Another HJT log for review, plz!

Discussion in 'Windows - Virus and spyware problems' started by LR25, Feb 24, 2006.

  1. LR25

    LR25 Member

    Joined:
    Jan 13, 2005
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    16
    Greetings,

    I was hoping you professionals could review my HJT log and let me know what you think. Thanks in advance:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:00:33 PM, on 2/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\HandSpring\Hotsync.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Chris\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\HandSpring\Hotsync.exe
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1114887927984
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
     
  2. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Did you take your log in Safe Mode? (If you did, please post a new log, and this time take it in normal mode.)

    Your log is clean, but to ensure that it also stays clean in the future, get a firewall and install it.

    These are good firewalls:
    ZoneAlarm --> www.zonelabs.com
    Kerio --> http://www.sunbelt-software.com/Kerio.cfm
    Outpost --> http://www.agnitum.com

    Do you have Kaspersky antivirus software?

    Move HijackThis to a folder, C:\HJT.

    Disable Microsoft Antispyware before fixing.

    Open HijackThis and fix these entries: (Do a system scan only, check all entries, press Fix checked)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    These are unnecessary processes; fix the ones you don't need (with HijackThis). (These slow your machine down.)

    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\HandSpring\Hotsync.exe

    Enable Microsoft Antispyware.
     
    Last edited: Feb 25, 2006
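The reply above sorts the log into "fix these" and "optional" by hand. As an added example (not code from HijackThis, and not part of this thread), the script below does the same first pass mechanically: it parses HJT lines into section, CLSID, path and URL, and attaches review flags for the patterns a reviewer checks first (empty R0 values, "(no name)" entries, "(file missing)", services with an unknown owner, unresolved startup shortcuts, ActiveX downloads from hosts outside an allowlist, and Winlogon Notify DLLs). The sample lines are copied from the log posted above; the flag rules and the trusted-host list are this example's own assumptions, and a flag only means "look this up", not "malicious".

```python
"""First-pass triage of a HijackThis v1.99 log.

Added example, not code from HijackThis or from this thread. The rules
below are this example's own heuristics: they only sort lines into
"look at this first" and "probably fine"; a reviewer still has to look
up each flagged CLSID, path or host by hand.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Lines copied from the log posted above (a subset, one or two per section).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - Global Startup: Exif Launcher.lnk = ?
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Assumption for this example: hosts the poster evidently trusts for ActiveX
# downloads (O16). A real reviewer keeps and maintains their own list.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "trendmicro.com", "msn.com")

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
# Drive-letter path up to the first executable/library/shortcut/cab extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|lnk|cab)', re.IGNORECASE)


@dataclass
class Entry:
    section: str            # HJT section code, e.g. "O4"
    raw: str                # the original line, stripped
    clsid: Optional[str] = None
    path: Optional[str] = None
    url: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def _trusted_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def _flags_for(section: str, rest: str, url: Optional[str]) -> List[str]:
    """Heuristics a reviewer applies before looking anything up."""
    flags: List[str] = []
    if section in ("R0", "R1") and rest.rstrip().endswith("="):
        flags.append("empty-value")            # harmless; fix only to tidy up
    if "(no name)" in rest:
        flags.append("unnamed-entry")          # identify the CLSID/DLL by hand
    if "(file missing)" in rest:
        flags.append("file-missing")           # dangling reference; safe to fix
    if section == "O23" and "Unknown owner" in rest:
        flags.append("unknown-service-owner")  # service with no vendor string
    if section == "O4" and rest.rstrip().endswith("= ?"):
        flags.append("unresolved-shortcut")    # HJT could not resolve the .lnk
    if section == "O16" and url and not _trusted_host(urlparse(url).hostname or ""):
        flags.append("dpf-third-party")        # ActiveX from a non-allowlisted host
    if section == "O20":
        flags.append("winlogon-notify")        # DLL loaded into winlogon.exe
    return flags


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT line; returns None for headers, process lists, blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    clsid = CLSID_RE.search(rest)
    url = URL_RE.search(rest)
    path = PATH_RE.search(rest)
    entry = Entry(section=section, raw=line.strip(),
                  clsid=clsid.group(0) if clsid else None,
                  path=path.group(0) if path else None,
                  url=url.group(0) if url else None)
    entry.flags = _flags_for(section, rest, entry.url)
    return entry


def triage(log_text: str) -> List[Entry]:
    """All parsable entries, in log order, each with its review flags."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None]


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(triage(SAMPLE_LOG)):
        print(f"{e.section:<4} {','.join(e.flags):<24} {e.path or e.url or ''}")
```

Run against the full log above, the O4 autorun lines the reply lists come out unflagged: they are merely unnecessary, not suspicious, which is the distinction the reply is drawing, and the script leaves that judgement to the reader.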
  3. LR25
    Thanks for the reply. I took this log in NORMAL mode. In terms of firewall, Windows Firewall is running, and I have a router with its own firewall as well. I believe my router also came with ZoneAlarm for the comp; should I install that one? Yes, I do have Kaspersky Antivirus. Why should I move my HJT to that folder? I'm just curious. Also, those entries you say are not needed and should be fixed: I have read that some are needed, for example Adobe Gamma Loader; isn't that required for something to run properly on your computer? Thanks for your response and advice, though.
     
  4. JaPK
    You should install ZoneAlarm. It's better than the Windows firewall.
    Go here and download the latest version of ZoneAlarm.
    --> http://www.zonelabs.com
    You have to disable the Windows firewall when you have installed ZoneAlarm.

    HijackThis should always be installed in its own folder.
    Otherwise it may not be able to do backups.

    And those processes aren't system processes. I have checked them for you; you can choose what to fix. But if you need one, don't fix it.
    For example, that Gamma Loader is usually needed by some graphics professionals who want their monitor calibrated. Most home users will not need it.
     
    Last edited: Feb 25, 2006
  5. LR25
    Ah, OK, I understand. Thanks for the insight. ZoneAlarm was included on my router CD, but does that website offer it for free? If that's the case, I'll get the latest version of it from there. Thanks again.
     
    Last edited: Feb 25, 2006
  6. LR25
    Also, one more question. What exactly is the point of having two firewalls, for example Windows and the router's built-in firewall, or, in your suggestion, ZoneAlarm for Windows and the router's again?

    Thanks
     
  7. JaPK
    With a hardware and software firewall both installed, you'll get better security than with only a hardware or software firewall installed. You also get better inbound protection. You can set rules for individual programs, and if, for example, some malware program is trying to connect to the internet, ZoneAlarm will alert you and you can decide whether to let it connect or not.

    But the windows firewall is not recommended.

    The ZoneAlarm Free is a free firewall. :) Internet Security or Pro versions are not.

    You should download ZoneAlarm Free from the following link, because you probably have an old version on your CD.

    http://download.zonelabs.com/bin/free/1038_zl/zlsSetup_61_737_000_en.exe
     
    Last edited: Feb 25, 2006
  8. LR25
    OK, I am trying out ZoneAlarm as we speak. Is it normal for the program screen to be showing a consistently growing number of blocked inbound intrusions? It's like a timer continuing to count upwards. Is this normal?
     
  9. JaPK
    Go to the Alerts & Logs section in ZoneAlarm. What is the type of the alerts? Is it firewall or program? If program, what is the name of that program?
     
  10. LR25
    I have both FIREWALL and PROGRAM in the lists.
     
  11. LR25
    That number seems to be holding steady now at 359. I have a huge number of hits from one of my torrent programs; I guess it's normal?! On the overview page it says 0 of them are high-rated. I also see a few 'svchost.exe' on the PROGRAM list, not sure what this is.
     
  12. JaPK
    This svchost.exe is a system process. Have you set rules for your torrent program? You can set those in the Program Control section of ZA.
    If you have blocked its connections and you are using it, ZA will create those alerts.
     
    Last edited: Feb 26, 2006
  13. LR25
    Thanks for the info. Yes, I have set rules for the programs. Since the ZA install, any program that I would start that would normally access the internet, ZA would prompt me, telling me it was trying to access it and asking whether or not I wanted to allow it, so I selected yes for the programs that I know (like my torrent program). Is this what you mean by setting those programs? The torrent program, for example, is working fine. Still wondering about the blocked intrusions. Since the install yesterday it says I now have 840 blocked intrusions, with about 40 of them being high-rated. When I refer to Alerts & Logs, it appears that the ones with High labelled on them are normal programs like Microsoft AntiSpyware, Spybot S&D, etc., etc. I'm assuming this is normal? I mean, aside from this, the computer is running fine, internet activity is fast, torrents are downloading, etc.

    Thanks again for the info
     
  14. JaPK
    Yes, that is what I meant with those rules. I think that it is normal, and by the way, those are all BLOCKED... I myself have some high-rated entries in my log from normal programs... :)
     