Quick HijackThis Log Query.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Baner86, Jul 16, 2004.

  1. Baner86

    Baner86 Private E-2

    This is my first post on this site and I only stumbled on this wonderful resource from my own rudimentary virus detection skills. I read the HijackThis Log post and ran Ad-Aware etc., but I just wanted to know whether this NET computer is fine.

    Logfile of HijackThis v1.98.0
    Scan saved at 3:26:27 PM, on 16/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Motherboard Monitor 5\MBM5.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.dodo.com.au
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.dodo.com.au
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.dodo.com.au
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.dodo.com.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dodo Internet
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A053D6D6-3EC9-4230-963A-6E17A9502BE0}: NameServer = 203.194.27.57 203.194.56.150

    From reading the post I am only concerned with the final O17 line, as the server IPs are not familiar and do not link to any web sites. However, other people have had exactly the same entries in their log files and I am led to believe that these IPs might be my DoDo ISP's, so I am afraid to delete the entry. Should I delete that entry, or are there other entries in my log file that are questionable?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Both of those IPs are for
    ns4.comindico.com.au = [ 203.194.56.150 ]
    Domain Name: comindico.com.au
    Last Modified: 16-Apr-2004 00:40:43 UTC
    Registrar ID: R00010-AR
    Registrar Name: Melbourne IT
    Status: OK
    Registrant: Comindico Services Pty Limited
    Registrant ID: OTHER 093 662 661
    Registrant ROID: C1597022-AR
    Registrant Contact Name: Comindico Hostmaster
    Registrant Email: hostmaster@comindico.com.au
    Tech ID: C1597022-AR
    Tech Name: Comindico Hostmaster
    Tech Email: hostmaster@comindico.com.au
    Name Server: ns2.comindico.com.au
    Name Server IP: 203.194.27.59
    Name Server: ns1.comindico.com.au
    Name Server IP: 203.194.27.58
    Name Server: ns4.comindico.com.au
    Name Server IP: 203.194.56.150
    =========

    And here is info on home.dodo.com.au

    home.dodo.com.au = [ 203.220.32.118 ]
    Domain Name: dodo.com.au
    Last Modified: 20-Nov-2002 02:08:03 UTC
    Registrar ID: R00010-AR
    Registrar Name: Melbourne IT
    Status: OK
    Registrant: DODO INTERNET PTY. LTD.
    Registrant ID: OTHER 097636970
    Registrant ROID: C0217582-AR
    Registrant Contact Name: THE MANAGER
    Registrant Email: scott@kbs.net.au
    Tech ID: C0217584-AR
    Tech Name: Scott Stavretis
    Tech Email: scott@kbs.net.au
    Name Server: dns1.dodo.com.au
    Name Server IP: 203.220.32.121
    Name Server: dns2.dodo.com.au
    Name Server IP: 203.220.32.122


    By the way, your log looks okay. But you could consider whether you really need the next item or not:
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

    It's a matter of personal preference and whether you use it.
     
  3. Baner86

    Baner86 Private E-2

    Geezuz!! Chaslang, I don't wanna sound like I'm kissin ur ass but ur like a god around here. I've spent a few hours just looking at how much effort u have put in to help people with their problems. I admit that I was pretty sure that my comp was OK but it's always nice to be certain.
    How did you get that info on those IPs and on DODO, did you use a program?
    I really wanna learn how to fix problems with adware and viruses cos AV software just isn't good enough, though what do you think of those two online scanners, Panda ActiveScan and Trend Micro?
    So, is it safe to remove that last line?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is how I found that info: http://samspade.org/t/lookat?a=
    Just enter the IP address or a domain name into the box and click Whois.

    I'm not positive about what to do with that line. You may want to check to see if there is a relationship between your ISP and Comindico.

    Those two online scanners are very good, but they do not replace a full-blown AV package nor a good spyware blocker like SpywareBlaster.
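The check chaslang did by hand (confirm that the O17 NameServer addresses belong to the ISP) can be scripted. The following is an added example, not code from anyone in this thread: it pulls every O17 line out of a HijackThis log, splits the interface GUID from the DNS server list, and flags any server outside the address ranges that the whois output above attributes to Dodo and Comindico. The /24 prefixes and the second sample line (a deliberately foreign address) are constructed assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed sample: the O17 line from the log posted in this thread, plus one
# constructed line pointing at an unrelated address (RFC 5737 TEST-NET-2) so the
# mismatch case is exercised as well.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A053D6D6-3EC9-4230-963A-6E17A9502BE0}: NameServer = 203.194.27.57 203.194.56.150
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CONSTRUCTED-0000-0000-0000-000000000000}: NameServer = 198.51.100.7
"""

# Address ranges the whois output in this thread ties to the ISP (Dodo) and its
# upstream (Comindico). Widening the single IPs to /24 prefixes is an assumption.
KNOWN_ISP_NETS = [ipaddress.ip_network(n) for n in
                  ("203.194.27.0/24", "203.194.56.0/24", "203.220.32.0/24")]

# HijackThis O17 format: "O17 - <registry path>\{GUID}: NameServer = ip[ ip...]"
O17_RE = re.compile(r"^O17 - .*\{(?P<guid>[^}]+)\}: NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return a list of (interface_guid, [server ips]) for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis separates multiple servers with spaces; tolerate commas too.
        servers = re.split(r"[ ,]+", m.group("servers").strip())
        entries.append((m.group("guid"), servers))
    return entries


def classify_server(ip_text):
    """'expected' if inside a known ISP range, 'unknown' otherwise, 'invalid' if not an IP."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    return "expected" if any(ip in net for net in KNOWN_ISP_NETS) else "unknown"


def check_log(log_text):
    """Map each O17 interface GUID to the servers that need a closer look."""
    return {guid: [s for s in servers if classify_server(s) != "expected"]
            for guid, servers in parse_o17(log_text)}


if __name__ == "__main__":
    for guid, suspect in check_log(SAMPLE_LOG).items():
        print(guid, "OK" if not suspect else "review: " + ", ".join(suspect))
```

A server that lands in "unknown" is not proof of a DNS hijack; it is the cue to run the whois lookup described above before editing the entry.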
     