Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • This topic is locked This topic is locked
5 replies to this topic

#1 oldsoldier


  • Members
  • 60 posts
  • Location:County Durham, UK
  • Local time:12:34 AM

Posted 16 August 2005 - 03:30 PM

Computer Information:

Specifications - American Megatrends Inc
System Model unknown
BIOS Version - American Megatrends Inc. P1.30

Operating System - Microsoft Windows XP Professional
Version - 5.1.2600
Service Pack - 2.0
Location - C:\Windows
PID - 55274-645-5919031-23575
Hot Fix - KB893803

Memory [RAM]: Capacity - 1 GB

Processor - AMD Athlon [tm] XP 2400+
Speed - 1999 MHz

Local Disk Total Capacity: 76.68 GB
Sum of Hard Disks: [C]
Used: 11.16 GB: Free: 65.51 GB


Security Information

AVG 7.0 Professional.
Ewido Security Suite.
Process Guard.
Windows KB.
Ad-Aware SE Personal.
Spybot S&D
Spyware Blaster.
Spyware Guard.
Port Explorer.
Super Winspy
Registry Mechanic.
Crap Cleaner.



I believe that I have an adaquate security portfolio but recently something called Sgrunt has slipped through the net.

I am seeing a red Sgrunt alarm when I scan with Spybot S&D. Spybot also reveals other ‘problems’. Please see the Spybot search result list below.

After I have scanned with Spybot, I tick each problem for ‘fix and removal’, and when asked if I want to fix the selected problems, I click ‘YES’.

I then receive this script –

>Some problems cannot be fixed because associated files are still in use [memory] They can be fixed after a restart. May Spybot S&D run on next system startup ?<

I click ‘YES’ and eleven problems are fixed. One problem cannot be fixed. It is the Log. Spybot reports, CONGRATRULATIONS, NO IMMEDIATE THREATS’

To make sure that Sgrunt has gone, I immediately scan again with Spybot S&D, and Sgrunt is still there. It appears as soon as the scan starts, within a split second of it starting.

I have run each security programme in Safe Mode. Only Spybot finds something – Sgrunt. The others find nothing. I downloaded and ran Ewido Security Suite because I thought that it might discover and remove Sgrunt, but it didn’t.

Because Spybot gives an ‘all clear’ when it has run after a system restart, and then shouts ‘Sgrunt’ a millisecond after an ordinary scan is started, I’m wondering if Spybot is crying ‘Wolf’. Is Sgrunt really there ?

My computer runs with no apparent discomfort. It is not slow and there are no popups. However, I went into the internet and looked for Sgrunt. The few Sgrunt sites were in the Italian language. I went into one to see what was going on and I got an immediate reply – I was asked why I did not want Sgrunt. There was a space for my email address !! Of course I didn’t bite.

A friend tells me that Sgrunt is suspected of being a dialler.

Is Sgrunt something to cause alarm, or should I put it on the Spybot S&D ignore list ?

Common Dialogs
MS Office 9.0
and - Sgrunt


--- Search result list ---

Common Dialogs: History (3 files) (Registry key, nothing done)

MS Office 9.0: Recently used files (19 files) (Directory, nothing done)
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\


Log: Activity: SchedLgU.Txt (Backup file, nothing done)

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)


Cookie: Cookie (4) (Cookie, nothing done)


Cache: Cache (340) (Cache, nothing done)


Sgrunt: Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sgrunt.biz

Sgrunt: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sgrunt.biz

Sgrunt: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sgrunt.biz

Sgrunt: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1659004503-776561741-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sgrunt.biz

Sgrunt: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sgrunt.biz

Yours sincerely,


BC AdBot (Login to Remove)


#2 tg1911


    Lord Spam Magnet

  • Members
  • 19,274 posts
  • Gender:Male
  • Location:SW Louisiana
  • Local time:11:34 PM

Posted 16 August 2005 - 11:46 PM

Possible false positive;

If you have any doubts, post a HJT log to be examined:
Read How to post a HijackThis Log.
Please read, and follow, all directions carefully.

Then, run a log, and post it in the HJT forum, at this link. Do not, fix anything, yet.
A member, of the HJT Team, will help you out.
It may take a while to get a response, because the HJT Team are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.

Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

Become a BleepingComputer fan: Facebook

#3 oldsoldier

  • Topic Starter

  • Members
  • 60 posts
  • Location:County Durham, UK
  • Local time:12:34 AM

Posted 17 August 2005 - 09:17 AM

I set out to post a HijackThisLog and got hopelessly lost.

All went well until the log was copied to the Windows clipboard and then I discovered that I could not reach the >Post your HijackThisLog at Bleeping Computer< link because I had copied the instructions to a New Microsoft Word Document and was working from there. I know now that I should have kept the BC page open.

So, I have the log, somewhere, and I cannot find it.

And I need to send the log to >Post your HijackThisLog at Bleeping Computer< and I do not know how to do it.

Should I start again, or can there be a salvage operation ?

One more question. I had saved the copied Bleeping Computer instructions to a Word document and was working from it to create the log. I realise now that I should have stayed at the Bleeping Computer page. Should all programmes, including security programmes, be switched off when the log is being created ?

I apologise for crass stupidity.


#4 Leurgy


    Voted most likely

  • Members
  • 3,831 posts
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:12:34 AM

Posted 17 August 2005 - 10:46 AM

It really doesn't matter what you have running when you make your log. Just run HiJack This again and click on Do a Scan and Save a log. Copy that log to the clipboard. Open this page at BC and click on New Topic. Paste your log into the New Topic page.

You may want to refer to this thread in your New Topic. Just copy and paste the link below into it.


Edited by Leurgy, 17 August 2005 - 10:47 AM.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslo

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool

#5 oldsoldier

  • Topic Starter

  • Members
  • 60 posts
  • Location:County Durham, UK
  • Local time:12:34 AM

Posted 22 August 2005 - 02:10 AM

I posted a HighJackThis log as advised. Yesterday I scanned three times with Spybot and Sgrunt was not there. It has disappeared.

#6 KoanYorel


    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:01:34 AM

Posted 22 August 2005 - 03:09 AM

I am in Pm with this member to sort this out.

Member has not posted an HJT log yet.

Topic is closed for now.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users