Please Have a Look at HJT Log

Discussion in 'adware, spyware & hijack cleaning' started by simpleton, Nov 23, 2003.

Thread Status:
Not open for further replies.
  1. simpleton

    simpleton Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    25
    Location:
    Canada
    I am posting my friend's HijackThis log with the hope that one of you knowledgeable folks can tell me if you see anything that is suspect. She emailed me the log so I hope the format is readable.

    My friend reports no real problems with her computer, other than frequent disconnects which her provider (AOL) is presently looking into.

    We have run Ad-aware, Spybot Search & Destroy and CWShredder and no malware has been found thus far.

    I would very much appreciate any input on her log.

    Thanks in advance. :)

    Logfile of HijackThis v1.97.7
    Scan saved at 10:10:31 PM, on 11/23/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Documents and Settings\Judith\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1066229245890
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.642662037
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FA753E1-59DF-4A15-8120-4760FF2A50B5}: NameServer = 64.12.104.4
     
  2. BWMerlin

    BWMerlin Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    71
    Hi, these can be removed; they are optional but recommended.

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe
    SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
    -atboottime

    Other than those 2 I can't see anything wrong; others might have spotted something I missed.
     
  3. simpleton

    simpleton Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    25
    Location:
    Canada
    Thank you so much for your reply BWMerlin. I will have her remove those entries. Thank you for taking the time to look through this log. Much appreciated. :)
     
  4. BWMerlin

    BWMerlin Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    71
    No problem. Once she has removed them, can you get her to post a new log so we can make sure everything is gone?
     
  5. simpleton

    simpleton Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    25
    Location:
    Canada
    Will do! :)
     
  6. simpleton

    simpleton Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    25
    Location:
    Canada
    As you requested BWMerlin, here is the latest version of my friend's HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:56:31 PM, on 11/24/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Documents and Settings\Judith\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1066229245890
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.642662037
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FA753E1-59DF-4A15-8120-4760FF2A50B5}: NameServer = xxx.xxx.xxx.x

    I replaced her IP address with x's in this post.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi simpleton,

    That is a clean log. But if that was her IP you x-ed out, there is something wrong in her network settings. ;)
    It should list her DNS servers, which normally belong to the ISP.

    Regards,

    Pieter
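    The two checks this thread turns on, BWMerlin's "post a new log so we can make sure everything is gone" and Pieter's point that the O17 entry should hold the ISP's DNS servers, as an added Python example that is not part of the original thread and not code from HijackThis itself. It parses the HJT text format, rejoining entries that e-mail wrapping split across lines (the "C:\Program / Files\..." and "O17 - / HKLM\..." breaks visible in the pasted logs), reports which entries disappeared between two logs, confirms named O4 Run values are gone, and tags each O17 NameServer address against a resolver range you supply. The two sample logs are constructed, condensed from the ones posted above; the 64.12.0.0/16 range is an assumption standing in for whatever the provider actually publishes; and parse_hjt, diff_logs, still_present and check_nameservers are names chosen for this example. An "unexpected" tag is a question for the ISP, not a finding on its own.

```python
"""Added HijackThis (HJT) log triage: rejoin e-mail-wrapped entries, diff two
logs to confirm removed autoruns are gone, and classify O17 NameServer IPs."""
import ipaddress
import re

# An HJT item starts with its code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) -")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")   # "Running processes" lines are full paths

# Assumption for this example only: the provider's resolvers live in 64.12.0.0/16.
ISP_RANGES = ["64.12.0.0/16"]

# Constructed samples, condensed from this thread's logs, keeping the e-mail wrapping.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Judith\Local Settings\Temp\Temporary Directory 1
for hijackthis.zip\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 -
HKLM\System\CCS\Services\Tcpip\..\{3FA753E1-59DF-4A15-8120-4760FF2A50B5}: NameServer = 64.12.104.4
"""

LOG_AFTER = r"""Running processes:
C:\Documents and Settings\Judith\Local Settings\Temp\Temporary Directory 2
for hijackthis.zip\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O17 -
HKLM\System\CCS\Services\Tcpip\..\{3FA753E1-59DF-4A15-8120-4760FF2A50B5}: NameServer = xxx.xxx.xxx.x
"""

def parse_hjt(text):
    """Split a log into processes and items, rejoining lines that wrapping broke."""
    processes, entries, section = [], [], None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line == "Running processes:":
            section = "proc"
        elif section is None:
            continue                                   # header lines
        elif ENTRY_RE.match(line):
            section = "items"
            entries.append(line)
        elif section == "proc" and PROCESS_RE.match(line):
            processes.append(line)
        elif section == "proc" and processes:
            processes[-1] += " " + line                # wrapped process path
        elif entries:
            entries[-1] += " " + line                  # wrapped item
    return {"processes": processes, "entries": entries}

def _key(item):
    return re.sub(r"\s+", "", item).lower()   # wrapping- and case-insensitive

def diff_logs(before_text, after_text):
    """(entries gone since the first log, entries new in the second)."""
    before = {_key(e): e for e in parse_hjt(before_text)["entries"]}
    after = {_key(e): e for e in parse_hjt(after_text)["entries"]}
    return ([v for k, v in before.items() if k not in after],
            [v for k, v in after.items() if k not in before])

def still_present(text, run_names):
    """Names of O4 Run values (e.g. 'RealTray') that are still in the log."""
    entries = parse_hjt(text)["entries"]
    return [n for n in run_names
            if any(e.startswith("O4") and f"[{n}]" in e for e in entries)]

def check_nameservers(text, isp_ranges):
    """Tag each O17 NameServer IP: 'isp', 'private' (RFC 1918/loopback),
    'unparseable' (redacted/malformed) or 'unexpected' (ask the ISP)."""
    nets = [ipaddress.ip_network(r) for r in isp_ranges]
    results = []
    for entry in parse_hjt(text)["entries"]:
        m = re.search(r"^O17 .*NameServer\s*=\s*(\S.*)$", entry)
        if not m:
            continue
        for addr in re.split(r"[,\s]+", m.group(1).strip()):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                results.append((addr, "unparseable"))
                continue
            if any(ip in n for n in nets):
                verdict = "isp"
            elif ip.is_private or ip.is_loopback:
                verdict = "private"
            else:
                verdict = "unexpected"
            results.append((addr, verdict))
    return results
```

    Calling diff_logs(LOG_BEFORE, LOG_AFTER) lists the RealTray, QuickTime Task and MSMSGS autoruns as gone, still_present(LOG_AFTER, ["RealTray", "QuickTime Task"]) comes back empty, and check_nameservers tags 64.12.104.4 as "isp" under the assumed range but the x'd-out value as "unparseable", which is why the redacted second log cannot settle the question Pieter raised. Comparing on a whitespace-stripped, lowercased key is what keeps two pastes of the same log from showing spurious differences when they wrap at different columns.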
     
  8. simpleton

    simpleton Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    25
    Location:
    Canada
    Hi Pieter,

    Thanks very much for looking at the log. Much appreciated.

    In all honesty, I can't be sure that was her IP address. All I can say for certain is that the IP address looked familiar. It might just have been in the same range as her IP address and I falsely assumed it was her address.

    If it was her IP address, could this explain why she is experiencing frequent disconnects?

    I would very much appreciate any further input you could provide, and in the meantime I will get her to run another HijackThis log and find out for sure if that was indeed her IP address. Thank you for catching that! :)
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi simpleton,

    Both the QuickTime and the RealPlayer entries that BWMerlin pointed out can contact the internet and could even cause disconnects if there is some conflict.

    The IP address for the name servers should not be able to influence that. At worst she could get a lot of "page not found (404)" errors if these were not filled out as advised by the ISP.

    Regards,

    Pieter
     
  10. simpleton

    simpleton Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    25
    Location:
    Canada
    Hi Pieter,

    As far as I know, she is not getting a lot of "page not found" errors but I will be sure to ask her about this.

    I have a feeling that IP address I removed was not her IP address. The more I think about it, the more it doesn't make sense that it would be. I will still confirm this with her though just to try to tackle as much as I can for her at this point.

    I will also ask her if the disconnects have ceased after she removed those entries that BWMerlin recommended.

    Thanks so much for your input! :)
     