Can you check my log?
1984
Here goes:

Logfile of HijackThis v1.99.1
Scan saved at 7:30:52 AM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CoolMon\CoolMon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAV.EXE
C:\Program Files\SensorsViewPro21\sviewpro.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141265351607
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AE27AD2-9CE7-486E-867B-E29FF3E603E2}: NameServer = 142.161.130.155 142.161.2.155
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I think I can safely delete:

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)


Any suggestions? I rarely use Messenger, but I don't want to screw things up for when I do need it. I am kind of learning how to read logs, and these items seem like they can go.

Thanks!
AndyManchesta
Hi Lordoftheweb

Don't trust "(file missing)" entries in Hijack This unless it's an O2 or O3 entry. O9 entries in the log show custom buttons/menu items, and there are many different registry values that can link the CLSID to the file that handles it; Hijack This does miss some of them. The O23 lines can display "file missing" if the path has /service in the command, so it's best to check them in detail or ignore them (unless they are malware related).

With the lines you picked:

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


These are buttons/menu items that have been created, so removing them will not speed up the PC, but it will not damage the programs either. I'd say add them to the ignore list of Hijack This, but if you never use the Research button or the Windows Messenger button or menu item, then you could fix the lines and keep the backups in case you want to restore them at any time. They are fine to ignore, as they are just buttons or menu items and are not causing any problems.


O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)


This is added by MSN Messenger and the file will not be missing. It's a small bug in Hijack This, so it should be ignored or added to the ignore list.


O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)


This is added by SpySweeper and it is likely that this file is missing. If you have removed SpySweeper, it can be fixed.

Hope that helps
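As an added illustration (not code from either poster), here is a small Python triage helper that applies the rule of thumb in the reply above to HijackThis lines: it pulls out the section code and CLSID, and treats a "(file missing)" flag as dependable only outside the O9/O18/O23 sections. The sample lines are copied from the log posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: five lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# Rule of thumb from the reply: "(file missing)" is dependable on O2/O3 lines; O9/O18
# resolve handlers via registry paths HijackThis misses, O23 trips on /service paths.
UNRELIABLE_MISSING = {"O9", "O18", "O23"}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
MISSING_RE = re.compile(r"\(file missing\)\s*$", re.IGNORECASE)


@dataclass
class Entry:
    code: str             # HijackThis section, e.g. "O9"
    body: str             # everything after "O9 - "
    clsid: Optional[str]  # first {GUID} found in the line, if any
    file_missing: bool
    verdict: str          # what a reviewer should do with the flag


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one R/F/N/O line; header and process-list lines return None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    clsid = CLSID_RE.search(body)
    missing = bool(MISSING_RE.search(body))
    if not missing:
        verdict = "no flag"
    elif code in UNRELIABLE_MISSING:
        verdict = f"verify manually: flag is unreliable on {code} lines"
    elif code in ("O2", "O3"):
        verdict = "orphaned: flag is dependable here"
    else:
        verdict = "probably missing: fix if the owning program was removed"
    return Entry(code, body, clsid.group(0) if clsid else None, missing, verdict)


def triage(log_text: str) -> list:
    """Return every parsable entry of a log in order, skipping other lines."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e is not None]
```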
1984
Thanks Andy. I am trying to learn the HijackThis logs, and am VERY poor at it. I've managed to keep things pretty clean on my comp for a while though!

Your assistance is appreciated!
AndyManchesta
Hi Lordoftheweb

Here are a couple of Hijack This tutorials and research sites to help you with logs.

Merijn's (Hijack This author) Tutorial

Acsell's Hijack This Tutorial


CastleCops

With CastleCops, the menu on the left (the top right of the screen also has a drop-down menu) displays search engines for different areas of Hijack This. It has databases for O2, O3, O4, O9, O10, O16, O18, O20, O21, O22 & O23 entries, so it can make reading a log a lot easier.

AnswersThatWork has a great database of genuine running processes.

Google will also help you if you want to check a file or Hijack This entry. Just add the dll name or the exe name and there is a good chance you will know exactly what it is within a few seconds. If Google brings back no results then it may be malware related, so it's worth checking the files at a scan site like Jotti's or VirusTotal, or right-clicking the file and checking the properties for company info. If you're trying to find info on a group of words on Google, then try putting them in "quotes" so the search engine knows only to find the matching set of words.

Regards

Andy