box, to see if it will let you run SR?

#13 k0rr (Topic Starter, Member, 90 posts)
Well, it gives me that prompt in screenshot #2,
and then nothing runs.

#14 Kat (Retired Staff, MVP, 19,711 posts)
:tazz: And I'm assuming you did what the prompt told you? But it didn't work? Grrrrr. I have never seen this happen before.

Let's get something else, instead.

Download FindIt's.zip to your desktop: Download Here
  • Create a new folder on your desktop.
  • Unzip/extract the files inside that folder you created on your desktop.
  • Open the folder and run FindIt's.bat and wait for Notepad to open a text file. It may take a while, so please be patient...
  • Then post the results here, along with a new HJT log, by using Add Reply.


#15 k0rr (Topic Starter, Member, 90 posts)
How long does the FindIt scan usually take, and what does it scan for?
It's been scanning for about 5 minutes now.