Is this a clean HJT log?

I get paranoid sometimes so… :slight_smile:

Logfile of HijackThis v1.98.2
Scan saved at 2:34:06 PM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Documents and Settings\user\Desktop\Programs\HijackThis19802.exe

O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

Briefly looking over it, it looks pretty clean.

It depends on how clean you want it. There is no malware in there, if that’s what you wanted to know; however:

These are not needed to load at start-up; they are not harmful, but fixing them will improve PC boot-up time:

o4 - hklm..\run: [coolswitch] c:\windows\system32\taskswitch.exe
o4 - hklm..\run: [powermenu] "%systemroot%\system32\powermenu.exe" -hideself on
o4 - hklm..\run: [winampagent] c:\program files\winamp\winampa.exe
o4 - hkcu..\run: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
o4 - global startup: america online 7.0 tray icon.lnk = c:\program files\america online 7.0\aoltray.exe

–lee

Why don’t you use Eddy’s HJT Analyzer? 8)
http://212.204.166.18/download/hjt10.003.exe

If I press fix, these won’t be permanently deleted, right?

HijackThis usually creates backups of what you ‘fix’.

If you want them back, simply open HijackThis, click Config, then go to Backups, then choose what you want to restore (see below).

–lee

I do have one question, though.

What’s this?
O17 - HKLM\System\CCS\Services\Tcpip..{87CC4FA1-CD45-44BD-8078-21E0F44E5DB1}: NameServer = 205.188.146.146

AOL

Is AOL a potential comp killer? ’Cause I have 7.0 on mine and it works fine.

My mom has Windows 98 and tried to install 9.0 Optimized, and it wrecked her system and it had to be reloaded…

Hi, don’t know if this is any help, but I tried AOL 9 when I was running 98 and it caused me mega problems; had to have the PC reformatted and installed Win ME. Now 9 works like a charm :slight_smile:

If you do nothing else, turn off Messenger. This is not the IM program. It is an open back door for popups and possible malware intrusion.

See the HijackThis section at http://212.204.166.18/
(also have a look at the malware removal section)

CharleyO

What do you mean this isn’t related to the messenger? I went ahead and removed them with HJT, but what exactly are they?

And here’s a new log:

Logfile of HijackThis v1.98.2
Scan saved at 2:12:24 PM, on 12/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Winamp\Winamp.exe
C:\Documents and Settings\user\Desktop\Programs\HijackThis19802.exe

O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

Sorry for the delay in a reply. Messenger was originally for use on intranets … or local nets as if you have one or more computers connected at home. It was so that intranet administrators could send messages from one computer (or a mainframe with work stations connected) to another. But hackers, malware writers, and pop-up users learnt how to use this to get into individual computers.

To find out if this is active on your computer, go to My Computer and double click on Add/Remove. Now click on the Windows Setup tab and scroll down the list to System Tools. Double click on System Tools to open its box. Scroll down the list to the bottom where you will find either WinPopup or Messenger … depending on your OS. If the checkbox to the left is checkmarked, click the checkbox once to remove the checkmark. This will disable the service and close an open back door.

The above has nothing to do with Instant Message programs which are a completely different set of programs.

CharleyO,

Huh? ???

What does this have to do with what you see in the HJT log?

I’d say the above entries:
C:\Program Files\Messenger\msmsgs.exe
http://sysinfo.org/startuplist.php?submit=&filter=msmsgs.exe
&
[msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
are indeed for instant messaging.

What you mean can maybe be fixed the way you state on XP, but imho it’s based on:
C:\WINNT\System32\services.exe (w2k) or
\svchost.exe -k netsvcs (on XP):

Some (German) screenshots:
http://www.trojaner-info.de/nachrichtendienst/index.html

???
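CharleyO's Messenger service and the "svchost.exe -k netsvcs" remark above are the same thing seen from two sides: the service is a Windows service hosted inside one of the svchost.exe instances, so it never shows up as its own line in an HJT "Running processes" list, while msmsgs.exe and MsnMsgr.exe are ordinary programs that do. On XP, `tasklist /svc` prints which services each process hosts. The Python below, an added example written for this thread and not from any poster, parses that output and reports both kinds; TASKLIST_SVC is a constructed sample laid out like the XP command's output, not a capture from the machine in the log.

```python
"""Tell the Messenger service (hosted inside svchost.exe) apart from the
Messenger IM clients (msmsgs.exe, MsnMsgr.exe) using `tasklist /svc` output.
Added example for this thread; TASKLIST_SVC is a constructed sample in the
shape of the XP command's output, not a capture from the logged machine."""
import re

# Constructed sample.  Long service lists wrap onto continuation lines that
# begin with whitespace; "N/A" means the process hosts no service.
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
services.exe                 676 Eventlog, PlugPlay
svchost.exe                  876 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem, helpsvc, lanmanserver,
                                 Messenger, Netman, ShellHWDetection, winmgmt
msmsgs.exe                  1492 N/A
MsnMsgr.Exe                 1560 N/A
"""

# image name, whitespace, numeric PID, whitespace, rest of the line
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _services(field: str) -> list:
    """Split a comma-separated service field, dropping blanks and N/A."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text: str) -> dict:
    """Map each PID to its image name and the list of services it hosts."""
    rows, last_pid = {}, None
    for line in text.splitlines()[2:]:  # skip the two header lines
        if not line.strip():
            continue
        if line[0].isspace() and last_pid is not None:
            rows[last_pid]["services"] += _services(line)  # wrapped continuation
            continue
        m = ROW_RE.match(line)
        if m is None:
            continue
        last_pid = int(m["pid"])
        rows[last_pid] = {"image": m["image"], "services": _services(m["services"])}
    return rows


def hosts_of_service(rows: dict, service: str) -> list:
    """(pid, image) pairs whose service list contains `service`."""
    want = service.lower()
    return [(pid, r["image"]) for pid, r in rows.items()
            if any(s.lower() == want for s in r["services"])]


IM_CLIENTS = {"msmsgs.exe", "msnmsgr.exe"}  # Windows Messenger, MSN Messenger


def classify_messenger(text: str = TASKLIST_SVC) -> dict:
    """Separate the service (a svchost tenant) from the IM programs."""
    rows = parse_tasklist_svc(text)
    return {
        "messenger_service_hosts": hosts_of_service(rows, "Messenger"),
        "im_client_pids": sorted(pid for pid, r in rows.items()
                                 if r["image"].lower() in IM_CLIENTS),
    }


if __name__ == "__main__":
    result = classify_messenger()
    print("Messenger service hosted by:", result["messenger_service_hosts"] or "nothing (disabled?)")
    print("IM client PIDs:", result["im_client_pids"])
```

The Add/Remove > Windows Setup route CharleyO describes is the Windows 98/ME way; on XP the service is managed through services.msc or, from a command prompt, `sc query Messenger` and `sc config Messenger start= disabled`. Note that Windows XP SP2, which both posted logs show, ships with the Messenger service disabled by default, so on this machine the service check should come back empty, while the IM clients are removed from autostart the way lee described, by fixing their O4 entries.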

There is messenger and MSN messenger. Two different things.

Yeah, but still, those HJT log entries in "C:\Program Files" are not the messaging service, right??
???

Or what differences are there in XP?
Don’t Intranet/“LAN” messages (like Charley described initially) look like this in XP?
http://www.trojaner-info.de/nachrichtendienst/bilder/nachricht.jpg

???

Well, I thought I clearly said this is not an IM program. ???

What I was giving was information that many overlook when facing intrusions. The general user has no idea about WinPopup and the Messenger service.

MSN Messenger is an IM program and is completely different.

Ok Charley,

I mistakenly assumed your advice was somehow connected to the HJT-Log :wink:

But imho the malware intrusion via MessageService is rather related to the old PEBCAK problem :wink:

OK, this may have been stated, but those program links in the log are related to Windows Messenger, which is essentially the same as MSN Messenger. It’s used as part of the MSN Internet Explorer service.