Help with HijackThis log

Discussion in 'Malware Help (A Specialist Will Reply)' started by parkey, Feb 16, 2007.

  1. parkey

    parkey Private E-2

    Hi,
    I've been trying to run Housecall but every time I start it, in the middle or so of the scan the browser closes. I tried running Spybot, Ad-Aware, Symantec and a few other spyware utilities. No luck yet, so I decided to try HijackThis and was hoping to see if anyone had any thoughts on the log.
    Thanks
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. parkey

    parkey Private E-2

    Here are the findings attached.
     

    Attached Files:

  4. parkey

    parkey Private E-2

    and the others
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your ShowNew files are not showing anything, so please follow the fixes here: ShowNew.


    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Attach the new ShowNew log after doing the patch (delete the first, do the patch and then run the utility again.)
     
  6. parkey

    parkey Private E-2

    here is what i get after doing the fix
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Right click on Start / Explore and scroll to that folder (C:\Program Files\HJT\NEW FOLDER (2)) and list all the files that are in there.
     
  8. parkey

    parkey Private E-2

    grep.exe, locate.com, ltime.exe, ShowNew.bat, and also newfiles.txt which I placed in there from when it originally went to just C:\
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    When you double click the ShowNew.bat, does it open the notepad with the results that are different from what you have posted or just the same?
     
  10. parkey

    parkey Private E-2

    Same results as I have posted.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You really should now have ShowNew running from a subfolder of the HijackThis folder. And a more appropriate name should have been used rather than NEW FOLDER (2). I don't think this should stop it from running properly; however, improperly named folders with characters that are illegal at a DOS level can cause problems. To make it easier for you to do my next steps, I suggest you create C:\MGTools as suggested on the download pages. Then extract all files from BOTH GetRunKey and ShowNew into this C:\MGTools folder. Delete all other old folders like the NEW FOLDER (2) you may have. After doing the above, continue with the below:

    Click Start, Run, and enter cmd and click OK. This will open up a command prompt window. In the command prompt window enter the below commands:
    cd c:\MGTools
    shownew

    Did you get any error messages when you ran shownew?


    Also note that per the READ & RUN ME, you should not be running Spybot's Teatimer.


    Now Disable Spybot's TeaTimer
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks
    • and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Also uninstall the Sunbelt CounterSpy trial since we are finished with it now!

    Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    I'm not sure what the below free registry fixer is, but I don't like the looks of it. Unless you know that it really is something reputable and useful, I would fix this line too and then continue on to fix the other lines.
    O4 - HKLM\..\Run: [EducationCenter] "C:\Program Files\Free Registry Fixer\educate.exe"

    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O16 - DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} (Java Plug-in 1.3.1_04) -
    O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) -

    After clicking Fix, exit HJT.

    Now reboot in normal mode

    Now attach a new HJT log

    Is the only reason you have come here for help the problem with running Housecall? This is probably not a malware problem, but see if you can run it now after doing all of the above.
     
    Last edited: Feb 18, 2007
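Added example, not code from the thread or from HijackThis itself: a small triage script that reads HJT lines the way the message above does. It flags entries whose registered file is gone ("(no file)" / "(file missing)"), O16 DPF entries with no download URL, a DPF whose host is not on an allow-list, and the KernelFaultCheck crash-report leftover. The sample lines are copied from the entries chaslang asks to be fixed in this message and in message 15; TRUSTED_DPF_HOSTS, the helper names and the wording of the reasons are assumptions made for illustration.

```python
"""Triage HijackThis (HJT) log lines the way the thread does.

Added example, not code from the thread or from HijackThis itself. The sample
lines are copied from the entries chaslang asked to be fixed in messages 11
and 15; TRUSTED_DPF_HOSTS, the helper names and the wording of the reasons
are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Hosts from which an O16 (Downloaded Program Files / ActiveX) entry is
# considered expected. Assumed allow-list; extend it for your own environment.
TRUSTED_DPF_HOSTS = ("trendmicro.com", "java.sun.com", "microsoft.com")

ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # O2, O4, O9, O16, ...
    reason: str
    line: str


def parse_entry(line):
    """Split 'O16 - DPF: ...' into ('O16', 'DPF: ...'); None for non-entries."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_line(line, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return a Finding for a line worth fixing, or None if it looks fine."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, body = parsed
    lowered = body.lower()

    # HJT appends these markers when the registered file no longer exists.
    if "(no file)" in lowered or "(file missing)" in lowered:
        return Finding(section, "orphaned: referenced file is gone", line.strip())

    if section == "O16":
        m = URL_HOST.search(body)
        if m is None:
            return Finding(section, "DPF entry with no download URL", line.strip())
        host = m.group(1).lower()
        # Compare the host, not a substring: a CDN URL can carry a trusted
        # name in its path while being served from elsewhere.
        if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            return Finding(section, f"DPF host not on allow-list: {host}", line.strip())

    # Left behind by Windows XP's kernel-fault reporting after a crash;
    # harmless, but it serves no purpose once the report has been sent.
    if section == "O4" and "[kernelfaultcheck]" in lowered:
        return Finding(section, "crash-report leftover", line.strip())

    return None


def triage(log_text, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Run triage_line over every line of a log; keep only the findings."""
    findings = (triage_line(l, trusted_hosts) for l in log_text.splitlines())
    return [f for f in findings if f is not None]


# Constructed sample: entries from the thread, including the akamai-hosted one.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (file missing)
O16 - DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} (Java Plug-in 1.3.1_04) -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}: {f.line}")
```

Note what the script deliberately does not do: the QuickTime and gcasServ O4 lines come back clean, because they point at files that exist. chaslang removes them as unwanted startup items, which is a judgement call about the machine, not something a file-existence check can decide. The akamai-hosted HouseCall control is reported only because its host is not on the allow-list; that is a prompt to review the entry, not proof that it is malicious.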
  12. parkey

    parkey Private E-2

    That seems to have solved the issue. Now the files are showing correctly.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, extract GetRunKey.zip into the same MGTools folder and attach a new log from it now. Was it just the move to MGTools that solved your problem, or did it only get resolved after doing the other steps too? You do need to complete the other steps I gave you too and then attach the new HJT log that I requested.

    Also is that Free Registry Fixer that I asked about part of Student Learning Resources for Callister, 6e?
     
  14. parkey

    parkey Private E-2

    Changing the folder name and location seemed to have resolved that issue. As for the free registry fixer, I am not sure about it. The student thing is a program that came with one of my books for my classes. Attached are the new log files that you asked for. Housecall was the main reason, only because I have researched the topic and most things that I have tried, such as updating Java and doing the different versions of the scans, did not help. Some people were saying that it is most likely some malware or something causing the Java application to close. Also my computer had begun to slow down a large amount, and as we have been going through these processes it has been going faster.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not uninstall CounterSpy as requested in message # 11. Please uninstall it now before continuing on to my next steps.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (file missing)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (file missing)
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    After clicking Fix, exit HJT.

    Now reboot in normal mode

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now! Things should be even a little faster than when you posted message number 10.
     
  16. parkey

    parkey Private E-2

    It is running much better; shutdown and startup times are decreased, along with general programs running much faster, including the internet. I had tried Housecall again before doing the latest steps and it still closed, but I do appreciate how all these steps have been making it run faster. Thanks.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You needed to try it after doing the fixes since we removed a bunch of old files related to Housecall. This may or may not have helped. Don't try it yet though. We have more to cleanup. Also I have a question about what exactly are you running. Are you trying to run TrendMicro's OnlineScan or are you trying to run Trend System Cleaner (also called TSC). They are two different things and I saw signs of both on your PC.


    Before trying anymore scans, first do the below. These steps will remove some malware and some additional old files from Housecall and from TSC.

    Make sure to do all steps in the order given.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3

    Make sure you reboot after uninstalling the above!

    Now let's remove a bunch of folders pretending to be files that are from a W32.Sality.U infection.
    Right click Start and select Explore. Navigate to the below folders and delete them.
    C:\WINDOWS\logo1_.exe
    C:\WINDOWS\rundl132.dll
    C:\WINDOWS\rundll16.exe
    C:\WINDOWS\zts2.exe
    C:\WINDOWS\system32\iifgfgf.dll
    C:\WINDOWS\system32\vcmgcd32.dll

    Now navigate to the below files from Trend Micro and delete them
    C:\WINDOWS\BPMNT.dll
    C:\WINDOWS\hcextoutput.dll
    C:\WINDOWS\PATCH.EXE
    C:\WINDOWS\TMUPDATE.DLL
    C:\WINDOWS\tsc.exe
    C:\WINDOWS\system32\drivers\tmcomm.sys



    After reboot please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now attach the below new logs and tell me how the above steps went.
    1. ShowNew
    2. HJT

    Now you can try to run TrendMicro's Online scan again. If it does not work, you may have a software conflict or an active x setting that it does not like (read the notes here: http://www.trendmicro.com/hc_intro/default.asp )

    Make sure that Symantec AV or your firewall are not blocking it too.
     
    Last edited: Feb 21, 2007
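Added example, not a tool from the thread or from MajorGeeks: a check for the "folders pretending to be files" trick the message above cleans up by hand. A directory named logo1_.exe or vcmgcd32.dll shows up in Explorer with a file-like name and can hide beside the real binaries, so the script walks a tree and reports any directory whose last path component carries an executable or library extension. The sample tree is constructed in a temporary directory so the script runs anywhere; its directory names reuse the paths listed in the message, but the layout, the extension set and the helper names are assumptions.

```python
"""Find directories whose names masquerade as executables or DLLs.

Added example; not a tool from the thread. The sample tree is constructed in a
temporary directory so the script runs anywhere; the names reuse the paths
chaslang listed in message 17, but the layout and helper names are assumptions.
"""
import os
import tempfile
from pathlib import Path

# Extensions that should only ever name files, never directories (assumed set).
SUSPECT_EXTENSIONS = {".exe", ".dll", ".sys", ".com", ".scr", ".pif"}


def find_masquerading_dirs(root, extensions=SUSPECT_EXTENSIONS):
    """Return POSIX-style paths, relative to root, of every directory under
    root whose last path component ends in one of the given extensions.
    Ordinary files with those extensions are ignored; only directories count."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, _filenames in os.walk(root):
        for name in dirnames:
            if Path(name).suffix.lower() in extensions:
                hits.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample resembling the thread's cleanup list: two directories
    named like binaries, plus ordinary files and directories as controls."""
    root = Path(root)
    for d in ("WINDOWS/logo1_.exe", "WINDOWS/system32/iifgfgf.dll",
              "WINDOWS/system32/drivers", "Program Files/HJT"):
        (root / d).mkdir(parents=True)
    for f in ("WINDOWS/notepad.exe", "WINDOWS/system32/drivers/tmcomm.sys"):
        (root / f).write_bytes(b"MZ")   # real files: must not be flagged


def demo():
    """Build the sample tree in a temp dir and return what the check flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_masquerading_dirs(tmp)


if __name__ == "__main__":
    for p in demo():
        print("directory named like a binary:", p)
```

Run against a real system root (for example `find_masquerading_dirs(r"C:\WINDOWS")`) the same function gives the list to review; it only reports, it never deletes, because a hit is a reason to look rather than proof of infection on its own.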
  18. parkey

    parkey Private E-2

    I am trying to run the Housecall online virus scanner. The steps went without any errors and things are looking better. Here are the files attached and I will try running Housecall now. I'll let you know how that goes.
    Thanks
     

    Attached Files:

  19. parkey

    parkey Private E-2

    While trying to run Housecall it did the same thing it normally does: start to scan through the files and then suddenly close the browser. Not sure how to check to see if the ActiveX controls are correct or not. I don't think it is the firewall since I had the same problem when I tried to run it without the firewall on, and I also tried disabling Symantec... same results.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you look at the info in the link I gave! It gives the below:
    You should also try running Housecall from a FireFox browser and see what happens.

    Your logs are clean now! Any problems you are having now are typical of some kind of settings or other software conflict. These are not malware problems.
     
  21. parkey

    parkey Private E-2

    Yes, I had tried Housecall on both Internet Explorer and Mozilla; all those qualifications and settings are met. Still doesn't work. I did more research on my own and was able to find this, which seemed to be an alternate solution. It downloads the files to run the scanner from the website and then runs the scanner on its own. It is discussed here.

    http://www.wirelessforums.org/alt-computer-security/modem-hijacking-internet-dumping-4580.html

    Worked just fine on my computer.
    Thanks for all the help once again.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not for Trend Micro's Housecall. That is for calling TSC (Trend System Cleaner) which we also often use here on Majorgeeks.
     
  23. parkey

    parkey Private E-2

    When I ran it the program did a virus scan; it has McAfee and a couple of others with it. At the end it gave me a report of files scanned, potential threats and viruses cleaned.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but it is still not Housecall which was all I was pointing out.
     
  25. parkey

    parkey Private E-2

    Trend was an option... it creates a folder called housecall... pretty sure it is the same as Trend Housecall since it downloads right from that site.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nope! If you are not running the online scanner (which you are not) then it is not the same thing. The online scanner does not create a folder. It just adds some active x components to your downloaded program files folder and runs them thru your browser while online.
     
  27. parkey

    parkey Private E-2

    Here is the file it shows at the end of the scan... so does it mean that the Trend cleaner also scans for viruses, since it loads virus definitions? I see it runs the cleaner at first but then it looks like it runs a virus scan... maybe I'm reading the file wrong.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it runs an on demand scan and has definitions that can be updated. It just is not the online scan.

    However it is not a substitute for an antivirus program. It is only an on demand scanner.
     
  29. parkey

    parkey Private E-2

    OK, thanks for all the information. I appreciate it a great deal.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
