
HijackThis 2.02


TwistedMetal


Well, as I said, there isn't really a good reason to hold on to the previous one...

 

Changelog:

 

[v2.00.0]

* AnalyzeThis added for log file statistics

* Recognizes Windows Vista and IE7

* Fixed a few bugs in the O23 method

* Fixed a bug in the O22 method (SharedTaskScheduler)

* Did a few tweaks on the log format

* Fixed and improved ADS Spy

* Improved Itty Bitty Procman (processes are frozen before they are killed)

* Added listing of O4 autoruns from other users

* Added listing of the Policies Run items in O4 method, used by SmitFraud trojan

* Added /silentautolog parameter for system admins

* Added /deleteonreboot [file] parameter for system admins

* Added O24 - ActiveX Desktop Components enumeration

* Added Enhanced Security Configuration (ESC) Zones to O15 Trusted Sites check


Strange thing is on the installer when you look at properties it says file version 1.0.0.1 yet when you open the program it says version 2.0.2.

 

It could simply be that, whereas the program itself is now at v2.0.2, it really IS version 1.0.0.1 of their installer...


So what improvements have they made, in layman's terms? It just seems the same as when it was owned by Merijn.

 

Well, look at the changelog I posted. This is certainly not a dramatic re-write, but it fixes a couple of bugs, one of which failed to properly enumerate the contents of a startup location used by recent malware.

 

It also adds a few new startup locations that had been requested for quite a while.

 

The result of this is that a log run with the new version of HijackThis simply gives a more complete and correct picture of the operating system in question, allowing analysts to help you better. :)


Two questions: Without any evidence of malware present, there is not a need for this, correct?

 

HijackThis being a diagnostic tool, posting a log and having it analyzed is an excellent way to find out whether there IS something that needs to be looked at more closely.

 

Secondly, out of curiosity, what forum would you all recommend for posting a log?

 

No need to look further than this very place; we have some first rate analysts right here. :)

 

A couple of other forums that offer expert help:

 

http://www.bleepingcomputer.com/forums/index.php?

http://www.techsupportforum.com/

http://forums.tomcoyote.org/index.php?

http://forums.spybot.info/index.php

 

(Just four out of many, of course...)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Comodo\Firewall\CPF.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\PROGRA~1\Comodo\CBOClean\BOC424.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\HDD Thermometer\HDD Thermometer.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Comodo\Firewall\cmdagent.exe

C:\Program Files\Weather Pulse\weatherpulse.exe

C:\WINDOWS\System32\GEARSec.exe

C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\Program Files\KeirNet\K9\K9.exe

C:\Program Files\MemInfo\meminfo.exe

C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\PopTray\PopTray.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Spyware Doctor\svcntaux.exe

C:\Program Files\Spyware Doctor\swdsvc.exe

C:\Program Files\Spyware Doctor\SDTrayApp.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\WINDOWS\System32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?rs=1

F3 - REG:win.ini: load=

F3 - REG:win.ini: run=

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: IE7pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - (no file)

O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)

O3 - Toolbar: (no name) - {64634180-B0EA-48B6-82B7-9620D33362C1} - (no file)

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [bOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKLM\..\Run: [sDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"

O4 - HKCU\..\Run: [RSD_HDDThermo] "C:\Program Files\HDD Thermometer\HDD Thermometer.exe"

O4 - HKCU\..\Run: [Weather Pulse] "C:\Program Files\Weather Pulse\weatherpulse.exe"

O4 - HKCU\..\Run: [tinySpell] C:\Program Files\tinySpell\tinyspell.exe

O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe

O4 - Startup: MemInfo.lnk = C:\Program Files\MemInfo\meminfo.exe

O4 - Startup: PopTray.lnk = C:\Program Files\PopTray\PopTray.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll

O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll

O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll

O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll

O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://www.driveragent.com/files/driveragent.cab

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 9023 bytes


Well, you certainly have no shortage of security software... in fact it definitely amounts to overkill and can only cause conflicts.

 

Alongside Nod32 and BOClean you certainly do NOT need both AVGAntiSpyware and SpySweeper as WELL as Windows Defender and Spyware Doctor running residently...

 

At the very least you need to make a choice between SpySweeper, AVG AS and Spyware Doctor. I suggest picking either SS or AVG. Feel free to keep the others, but use them ONLY to scan on demand.

 

Do you in fact still have Symantec software installed, and if so, what exactly? This is because there are a couple of Symantec services still present, and if you no longer have that software, you want to get rid of those.

 

Other than that it's a pretty clean log. I'd just check and have HijackThis fix the following lines in order to get rid of a couple of orphaned or empty registry keys/values:

 

F3 - REG:win.ini: load=

F3 - REG:win.ini: run=

 

O2 - BHO: (no name) - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - (no file)

O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)

O3 - Toolbar: (no name) - {64634180-B0EA-48B6-82B7-9620D33362C1} - (no file)



Thank you TK! lol, here is the story on the anti-spywares: I have a license from work for SD and actually just turn it on periodically to update. I was not going to renew SS, but when SD v5 came out there were a ton of problems, so I renewed. AVG A-S two-minute memory scan returns leaked RAM. Can't explain it, but it does it. WD likes to create restore points, kind of like it's watching out for me! Last but not least, I back up with Ghost10. Thank you again!


Alrighty then...

 

If you have no more Symantec software installed you also want to fix the following lines:

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

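A small triage script for HijackThis logs of the kind posted above, added here as an example (it is not code from this thread, from Merijn or from Trend Micro). It parses the section-tagged lines, flags the orphaned "(no file)" BHO/toolbar entries and empty win.ini load=/run= values the analyst asked to have fixed, and groups O23 services by vendor so leftover Symantec services stand out. The sample log is a constructed subset of the entries in the thread; the regexes and function names are my own assumptions about the log format, not an official parser.

```python
import re

# Constructed sample in HijackThis 2.x log format, not the poster's full log.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: IE7pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: (no name) - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - (no file)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^([FOR]\d+) - (.*)$")                       # e.g. "O23 - Service: ..."
SERVICE_RE = re.compile(r"^Service: (.+?) -(?: (.*?))? - (.+)$")    # name, vendor, image path

def parse_hjt(text):
    """Return (section, body) pairs; process lists, headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def find_orphans(entries):
    """Entries an analyst typically has HJT fix: BHO/toolbar keys whose file is gone, empty load=/run=."""
    orphans = []
    for sec, body in entries:
        if sec in ("O2", "O3") and body.endswith("(no file)"):
            orphans.append(f"{sec} - {body}")
        elif sec == "F3" and body.endswith("="):
            orphans.append(f"{sec} - {body}")
    return orphans

def services_by_vendor(entries):
    """Group O23 services by vendor so leftovers from an uninstalled product stand out."""
    vendors = {}
    for sec, body in entries:
        m = SERVICE_RE.match(body) if sec == "O23" else None
        if m:
            # HJT leaves the vendor field empty for some services ("name - - path")
            vendor = (m.group(2) or "").strip() or "Unknown owner"
            vendors.setdefault(vendor, []).append(m.group(1))
    return vendors

if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print(find_orphans(found), services_by_vendor(found))
```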
