Author Topic: Logfile of Trend Micro HijackThis v2.0.2  (Read 12866 times)

sham1313

  • Guest
Logfile of Trend Micro HijackThis v2.0.2
« on: June 26, 2009, 04:52:58 PM »
Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.aolcdn.com;*.quicken.com;<local>;*.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
I just did a HJ and I am almost sure the 2 above I can delete, but I am not sure at all about the ones below. I just remember that sometimes when I have been helped with HJ, I deleted a couple of the ones that had no file and no name in them. How wrong or right am I?
Sharon


O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - (no file)


O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - (no file)
;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.aolcdn.com;*.quicken.com;<local>;*.local

End of file - 8769 bytes

Spiritsongs

  • Guest
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #1 on: June 26, 2009, 07:52:52 PM »
:) Hi:

The "fact" that a HijackThis log entry has "no file" and/or "no name" does NOT mean it should be "deleted", but further "research" should be done. For example, a Google "Search" of "5C255C8A-E604-49b4-9D64-90988571CECB" shows "Location: %ProgramFiles%\Windows Live\Messenger", which means it is part of the Windows Live Messenger program. For HijackThis log "O2" Entries, it is recommended to use www.systemlookup.com as part of the Research "process".

sham1313

  • Guest
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #2 on: June 26, 2009, 09:41:27 PM »
I do understand in a way and would be willing to do research, but I am really not sure what to look for and what the next step would be. I think I would be looking for something that would tell me if the file should be kept or deleted.
Thanks, Sharon

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #3 on: June 26, 2009, 09:56:09 PM »
Hi sham1313,

I checked the orphaned entries and qwave.dll and see no suspicious entries there.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

sham1313

  • Guest
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #4 on: June 26, 2009, 10:14:01 PM »
You say "the orphaned entries and qwave.dll"; is that the name of the no-name file? I am glad there are no suspicious entries there. I will still do some reading and see if I can understand any of it. Should I delete any of the ones I posted from the scan?
Thanks, Sharon

Offline polonus

Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #5 on: June 26, 2009, 10:53:41 PM »
Hi sham1313.

As always, Google is your best friend here. An example from your posting: just give in the CLSID of the entry, like {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}, and then check what information you get on the B.H.O. Orphaned means you might have deleted it and an empty remnant is there. If it is secure, you can either choose to restore the original Browser Helper Object (actually it is a DLL module for which the DLL is not there anymore), or, if you have no further need of it, tag it in HJT and fix it by giving an Enter.
So I got the info here:
http://www.systemlookup.com/CLSID/39866-LinkScannerIE_dll_avgssie_dll.html

Do this with all the other entries and you can make a calculated guess at what you have there.
Malware fighting is also teaching users/victims to fish for themselves so they can have a meal every day, not just giving them a fish once.

Stay safe and secure online, is the wish and command of,

polonus (malware fighter)
« Last Edit: June 26, 2009, 10:56:04 PM by polonus »
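The research routine described in Reply #1 and Reply #5 (identify the CLSID behind each "(no file)" entry before fixing anything) can be scripted for triage. The following Python is an added example, not code from this thread or from HijackThis; it parses O-section lines in the log format posted above, marks orphaned entries and "Unknown owner" services, and lists the CLSIDs to look up on systemlookup.com or Google. The sample lines are constructed from the log in this thread.

```python
import re

# Constructed sample drawn from the log posted in this thread: O2 (BHO),
# O9 (extra button) and O23 (service) lines, some of them orphaned.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - (no file)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# HijackThis "O" sections look like: "O2 - <kind>: <name> - <CLSID> - <file>".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """Split each O-section line into section, kind, name, CLSID and target.

    Fields are separated by ' - '; the last one is the backing file, or the
    literal '(no file)' when the registry entry points at a DLL that is no
    longer on disk (the 'orphaned' entries discussed in this thread).
    """
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        fields = [f.strip() for f in body.split(" - ")]
        # "BHO: (no name)" -> kind "BHO", name "(no name)"
        kind, _, name = fields[0].partition(": ")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": section,
            "kind": kind,
            "name": name or kind,
            "clsid": clsid.group(0).upper() if clsid else None,
            "target": fields[-1],
            "orphaned": fields[-1] == "(no file)",
            # Only O23 service lines carry a vendor field; "Unknown owner"
            # just means HijackThis found no company string, not malware.
            "unknown_owner": section == "O23" and "Unknown owner" in fields,
        })
    return entries


def orphaned(entries):
    """Entries whose backing file is missing: remnants to identify, not verdicts."""
    return [e for e in entries if e["orphaned"]]


def research_list(entries):
    """CLSIDs to look up (systemlookup.com, Google) before fixing anything."""
    return sorted({e["clsid"] for e in orphaned(entries) if e["clsid"]})
```

Entries without a CLSID (such as the QWAVE service line) still show up in `orphaned()`; they are identified by name rather than by CLSID lookup.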

sham1313

  • Guest
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #6 on: June 26, 2009, 11:42:23 PM »
Can these be deleted? Should I post the full log?
Sharon

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.aolcdn.com;*.quicken.com;<local>;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

sham1313

  • Guest
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #7 on: June 26, 2009, 11:45:30 PM »
I wish I would have read the above before I posted the last post, and I will save your last post to help me. Thanks, Sharon

Offline polonus

Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #8 on: June 27, 2009, 12:20:42 AM »
Hi Sharon,

You could do this and fix these. Another manual routine to remove NetZero, if you have the software, is to follow the following 12 steps:

Please follow the below steps to uninstall NetZero software from your computer:

1. Click on the Windows "Start" button, point to "Settings" and select "Control Panel."
2. Double-click on the "Add/Remove Programs" icon.
3. Click once on "NetZero" to highlight it and click on the "Add/Remove" button.
4. Click "OK" then "OK" again and close the "Control Panel."
5. Click on the Windows "Start" button, point to "Programs" and select "Windows Explorer."
6. Double-click the "Program Files" folder in the left-side window.
7. If you see a "NetZero" folder, highlight it and press the "Delete" key on your keyboard to remove it.

NOTE: If a "NetZero" folder does not exist, you can skip to step 12.

8. Close Windows Explorer.
9. Double-click the "My Computer" icon on your desktop.
10. Double-click the "Dial-Up Networking" icon.
11. Click once on the "NetZero" icon to highlight it and press the "Delete" key on your keyboard to remove it.
12. Restart the computer.

This will uninstall NetZero software from your computer.

polonus

Did you find this information helpful?



sham1313

  • Guest
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #9 on: June 27, 2009, 12:36:24 AM »
NetZero used to be my ISP. Now I have AT&T. NetZero is and has been uninstalled for a few weeks, and the removal tool used as well, with help from here and uninstalling all the way in safe mode. I have a Bluelight email address and they send me NetZero ads from time to time. I also had trouble getting rid of Norton, which the computer came with, and I did use their removal tool also. Plus a lot more other troubles in this same kind of way that is going on now. I hope I have not confused you.

The above is what I had gone through and was pretty sure I could put a checkmark by and let HJ delete it. I need to re-read your last post a few times to see how much of it I can understand.
Thanks for your help. Sharon

sham1313

  • Guest
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #10 on: June 27, 2009, 12:41:51 AM »
I thought you should know it would not uninstall the normal way; I had to do it in safe mode. Since the NetZero I have in the HJ is just from the ads that Bluelight sends me, that is why I thought it would be OK just to delete them.
Thanks, Sharon

Spiritsongs

  • Guest
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #11 on: June 27, 2009, 04:34:25 AM »
:) Hi:

In order to determine IF certain portions of a HijackThis log should be "fixed" (what HijackThis generally would be considered "Deleted"), the entire Log should be Posted so all Items can be viewed in context.
Years ago, when I switched ISPs, I did a Windows "Search" and based on its Findings, I "deleted" (right-clicked on the Entry) all that the "search" found. In my case, that was AOL, so I did a Windows "Search" using "AOL" and later "America Online" and "deleted" all "Items" found; in your case, it MAY mean doing a Windows "Search" using the terms "Netzero" and later "bluelight" and right-clicking on all "Items" found!?

A "Beginner's Guide" on interpreting a HijackThis log can be found at www.bleepingcomputer.com/tutorials/tutorial42.html.

To go further, you would enroll in a "Malware Removal Course" and "Malware University" would be my Choice.

spg SCOTT

  • Guest
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #12 on: June 27, 2009, 10:53:49 AM »
A "Beginner's Guide" on interpreting a HijackThis log can be found at www.bleepingcomputer.com/tutorials/tutorial42.html.


Thanks for the link Spiritsongs, will be an interesting read :)

-Scott-

sham1313

  • Guest
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #13 on: June 27, 2009, 04:44:25 PM »
When I first posted I did not think anything was wrong with the log. I just thought that because I no longer used NetZero and used their removal tool. Got a lot of help from this forum and bleepingcomputer.com; when it was over my computer got a good bill of health. I just thought, since the 3 lines of the log that had to deal with NetZero had to do with just the advertisements Bluelight sends from time to time. One person here, maybe more, said not to worry about it; everything was OK. Once again I am confused, but I will do another HJ and post it. It will take a few min.
Sharon

sham1313

  • Guest
Re: Logfile of Trend Micro HijackThis v2.0.2
« Reply #14 on: June 27, 2009, 04:44:52 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:50 AM, on 6/27/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TechTracker\VersionTracker Pro\VersionTrackerPro.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.aolcdn.com;*.quicken.com;<local>;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VersionTrackerPro.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: *.mybluelight.com
O15 - Trusted Zone: *.mybluelight.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9cb4226c992a0) (gupdate1c9cb4226c992a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - (no file)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8423 bytes