Another HJT log for review, plz!
LR25
Junior Member
24. February 2006 @ 13:06
Greetings,

I was hoping you professionals could review my HJT log and let me know what you think. Thanks in advance:

Logfile of HijackThis v1.99.1
Scan saved at 4:00:33 PM, on 2/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HandSpring\Hotsync.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\HandSpring\Hotsync.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x8...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicr...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
Senior Member
25. February 2006 @ 01:21
Did you take your log in a Safe Mode? (If you did, please post a new log and this time take it in a normal mode)

Your log is clean, but to ensure that it also is clean in the future get a firewall and install it.

These are good firewalls:
ZoneAlarm --> www.zonelabs.com
Kerio--> http://www.sunbelt-software.com/Kerio.cfm
Outpost-> http://www.agnitum.com

Do you have Kaspersky antivirus software?

Move Hijack to a folder C:\HJT

Disable Microsoft Antispyware before fixing.

Open HijackThis and fix these entries: (Do a system scan only, check all entries, press Fix checked)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

These are unnecessary processes, fix what you don't need (with HijackThis): (these slow down your machine)

O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\HandSpring\Hotsync.exe

Enable Microsoft Antispyware.


I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.

This message has been edited since posting. Last time this message was edited on 25. February 2006 @ 02:06
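
An added example, not part of the thread or of HijackThis itself: a small Python triage pass over log lines in the format posted above, grouping entries by section code (R0, O2, O4, ...) and noting text cues a reviewer would verify by hand. The cue list and the function names are assumptions made for illustration; a cue is a prompt to look, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: seven entry lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# "<letter><digits> - <rest>" is the shape of every entry line in the log above.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Hypothetical reviewer checklist (an assumption of this example, not HijackThis
# output): text cues that mean "verify this entry by hand", not "malicious".
CUES = [
    (re.compile(r"\(file missing\)"), "target file missing"),
    (re.compile(r"Unknown owner"), "owner reported as unknown"),
    (re.compile(r"\(no name\)"), "no display name"),
    (re.compile(r"= \?$"), "shortcut target shown as ?"),
    (re.compile(r"=$"), "empty value"),
    (re.compile(r"\.\.\.$"), "value truncated in the post"),
]

def parse(log_text):
    """Group entry lines by section code: {code: [(body, [notes]), ...]}."""
    sections = defaultdict(list)
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, running-process path or blank line
        code, body = m.groups()
        notes = [note for rx, note in CUES if rx.search(body)]
        sections[code].append((body, notes))
    return dict(sections)

def needs_review(sections):
    """Flatten to (code, note) pairs for the entries that carry a cue."""
    return [(code, note) for code, items in sections.items()
            for _, notes in items for note in notes]

if __name__ == "__main__":
    for code, items in parse(SAMPLE_LOG).items():
        for body, notes in items:
            print(f"{code:<4}{'; '.join(notes) or '-':<30}{body[:60]}")
```

The "(no name)" cue fires on Spybot's own SDHelper.dll here, which is why each hit still needs a person to check the path and vendor before anything is fixed.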

LR25
Junior Member
25. February 2006 @ 08:00
Thanks for the reply. I took this log in NORMAL mode. In terms of firewall, Windows firewall is running, and I have a router with its own firewall as well. I believe my router also came with ZoneAlarm for the comp, should I install that one? Yes I do have Kaspersky Antivirus. Why should I move my HJT to that folder? I'm just curious. Also those entries you say are not needed and should be fixed, I have read that some are needed for example AdobeGammaloader, isn't that required for something to run properly on your computer? Thanks for your response and advice though.
Senior Member
25. February 2006 @ 08:30
You should install ZoneAlarm. It's better than windows' wall.
Go here and download the latest version of ZoneAlarm.
--> http://www.zonelabs.com
You have to disable windows wall when you have installed ZoneAlarm.

HijackThis should always be installed in an own folder.
Otherwise it may not be able to do backups.

And those processes aren't any system processes. I have checked them for you, you can choose what to fix. But If you need it, don't fix it.
For example that gammaloader is usually needed by some graphics professionals who want their monitor calibrated. Most home users will not need it.



This message has been edited since posting. Last time this message was edited on 25. February 2006 @ 08:30

LR25
Junior Member
25. February 2006 @ 09:23
Ah ok I understand. Thanks for the insight. Zonealarm was included on my router CD but does that website offer it for free? If that's the case I'll get the latest version of it from there? Thanks again.

This message has been edited since posting. Last time this message was edited on 25. February 2006 @ 09:23

LR25
Junior Member
25. February 2006 @ 09:26
Also, one more question. What exactly is the point of having 2 firewalls for example Windows and the routers built in firewall, or in your suggestion, Zonealarm for windows and the routers again.

Thanks
Senior Member
25. February 2006 @ 21:47
With a hardware and software firewall both installed, you'll get better security than with only hardware or software firewall installed. You also get better inbound protection. You can set rules for individual programs and if for example some malware program is trying to connect to the internet, ZoneAlarm will alert you and you can decide whether to let it connect or not.

But the windows firewall is not recommended.

The ZoneAlarm Free is a free firewall. :) Internet Security or Pro versions are not.

You should download ZoneAlarm Free from the following link because you probably have an old version on your CD.

http://download.zonelabs.com/bin/free/1038_zl/zlsSetup_61_737_000...


This message has been edited since posting. Last time this message was edited on 25. February 2006 @ 21:48

LR25
Junior Member
25. February 2006 @ 23:54
Ok, I am trying out Zonealarm as we speak. Is it normal for the program screen to be showing a consistent growing number of blocked inbound intrusions??? It's like a timer continuing to count upwards. Is this normal?
Senior Member
26. February 2006 @ 00:15
Go to the Alerts & Logs section in ZoneAlarm. What is the type of alerts? Is it firewall or program. If program, then what is the name of that program?

LR25
Junior Member
26. February 2006 @ 00:18
I have both FIREWALL and PROGRAM in the lists
LR25
Junior Member
26. February 2006 @ 00:22
That number seems to be holding steady now at 359. I have a huge number of hits from one of my Torrent programs, I guess it's normal?! On the overview page it says 0 of them are high rated. I also see a few 'svchost.exe' on the PROGRAM list, not sure what this is.
Senior Member
26. February 2006 @ 00:32
This svchost.exe is a system process. Have you set rules for your Torrent program? You can set those in Program Control section of ZA.
If you have blocked its connections and you are using it, the ZA will create those alerts.


This message has been edited since posting. Last time this message was edited on 26. February 2006 @ 00:33

LR25
Junior Member
26. February 2006 @ 12:52
Thanks for the info. Yes I have set rules for the programs, since ZA install, any program that I would start that would normally access the internet, ZA would prompt me telling me it was trying to access and whether or not I wanted to allow it, so I selected yes to the programs that I know (like my Torrent program), is this what you mean by setting those programs? The Torrent program for example is working fine. Still wondering about the blocked intrusions. Since install yesterday it says I now have 840 blocked intrusions with about 40 of them being high rated. When I refer to the Alerts & Logs it appears that the ones with High labelled on them are normal programs like Microsoft Antispyware, Spybot S&D, etc, etc. I'm assuming this is normal? I mean aside from this, the computer is running fine, internet activity is fast, Torrents are downloading, etc.

Thanks again for the info
Senior Member
27. February 2006 @ 03:56
Yes, that is what I meant with those rules. I think that it is normal and by the way, those are all BLOCKED... I myself have some high rated entries in my log from normal programs... :)
