
Is My HJT Logfile Too Clean?

Discussion in 'Security and Privacy' started by dan239, 2004/06/09.

Thread Status:
Not open for further replies.
  1. 2004/06/09
    dan239

    dan239 Inactive Thread Starter

    Joined:
    2002/10/07
    Messages:
    187
    Likes Received:
    0
    I have a question about my HijackThis log. Is it supposed to be this clean or am I doing something wrong? I have a few items in the ignore list that relate to ‘ieSpell’ and my start page.

    I have deleted one of these from the ignore list to do a scan and give me a logfile. Otherwise I get ‘No Suspicious Items Found!’ and cannot get a logfile of running processes.

    Here is the log;

    Logfile of HijackThis v1.97.7
    Scan saved at 7:14:18 PM, on 6/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\zstatus.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O9 - Extra button: ieSpell (HKLM)

    I am able to define every item in the log and feel like I have my computer as clean as I can get it. The only item you might not recognize is the ‘zstatus.exe’ which relates to my laser printer.

    I should point out that when I first ran HijackThis I did delete a few items. None of these were a real threat in my opinion but they were unnecessary.

    When I notice the long logfiles that are posted for review, it makes me wonder if I am getting everything that I am supposed to get.

    Daniel
     
  2. 2004/06/09
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Probably just means you are real clean. But to make sure, load something you know will show up in the log and then run it again. The google toolbar is good if you don't have it already. Puts in a good few entries and all are easy to recognize.
     
    Newt,
    #2


  4. 2004/06/09
    dan239

    dan239 Inactive Thread Starter

    Joined:
    2002/10/07
    Messages:
    187
    Likes Received:
    0
    Newt

    I have tried this on a few items and they do show up. Maybe my computer is just extra clean because I do not run a lot of the things that most people are running.

    I just wanted to be sure I was not overlooking something.

    Thanks

    Daniel
     
  5. 2004/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Do you still have the backups of what you fixed? Click the config tab, then backup and restore. Take everything out of the ignore list. Run another scan and post it. Something is not right. HJT identifies run keys, BHOs, toolbars, DPFs and IE keys, etc. Your computer would not be running and online without some of those things.
     
  6. 2004/06/09
    dan239

    dan239 Inactive Thread Starter

    Joined:
    2002/10/07
    Messages:
    187
    Likes Received:
    0
    Dave

    I cleared the ignore list and restored everything in the backup file.

    Here is the new logfile.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:17:26 PM, on 6/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38093.491712963
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    The only things in my ignore list were the first two items about local page and the ieSpell items. All the rest were in the backup file.

    Daniel
     
  7. 2004/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well that looks better. Still no run keys though. Looking at your system specs in signature, I would expect quite a few. Have you been to msconfig and unchecked everything there on the startup tab or something? Maybe even into services and shut some of those down? Look in services, start>run, type services.msc, at what is running. Check the registry at both HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ under all run and run- keys. Anything there? Does the processes tab of task manager show processes that are not in your log?

    The two R0 entries are the only ones you need to fix at this point.
     
  8. 2004/06/10
    dan239

    dan239 Inactive Thread Starter

    Joined:
    2002/10/07
    Messages:
    187
    Likes Received:
    0
    Dave

    If I delete the two R0 items my start page goes to msn.com which I do not want. I have it set for blank.

    I do not have anything starting in the startup list in msconfig. I start programs if needed. There are only three items in the startup list.

    I have set services.msc to the recommended settings from Black Viper.

    I do not believe there is anything in Task manager that is not in the log. Some of them are running under other processes.

    Is there some reason to leave these items in here that I had deleted, when it had no ill effect on my computer?

    Thanks for your help.

    Daniel
     
  9. 2004/06/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well, no. It just makes those things unavailable. Take the O2 BHO entry for example. If you clicked a link to view a page that was in PDF format, you would not be able to view it in the web page without that helper object. You would probably get prompted to install Acrobat Reader or a 'sorry, Acrobat Reader encountered a problem and needs to close' message. The O16s will be installed again when needed. Won't hurt anything removing them, but wouldn't hurt to leave them either. The O8s, most anyone can live without since those options are available with right click, but again not hurting anything. I have never seen a log that small, and an XP machine with that little running, but hey, if it works for you..........

    The one thing I would expect to see running, and am always concerned when I don't, is Anti-Virus software. Do you not have any? Or is that one of those apps you only start when you want to use it? And a firewall?
     
  10. 2004/06/10
    dan239

    dan239 Inactive Thread Starter

    Joined:
    2002/10/07
    Messages:
    187
    Likes Received:
    0
    Dave

    Thanks for explaining these things for me. I will leave them in as suggested.

    About a firewall, I am using XP's firewall only and have found it has worked for me so far. Is there a good reason to have something else? I have read so much in these forums about anti-virus programs causing people so much trouble that I decided to try to get along with the XP firewall alone. It has protected me completely so far. I should point out that I refuse to open an attachment to an email unless I am very sure it is OK.

    Thanks again

    Daniel
     
  11. 2004/06/10
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Daniel
    If you would like to, send one of us those backups so we can see if you've accidentally fixed something you shouldn't have. Place them all in a folder, then zip it up, send a PM to me or Dave and include your email address.


    PS I do not see XP's firewall, as it would show in the log
    Regards
     
  12. 2004/06/10
    dan239

    dan239 Inactive Thread Starter

    Joined:
    2002/10/07
    Messages:
    187
    Likes Received:
    0
    Lonny

    All of the items that were in my backup I restored before the last logfile. At this time my backup is clean. I also had deleted everything in my ignore list so the previous logfile is complete.

    I do not understand why the XP firewall is not in the list as I do have it activated. I also checked my Task Manager and I do not see it there. Should it be there?

    Maybe I have missed something to have the firewall running. In the dialup connection I am using now it is checked to protect this computer from the Internet. Any suggestions?

    Daniel
     
  13. 2004/06/10
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  14. 2004/06/10
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I agree you really need AV running.

    Attachments are an obvious way to get bit but you can also have baddies embedded in some emails that don't show as attachments because they aren't. Infected web pages aren't unheard of and with them, all you have to do is browse to the page.

    I know some folks have occasional trouble with AV programs but the number is small and based on the comparative risks of AV vs. no AV, I'd suggest you load one real soon.
     
  15. 2004/06/10
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    ICF is "bundled" under svchost.exe - it will not show as a separate entry.

    This thread http://www.windowsbbs.com/showthread.php?t=31080, pretty much covers the pros and cons of using ICF alone.

    Regards - Charles
     
    Last edited: 2004/06/10
  16. 2004/06/10
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Good catch Charles. I missed that one.

    Dan - you can see all that is running within the svchost wrappers if you wish.
    start~run~cmd
    tasklist /svc

    Here is the info from my XP-pro PC - a partial list of the results of tasklist /svc
    Code:
    Image Name                   PID Services                                     
    ========================= ====== =============================================
                                        
    services.exe                 684 Eventlog, PlugPlay                           
    lsass.exe                    696 PolicyAgent, ProtectedStorage, SamSs         
    svchost.exe                  860 RpcSs                                        
    svchost.exe                  940 AudioSrv, Browser, CryptSvc, Dhcp, dmserver, 
                                     ERSvc, EventSystem, helpsvc, lanmanserver,   
                                     lanmanworkstation, Netman, Nla, RasMan,      
                                     Schedule, seclogon, SENS, ShellHWDetection,  
                                     TapiSrv, TermService, Themes, TrkWks,        
                                     uploadmgr, W32Time, winmgmt, wuauserv, WZCSVC
    svchost.exe                 1076 Dnscache                                     
    svchost.exe                 1088 Alerter, LmHosts, RemoteRegistry, SSDPSRV,   
                                     WebClient                                    
    spoolsv.exe                 1316 Spooler 
     
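    The registry check Dave asks for in post #7 (Run keys under HKCU and HKLM, processes not in the log) and Newt's tasklist /svc in post #16, together with Charles's point that ICF lives inside svchost.exe, can be done in one pass with the script below. It is an added example, not code from this thread or from HijackThis, and it assumes Windows PowerShell 5.1 or later, which XP lacks; on the XP SP1 box in the log, reg.exe query and tasklist /svc (which Charles and Joe could not run on Home) are the equivalents. The service names flagged as firewall-related (SharedAccess for XP's ICF/ICS, MpsSvc for the firewall from Vista on, ALG for alg.exe) are the example's own assumptions.

```powershell
# Added example, not code from the thread or from HijackThis. Enumerates what HJT
# reports as O4 (Run/RunOnce keys) and O2 (Browser Helper Objects), then maps each
# svchost.exe PID to the services it hosts, as `tasklist /svc` does, and lists the
# services that implement the Windows firewall (which never appear as their own
# .exe in an HJT "Running processes" list). Assumes Windows PowerShell 5.1+.
# Run from an elevated prompt for complete results.

function Get-RunKeyAutostart {
    # The Run keys Dave asks about in post #7 (HJT O4). WOW6432Node is the
    # redirected copy used by 32-bit programs on 64-bit Windows; absent on XP.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-BrowserHelperObject {
    # HJT O2: each BHO is a CLSID subkey; the DLL path is the InprocServer32 default value.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid   = $sub.PSChildName
        $clsKey  = "HKLM:\Software\Classes\CLSID\$clsid"
        $name    = if (Test-Path $clsKey) { (Get-ItemProperty -Path $clsKey).'(default)' } else { $null }
        $server  = "$clsKey\InprocServer32"
        $dll     = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { $null }
        [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll }
    }
}

function Get-SvcHostMap {
    # One row per hosting process with the services it runs (the `tasklist /svc` view).
    $svcs = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    foreach ($group in $svcs | Group-Object -Property ProcessId) {
        $procId = [int]$group.Name
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID      = $procId
            Image    = if ($proc) { $proc.ProcessName + '.exe' } else { '(exited)' }
            Services = ($group.Group.Name | Sort-Object) -join ', '
        }
    }
}

# Assumed service names: SharedAccess = ICF/ICS on XP, MpsSvc = Windows Firewall
# (Vista and later), ALG = Application Layer Gateway (the alg.exe Daniel saw).
$firewallServices = 'SharedAccess', 'MpsSvc', 'ALG'

'== Run/RunOnce autostarts (HJT O4) =='
Get-RunKeyAutostart | Format-Table -AutoSize

'== Browser Helper Objects (HJT O2) =='
Get-BrowserHelperObject | Format-Table -AutoSize

'== Services per host process (tasklist /svc equivalent) =='
Get-SvcHostMap | Sort-Object PID | Format-Table -AutoSize -Wrap

'== Firewall-related services =='
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $firewallServices -contains $_.Name } |
    Select-Object Name, State, ProcessId, PathName | Format-Table -AutoSize
```

    The last table is the answer to Daniel's question in post #12: the firewall service shows a ProcessId belonging to an svchost.exe (or alg.exe for the ALG helper), so its absence from the HJT process list says nothing about whether it is running. Empty O4 and O2 tables on a machine that is otherwise working are possible, as this thread shows, but each entry that is present should resolve to a path you recognise.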
  17. 2004/06/10
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Newt,

    I can't do this. The message is "tasklist is not recognized as an internal or external command....... "

    Is this one of the Pro only commands?

    Regards - Charles
     
  18. 2004/06/10
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Charles - I don't know. I assumed it was an XP utility since I know 2K does not have it although the XP version will run.

    From reading This and This I don't see them specifying one OS version or the other, but there is quite a bit of domain sniffing ability in the utility, so maybe it does in Home like it does in 2K and runs with limited functionality if you simply get the .exe from a Pro system.
     
  19. 2004/06/10
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
  20. 2004/06/10
    dan239

    dan239 Inactive Thread Starter

    Joined:
    2002/10/07
    Messages:
    187
    Likes Received:
    0
    I do have alg.exe running in Task Manager but I had forgotten that the ICF is in it.

    Regarding running an AV program, what is considered the best free one available?

    Daniel
     
  21. 2004/06/10
    joeskys

    joeskys Inactive

    Joined:
    2002/03/13
    Messages:
    197
    Likes Received:
    0
    Newt: I have XP Home and could not run the svc host. You have XP Pro??

    Joe R.
     
Thread Status:
Not open for further replies.
