#1
I'm currently using Sygate Personal Firewall, Microsoft Anti-spyware, AVG Free Edition, Spybot S&D, along with the Spybot SD Teatimer which blocks all IE bad pages, AD-Aware SE Personal and also protect myself with spyware blaster. If not running in the background I scan my computer about every week with all those programs to prevent any malware from going into my system. I also use Mozilla the majority of the time, but if using MSN, looking at emails, IE pops up when looking, or other programs like that. I'm just wondering if someone could take a look at my hijackthis log and see if my computer's running alright, and just to see if I can rid anything from it.
Logfile of HijackThis v1.99.1
Scan saved at 1:26:08 AM, on 11/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-ca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-ca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-ca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-ca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-ca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-ca10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119374732843
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Thanks for your time, and if I've sent this post to the wrong part of the board, I'm sorry. This is my first post, and just signed up today.
-Justin

#2
hi justin,
you have posted in the correct area. What you describe seems to be the default behavior of Microsoft software. By default MSN messenger and Outlook etc will try and use IE to open up webpages. Hence links clicked from within these apps will result in IE starting up. I will go through your log later today and post back if I find anything amiss. Please have patience with us, for we do not always get a chance to reply straight away. Have you enabled the Mozilla feature which sets it as your default browser? cheers
__________________
Nigel ..Seeking code free nirvana... Nigel Fernandes Blog Never argue with fools. They will bring you down to their level and beat you with experience. Manchester United Forever

#3
Yes I have. I've made Mozilla my default browser, the box is checked in Mozilla. And, I also went through, Control Panel>Add and Remove>Set Programs Access and Defaults, in which it took me a while to figure that out, since I've done it before, but I forgot where the setting was. hahaha.

#4
Hi again justin,
I went over your log as best I could. I cannot see any clear traces of malware on your system. However you should fix the following entry in Hijackthis.
Quote:
Fix this entry if you did not activate the 'Lock homepage from changes' option in some kind of anti-spyware tool. (but I strongly believe you must have from the list of programs you run to check for malware)
Quote:
You may fix the following entries as well but this is optional.. not really a concern
Quote:
I'm still new to this, so please keep checking this thread regularly over the next week, just in case a more experienced user (like Tom myboy) sees something I have missed.

To help disable Internet Explorer you can try the following.

One way to remove the ability to browse with IE is to use XP's set program access and defaults utility. Since you have already done this, I'm just posting this for any other users who may happen across this thread and like to know about this.
1. Click on the Start button
2. Click on set program access and defaults
3. Select the Custom pull down list
4. Deselect the enable access to this program checkbox for Internet Explorer
5. Click ok

The second way is to add a bogus proxy server to IE's Internet Settings. Follow these steps:
1. In IE, go to Tools>>Internet Options.
2. On the Connections tab, click the LAN Settings button.
3. In the resulting dialog box, select the following check box in the Proxy Server section: Use a Proxy Server For Your LAN (These Settings Will Not Apply To Dial-up Or VPN Connections).
4. Enter 0.0.0.0 in the Address text box.
5. Enter 80 in the Port text box, and click OK.

Please post back and let me know if you have other symptoms on your pc that might make you suspect malware.
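
Added example (not part of the original thread and not code from HijackThis): a small Python parser for the HijackThis v1.99.1 log format posted in #1, grouping entries by section code and listing the ones HijackThis itself marked `(no file)` or `(file missing)`. The function names and the section descriptions are this example's own; the sample lines are an excerpt copied from the log above.

```python
import re
from collections import defaultdict
# Usual meaning of the HijackThis section codes seen in the log from post #1.
SECTIONS = {
    "R0": "IE start/search page URL", "R1": "IE start/search page URL",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart (Run key / Startup folder)",
    "O6": "IE options restricted by policy", "O8": "IE context-menu item",
    "O9": "IE button / Tools menu item", "O16": "ActiveX control (DPF)",
    "O20": "Winlogon Notify / AppInit_DLLs", "O23": "Windows service",
}
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# Markers HijackThis appends when the referenced file is absent. Anchored to the
# end of the line so "(no name)" in the middle of an entry does not match.
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")

def parse_log(text):
    """Group 'Xn - ...' entries by section code; header and process lines are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def orphaned(groups):
    """Entries whose target file is gone: leftovers to review, not proof of malware."""
    return [(c, e) for c, es in groups.items() for e in es if ORPHAN.search(e)]

def summary(groups):
    """Map section code -> (meaning, number of entries)."""
    return {c: (SECTIONS.get(c, "unknown section"), len(es)) for c, es in groups.items()}

# Excerpt copied from the log in post #1 (shortened for the example).
SAMPLE = r"""Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    g = parse_log(SAMPLE)
    print(summary(g))
    print(orphaned(g))
```

The grouping only sorts entries for review; whether a given entry is legitimate still has to be judged by someone who knows the software behind it.
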

#5
MSN Messenger is hardcoded to use IE for opening mail, but links should open in your choice of browser if it's the default as set by the program access and defaults that OneMSBI states above.
__________________
~James [Not currently seeking freelance work] Like philosophy or interested in spirituality? Philosophorum. Game Dev Experts Forums Foresight Linux - Because your desktop should be cool! Linux FAQ FedoraFAQ UbuntuGuide

#6
Thank you, oneMSBi, and Linux Penguin. I've done what you've told me to do. I've set up the proxy server as well, and it obviously didn't go to my email, haha. But, that's ok. I'll just switch the setting back over and not use a bogus proxy server.
From finding which logs to fix, is there a website to find out? I know some are just common knowledge on knowing which programs and which things to fix. As I did fix a couple before posting that log. Thanks for your help, and I do plan to use this community a lot since it has a lot of computer related topics in which I'm interested in. I've always been interested in security, and malware issues since that's the breaking point in which people can hack, if there's any malicious code or virii in the computer. Thanks again, Justin

#7
hello again justin,
In general Hijackthis is not a tool meant for the inexperienced user. It is not recommended that normal users fix entries in their own logs, but however since at the end of the day it is your computer, you may do as you please .. just understand that Hijackthis shows many legitimate entries as well as bad ones. Knowing what to detect and fix and learning how to do so requires patience and practise. There are online classrooms which do offer such training (it's free).. but you have to apply and state a reason for you wanting to learn such information. As a newbie in training, I can honestly say there is a lot more to malware removal than I originally thought.

While there are websites with guides and explanation on hijackthis, this is not a route I recommend for those interested in dealing effectively with spyware/adware/virii/worms/trojans. Hijackthis is only the tip/ start point of infection clean-ups. The true extent of the Malware fight is quite mind boggling. Personally I would recommend an online classroom, for those who really want to learn and help the internet community at large. This was the route I was shown and I have absolutely no complaints.

Welcome to the community.. there are a lot of smart people all across devshed, and I never stop learning from this place. It's fun too

#8
Thanks for the welcome, about the online classrooms... Where can I find a specified classroom within spyware /adware /virii /worms /trojans training? I'm willing to learn more, and would like to indulge myself into these concepts as these issues are escalating as more people are introduced to the internet, and more problems are occurring more often. Security, it's a useful thing to know about, and a lot of people don't take the factors into common use. I'm always learning new things, and I do want to learn more.
--Justin

#9
hey Justin,
good to see your enthusiasm. Mind you that these classrooms are not only about educating people on the effects and cleanups of malware, but also to train people to a level where they can in turn help others. If you do get trained at such classrooms please attempt to stay on and help out at their forums and here. Check your private messages... I have contacted you via the private message system here on devshed. If you do not know how to check your messages, please click the link labeled "usercp" on the brown bar just below the Forum Title of this page. As you do not seem to have any problems as of now, I will wait for a couple of days before I close this thread, just in case any other users see something I have missed in your log.
Last edited by oneMSBi : July 12th, 2005 at 04:19 AM.

#10
Quote:
Thanks for the info, and I will go look at my messages, as I didn't know you sent any -- Justin

#11
Quote:
that's ok ... I sent the message just before I posted up there

Viewing: Dev Shed Forums > System Administration > Antivirus Protection > Hijackthis Log