HP Service in msconfig, other potential infections


  • This topic is locked
4 replies to this topic

#1 Guest_PauliusAusra_*

  • Guests

Posted 03 January 2016 - 03:46 AM

Hello,

 

I have done Malwarebytes, Spybot, Bitdefender, Panda Cloud and AdwCleaner; most of them found something, so I would like to make sure everything is clean. Most of the msconfig entries are in Russian (which is the Windows version this computer came with), so I wouldn't say if all is well there, but there is HP Service, whose name looks generic and extra: http://www.bleepingcomputer.com/startups/hpsys.exe-12842.html - I do not know about the exe file, I only have an msconfig entry with the exact "HP Service" name.

 

As well as FRST logs, I am attaching HijackThis log for a few reasons:

1) there are many O23 entries with Unknown Owner and files missing on them. Should I download the .dll, .exe files and that fixes it?

2) "For some reason, your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this." etc. Might be Bitdefender denying access?

3) I have done manual fixes with HijackThis and now would like to know if it is better to restore them and use the other mentioned software to check it and leave everything else (or restore them and then do a FRST scan?). There is a list in the backup section of HijackThis but there is no option to copy it into a log. Most of the entries are those O23 files missing that HijackThis keeps finding and extra services I did not want, so if we fix the current log it should be better.


#2 nasdaq

  • Malware Response Team
  • 40,749 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 January 2016 - 10:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

HijackThis is no longer supported and not ready for your 64-bit operating system.
The missing files are possibly false positives. Do not remove any of them.

You said you removed some items. If so I would suggest you restore them.
===

Denied access to your Hosts file.
Check this out.
https://support.microsoft.com/en-us/kb/923947
<<<>>>

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2162030584-2005952011-3006005176-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: No Name -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> No File
Toolbar: HKU\S-1-5-21-2162030584-2005952011-3006005176-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 OATool; \??\C:\Users\836D~1\AppData\Local\Temp\OAToolx64.sys [X]
S3 rtbth; \SystemRoot\System32\drivers\rtbth.sys 
AlternateDataStreams: C:\ProgramData\PACE:2B431299BD566A9A
AlternateDataStreams: C:\Users\Paulius\Desktop\FRST64.exe:BDU
AlternateDataStreams: C:\Users\??? ????????????\PACE:2B431299BD566A9A

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

I did not see any reference to your MSConfig issue.
Let's check this file hpsys.exe

Please run the Farbar Recovery Scan Tool. Enter hpsys.exe in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

Do you have any issues with this computer?

p.s.
Now that you have restored the items from the HijackThis issue please run the Farbar tool and post a fresh FRST log for my review.

Let me know of any remaining issues.
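The check nasdaq performs with FRST's file search (is hpsys.exe actually on disk, and which O23 services point at missing files) can also be done directly against the registry. The script below is an added example, not part of this thread or of the Farbar tool; it assumes the three Run keys listed are the ones behind the msconfig Startup tab (Startup folders are not covered) and reports every autostart entry or service whose command resolves to a file that does not exist.

```powershell
# Added example (not from this thread): report autostart entries and services
# whose command points at a file that no longer exists on disk, i.e. the kind
# of empty entry behind "HP Service" and the O23 "file missing" lines.
function Resolve-TargetPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $c = $c -replace '^\\\?\?\\', ''                        # \??\C:\...  (NT path prefix)
    $c = $c -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\System32\...
    if ($c -match '^"([^"]+)"') { $c = $Matches[1] }        # quoted path, drop arguments
    elseif ($c -match '^(.+?\.(exe|sys|dll|cmd|bat))(\s|$)') { $c = $Matches[1] }
    else { $c = ($c -split '\s+')[0] }
    # Relative driver paths such as system32\drivers\x.sys are relative to %SystemRoot%
    if ($c -notmatch '^[A-Za-z]:\\') { $c = Join-Path $env:SystemRoot $c }
    return $c
}

$findings = @()

# Run keys shown on the msconfig Startup tab (assumed list; extend as needed)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $target = Resolve-TargetPath $p.Value
        if (-not $target -or -not (Test-Path -LiteralPath $target)) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value; Target = $target }
        }
    }
}

# Services and drivers (HijackThis O23 equivalents) whose ImagePath has no file behind it
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { continue }
    $target = Resolve-TargetPath $img
    if (-not (Test-Path -LiteralPath $target)) {
        $findings += [pscustomobject]@{ Source = 'Services'; Name = $svc.PSChildName; Command = $img; Target = $target }
    }
}

$findings | Format-Table -AutoSize
```

A hit here only means the referenced file is absent, which is exactly the "empty entry" case; whether an entry should be deleted or left alone is still the call of whoever is reviewing the logs.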

#3 Guest_PauliusAusra_*

  • Guests

Posted 03 January 2016 - 11:06 PM

Hello,

 

I have restored the HijackThis entries. There are three that appear in the backup list after it, all F2 - REG:system.ini: UserInit=userinit.exe, fixed at different times. Otherwise, the FRST logs are the ones left.
#4 nasdaq

  • Malware Response Team
  • 40,749 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 January 2016 - 11:36 AM

Your logs are clean.

The file hpsys.exe which is not required is not located on your hard disk.
The entry in the MsConfig is just an empty entry. Leave it alone.

====

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best Security Practices - Keep Safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 nasdaq

  • Malware Response Team
  • 40,749 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 January 2016 - 08:46 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.