Author Topic: Is this a clean HJT log ?  (Read 9921 times)

parachutestx

  • Guest
Is this a clean HJT log ?
« on: December 06, 2004, 09:36:38 PM »
I get paranoid sometimes so..... ::)


Logfile of HijackThis v1.98.2
Scan saved at 2:34:06 PM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Documents and Settings\user\Desktop\Programs\HijackThis19802.exe

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

Staind

  • Guest
Re:Is this a clean HJT log ?
« Reply #1 on: December 06, 2004, 09:51:22 PM »
Briefly looking over it, it looks pretty clean.

lee16

  • Guest
Re:Is this a clean HJT log ?
« Reply #2 on: December 06, 2004, 09:56:25 PM »
Depends on how clean you want it. There is no malware in there, if that's what you wanted to know; however:

These are not needed to load at start-up. They are not harmful, but fixing them will improve PC boot-up time:

o4 - hklm\..\run: [coolswitch] c:\windows\system32\taskswitch.exe
o4 - hklm\..\run: [powermenu] "%systemroot%\system32\powermenu.exe" -hideself on
o4 - hklm\..\run: [winampagent] c:\program files\winamp\winampa.exe
o4 - hkcu\..\run: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
o4 - global startup: america online 7.0 tray icon.lnk = c:\program files\america online 7.0\aoltray.exe

--lee
« Last Edit: December 06, 2004, 09:58:03 PM by lee16 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re:Is this a clean HJT log ?
« Reply #3 on: December 06, 2004, 10:03:19 PM »
Why don't you use Eddy's HJT Analyzer?  8)
http://212.204.166.18/download/hjt10.003.exe
The best things in life are free.

parachutestx

  • Guest
Re:Is this a clean HJT log ?
« Reply #4 on: December 06, 2004, 10:21:04 PM »
If I press fix, these won't be permanently deleted, right?

lee16

  • Guest
Re:Is this a clean HJT log ?
« Reply #5 on: December 06, 2004, 10:27:38 PM »
HijackThis usually creates backups of what you 'fix'.

If you want them back, simply open HijackThis, click Config, then go to Backups, then choose what you want to restore (see below).

--lee

parachutestx

  • Guest
Re:Is this a clean HJT log ?
« Reply #6 on: December 07, 2004, 12:22:54 AM »
Do have one question though.

What's this?
O17 - HKLM\System\CCS\Services\Tcpip\..\{87CC4FA1-CD45-44BD-8078-21E0F44E5DB1}: NameServer = 205.188.146.146

inthewildteam

  • Guest
Re:Is this a clean HJT log ?
« Reply #7 on: December 07, 2004, 02:08:23 AM »
Do have one question though.

What's this?
O17 - HKLM\System\CCS\Services\Tcpip\..\{87CC4FA1-CD45-44BD-8078-21E0F44E5DB1}: NameServer = 205.188.146.146

AOL
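An added example, written here for this thread rather than taken from it or from HijackThis: a small Python parser for the O4 and O17 lines discussed above that flags autostart entries outside the usual program directories and any NameServer not in a resolver allowlist you supply. The sample log reuses lines from the posted log plus one constructed Temp entry; the trusted-prefix list and the heuristics are my assumptions, not HJT's own rules.

```python
import re
from typing import List, NamedTuple, Optional, Set
# One parsed HJT line: section (O4 autostart / O17 DNS), registry location, [Name] (None for O17), exe path or NameServer list.
Entry = NamedTuple('Entry', [('section', str), ('location', str), ('name', Optional[str]), ('target', str)])
O4_RE = re.compile(r'^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$')
O17_RE = re.compile(r'^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$')
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\', '%systemroot%\\')  # assumption

def _exe_from_command(cmd: str) -> str:
    """Extract the executable path from an O4 command (quoted, unquoted, or '.lnk = target')."""
    if '.lnk = ' in cmd.lower():
        cmd = cmd.split(' = ', 1)[1]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def parse_hjt(text: str) -> List[Entry]:
    """Parse the O4 and O17 lines of a HijackThis log; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        if (m := O4_RE.match(line)):
            entries.append(Entry('O4', m['where'], m['name'], _exe_from_command(m['cmd'])))
        elif (m := O17_RE.match(line)):
            entries.append(Entry('O17', m['key'], None, m['servers'].replace(' ', '')))
    return entries

def triage(entries: List[Entry], expected_nameservers: Set[str]) -> List[str]:
    """Flag autostarts outside the usual program directories and DNS servers the user did not expect."""
    findings = []
    for e in entries:
        if e.section == 'O4':
            exe = e.target.lower()
            if '\\' not in exe:
                findings.append(f'O4 [{e.name}]: bare filename {e.target!r}, resolved via the search path')
            elif not exe.startswith(TRUSTED_PREFIXES):
                findings.append(f'O4 [{e.name}]: runs from unusual location {e.target!r}')
        else:
            for ip in e.target.split(','):
                if ip not in expected_nameservers:
                    findings.append(f'O17 {e.location}: NameServer {ip} is not an expected resolver')
    return findings
# Sample input: lines copied from the log posted in this thread, plus one constructed Temp entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - HKCU\..\Run: [ConstructedExample] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{87CC4FA1-CD45-44BD-8078-21E0F44E5DB1}: NameServer = 205.188.146.146
"""
```

Run `triage(parse_hjt(SAMPLE_LOG), {'205.188.146.146'})` to see the two findings for the sample; pass an empty set to have the AOL resolver reported as well.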

parachutestx

  • Guest
Re:Is this a clean HJT log ?
« Reply #8 on: December 07, 2004, 02:21:37 AM »
Is AOL a potential comp killer? 'Cause I have 7.0 on mine and it works fine.

My mom has Windows 98 and tried to install 9.0 optimized, and it wrecked her system and it had to be reloaded....


Offline SUSZANNAH

  • Avast Evangelist
  • Super Poster
  • Posts: 1954
  • There We Are Then
Re:Is this a clean HJT log ?
« Reply #9 on: December 07, 2004, 02:28:15 AM »
Hi, don't know if this is any help, but I tried AOL 9 when I was running 98; it caused me mega problems, had to have the PC reformatted and installed Win ME. Now 9 works like a charm  :)

CharleyO

  • Guest
Re:Is this a clean HJT log ?
« Reply #10 on: December 07, 2004, 05:33:55 AM »
*

If you do nothing else, turn off Messenger. This is not the IM program. It is an open back door for popups and possible malware intrusion.

*

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Is this a clean HJT log ?
« Reply #11 on: December 07, 2004, 01:44:56 PM »
See the HijackThis section at http://212.204.166.18/
(also have a look at the malware removal section)

parachutestx

  • Guest
Re:Is this a clean HJT log ?
« Reply #12 on: December 07, 2004, 09:14:01 PM »
CharleyO

What do you mean this isn't related to the messenger? I went ahead and removed them with HJT, but what exactly are they?

And here's a new log:

Logfile of HijackThis v1.98.2
Scan saved at 2:12:24 PM, on 12/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Winamp\Winamp.exe
C:\Documents and Settings\user\Desktop\Programs\HijackThis19802.exe

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

« Last Edit: December 07, 2004, 09:18:33 PM by parachutestx »

CharleyO

  • Guest
Re:Is this a clean HJT log ?
« Reply #13 on: December 10, 2004, 11:12:34 AM »
*

Sorry for the delay in a reply. Messenger was originally for use on intranets ... or local nets as if you have one or more computers connected at home. It was so that intranet administrators could send messages from one computer (or a mainframe with work stations connected) to another. But hackers, malware writers, and pop-up users learnt how to use this to get into individual computers.

To find out if this is active on your computer, go to My Computer and double click on Add/Remove. Now click on the Windows Setup tab and scroll down the list to System Tools. Double click on System Tools to open its box. Scroll down the list to the bottom, where you will find either WinPopup or Messenger ... depending on your OS. If the checkbox to the left is checkmarked, click the checkbox once to remove the checkmark. This will disable the service and close an open back door.

The above has nothing to do with Instant Message programs which are a completely different set of programs.

*

whocares

  • Guest
Re:Is this a clean HJT log ?
« Reply #14 on: December 10, 2004, 11:31:42 AM »
CharleyO,


huh ?   ???

What does this have to do with what you see in the HJT log?

I'd say the above entries:
C:\Program Files\Messenger\msmsgs.exe
--> http://sysinfo.org/startuplist.php?submit=&filter=msmsgs.exe
&
[msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
are indeed for instant messaging.

What you mean can maybe be fixed the way you state on XP, but imho it's based on:
C:\WINNT\System32\services.exe (w2k) or
\svchost.exe -k netsvcs (on XP):

Some (German) screenshots:
http://www.trojaner-info.de/nachrichtendienst/index.html

???
« Last Edit: December 10, 2004, 11:54:53 AM by whocares »