Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help on what to delete in hijackthis


  • This topic is locked This topic is locked
3 replies to this topic

#1 branch

branch

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:28 AM

Posted 02 May 2012 - 07:17 PM

I performed a system scan with a saved log file on HijackThis.com. Within this log file, which running processes do I delete? I've noticed some with number entries, such as 01, 02, 03, etc. at the beginning of certain files. Do these files have unregistered addresses? I just need to know which files are legitimately certified within my hard drive. I had my computer cleaned and reinstalled with Windows XP (service pack 3) about 3 weeks ago. It was also installed with AVG, but this anti-virus program has a nasty toolbar and secure search application that controls your browser settings. After this computer clean-up, I just wanted to return my previous homepage with Google and reinstall all my other applications. It should be noted that I use Utorrent and Frostwire applications. Exceptions were made to allow these applications within my firewall and anti-virus program. I only experience problems when I added Utorrent a month ago with the older version of Frostwire (used without problems). Utorrent is used for movies and the latter for music. These programs are used with caution, but I can not help to think there was a conflict with both. I never experienced a problem with using only one application. The AVG program is new for me as well. I've used AVAST in the past. I reported high memory usage within Windows's Explorer before trying to change over to Google after the clean-up. I never had problems so quickly within my registry or with my default settings on my hard drive. I deleted AVG and it's add-ons, but there was a registry problem with application missing on the AVG secure search. Malware Bytes was used to fix this rundll problem (kmzkybj.dll). I know this is a lot of information, but I need to know where to find the trojan hijacker and adware within the log file stated above in HijackThis.com. Since, I can not show my log file on this forum, I need advice. My System Restore and Search functions do not work in Windows. My USB device will not connect in Itunes. My Adobe Flash Player will not install. PLEASE HELP!

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,403 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:28 AM

Posted 02 May 2012 - 08:25 PM

Please post the HJT log here in your other topic.
http://www.bleepingcomputer.com/forums/topic452260.html/page__p__2686386#entry2686386


Please read thos from our quietman7

IMPORTANT NOTE: HijackThis is an advanced enumerator (similar in some respects to a registry editor) that is used to display certain areas of the Windows registry where the majority of malware reside. HijackThis will scan these areas of your system and then create a log to help diagnose the presence of undetected malware in known hiding places. However, since HijackThis only scans certain areas of your system/registry, a log may not always show all the malware on your system and other investigative tools need to be used. Most of the log entries are required to run a computer and removing essential ones can potentially cause serious damage such as loss of Internet connectivity or problems with your operating system which could preventing it from starting. Using HijackThis requires advanced knowledge about the Windows Operating System and relies on trained experts to interpret the log entries and investigate them in order to determine what needs to be fixed.

And just because you "fixed" something with HijackThis, that does not mean you have a clean system. There are specific files and folders which must be deleted afterwards. HijackThis does not delete them. Futher, removing entries in HijackThis before the problem is properly identified can make the malware undetectable to other detection and removal tools. Full system scanning tools like SUPERAntispywre, Malwarebytes' Anti-Malware, Spybot S&D and SpySweeper will remove the registry entries as well as the related files which results in a more complete removal process. HijackThis this should only be used to clean up the entries left behind, after you have properly removed the malware.

Since HijackThis is a powerful tool that requires advanced knowledge about the Operating System and can cause system damage if incorrect instructions are given, only designated trained experts are allowed to help people with using HijackThis. If you do not have advanced knowledge about computers or training in the use of this tool, you should NOT fix anything using HijackThis without consulting a expert as to what to fix.

With that said, there are tutorials available for advanced users which will help you understand more clearly about the use of HijackThis and what it does.[list]
[*]BC's HijackThis Tutorial & Guide
[*]Understanding and Interpreting HijackThis Entries - Part 1: R0 to N4
[*]Understanding and Interpreting HijackThis Entries - Part 2: O1-O9
[*]Understanding and Interpreting HijackThis Entries - Part 3: O10-O23
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 branch

branch
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:28 AM

Posted 14 May 2012 - 01:17 AM

The log file requested is copied and pasted below. I'm sorry for the delay. I was burnt out and frustrated with the problem. Your reply will be appreciated. I will read the tutorial on HJT. Usually, my registry under LOCAL MACHINE, is the location of these malicious adware programs. I'm extremely tenacious in fixing this problem, yet I'm aware such programs can hide under Windows. I've never used HIJACK THIS, but pick up things quickly. I replied to another member, NASDAQ, as well on this matter. DDS. txt and checkup.txt. files were sent to him. Hopefully gentlemen, you can point me in the right direction. Thank you.


Scan saved at 5:30:33 PM, on 5/2/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/chrome/eula.html?hl=en&brand=CHFX&utm_campaign=en&utm_source=en-oa-na-us-bk-bng&utm_medium=oa&installdataindex=homepagepromo
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
R3 - URLSearchHook: uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files\uTorrentControl2\prxtbuTor.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: uTorrentControl2 - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files\uTorrentControl2\prxtbuTor.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O3 - Toolbar: FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O3 - Toolbar: uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files\uTorrentControl2\prxtbuTor.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [] A
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=TlVIRDQtWUg5UEUtTzNQNEUtUVJERUstR0RKWjctVk9YVUw"&"inst=NzctMTI0NTk5NjA3MS1TVDEyRkFQUCsxLUREVCswLUVVTEErMQ"&"prod=55"&"ver=2012.0.1809"&"mid=15c2d5dabb8747d0904fd15d643bfac2-2404027c94af33b94b09ca06f24ae5ce12944c59
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Update] rundll32.exe "C:\Documents and Settings\User\Application Data\AVG Secure Search\AVG Secure Search\kmzkybj.dll",DllRegisterServer (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Update] rundll32.exe "C:\Documents and Settings\User\Application Data\AVG Secure Search\AVG Secure Search\kmzkybj.dll",DllRegisterServer (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Update] rundll32.exe "C:\Documents and Settings\User\Application Data\AVG Secure Search\AVG Secure Search\kmzkybj.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Update] rundll32.exe "C:\Documents and Settings\User\Application Data\AVG Secure Search\AVG Secure Search\kmzkybj.dll",DllRegisterServer (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: NETGEAR WNA1100 Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: vToolbarUpdater10.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
O23 - Service: WSWNA1100 - Unknown owner - C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe

--
End of file - 8498 bytes

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,403 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:28 AM

Posted 14 May 2012 - 01:18 PM

You have a malware topic here
http://www.bleepingcomputer.com/forums/topic452260.html/page__p__2686386#entry2686386

Post your HJT Log there if they need it.

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users