HijackThis Log

kristof007

Member
May 20, 2004
120
0
0
Logfile of HijackThis v1.99.1
Scan saved at 1:46:55 AM, on 8/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\system32\ZONELABS\vsmon.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Microsoft Hardware\Keyboard\type32.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\Mozilla Firefox\firefox.exe
H:\Kristof\Program Installers\HijackThis.exe

O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - F:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-781cd0e19f00} - f:\program files\steganos internet anonym pro 7\siapro7iep.dll
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Setup experation] F:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [C-Media Speaker Configuration] \Setup.exe /SPEAKER
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Download All by FlashGet - F:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda...86/client/wuweb_site.cab?1122716224062
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...l.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O20 - Winlogon Notify: WB - F:\Program Files\AlienGUIse\fastload.dll
O21 - SSODL: IntegrityChecker - {A8C9330E-B745-4EA2-9B1D-8155E1F52F18} - F:\WINDOWS\System32\mstepsnd.dll
O21 - SSODL: IntegrityMonitor - {5E499B4E-AC2F-425F-A929-6EB04D92FB49} - F:\WINDOWS\System32\mspb2bin.rom
O21 - SSODL: MSSQLMonitor - {CE6C143D-E354-4690-A67C-59C8E9C8D160} - F:\WINDOWS\System32\wpdmroxy.dll
O21 - SSODL: MSTskMgr32 - {05345F46-C9C3-4B19-A5E8-46B4EC580691} - F:\WINDOWS\System32\adptmcpl.dll
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZONELABS\vsmon.exe

 

Slikkster

Diamond Member
Apr 29, 2000
3,141
0
0
Nothing really jumps out at me. Looks like you have redundant spyware checking going on. FlashGet is a download manager, I believe. The "Wildtangent" thing is sometimes considered spyware, but it may also be necessary to play your online Flash games. I'm sure your spyware detectors would have flagged it if they thought it was something that needed to be deleted.

Are you actually having problems, or were you just curious to see if your system was clean?
 

kristof007

I have one problem. When Windows starts up it says a program cannot start because it can't find a .dll file. I believe what happened was that the program was spyware but it didn't get cleaned from the registry. Once the computer starts, though, and I click OK to that message, it's all good.

@boomerang: Wow, I checked them out and those sites are awesome. Is there any way you can update their database? Steganos, an Internet anonymizer, is actually a legit program. But whatever happens, thanks for the help!
 

kristof007

Paste THIS my friends. All clean. Thanks for the help! The latter of the two helped out a lot. I can recommend HijackThis.de to everybody!

Logfile of HijackThis v1.99.1
Scan saved at 10:47:54 AM, on 8/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\system32\ZONELABS\vsmon.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Microsoft Hardware\Keyboard\type32.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\AIM\aim.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\WINDOWS\System32\wuauclt.exe
H:\Kristof\Program Installers\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - F:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [C-Media Speaker Configuration] \Setup.exe /SPEAKER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Download All by FlashGet - F:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda...86/client/wuweb_site.cab?1122716224062
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...l.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZONELABS\vsmon.exe

 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
FWIW, it's my understanding that it's preferable to have HijackThis installed in its own directory on the root directory where your OS is located - in your case, on your F drive. Just make a directory, e.g.: F:\HFT, put the zipped file there and unzip it to the same directory. I don't know if this really makes a difference, but just passing it on...
 

Medea

BTW, welcome to AnandTech! Also, there's a typo in my post. Should be: "Just make a directory, e.g.: F:\HJT" (short for HijackThis). However, you can name the directory whatever you prefer.

Anyway, glad HijackThis.de was able to help you out. Castlecops is another forum where there's a separate section for HijackThis logs. You can post your log, and someone from the site with expertise in HijackThis will analyze your log for you and post his analysis of your log along with instructions for what you need to do.
 

kristof007

Thank you for the welcome. I've been around AnandTech for a while; I just haven't stumbled across the great community in the forums yet. I feel very much at home thanks to cool guys like yourself!

I think the HijackThis log is fine now since I've corrected everything I wanted. Some stuff gets restored, however, even after I turn System Restore off. They are the empty keys so I don't really care, but it's rather curious! Here they are:

O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - (no file)
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} -

Any ideas?
 

Slikkster

This is why you can't just trust anything outright. You need to do your own investigating. If you google just the numbers within the brackets of these reappearing entries, you'll see they refer to:

SnagIt
Spyware Doctor (or some similar)
WS_FTP
And some program you downloaded from MadOnion, probably a benchmark program.

So, it's always a good idea to not take anything these helper applications like hijackthis.de or help2go say without double-checking yourself.
HijackThis is a "dumb" program, meaning it doesn't make any evaluations of what it finds. It just shows you what's there. It's up to you to research what needs to be deleted.

By the way, you also deleted references to your Avast antivirus program (because it said "no file"). So, you now have no email scanner component and no web scanner component. I would think about reinstalling Avast so everything's up to speed. (Note your original log for entries from "Alwil Software".)
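
The check described in the post above, as an added example that is not part of any post in this thread: it parses HijackThis entry lines and separates orphaned entries that sit in the same directory as a still-installed product from bare CLSIDs that need a lookup. The sample lines are excerpted from the first log in the thread; the function names and verdict strings are hypothetical.

```python
import re
from ntpath import dirname  # Windows path rules on any OS

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|ocx)", re.I)
# "(no file)", "(file missing)" or an empty trailing field mark an orphan.
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$|-\s*$")

# Sample input: four lines excerpted from the first log posted in the thread.
BEFORE = r"""
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - (no file)
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

def parse(log):
    """Return one dict per 'Onn - type: ...' entry line of a HijackThis log."""
    out = []
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        clsid, path = CLSID.search(m[3]), PATH.search(m[3])
        out.append({"line": line, "section": m[1],
                    "clsid": clsid[0].upper() if clsid else None,
                    "dir": dirname(path[0]).lower() if path else None,
                    "orphan": bool(ORPHAN.search(m[3]))})
    return out

def triage(log):
    """Classify orphaned entries instead of treating them all as safe to fix."""
    entries = parse(log)
    live_dirs = {e["dir"] for e in entries if e["dir"] and not e["orphan"]}
    result = []
    for e in (e for e in entries if e["orphan"]):
        if e["dir"] in live_dirs:
            verdict = "installed product: repair, don't delete"
        elif e["clsid"]:
            verdict = "look up CLSID " + e["clsid"]
        else:
            verdict = "research manually"
        result.append((verdict, e["line"]))
    return result
```

Directories are compared as written, so an entry logged with a short 8.3 path (`F:\PROGRA~1\ALWILS~1\Avast4`) will not match the long form of the same directory.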
 

kristof007

Wow. The wisdom of a true AnandTecher. Thanks. I will take my log over to the guys @ CastleCops and get an opinion there and reinstall Avast. Get back to you when I have done anything and see how my log is. By the way, I don't use the e-mail scanner at all because I use Hotmail on the web. Do I still need those 2 features?
 

Slikkster

I don't know what the "Web" service component is of Avast, and if you don't use the email scanner, no, you don't need it. But I would prefer to toggle it off in software, vs. a registry setting, which is what HijackThis did. That's why I would reinstall it on top of itself, just to make sure it has all the proper settings in place. Then, if you don't want that feature to run, turn it off in Avast itself.

Short of doing that, you can go into Avast and try toggling ON the email scanner and the Web scanner, and see if it says it's ON. This may replace the registry settings. Then, just turn them off again.

You can use Hotmail via Outlook Express, if you've had the account long enough. New users don't have that capability, I believe. So, I use Outlook Express at home for Hotmail, and the web-based version when I'm away from home. If you use OE, you'd want the email scanner in place. If you only use the web-based version, it's a non-issue because Hotmail's web interface scans all attachments.
 

kristof007

I use the website to check my Hotmail. True, it's a few extra steps, but Outlook is very sluggish for me and I just don't like it much. Hotmail on the web works and it's fine for that. I will reinstall Avast sooner than later and turn off the e-mail and web scanner. Get back to you when I am done with it so we can see what HijackThis says about it.