Old 2004-12-21, 06:15   Link #2
NightWish
…Nothing More
*Administrator
 
 
I suggest you first run an ad-ware removal tool and scan your system with up-to-date anti-virus software. Most of this information I found by searching (ever used google?). Though it does take some prior knowledge to make sense of what you find when you search, a lot of it is just common sense. Really not that hard.

Anything loaded/run/running from a "Temp" location is likely to be dodgy unless you are installing something; even more so when it is in one of the system "Run" keys too. Anything with random characters in the name or key is also likely to be dodgy.
Quote:
C:\WINDOWS\System32\scpni11.exe
C:\documents and settings\sa\local settings\temp\XvdtBKvM.exe
C:\documents and settings\sa\local settings\temp\Uct.exe
C:\WINDOWS\System32\dp-him.exe
O4 - HKCU\..\Run: [Zwv3RgH5W] scpni11.exe
O4 - HKLM\..\Run: [XvdtBKvM] C:\documents and settings\sa\local settings\temp\XvdtBKvM.exe
O4 - HKLM\..\Run: [Uct] C:\documents and settings\sa\local settings\temp\Uct.exe
O4 - HKLM\..\Run: [G] C:\windows\temp\G.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\SA\Local Settings\Temp\AGAm.dll
I have no idea what to do with this information, having not used "HijackThis" before:
Quote:
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com
O1 - Hosts: 3466709097 your.com
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
Can be a Trojan but can also be a legit Microsoft process; check its properties.
Probably legit stuff, but only run them if you use the product and really need their services.
Quote:
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
(Winamp; Pointless utility I don't run it myself ... should it be running from the "E" drive though?)
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
(AT&T Hardware update; Keep if you use AT&T hardware... modem?)
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
(Adobe; I guess if you use their Creative Studio products...)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(Microsoft; Yet another pointless utility)
PS. Slightly more meaningful thread titles are a good thing

Last edited by NightWish; 2004-12-21 at 06:39. Reason: Update... after more searching...
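The Temp-path and random-name checks described in the post above, applied to HijackThis log lines, as an added example that is not part of the original post. The sample lines are copied from the log quoted in the post; the vowel-ratio test for "random-looking" names and its thresholds are assumptions chosen for illustration, not a HijackThis feature.

```python
import re

# Lines copied from the HijackThis log quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Zwv3RgH5W] scpni11.exe
O4 - HKLM\..\Run: [XvdtBKvM] C:\documents and settings\sa\local settings\temp\XvdtBKvM.exe
O4 - HKLM\..\Run: [G] C:\windows\temp\G.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\SA\Local Settings\Temp\AGAm.dll
"""

# O4 entries that come from the HKLM/HKCU "Run" keys: [value name] command
RUN_ENTRY = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# A path component named Temp or Tmp, in any letter case.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def looks_random(name, min_len=6, max_vowel_ratio=0.2):
    """Crude heuristic (assumption): long names with almost no vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False  # too short to judge, e.g. "G" or "Uct"
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < max_vowel_ratio


def triage(log_text):
    """Return (line, reasons) for every log line worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        run = RUN_ENTRY.match(line)
        if TEMP_DIR.search(line):
            # Temp plus a Run key is the stronger signal the post describes.
            reasons.append("run-key-temp-path" if run else "temp-path")
        if run and looks_random(run.group("name")):
            reasons.append("random-name")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(", ".join(reasons), "->", line)
```

A flag here only marks an entry for manual review; short names such as "G" are caught by the path check rather than the name check.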