Help: is my Hijackthis log clean ?

Discussion in 'adware, spyware & hijack cleaning' started by colshandy, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. colshandy

    colshandy Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    8
    Guys
    I have had a problem regarding a virus which is proving difficult to remove.

    Due to limited PC/Internet knowledge, I previously failed to update Windows and Norton antivirus (which I have now done!) so a friend thinks my registry may be affected.

    Having followed instructions on a Lavasoft site (running Spybot Search & Destroy, Ad-Aware and HijackThis) I have now run off the HijackThis log and wondered if anyone out there can tell me if my log is clean?

    Here goes, thanks in advance:

    Logfile of HijackThis v1.97.7
    Scan saved at 00:03:18, on 02/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\wuamgrd.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Documents and Settings\Colin Atkinson\Desktop\HiJack This\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVComS.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe
    O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
    O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\Colin Atkinson\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi colshandy,


    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com

    O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe
    O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
    O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Then reboot into safe mode and delete:
    C:\WINDOWS\System32\wuamgrd.exe
    C:\WINDOWS\System32\scrgrd.exe

    Regards,

    Pieter
     
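The three things Pieter's reply keys on (a start page pointing somewhere other than the expected home page, one path-less executable registered under HKLM Run, HKLM RunServices and HKCU Run at once, and an O6 policy line) can be checked mechanically. Below is an added Python example, not code from this thread or from HijackThis, that parses a constructed log in the same v1.97 format and reports those patterns; EXPECTED_HOSTS is an assumed allowlist, and the running-process list is used only to report where the flagged file actually lives on disk.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format, modelled on the entries discussed above.
SAMPLE_LOG = "\n".join([
    r"Running processes:",
    r"C:\WINDOWS\System32\wuamgrd.exe",
    r"",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com",
    r"O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe",
    r"O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgrd.exe",
    r"O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present",
])
EXPECTED_HOSTS = {"www.euro.dell.com"}   # assumed: the OEM home page the owner expects
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[[^\]]*\] (\S+)")   # registry key, first target token

def parse_log(text):
    """Return (running-process paths, [(section, body), ...]) from a HijackThis log."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        else:
            in_procs = False   # blank line ends the process list
    return procs, entries

def find_suspicious(text):
    """Flag a foreign start page, multi-key path-less autoruns, and any O6 policy line."""
    procs, entries = parse_log(text)
    findings, keys_by_file = [], {}
    for sec, body in entries:
        if sec in ("R0", "R1"):
            host = urlparse(body.split("=", 1)[-1].strip()).hostname
            if host and host not in EXPECTED_HOSTS:
                findings.append((sec, host))
        elif sec == "O4" and (m := O4_RE.match(body)) and "\\" not in m.group(2):
            keys_by_file.setdefault(m.group(2).lower(), set()).add(m.group(1))  # bare name, no path
        elif sec == "O6":
            findings.append((sec, body))
    for name, keys in keys_by_file.items():
        if len(keys) >= 2:   # same file persisting in several autorun keys, as in the log above
            on_disk = next((p for p in procs if p.lower().endswith("\\" + name)), None)
            findings.append(("O4", name, len(keys), on_disk))
    return findings
```

A single path-less entry such as BCMSMMSG.exe is not flagged on its own, since OEM drivers register that way too; it is the repetition across keys that stands out.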
  3. colshandy

    colshandy Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    8
    Pieter,

    Thanks for your help. I followed the instructions, however when I ran HijackThis the following did not display:

    R0 - HKCU...etc
    C:\WINDOWS\etc
    C:\WINDOWS\etc

    I checked the rest. When I rebooted, the files:
    C:\WINDOWS\SYSTEM32\wuamgrd.exe and
    C:\WINDOWS\SYSTEM32\scrgrd.exe

    did not appear to be there so I could not delete.

    Here is the resultant HijackThis report, does it look okay? Thanks again. Colin.

    Logfile of HijackThis v1.97.7
    Scan saved at 20:09:33, on 02/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\wuamgrd.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Colin Atkinson\Desktop\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVComS.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgrd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\Colin Atkinson\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     