Cable Forum > Computers & IT > Security & Virus Discussion
Check my Hijackthis log?
Old 14-02-2010, 17:09   #1
chrisjones

Hi,
Can someone take a nosey at my Hijackthis log? Was online earlier and randomly my laptop became infected with one of these frigging 'antivirus' type trojans. I think I've removed everything, but I wanted someone with a bit more know-how to take a look if that's ok?

I installed Microsoft Security Essentials, ran SUPERAntiSpyware, CCleaner and Malwarebytes, which cleared out a few nasties, but I found that neither antispyware nor Malwarebytes would update following the installation of MSE. I was getting firewall-type errors. Is this genuine, or could it be 'leftovers' from the infection?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59:23, on 14/02/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Acer\Empowering Technology\eDSMSNfix.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\CHRISJ~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/yco...//uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bytomic.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/yco...//uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eDSMSNfix] C:\Acer\Empowering Technology\eDSMSNfix.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

--
End of file - 7036 bytes
Old 14-02-2010, 17:50   #2
Raistlin

Usual caveats apply, this is only my opinion etc, anything you do as a result of this advice you do of your own volition, I won't be held responsible for your system getting fracked up.....and so on.....

You might want to fix the following, which are entries that don't appear to be needed any more:

Code:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
Otherwise everything looks fine.
Old 14-02-2010, 18:22   #3
Jon T

Quote:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
Looks a bit odd to me.

Maybe why you can't update anything?

---------- Post added at 17:22 ---------- Previous post was at 17:15 ----------

Once you've got rid of the above entry, reset your browser's proxy settings to not use one (clear all checkboxes on the proxy configuration page).
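A small triage script for the two things the replies above picked out of the log: the ProxyServer entry pointing at 127.0.0.1 (Jon T's spot) and the BHO entries with no DLL behind them (Raistlin's list). This is an added example in Python, not from the thread or from HijackThis; the sample lines are copied from the log posted above, and the line patterns and finding names are my own.

```python
import ipaddress
import re

# Constructed sample in HijackThis v2 line format; the values are copied
# from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
"""

PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

def is_loopback(host):
    """True for localhost, 127.x.x.x and ::1 (with or without IPv6 brackets)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # a hostname, not an address

def parse_proxy_value(value):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples;
    handles 'host:port' (scheme '*') and 'http=host:port;https=host:port'."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no port given
            host, port = hostport, ""
        entries.append((scheme or "*", host, port))
    return entries

def analyze(log_text):
    """Return findings for loopback proxies and BHOs whose DLL is gone."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            # A loopback proxy routes browser (and, as suspected here, updater)
            # traffic through a local process first. Legitimate local proxies
            # exist, so treat this as a triage signal rather than a verdict.
            for scheme, host, port in parse_proxy_value(m["value"]):
                if is_loopback(host):
                    findings.append({"kind": "loopback-proxy", "scheme": scheme,
                                     "host": host, "port": port, "line": line})
            continue
        m = BHO_RE.match(line)
        if m and m["path"].strip() == "(no file)":
            # Registration survived but the DLL is gone: a leftover to clean up.
            findings.append({"kind": "orphan-bho", "clsid": m["clsid"], "line": line})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["kind"], "->", f["line"])
```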
Old 14-02-2010, 18:25   #4
Aragorn

Indeed - looks like you need to fix that ProxyServer entry.
Old 14-02-2010, 18:25   #5
Raistlin

Good spot Jon, I didn't notice that. Looks like whatever infected the OP was running some sort of local proxy and redirecting all traffic through that - nicely spotted
Old 14-02-2010, 18:28   #6
Aragorn

If you have an HJT log, you can always go to http://www.hijackthis.de/ for an automated analysis. Although, that didn't pick up the proxy.
Old 14-02-2010, 18:59   #7
chrisjones

Quote:
Originally Posted by Rob M
Good spot Jon, I didn't notice that. Looks like whatever infected the OP was running some sort of local proxy and redirecting all traffic through that - nicely spotted
Thanks everyone! I guess the proxy settings would stop the AV/AS progs from updating, thus preventing me from running an up-to-date sweep! What's the best way to remove that entry? Can it be done via Firefox settings?

Thanks a lot.
Old 14-02-2010, 20:07   #8
Dai

Quote:
Originally Posted by chrisjones
Thanks everyone! I guess the proxy settings would stop the AV/AS progs from updating, thus preventing me from running an up-to-date sweep! What's the best way to remove that entry? Can it be done via Firefox settings?

Thanks a lot.
See here:

http://www.bleepingcomputer.com/viru...antivirus-live

There's a section on clearing the proxy setting hijack in IE. Probably worth checking the Tools/Options/Advanced/Network tab in Firefox to make sure no proxy is set.
Old 14-02-2010, 21:05   #9
chrisjones

Thanks
Old 14-02-2010, 21:23   #10
martyh

Quote:
Originally Posted by chrisjones
Thanks

Which one was it that got you? I ask because I got hammered on Tuesday by "microsoft anti virus 2010 pro" and had to re-install my OS to fully clean my system.
Old 15-02-2010, 09:07   #11
chrisjones

Quote:
Originally Posted by martyh
Which one was it that got you? I ask because I got hammered on Tuesday by "microsoft anti virus 2010 pro" and had to re-install my OS to fully clean my system.
TBH I don't actually know. I saw the 'antivirus' pop up and immediately re-booted in safe mode to run virus checks.
Old 15-02-2010, 12:00   #12
zing_deleted

I had one yesterday on a laptop with XP Antispyware 2010. It's the same as a number of others, but it totally screwed up a lot of system settings, though only in the Admin user. Getting rid of the nasty was easy: I used a LiveCD with shell access and just deleted it, but the user profile was just a mess. Created a new user, scanned and copied files over, deleted the old user, and the system was clear.

These things can seem to be a mare sometimes to get shot of, but you just need to find the correct file names/reg entries and locations. I use the Malwarebytes forum as a good starting point.