TechSpot

HiJackThis Log URGENT

By betania
Mar 10, 2008
  1. Hello,

    I did all the steps of the Viruses/Spyware/Malware preliminary removal instructions, and I'm attaching HJT, Combofix and AVG Antispyware logs.

    Can somebody please help me analyse these?!

    Thanks,

    Betania
     


  2. kritius

    kritius TS Guru Posts: 2,084

    What specific problems are you facing?
     
  3. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I can't see any issues of concern
    Although I'm not a specialist in the area. I thought I'd let you know, I checked all files in the HJT log.

    Good to see you've got your Startups low too.
     
  4. kritius

    kritius TS Guru Posts: 2,084

    A tip for newcomers on how to get on Kimsland's good side! lol :grinthumb
     
  5. betania

    betania TS Rookie Topic Starter Posts: 17

    Hi

    Thanks a lot for your quick reply.
    The thing is that I don't know which files I should fix on the HiJackThis program.
    I'm afraid to delete the wrong files.

    Thanks

    B.
     
  6. betania

    betania TS Rookie Topic Starter Posts: 17

    And what exactly does it mean to have "Startups low"?

    thanks
     
  7. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I mean, that you do not have lots of things starting with Windows (which is good)

    As for what to disable/remove in HJT, I'll leave for the others to comment.
     
  8. betania

    betania TS Rookie Topic Starter Posts: 17

    oki
    thanks
     
  9. kritius

    kritius TS Guru Posts: 2,084

    You still have not mentioned what specific problems you are facing.
     
  10. betania

    betania TS Rookie Topic Starter Posts: 17

    Ok.
    When I run HiJackThis, the program shows me the results, and I don't know which files I should FIX.
    Can you help me?!
     
  11. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    None, but others may still reply
     
  12. kritius

    kritius TS Guru Posts: 2,084

    Hijackthis is not like an antivirus program that only shows you problems, it will show you a list of processes running on your computer which people can then read to analyse what is wrong with a system.

    If you are not experiencing any specific malware problems then you don't need to fix anything and can uninstall it.
     
  13. betania

    betania TS Rookie Topic Starter Posts: 17

    I was experiencing malware problems, that's why I ran all those programs specified in the Viruses/Spyware/Malware preliminary removal instructions.

    But now I have the logs and posted as requested and I just don't know what to do with them.

    If there's no problem, then that's fine.
    But if there is, I just want to know what to do!

    So can anybody tell me if everything seems OK or NOT?!

    Thanks
     
  14. kritius

    kritius TS Guru Posts: 2,084

    Tell me exactly what specific problems you were having.
     
  15. betania

    betania TS Rookie Topic Starter Posts: 17

    1. Panda antivirus was constantly finding the same spyware and not able to remove it (W32).
    2. The computer was slow and blocking all the time and receiving error messages from Windows Vista.
    3. Every time I open Word I get an error message: compile error in hidden module: autoexec.
    4. Acrobat usually also blocks when I try to open some PDF file on a website.

    I think that's it.
     
  16. kritius

    kritius TS Guru Posts: 2,084

    Do you have an HP computer?

    If you do then this entry should be ok, if you do then check the C:\Windows\SMINST folder for other files like launcher.exe and Recguard.exe and check the Properties sheets of the files. If they're signed by HP, they're OK.

    If not then add this to the list of entries for HJT to fix.
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

    Check for anything in your add/remove programs to do with Begin2Search.

    Boot into safe mode by tapping F8 as soon as the computer starts and when in there show all hidden files, then do a search for anything to do with Begin2Search.

    Run a system scan with HJT and have it fix this entry,
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.Begin2Search.com/search.html

    Boot into normal mode and rehide your protected files.
     
  17. betania

    betania TS Rookie Topic Starter Posts: 17

    Yes I have a HP!!
    I'll try to do everything you said and be back in a minute!
    Thanks

    B.
     
  18. betania

    betania TS Rookie Topic Starter Posts: 17

    I just fixed those two files.
    Here's the log.
    Do you think I need to do anything else?!
    Thanks
    Betania
     
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You need to attach a log that has been run from normal mode. Yours was run in Safe mode.

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder
     
  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Oh, both were in Safe mode.
    That's why Startups were mainly non-existent!
     
  21. betania

    betania TS Rookie Topic Starter Posts: 17

    Hi again
    I'm downloading the new java now.
    What should I do next?
    Thanks
     
  22. kritius

    kritius TS Guru Posts: 2,084

    A new HJT log from normal mode not safe mode.
     
  23. betania

    betania TS Rookie Topic Starter Posts: 17

    Hi

    Here is the log (sorry, the site is not letting me attach this file!)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:26:48, on 10-03-2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Safe mode

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO LOCAL')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIÇO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Serviço de rede')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - Gopher Prefix:
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrvx86.exe
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
    O23 - Service: Panda PSK service (PskSvcRetail) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PskSvc.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 6831 bytes


    And I'm sending you also the name of the spyware I found one more time running Panda antivirus:

    cookie/onestat.com - cookies.txt[stat.onestat.com/]

    Cookie/Tribalfusion - cookies.txt[.tribalfusion.com/]


    Let me know what to do now!

    Thanks very much again

    B.
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That log still says safe mode on it.

    Are you booting your computer into safe mode before running the scan with Hijackthis? (You should boot normally.)

    Also make sure you are clicking Do A System Scan and Save a log, not Do a System Scan only.
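The checks the helpers walk through in this thread (is the log from normal mode, does an R1 search-page entry point somewhere other than Microsoft, which O23 services have no publisher, which O4 entries live under the HP SMINST folder) can be run mechanically over a HijackThis log. The parser below is an added example, not code from the thread or from HijackThis; the sample log is constructed from a handful of the entries posted above, and the expected-domain list is an assumption.

```python
import re
# Constructed sample, modelled on the Safe-mode log posted in this thread
# (a handful of its entries, not the whole file).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Safe mode
Running processes:
C:\Windows\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.Begin2Search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
EXPECTED_DOMAINS = {"go.microsoft.com", "www.microsoft.com"}  # assumed IE defaults

def parse_log(text):
    """Split a HijackThis log into header fields and (kind, body) entries."""
    header, entries, in_header = {}, [], True
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_header = False  # header ends here; the process list follows
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
        elif in_header and ":" in line:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return header, entries

def review(text):
    """Return the points the helpers in this thread would raise about the log."""
    header, entries = parse_log(text)
    findings = []
    if "safe" in header.get("Boot mode", "").lower():
        findings.append("log taken in Safe mode; rerun HJT from normal mode")
    for kind, body in entries:
        if kind in ("R0", "R1"):  # IE home/search page settings
            m = URL_RE.search(body)
            if m and m.group(1).lower() not in EXPECTED_DOMAINS:
                findings.append(f"{kind} browser setting points at {m.group(1)}")
        elif kind == "O4" and "SMINST" in body.upper():  # HP recovery launcher
            findings.append(f"O4 SMINST entry, confirm the file is HP-signed: {body}")
        elif kind == "O23" and "Unknown owner" in body:  # service with no publisher
            findings.append(f"O23 service with no publisher: {body.split(' - ')[0]}")
    return findings
```

Running `review(SAMPLE_LOG)` reports the Safe-mode header first, then the Begin2Search R1 entry, the SMINST launcher and the unattributed Adobe service, while the Microsoft search page passes.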
     
  25. betania

    betania TS Rookie Topic Starter Posts: 17

    Yes
    I'm doing everything like you said!

    Booting my computer into normal mode and clicking 'Do A System Scan and Save a log'!
     