
I have run my HijackThis log through the program that helps you, and when I delete the things it suggests I am temporarily able to edit the registry, but even after doing all the fixes I could find within the registry, I am still unable to access folder options. Also, after a few minutes at the most, the things I have deleted through HijackThis will start to return and my computer will once again tell me that the administrator (me) has disabled registry editing.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:15 PM, on 6/3/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Windows\SysWOW64\explorer.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Gates\AppData\Local\Temp\winamp.exe
C:\Users\Gates\AppData\Local\Temp\svchost.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: C:\Windows\SysWow64\yhafd78auhd.dll - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\Windows\SysWow64\yhafd78auhd.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\Users\Gates\AppData\Local\Temp\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to AVI Converter... - C:\Program Files (x86)\MP3 Player Utilities 5.09\AVIConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://namiki.fukushima-iri.go.jp/kxhcm10.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{050CBDAE-75BF-40FE-8BFB-2C0B6E9D1AF0}: NameServer = 65.32.5.111,65.32.5.112
O17 - HKLM\System\CS1\Services\Tcpip\..\{050CBDAE-75BF-40FE-8BFB-2C0B6E9D1AF0}: NameServer = 65.32.5.111,65.32.5.112
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\Windows\SysWow64\yhafd78auhd.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - Unknown owner - C:\Windows\system32\STacSV64.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7231 bytes

2 Contributors, 3 Replies, 4 Views, 8 Years Discussion Span, Last Post by jholland1964

program that helps you and when I delete the things it suggests I temporarily am able to edit the registry but even when doing all the fixes I could find within the registry, I am still unable to access folder options. Also after a few minutes at the most, the things I have deleted through HijackThis will start to return

First of all, HiJackThis is never to be considered a Fixer program. Secondly, it is not fully compatible with Vista 64-bit systems, so many times the logs are not fully accurate. HJT is basically used to scan the computer to see what may be installed, what may be running at start up via start up programs and services, and what, if any, malware may be on the computer. Where are you getting the information that "suggests" what should be removed? The KEY word is "suggests"; that never means SHOULD, it is merely a suggestion that the entry should be investigated. Some things that Look Bad may NOT be bad.
Editing the registry without FULL knowledge of what it is you are editing is NEVER advised. I certainly HOPE you made backups of the registry before randomly going in there and editing.
The glaring thing showing to me in this odd-looking HJT log is that you are not running an anti-virus program nor a firewall. That is the easiest way to become infected. You are running multiple files from Temp folders. You have missing files throughout the log. Where are they now?
Take a look at all those listings in Services with "file missing" notations. Those are all key files and would normally be seen in running processes; do you see them there? Now I don't have any idea if this is because you have removed these key files and that is why they don't show in running processes, OR if it is the fact that this is a Vista 64-bit system and the log is inaccurate.
Where is the VERY FIRST HJT log that you ran BEFORE you began all these "fixes"? That would be the log to post.
Why do you believe you have a virus? How would you know without an anti-virus program to scan with, or without anti-spy programs?
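Added example, not from this thread or from HijackThis itself: a small Python triage script for the log format posted above. It flags the points raised in this reply: processes and O4 autoruns launched from the user's Temp folder, O7 policy entries such as DisableRegedit=1, O23 services marked "file missing", and a CLSID that is registered in more than one section (here the O2 BHO and the O22 SharedTaskScheduler share one). The sample lines are a constructed subset copied from the posted log.

```python
import re

# Constructed sample in HijackThis log format: a subset of the lines from the
# log posted in this thread, enough to exercise each check below.
SAMPLE_LOG = r"""Running processes:
C:\Windows\SysWOW64\explorer.exe
C:\Users\Gates\AppData\Local\Temp\winamp.exe
C:\Users\Gates\AppData\Local\Temp\svchost.exe

O2 - BHO: C:\Windows\SysWow64\yhafd78auhd.dll - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\Windows\SysWow64\yhafd78auhd.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Windows System Recover!] C:\Users\Gates\AppData\Local\Temp\svchost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\Windows\SysWow64\yhafd78auhd.dll
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
"""

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)  # user Temp folder
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)         # {GUID} tokens

def triage(log_text):
    """Return the findings a reviewer would look at first in an HJT log."""
    findings = {"temp_processes": [], "temp_autoruns": [], "policies": [],
                "shared_clsids": [], "missing_services": 0}
    clsid_sections = {}   # CLSID -> set of sections (O2, O22, ...) it appears in
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:           # a blank line ends the process list
            in_processes = False
            continue
        if in_processes:       # a live process started from Temp is a red flag
            if TEMP_RE.search(line):
                findings["temp_processes"].append(line)
            continue
        section = line.split(" - ", 1)[0]
        if section == "O4" and TEMP_RE.search(line):   # autorun pointing into Temp
            findings["temp_autoruns"].append(line)
        elif section == "O7":                           # policy restrictions, e.g. DisableRegedit
            findings["policies"].append(line.split(" - ", 1)[1])
        elif section == "O23" and line.endswith("(file missing)"):
            findings["missing_services"] += 1
        for clsid in CLSID_RE.findall(line):
            clsid_sections.setdefault(clsid.upper(), set()).add(section)
    # one CLSID in both O2 (BHO) and O22 (SharedTaskScheduler): the same DLL from two autostart points
    findings["shared_clsids"] = sorted(c for c, s in clsid_sections.items() if len(s) > 1)
    return findings
```

Run it over a full saved log with `triage(open("hijackthis.log").read())`; the returned dictionary gives you the entries worth researching before anything is touched.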


That is the very first one as well as the current one; anything I have deleted since then has returned, as I have only been deleting whatever it is that the true root of the problem is causing and will continue to cause regardless of how many times I delete it.

And by suggest I mean it said "this is malicious content, delete it", in so many words.

I got this information from http://www.hijackthis.de/

I think you are under the impression I just checked boxes at random and hoped for the best.

As to how I know I have a virus: I can tell when background processes are running that are not usual. I know that typically a trojan can cause one to be unable to use regedit and may also cause trouble when trying to access folder options and in turn view hidden folders. Given I have common symptoms, I expect a virus of some sort.


Also, yes, this is a 64-bit Vista Ultimate system; I didn't just cherry-pick which parts of the log I would show you.


I think you are under the impression I just checked boxes at random and hoped for the best.

No, that is not what I think. I think you used the analyzer, which is meant for reference ONLY so that entries questioned there can be researched. I say again, HiJackThis is NOT a fixer program. It is ONLY a scanner program.
Here is the warning given concerning HiJackThis in the tutorial on how to use the program:

Warning

HijackThis should only be used if your browser or computer is still having problems after running Spybot or another Spyware/Hijacker remover. HijackThis is an advanced tool, and therefore requires advanced knowledge about Windows and operating systems in general. If you delete items that it shows, without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself. You should also attempt to clean the Spyware/Hijacker/Trojan with all other methods before using HijackThis. If you allow HijackThis to remove entries before another removal tool scans your computer, the files from the Hijacker/Spyware will still be left on your computer and future removal tools will not be able to find them.

Did you follow ALL of the instructions given here BEFORE running HiJackThis? This is the sticky at the very top of this forum.
Read me before posting a request for assistance
If so, I would like to see the logs from the MBA-M program and the ESET Online Scanner. If you have not completed those steps then please do so now and post back with those two logs. Of course DO NOT use the Deckard's Scanner, but continue through the sticky, beginning with the ATF-Cleaner and continuing on to the end. Then and only then should HJT be run. But as I stated earlier, it is not fully compatible with Vista 64-bit systems, so many times the logs are not fully accurate.
I don't know where you get the idea I said you "cherry-picked which parts of the log". I could easily see it was a Vista 64-bit system; that is why I told you logs from HJT on a Vista 64-bit system will not always be accurate.
