Could you please review my Hijack-This log?

Craig18 (New)
edited July 2007 in Spyware & Virus Removal
I just want to feel comfortable that my computer is clean. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 19:51:26, on 03/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182709046911
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182710875686
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Comments

  • edited July 2007
    Hi,

    Welcome to the Icrontic Malware Removal Forum.

    I'm checking your log, so please be patient.

    As we work together to resolve your problem please read the instructions carefully. You may wish to print them off or copy them into Notepad.
    If you have a question, please don't hesitate to ask.
    The instructions I give are specific to your current problem and should not be used on other systems.
    Post your replies to this thread.
  • edited July 2007
    http://icrontic.com/forum/showthread.php?p=543123&posted=1#post543123

    ========

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    =========

    Please download Deckard's System Scanner to your Desktop


    * Close all applications and windows.
    * Double-click on Dss.exe to run it, and follow the prompts.
    * The scan may take a minute. When the scan is complete, two text files will open: Main.txt and Extra.txt.

    Please post Main.txt and Extra.txt
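As an added example (not HijackThis or Deckard's code, and not part of this thread), the script below parses the O2/O4/O20/O23 lines of a HijackThis 1.99 log, picks out the "(no file)" BHO registration that the helper asks to fix, and applies one extra defender heuristic the thread does not use: flag any autostart whose image lives outside the Windows or Program Files trees. The sample lines are copied from the log above, plus one constructed suspicious entry (the `updater` Run key under Temp) that is not in Craig18's log; the `report` and `image_path` names are this example's own.

```python
"""Minimal HijackThis v1.99 log triage helper (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Lines copied from the thread's log, plus ONE constructed line (last) that is
# NOT in the original log, added so the heuristic below has something to flag.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Paul\Local Settings\Temp\updater.exe
"""

# One pattern per HijackThis section we care about. Field names are ours.
SECTION_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - ")
LINE_PATTERNS = (
    re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$"),
    re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<command>.*)$"),
    re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
    re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<name>[^)]*)\) - (?P<vendor>.*?) - (?P<path>.*)$"),
)
# First executable/DLL path in a command line, with surrounding quotes stripped.
EXEC_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|cpl|scr))"?', re.IGNORECASE)
# Both the long and the 8.3 short form of Program Files count as "system" here.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    section: str   # e.g. "O2", "O4"
    fields: dict   # named groups from the matching pattern, or {} if none matched
    raw: str


def parse_log(text):
    """Turn the HijackThis section lines into Entry objects; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        fields = {}
        for pat in LINE_PATTERNS:
            pm = pat.match(line)
            if pm:
                fields = pm.groupdict()
                break
        entries.append(Entry(m.group(1), fields, line))
    return entries


def find_orphaned_bhos(entries):
    """BHO CLSIDs still registered but whose DLL is gone; HijackThis prints '(no file)'.
    They load nothing, which is why the thread simply removes them with 'Fix Checked'."""
    return [e for e in entries if e.section == "O2" and e.fields.get("path") == "(no file)"]


def image_path(entry):
    """Extract the executable/DLL path from an autostart or service entry (None if absent)."""
    text = entry.fields.get("path") or entry.fields.get("command") or ""
    m = EXEC_RE.match(text)
    return m.group("path") if m else None


def autostarts_outside_system_dirs(entries):
    """Heuristic (ours, not HijackThis'): autostarts, Winlogon hooks and services whose
    image sits outside the Windows / Program Files trees, e.g. in a profile or Temp folder."""
    flagged = []
    for e in entries:
        if e.section not in ("O4", "O20", "O23"):
            continue
        p = image_path(e)
        if p and not p.lower().startswith(SYSTEM_PREFIXES):
            flagged.append(e)
    return flagged


def report(text):
    """Summarise a log: entry count, orphaned BHO CLSIDs and names of flagged autostarts."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "orphaned_bhos": [e.fields["clsid"] for e in find_orphaned_bhos(entries)],
        "outside_system_dirs": [e.fields.get("name") for e in autostarts_outside_system_dirs(entries)],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a saved `hijackthis.log` by reading the file into `report()`; on the constructed sample it lists the single `(no file)` CLSID from the thread and the one autostart launching from a Temp folder. A hit from the second check is only a prompt to look closer, not a verdict: legitimate software is sometimes installed under a user profile, which is why this kind of line is posted to a forum for review rather than fixed blindly.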
  • Craig18 (New)
    edited July 2007
    Thanks for your help. Here are the results of main.txt.

    Deckard's System Scanner v20070611.50
    Run by Paul on 2007-07-03 at 22:21:06
    Computer is in Normal Mode.
    -- System Restore
    Successfully created a Deckard's System Scanner Restore Point.

    -- Last 5 Restore Point(s) --
    54: 2007-07-03 21:21:17 UTC - RP137 - Deckard's System Scanner Restore Point
    53: 2007-07-02 22:48:49 UTC - RP136 - Installed Belkin Wireless USB Utility
    52: 2007-07-02 21:59:34 UTC - RP135 - Configured Belkin Wireless USB Utility
    51: 2007-07-02 21:51:58 UTC - RP134 - Removed Google Toolbar for Internet Explorer
    50: 2007-07-02 01:30:34 UTC - RP133 - Software Distribution Service 3.0

    -- First Restore Point --
    1: 2007-06-24 19:29:53 UTC - RP84 - Installed Windows XP KB918899.

    Backed up registry hives.
    Performed disk cleanup.

    -- HijackThis (run as Paul.exe)
    Logfile of HijackThis v1.99.1
    Scan saved at 22:21:55, on 03/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\snmp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
    C:\Documents and Settings\Paul\Desktop\dss.exe
    C:\PROGRA~1\HIJACK~1\Paul.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182709046911
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182710875686
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    -- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\)
    backup-20070703-221826-123 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    -- File Associations
    All associations okay.

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    R3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
    S3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - c:\progra~1\belkin\belkin~1.11g\dnindis5.sys (file missing)
    S3 RT2500 (Belkin RT2500 Wireless Driver) - c:\windows\system32\drivers\rt2500.sys (file missing)

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    All services whitelisted.

    -- Files created between 2007-06-03 and 2007-07-03
    2007-07-03 21:16:17 0 dr-h
    C:\Documents and Settings\Paul\Recent
    2007-07-03 00:02:17 4212 ---h
    C:\WINDOWS\system32\zllictbl.dat
    2007-07-03 00:01:55 11264 --a
    C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
    2007-07-03 00:01:09 0 d
    C:\WINDOWS\system32\ZoneLabs
    2007-07-03 00:00:07 0 d
    C:\WINDOWS\Internet Logs
    2007-07-02 23:49:17 0 d
    C:\Program Files\Belkin
    2007-06-30 23:41:31 0 d
    C:\Program Files\CCleaner
    2007-06-30 23:35:29 0 d
    C:\Program Files\SpywareBlaster
    2007-06-30 23:20:13 0 d
    C:\Documents and Settings\Paul\Application Data\AVG7
    2007-06-30 23:19:39 0 d
    C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-06-30 22:30:09 0 d
    C:\Documents and Settings\All Users\Application Data\Avg7
    2007-06-30 21:30:11 0 d
    C:\WINDOWS\network diagnostic
    2007-06-29 23:52:11 0 d--h
    C:\WINDOWS\system32\GroupPolicy
    2007-06-26 22:43:39 0 d
    C:\WINDOWS\system32\appmgmt
    2007-06-26 05:52:17 0 d
    C:\WINDOWS\SxsCaPendDel
    2007-06-25 10:52:02 20480 --a
    C:\WINDOWS\system32\wbload.dll
    2007-06-25 10:52:01 36864
    n--- C:\WINDOWS\system32\wbsys.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4.x for x86 machines>
    2007-06-25 07:43:02 0 d
    C:\Program Files\Includes
    2007-06-24 23:55:13 0 d
    C:\Documents and Settings\LocalService\Start Menu
    2007-06-24 23:50:42 0 d
    C:\WINDOWS\Prefetch
    2007-06-24 22:59:59 0 d
    C:\WINDOWS\peernet
    2007-06-24 22:59:57 0 d
    C:\WINDOWS\provisioning
    2007-06-24 22:52:19 0 d
    C:\WINDOWS\ServicePackFiles
    2007-06-24 22:42:13 0 d
    C:\WINDOWS\system32\ReinstallBackups
    2007-06-24 22:36:26 0 d
    C:\WINDOWS\EHome
    2007-06-24 19:30:23 26112 --a
    C:\WINDOWS\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-06-24 19:27:51 46352 --a
    C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:50 171280 --a
    C:\WINDOWS\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:50 139536 --a
    C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:50 6550 --a
    C:\WINDOWS\jautoexp.dat
    2007-06-24 19:27:49 313856 --a
    C:\WINDOWS\system32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
    2007-06-24 19:27:42 113 --a
    C:\WINDOWS\system32\zonedon.reg
    2007-06-24 19:27:42 113 --a
    C:\WINDOWS\system32\zonedoff.reg
    2007-06-24 19:27:42 171792 --a
    C:\WINDOWS\system32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:41 286992 --a
    C:\WINDOWS\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:41 21264 --a
    C:\WINDOWS\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:40 947472 --a
    C:\WINDOWS\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:39 154384 --a
    C:\WINDOWS\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:39 172304 --a
    C:\WINDOWS\system32\jview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:38 15120 --a
    C:\WINDOWS\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:38 404752 --a
    C:\WINDOWS\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:37 63248 --a
    C:\WINDOWS\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:37 187152 --a
    C:\WINDOWS\system32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:27:36 49424 --a
    C:\WINDOWS\system32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-06-24 19:18:43 0 d
    C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2007-06-24 18:38:30 0 d
    C:\WINDOWS\system32\PreInstall
    2007-06-24 18:38:23 0 d--h
    C:\WINDOWS\$hf_mig$
    2007-06-24 18:36:22 0 d
    C:\WINDOWS\system32\bits
    2007-06-24 18:29:53 0 d
    C:\WINDOWS\SoftwareDistribution
    2007-06-22 05:49:44 0 d
    C:\Program Files\Google
    2007-06-22 05:09:39 0 d
    C:\Documents and Settings\Paul\Application Data\Yahoo!
    2007-06-21 15:55:04 0 --a
    C:\WINDOWS\nsreg.dat
    2007-06-21 15:54:35 0 d
    C:\Documents and Settings\Paul\Application Data\Mozilla
    2007-06-18 02:54:27 0 d
    C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-06-18 02:35:22 0 d
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-06-18 02:18:47 0 d
    C:\Documents and Settings\Paul\Application Data\Comodo
    2007-06-18 02:18:46 0 d
    C:\Documents and Settings\All Users\Application Data\Comodo
    2007-06-10 09:45:34 0 d
    C:\Program Files\InstallShield Installation Information
    2007-06-10 09:43:33 0 d
    C:\Program Files\Common Files\InstallShield
    2007-06-03 22:31:42 118784 --a
    C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
    2007-06-03 21:50:26 0 d--hs---- C:\Documents and Settings\Paul\UserData
    2007-06-03 17:04:11 0 d
    C:\Documents and Settings\Paul\Application Data\Macromedia
    2007-06-03 16:52:40 0 d
    C:\Documents and Settings\Paul\Application Data\Google
    2007-06-03 16:48:59 0 d
    C:\Documents and Settings\All Users\Application Data\Google

    -- Find3M Report
    2007-06-25 12:42:30 0 d
    C:\Program Files\Messenger
    2007-06-24 23:00:02 0 d
    C:\Program Files\Movie Maker
    2007-06-24 22:50:55 0 d
    C:\Program Files\Windows NT
    2007-06-01 22:01:39 0 d
    C:\Program Files\Common Files\ODBC
    2007-06-01 22:01:34 0 d
    C:\Program Files\Common Files\SpeechEngines
    2007-06-01 22:01:00 62 --ahs---- C:\Documents and Settings\Paul\Application Data\desktop.ini
    2007-06-01 21:30:29 0 d
    C:\Documents and Settings\Paul\Application Data\Identities
    2007-06-01 21:20:59 0 d
    C:\Program Files\microsoft frontpage
    2007-06-01 21:20:15 0 -rahs---- C:\MSDOS.SYS
    2007-06-01 21:20:15 0 -rahs---- C:\IO.SYS
    2007-06-01 21:20:15 0 --a
    C:\CONFIG.SYS
    2007-06-01 21:20:15 0 --a
    C:\AUTOEXEC.BAT
    2007-06-01 21:17:51 0 d
    C:\Program Files\Online Services
    2007-06-01 21:16:30 0 d
    C:\Program Files\Common Files\MSSoap
    2007-06-01 21:15:16 21640 --a
    C:\WINDOWS\system32\emptyregdb.dat
    2007-06-01 21:14:39 0 d--h
    C:\Program Files\WindowsUpdate
    2007-06-01 21:14:21 0 d
    C:\Program Files\MSN Gaming Zone

    -- Registry Dump
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
    "ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

    -- End of Deckard's System Scanner: finished at 2007-07-03 at 22:25:23
  • Craig18 (New)
    edited July 2007
    Here are the extra.txt results.

    Deckard's System Scanner v20070611.50
    Extra logfile - please post this as an attachment with your post.
    -- System Information
    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English
    CPU 0: Mobile AMD Athlon(tm) 4 1600+ Processor
    Percentage of Memory in Use: 65%
    Physical Memory (total/avail): 351.48 MiB / 122.98 MiB
    Pagefile Memory (total/avail): 854.06 MiB / 653.91 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1967.13 MiB
    A: is Removable (No Media)
    C: is Fixed (NTFS) - 37.26 GiB total, 29.22 GiB free.
    D: is CDROM (No Media)

    -- Security Center
    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is disabled.
    FW: ZoneAlarm Firewall v7.0.337.000 (Check Point, LTD.)
    AV: AVG 7.5.476 v7.5.476 (GRISOFT)
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

    -- Environment Variables
    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Paul\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=CONTROL-4ZHDE12
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Paul
    LOGONSERVER=\\CONTROL-4ZHDE12
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 6 Stepping 2, AuthenticAMD
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0602
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
    tvdumpflags=8
    USERDOMAIN=CONTROL-4ZHDE12
    USERNAME=Paul
    USERPROFILE=C:\Documents and Settings\Paul
    windir=C:\WINDOWS

    -- User Profiles
    Paul (admin)

    -- Add/Remove Programs
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
    AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
    Belkin Wireless USB Utility --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A6359CCF-215D-43D9-8366-479D231F2A72}
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
    HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
    ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

    -- End of Deckard's System Scanner: finished at 2007-07-03 at 22:25:23
  • edited July 2007
    Log looks clean...great job!

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

      You can find instructions on how to disable and re-enable system restore here:

      Managing Windows Millennium System Restore

      or

      Windows XP System Restore Guide

      Re-enable system restore with the instructions from the tutorial above.

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.
  • Craig18 (New)
    edited July 2007
    Thanks for your help.