Author Topic: HijackThis Log Question  (Read 6479 times)

0 Members and 1 Guest are viewing this topic.

Nowherefast

  • Guest
HijackThis Log Question
« on: September 12, 2008, 04:17:54 PM »
Hi, can somebody please explain to me how to read my hijackThis Log....I had the trojan-gen/virtumonde/adware-gen virus detected by avast, used a couple of anti-virus programs to clean them out...they do not appear anymore...please advise....thanks

----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:49 AM, on 9/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheweb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = By DSLExtreme
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {36CB5B49-B304-467A-9EF8-F38E04F3424E} - C:\WINDOWS\system32\khfCvWMe.dll (file missing)
O2 - BHO: (no name) - {4295E4A1-6447-4CE4-8BB7-4C4FBDAE88A0} - C:\WINDOWS\system32\nnnoPFXP.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp?r=al&cf=sp
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1221189996016&h=f62885de7a4eb4c0d842b9e8d8989b8e/&filename=jinstall-6u7-windows-i586-jc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6340 bytes

---

wyrmrider

  • Guest
Re: HijackThis Log Question
« Reply #1 on: September 12, 2008, 06:39:54 PM »
Hi
I'll take a peek at it but do not FIX anything unless I tell you
First- what AV's and what were the exact detections
there are so many variations on the maladies you mentioned that detailed help is impossible

    We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.

so What firewall? and the one that comes with windows does not count
I see that you are up to date with sp3-- better than most who come in here with problems nice work

Tuesday was patch day
did you run "secunia software inspector" and make sure everything is up to date?

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch

any sites would have you nuke these with HJT I'd like to try and remove them with some anti malware/ antispyware scans as that will get the rest of the files. registry entries and other assorted garbage
If the Anti malware scans do not get them then we can nuke em

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
google the CLSID and see what it is(so we can see if there might be other files or registry enteries

O2 - BHO: (no name) - {36CB5B49-B304-467A-9EF8-F38E04F3424E} - C:\WINDOWS\system32\khfCvWMe.dll (file missing)

    O2 - BHO: (no name) - {4295E4A1-6447-4CE4-8BB7-4C4FBDAE88A0} - C:\WINDOWS\system32\nnnoPFXP.dll (file missing)

google the CLSIDs and see what they are(so we can see if there might be other files or registry entries)

here is a copy of Tech's standard procedure which works very well if followed completely

I'm a little Dyslexic so I am going to spread it out a little and add a few comments

1. Disable System Restore and then reenable it again.

2. Clean your temporary files. Use ATF cleaner or Ccleaner- but post up any relevant AV logs first


3. Schedule a boot time scanning with avast with archive scanning turned on.
rt click on the ball and update>programs
then open avast and schedule boot time scan- reboot and send any hits to chest, do not remove/delete
did you quarantine or send to chest previos AV scans? what was there (ignore cookies)

If avast does not detect it, you can try DrWeb CureIT! instead.
http://www.freedrweb.com/cureit/
(not a bad idea for a second opinion anyway but you said you had already run some other scans)

4. Use SUPERantispyware, 
http://www.superantispyware.com/
update  quarantine post logs

MBAM
http://malwarebytes.org/mbam.php
put a check mark next to any baddies and the click REMOVE CHECKED- a backup will be made

5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.

6. Make a NEW HijackThis log after the above scans to post here

7. Immunize your system with SpywareBlaster or Windows Advanced Care.

8. Check if you have insecure applications with Secunia Software Inspector.
http://secunia.com/software_inspector/

Let's see if we can make those three 02's go away, see if they have any un-found friends,

see ya a little later
take your time, any questions post back
measure twice cut once

Spiritsongs

  • Guest
"Ewido"
« Reply #2 on: September 12, 2008, 08:11:40 PM »
 :)  Hi :

 Your Log indicates you have the obsolete "Ewido" program; would recommend
 you uninstall it from your "Add or Remove Programs" Section of your
 computer . Also Ad-Aware from Lavasoft is no longer a top antiSPYWARE/
 antiTROJAN program; would be wise to uninstall it and use the programs
 mentioned by "wyrmrider" in her #4 .

wyrmrider

  • Guest
Re: HijackThis Log Question
« Reply #3 on: September 12, 2008, 08:23:14 PM »
Hi
if you did run an ad-aware scan and it found anything besides cookies could you post the log
we have to know what we are dealing with



does EWIDO still update???  try it please- I'd like to know
if it does it's a fine scanner, especially if you paid for it (we have replaced using it by MBAM)
however support is going away and it's not readily available by itself (AS AVG ANTI MALWARE) anymore
again- if you ran it and it found anything please post the log

I would not of thought of these two when you mentioned Anti Virus Apps :)

and yes we will most likely replace EWIDO and AD-Aware with later model apps
Let's get the malware removed

Nowherefast

  • Guest
Re: HijackThis Log Question
« Reply #4 on: September 12, 2008, 09:49:01 PM »
Hi, many thanks to the both of you for the quick reply's.  I am at work right now so I am unable to provide you with the necessary data that you requested.

I can answer a few questions though to start off:

My windows firewall was zonealarm but recently got rid of it and went with the regular windows firewall (you had mentioned that this is a no no??)

The things I have ran so far that I can remember were:

Super Anti-spyware - Didn't detect much
Malware Bytes - which caught most of it since I ran this first
Rouge something- which didn't catch anything
ad-aware - which was one of the last ones I ran
edwido - didn't catch anything
spybot search and destroy - didn't catch much

I think I kept the log from malware so I will post that...went through that and deleted some files that I knew were fishy and that I could get to.

I kept rebooting the pc to see if things would arise but avast didn't catch anything...so then I ran hijackthis and it appears I still have a few things out there...I will run the suggested programs when I get home...and thanks again all




Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: HijackThis Log Question
« Reply #5 on: September 12, 2008, 09:54:46 PM »
The Vista firewall has outbound protection disabled by default, when enabled it is rules based and you have to create the rules not particularly easy.

Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: HijackThis Log Question
« Reply #6 on: September 12, 2008, 10:25:54 PM »
One thing about the hjt that is not a virus, some falsely identify it as Agrobot.NL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

is a legitimate entry, not malware.

You have an older, therefore vulnerable, version of Java.

     *Download the latest version of Java Runtime Environment (JRE) here: http://javadl.sun.com /webapps/download/AutoDL?BundleId=23110
    * Click the "Download" button to the right.
    * Check the box that says: "Accept License Agreement".
    * The page will refresh.
    * Click on the link to download Windows Online Installation with or without Multi-language and save to your desktop.
    * Close any programs you may have running - especially your web browser.
    * Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    * Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the icon next to it.
    * Click the Remove or Change/Remove button.
    * Repeat as many times as necessary to remove each Java versions.
    * Reboot your computer once all Java components are removed.
    * Then from your desktop double-click to install the newest version.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

wyrmrider

  • Guest
Re: HijackThis Log Question
« Reply #7 on: September 13, 2008, 05:09:55 AM »
If you googled the first 02 it is Yahoo Companion BHO
try and remove with add remove programs
or if you have spybot you can use one of the spybot tools
or start>programs> find the uninstaller
If you have already installed then FIX with HJT
If you do not know how to fix with hjt post back
essentially put a check mark next to those items to be removed
but the important part is to close all browser windows including this one
I shut down all programs

 second and third 02 's look malicious
if you have run all the scanners you mentioned I would have thought they would be gone

lets run SDFIX
http://www.bleepingcomputer.com/forums/topic131299.html
post the log

try and do the updated avast boot time scan first, or Dr Web
in other words after any other scanners
then run a new hjt
if those items are there FIX them
post a new log
let me know if they were already gone or if you had to FIX them with HJT

cheers

when you update java uninstall all old versions
then run
javara
old versions are vulnerable
thanks polonus

firewall necessary  thanks DavidR
« Last Edit: September 13, 2008, 05:44:50 AM by wyrmrider »

Nowherefast

  • Guest
Re: HijackThis Log Question
« Reply #8 on: September 13, 2008, 06:43:30 PM »
Hi just ran SDFIX and here is the log...

---

SDFix: Version 1.224
Run by Administrator on Sat 09/13/2008 at 09:28 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found




Folder C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed


Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-13 09:34:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

---

What do you think?....

Will run another Hijackthis log after I update my java...

Nowherefast

  • Guest
Re: HijackThis Log Question
« Reply #9 on: September 13, 2008, 06:54:11 PM »
Here is my latest hijackthis log....

---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:12 AM, on 9/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheweb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = By DSLExtreme
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp?r=al&cf=sp
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1221189996016&h=f62885de7a4eb4c0d842b9e8d8989b8e/&filename=jinstall-6u7-windows-i586-jc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5805 bytes

wyrmrider

  • Guest
Re: HijackThis Log Question
« Reply #10 on: September 13, 2008, 07:20:21 PM »
Before we FIX anything with HJT let's recap
No Rootkit found with SD-FIX  really goo
Verify that you ran the boot time avast scan and no rootkit found
look in avast chest and let me know of any RECENT entries (ignore the system backup files)
WE still do not know  what MBAM, SAS and Spybot found (ignore cookies)
makes it hard to tell where to look next
Did you quarantine (or with MBAM actually REMOVE the hits) or does the log say "no action taken" or "ignored"
double check- people mess up on this all the time and I do not want to guess at your experience level
answer the question about EWIDO in previous post and review other questions

given that it's your computer and you are satisfied with the above

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch

try and remove with add remove programs or Start>Programs >uninstall
then if still there with next HJT fix it

Where did th O2-s go  they did not go away by themselves
did you remove them
Or
did a program get them
if so which one?