#1
I am posting my friend's HijackThis log with the hope that one of you knowledgeable folks can tell me if you see anything that is suspect. She emailed me the log so I hope the format is readable.
My friend reports no real problems with her computer, other than frequent disconnects which her provider (AOL) is presently looking into. We have run Ad-aware, Spybot Search & Destroy and CWShredder and no malware has been found thus far. I would very much appreciate any input on her log. Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 10:10:31 PM, on 11/23/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\wanmpsvc.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Judith\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1066229245890
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.642662037
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FA753E1-59DF-4A15-8120-4760FF2A50B5}: NameServer = 64.12.104.4

#2

Hi, these can be removed; they are optional but recommended:

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Other than those 2 I can't see anything wrong; others might have spotted something I missed.

#3

Thank you so much for your reply BWMerlin. I will have her remove those entries. Thank you for taking the time to look through this log. Much appreciated.

#4

No problem. Once she has removed them, can you get her to post a new log so we can make sure everything is gone?

#5

|
Will do!

#6

As you requested BWMerlin, here is the latest version of my friend's HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 6:56:31 PM, on 11/24/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\aoltray.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Judith\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1066229245890
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.642662037
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FA753E1-59DF-4A15-8120-4760FF2A50B5}: NameServer = xxx.xxx.xxx.x

I replaced her IP address with x's in this post.

#7

Hi simpleton,
That is a clean log. But if that was her IP you x-ed out, there is something wrong in her network settings. It should list her DNS servers, which normally belong to the ISP. Regards, Pieter
__________________
Regards, Pieter. It's nice to be important, but it's more important to be nice. Remove & Prevent spyware. It's human to make mistakes. It's even more so to blame the computer for it.

#8

Hi Pieter,
Thanks very much for looking at the log. Much appreciated. In all honesty, I can't be sure that was her IP address. All I can say for certain is that the IP address looked familiar. It might just have been in the same range as her IP address and I falsely assumed it was her address. If it was her IP address, could this explain why she is experiencing frequent disconnects? I would very much appreciate any further input you could provide and in the meantime, I will get her to run another HijackThis log and find out for sure if that was indeed her IP address. Thank you for catching that!

#9

Hi simpleton,
Both the Quicktime player and the Real player that BWMerlin pointed out can contact the internet and could even cause disconnects, if there is some conflict. The IP address for the name servers should not be able to influence that. At worst she could get a lot of "page not found (404)" errors if these were not filled out as advised by the ISP. Regards, Pieter
__________________
Regards, Pieter. It's nice to be important, but it's more important to be nice. Remove & Prevent spyware. It's human to make mistakes. It's even more so to blame the computer for it.
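The checks made by hand in posts #2, #7 and #9 (spot the optional O4 startup items, and confirm that the O17 NameServer value is one of the ISP's resolvers) can be scripted. The following is an added example written for this thread, not code from HijackThis or from any of the posters. It parses the one-entry-per-line HijackThis format, pulls out the O4 Run-key commands and the O17 name servers, and reports the items worth a second look. The sample lines are copied from the first log posted above; the expected-resolver address 203.0.113.53 is a documentation-range placeholder standing in for whatever the ISP actually told the user to use, and the "not an IP literal" branch handles the x-ed-out value from the second log.

```python
"""Parse a HijackThis (v1.9x) log and flag entries worth a second look.

Added example for this thread; not code from HijackThis or from the posters.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the first log posted in
# this thread. HijackThis writes one entry per line as "<kind> - <body>".
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 10:10:31 PM, on 11/23/2003
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FA753E1-59DF-4A15-8120-4760FF2A50B5}: NameServer = 64.12.104.4
"""

# Startup items BWMerlin called optional in post #2 (matched by their [name]).
OPTIONAL_STARTUP = ("RealTray", "QuickTime Task")

# Assumption for this example: the resolvers the ISP told the user to use.
# 203.0.113.53 is a documentation-range placeholder, not AOL's real DNS.
EXPECTED_DNS = ("203.0.113.53",)

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")


@dataclass(frozen=True)
class Entry:
    kind: str   # R0, O2, O4, O17, ...
    body: str   # everything after "<kind> - "


def parse_hjt(text):
    """Return the typed entries of a log; header lines and process paths are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def startup_commands(entries):
    """(name, command) for each O4 Run-key entry, in log order (Global Startup .lnk entries are left alone)."""
    out = []
    for e in entries:
        if e.kind != "O4":
            continue
        m = RUN_RE.match(e.body)
        if m:
            out.append((m.group("name"), m.group("cmd")))
    return out


def nameservers(entries):
    """Raw NameServer values from O17 entries (several servers are comma-separated)."""
    out = []
    for e in entries:
        if e.kind != "O17":
            continue
        m = NS_RE.search(e.body)
        if m:
            out.extend(s for s in re.split(r"[,\s]+", m.group("servers")) if s)
    return out


def review(entries, optional_startup=OPTIONAL_STARTUP, expected_dns=EXPECTED_DNS):
    """Findings as (category, subject, detail) tuples, in log order."""
    findings = []
    optional = {n.lower() for n in optional_startup}
    for name, cmd in startup_commands(entries):
        if name.lower() in optional:
            findings.append(("optional-startup", name, cmd))
    expected = {ipaddress.ip_address(a) for a in expected_dns}
    for raw in nameservers(entries):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # e.g. the "xxx.xxx.xxx.x" redaction in the second log above
            findings.append(("dns-unparseable", raw, "NameServer is not an IP literal"))
            continue
        if addr not in expected:
            findings.append(("dns-unexpected", raw, "not one of the ISP's resolvers"))
    return findings


if __name__ == "__main__":
    for category, subject, detail in review(parse_hjt(SAMPLE_LOG)):
        print(f"{category:18} {subject:15} {detail}")
```

Run as-is it reports the two optional startup items and the 64.12.104.4 name server as not matching the placeholder resolver list; feeding it the ISP's real resolver addresses instead is what turns the O17 check into a meaningful one, since a name server outside that list is exactly the condition Pieter describes.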

#10

Hi Pieter,
As far as I know, she is not getting a lot of "page not found" errors but I will be sure to ask her about this. I have a feeling that IP address I removed was not her IP address. The more I think about it, the more it doesn't make sense that it would be. I will still confirm this with her though just to try to tackle as much as I can for her at this point. I will also ask her if the disconnects have ceased after she removed those entries that BWMerlin recommended. Thanks so much for your input!