TechSpot

HiJackThis log, what to remove?

By rogue12
May 4, 2008
  1. Hi, this is a HijackThis log from a friend's PC.

    Question is what can be removed (unnecessary stuff/entries) and if it's clean of infections.

    Oh, and he also seems to have random popups of Windows Installer trying to install something, and this happens too when he first logs on.

    Thanks for any assistance.
     


  2. Blind Dragon

    TS Evangelist, Posts: 3,908

    What are the pop ups from (browser, security program, windows)?

    You aren't running Firewall Software. Please download and install one of these first!

    Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
    • Comodo
    • Kerio
    • Online Armor
    • ZoneAlarm

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
     
  3. rogue12

    TS Member, Topic Starter, Posts: 47

    Here's the log:

    The popups are from Windows. Windows Installer pops up saying preparing installer, the progress bar fills up, then it exits. It does this randomly no matter what you're doing on the PC, and it also pops up every time you first log in. It also doesn't say what it's trying to install.

    Malwarebytes' Anti-Malware 1.11
    Database version: 717

    Scan type: Full Scan (C:\|E:\|)
    Objects scanned: 128687
    Time elapsed: 58 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{A90DF42E-E911-4876-BF8A-1A6AA3956B31}\RP213\A0040089.exe (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
     
  4. Blind Dragon

    TS Evangelist, Posts: 3,908

    Ok, I don't see much else in the way of infections, one more scan then we can clean out some startups and add some security.


    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report to your next reply.
     
  5. rogue12

    TS Member, Topic Starter, Posts: 47

    Here it is:
     
  6. Blind Dragon

    TS Evangelist, Posts: 3,908

    Nothing in that log in the way of infections.

    Windows installer should tell you what it is trying to install.

    Also, the firewall should tell you when the program tries to connect or access files/registry.
     
  7. rogue12

    TS Member, Topic Starter, Posts: 47

    OK, what about these startups to remove? And I noticed in the HijackThis log that msiexec.exe is running, which I know is the Windows Installer process. Should that be running if you're not installing anything?

    Thanks.
     
  8. Blind Dragon

    TS Evangelist, Posts: 3,908

    Go to Start -> Control Panel -> Administrative Tools -> Services

    Check the service "Windows Installer"; it should be set to Manual (you can stop it now if it's running). Right-click it, then click Properties to change the startup type from Automatic to Manual.

    -----------------------------------------------------------------------------
    You can stop any of these that you want:

    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    -------------------------------------------------------------------------------------------

    In Spybot you can click Advanced Mode -> Tools -> System Startup.

    It will give you options to check/uncheck startups if you want to do it this way.
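
The O4 startup entries listed in the post above, parsed as an added example that is not part of the original thread: this Python code splits each HijackThis O4 line into its location, value name, executable and arguments, and reports entries whose executable is given without a full path, which the log alone cannot tie to a file on disk. The function names are hypothetical; the sample lines are copied from the post.

```python
import re
from ntpath import isabs

# Sample input: O4 lines copied from the HijackThis entries quoted in the thread.
SAMPLE = r'''
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
'''

# Registry autoruns: "O4 - HKLM\..\Run: [ValueName] command line"
REG = re.compile(r'^O4 - (?P<where>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Startup-folder shortcuts: "O4 - Global Startup: Shortcut.lnk = target"
LNK = re.compile(r'^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$')
# Unquoted command: the executable ends at the first program extension followed by space/end.
EXE = re.compile(r'^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(.*))?$', re.I)

def split_command(cmd):
    """Return (executable, arguments) for one startup command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
        return exe, rest.strip()
    m = EXE.match(cmd)
    return (m.group(1), m.group(2) or '') if m else (cmd, '')

def parse_o4(line):
    """Parse one O4 line into a dict, or return None for any other line."""
    m = REG.match(line.strip()) or LNK.match(line.strip())
    if not m:
        return None
    exe, args = split_command(m.group('cmd'))
    return {'where': m.group('where'), 'name': m.group('name'),
            'exe': exe, 'args': args, 'full_path': isabs(exe)}

def entries(log_text):
    """All O4 entries found in a block of HijackThis log text."""
    return [e for e in map(parse_o4, log_text.splitlines()) if e]

def bare_name_entries(log_text):
    """Value names whose executable has no full path; Windows resolves these via its search path."""
    return [e['name'] for e in entries(log_text) if not e['full_path']]

if __name__ == '__main__':
    for e in entries(SAMPLE):
        print(f"{e['where']:<16} {e['name']:<22} {e['exe']}  [{e['args']}]")
    print('no full path:', bare_name_entries(SAMPLE))
```

An entry reported by `bare_name_entries`, such as `RTHDCPL.EXE`, is not flagged as malicious; it only means the file's actual location has to be confirmed on the machine before deciding whether to keep it.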
     
Topic Status:
Not open for further replies.
