Learning about HJT... Guidance needed... Log posted

Discussion in 'Security and Privacy' started by CharlieJ, 2004/06/24.

Thread Status:
Not open for further replies.
  1. 2004/06/24
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    ;)
    I am trying to learn a little about HJT and how it works. At the same time, I would like to make sure my work PC is clean. The HJT log is posted below. I have highlighted the items *I* think might be useless or harmful. Would someone take a look and let me know your opinions? Please don't take a lot of time to research things -- just a quick once over to make sure I am seeing things correctly. THANKS!

    Items in BLUE are those *I* think I can safely get rid of. (remember, I'm learning :) )
    Items in RED are those I think might be harmful.
    Items in ORANGE are the ones I'm clueless about. ???
    Please tell me if I'm wrong about any or all of these!


    Logfile of HijackThis v1.97.7
    Scan saved at 11:45:38 AM, on 6/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Gateway\GSM\BIN\iids.exe
    C:\Program Files\Gateway\GSM\BIN\ssm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\System32\snmp.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\Program Files\Intel\Alert on LAN\Proxy\Providers\asfpprov.exe
    C:\Program Files\Intel\Alert on LAN\Proxy\Aolnsrvr.exe
    C:\Program Files\Gateway\GSM\Bin\asfproxy.exe
    C:\Program Files\Gateway\GSM\BIN\lsmsnmpsrv.exe
    C:\WINNT\System32\mqsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\mHotkey.exe
    C:\WINNT\CNYHKey.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\ZDelete\POPUPK~1.EXE
    C:\Program Files\GFI\SELM 5\selm_mon.exe
    C:\Program Files\Gateway\GSM\Bin\USM.exe
    C:\PROGRA~1\Webshots\WebshotsTray.exe
    C:\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotbot.com/default.asp?query=&ps=&loc=searchbox&tab=web&provKey=Google&prov=Google
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [CNYHKey] CNYHKey.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Active@ PopUp Killer] C:\PROGRA~1\ZDelete\POPUPK~1.EXE
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: LANguard S.E.L.M. Status Monitor.lnk = C:\Program Files\GFI\SELM 5\selm_mon.exe
    O4 - Global Startup: USM.lnk = C:\Program Files\Gateway\GSM\Bin\USM.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: ZDelete Auto-Cleaner (HKCU)
    O16 - DPF: {341A4436-877A-11D5-96F0-0050DA205576} (LDCM_TL Control) - http://localhost:6787/Objects/LDCM_TL.cab
    O16 - DPF: {94A19999-DD02-48C1-A9EC-4959CA2EA669} (1) - http://localhost:6787/objects/lsmax.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    THANKS again for your guidance!
     
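An added example, not code from the original post or from HijackThis itself: a small parser for the log format shown above. It reads a subset of the lines copied from the log (R0, O2, O4 and O16) into structured records and then raises three review prompts a practitioner wants before judging an entry: an O4 Run command whose image has no directory (Windows locates it by its normal search order, so you have to confirm which file actually runs), an image written as an 8.3 short name (`PROGRA~1`), which hides the real folder name until you expand it, and an O16 DPF entry that downloads its CAB from a listener on this machine (`localhost:6787`). The flag names and the `review` function are this example's own; they are prompts for a closer look, not verdicts.

```python
"""Parse HijackThis log lines and flag entries that need a closer look."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis log posted above (a subset, to keep
# the example short). Nothing in this sample is invented.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotbot.com/default.asp?query=&ps=&loc=searchbox&tab=web&provKey=Google&prov=Google
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O16 - DPF: {341A4436-877A-11D5-96F0-0050DA205576} (LDCM_TL Control) - http://localhost:6787/Objects/LDCM_TL.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
""".strip()

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\S*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")


@dataclass
class Entry:
    section: str          # e.g. "O4"
    raw: str              # the original log line
    fields: dict = field(default_factory=dict)


def _image(cmd):
    """Program image from a Run command: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_hjt(text):
    """Turn log lines into Entry records; unknown sections keep only the raw line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("section"), m.group("body")
        e = Entry(sec, raw.strip())
        if sec.startswith("R") and (mm := R_RE.match(body)):
            e.fields = mm.groupdict()
        elif sec == "O2" and (mm := O2_RE.match(body)):
            e.fields = mm.groupdict()
        elif sec == "O4" and (mm := O4_RE.match(body)):
            e.fields = mm.groupdict()
            e.fields["image"] = _image(mm.group("cmd"))
        elif sec == "O16" and (mm := O16_RE.match(body)):
            e.fields = mm.groupdict()
            e.fields["host"] = urlsplit(mm.group("url")).netloc
        entries.append(e)
    return entries


def review(entries):
    """Map entry name -> review prompts. Only entries with at least one prompt appear."""
    notes = {}
    for e in entries:
        flags = []
        if e.section == "O4" and "image" in e.fields:
            img = e.fields["image"]
            if "\\" not in img:
                flags.append("bare-image")    # no directory: confirm which file is found
            if re.search(r"~\d", img):
                flags.append("short-name")    # 8.3 name: expand before judging the path
        if e.section == "O16" and e.fields.get("host", "").split(":")[0] in ("localhost", "127.0.0.1"):
            flags.append("local-download")    # CAB served by something listening on this box
        if flags:
            notes[e.fields.get("name", e.raw)] = flags
    return notes


if __name__ == "__main__":
    for name, flags in review(parse_hjt(SAMPLE_LOG)).items():
        print(f"{name}: {', '.join(flags)}")
```

Running it over the sample prints the four entries that need a second look (CHotkey, vptray, MsmqIntCert and LDCM_TL Control); the fully-pathed WinVNC line and the Macromedia download raise nothing, which matches the thread's treatment of them. Extending `SAMPLE_LOG` to the whole log above is the obvious next step.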
  2. 2004/06/24
    JohnB Lifetime Subscription

    JohnB Well-Known Member

    Joined:
    2002/01/07
    Messages:
    856
    Likes Received:
    11
    HijackThis tutorial

    Hi CharlieJ, here's a link to a HijackThis tutorial that might be of some help to you: HJ Tutorial.

    As to your log, wait for some expert advice from others on the BBS, but from what I see you have highlighted I think you are on the right track.
     


  4. 2004/06/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    These days with so many Hijackthis logs being posted, a search for specific files turns up so many pages of logs that it's hard to find anything.

    My solution has been to run a google search using -hijackthis -hjt and then the term I want. Seems to usually weed out most of the junk.

    For instance, -hijackthis -HJT igfxtray.exe and the first listing is This One, which gives a quick review of igfxtray.exe, and a similar result for hkcmd.exe.

    The two O16 DPF entries wouldn't search up for me, which is usually a sign of a baddie.

    Try a few of the others and see what turns up. You have red-flagged at least one entry that is a normal part of a standard windows component.
     
    Newt,
    #3
  5. 2004/06/25
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Process Library has saved me some time tracking down what is what, and if it is legit, or not.

    Johanna
     
  6. 2004/06/25
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    The O3 is part of Internet Explorer.
    I would get rid of this.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotbot.com/default.asp?q...gle&prov=Google
    If you want Google, set it to http://www.google.com
    When I go to that link, because of the IEspyads.reg file merged into my registry, that site comes up as Unknown Zone [Mixed], meaning that a site connected in that link is in my Restricted Zone. I didn't look at the source code to see what it is.

    Now these I believe are related to each other, but I could be wrong.

    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\mqsvc.exe
    O16 - DPF: {341A4436-877A-11D5-96F0-0050DA205576} (LDCM_TL Control) - http://localhost:6787/Objects/LDCM_TL.cab
    O16 - DPF: {94A19999-DD02-48C1-A9EC-4959CA2EA669} (1) - http://localhost:6787/objects/lsmax.cab
    The localhost should be your computer, and the :6787 is a port on your computer. You are running a SQL server; this is not my area, but I do know the running processes are connected.
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    This file being registered is also a part of it, you could remove this line. Once a file is registered into the registry, it is there. No need to keep hammering it in.

    About the Gateway entries, I believe they have some sort of remote assistance with their 'support' techs, apart from XP's remote assistance.
     
  7. 2004/06/27
    cghost

    cghost Inactive

    Joined:
    2004/06/26
    Messages:
    16
    Likes Received:
    0
  8. 2004/06/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Hi cghost. Would you please explain why you think this item might be a problem?
     
    Newt,
    #7
  9. 2004/06/30
    cghost

    cghost Inactive

    Joined:
    2004/06/26
    Messages:
    16
    Likes Received:
    0
    I think Noah's answer in this thread is an excellent answer to your question.
    http://www.windowsbbs.com/showthread.php?t=32237

    The thread originator asked for a learning experience.
    charliej
    "I am trying to learn a little about HJT and how it works. "
    "Please don't take a lot of time to research things -- just a quick once over to make sure I am seeing things correctly. "

    I believe the tutorial I posted said basically the question Noah asked in the other thread he answered.

    For future logs, (and his current one), I thought that charlie should be aware that the O6 lines can come from either good guys or bad guys and he should determine which one is applicable.
     
  10. 2004/06/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks cghost. I'm in sorta the same condition as CharlieJ - trying to get a feel for this stuff.

    My question was exactly that - I didn't know why and wanted to. I have the same O6 entry but thought mine came from Spybot restrictions I selected. I was mainly wondering, based on your warning, if that specific entry could have another cause and if the cause might indicate a problem.
     
    Newt,
    #9
  11. 2004/07/01
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    The O6 entry really is a broad statement about the Values in the registry. Any DWORD Value with a Value Data of 1 placed in the following Key will trigger HJT:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
    It doesn't matter how it got there, either manually or with Spybot, HJT just shows the presence. I created a DWORD Value with "Gibberish" as its name, gave it a Value Data of 1, and HJT picked it up as an O6.
    Note: Do not try this at home. ;)
     
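An added example, not HijackThis code and not from anyone in this thread: the O6 test as markp62 describes it, written so the decision logic can be exercised without touching a live registry. `o6_triggers` applies his rule (a DWORD value whose data is 1, any name) to a list of `(name, data, kind)` tuples; `read_control_panel_key` fills that list from the real HKCU key on Windows using the standard `winreg` module. The constructed sample below mirrors his experiment: it contains the real `HomePage` policy value (the "Disable changing home page settings" policy), his arbitrary `Gibberish` value, a DWORD set to 0, and a REG_SZ holding the string "1". The last two show why the value kind and data both matter; whether HJT also reports DWORD data other than 1 is not something this thread establishes, so the rule is applied exactly as stated.

```python
"""Reproduce the HijackThis O6 test described by markp62 (DWORD == 1 under the IE Control Panel policy key)."""
import sys

KEY_PATH = r"Software\Policies\Microsoft\Internet Explorer\Control Panel"
REG_DWORD = 4   # same numeric value as winreg.REG_DWORD; spelled out so the logic runs off Windows
REG_SZ = 1      # same numeric value as winreg.REG_SZ


def o6_triggers(values):
    """Names of the values HJT's O6 test would report: kind DWORD and data 1 (markp62's rule)."""
    return [name for name, data, kind in values if kind == REG_DWORD and data == 1]


def read_control_panel_key():
    """Enumerate the live HKCU key as (name, data, kind) tuples; [] if the key is absent. Windows only."""
    import winreg
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH)
    except FileNotFoundError:
        return []
    values = []
    with key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:      # raised when there are no more values
                break
            values.append((name, data, kind))
            index += 1
    return values


# Constructed sample (not read from any real machine), mirroring markp62's experiment.
CONSTRUCTED_VALUES = [
    ("HomePage", 1, REG_DWORD),    # real policy value: locks the IE home page
    ("Gibberish", 1, REG_DWORD),   # markp62's arbitrary DWORD = 1 test value
    ("Advanced", 0, REG_DWORD),    # DWORD present but 0: not reported under his rule
    ("Comment", "1", REG_SZ),      # REG_SZ "1": wrong kind, not reported
]


if __name__ == "__main__":
    source = read_control_panel_key() if sys.platform == "win32" else CONSTRUCTED_VALUES
    for name in o6_triggers(source):
        print(f"O6 - HKCU\\{KEY_PATH} present ({name} = 1)")
```

On a Windows box it lists the value names behind the single "O6 ... present" line, which is the piece of information HJT's one-line summary leaves out and that Newt was asking about: a `HomePage` entry set by Spybot's restrictions looks identical in HJT to one a hijacker left behind, and only the value names and how they got there tell the two apart.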
  12. 2004/07/01
    cghost

    cghost Inactive

    Joined:
    2004/06/26
    Messages:
    16
    Likes Received:
    0