Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Analyze Hijack This file

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Analyze Hijack This file

Unread postby dtheall » November 12th, 2007, 8:35 pm

Yesterday I got a Trojan Downloader (downloader-afh) after visiting a recipe website!! Huh and I was only looking for something to make for dinner!! Anyway, McAfee scan found and removed it. I'm a little freaked out and neurotic so I wanted to be sure there are no traces left on my machine. I went to McAfee forum and it was suggested to run Hijack This and have someone analyze it. Can you do that? Can I run Analyze this from Trend Micro ? Wasn't sure what that does. I could not upload my file - it would not accept my file extensions(tried txt, doc, log) thanks. Donna
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:57 PM, on 11/12/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\MSK\mskagent.exe
C:\Program Files\Windows Mail\WinMail.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll (file missing)
O23 - Service: dlcq_device - - C:\Windows\system32\dlcqcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7659 bytes
dtheall
Regular Member
 
Posts: 85
Joined: November 12th, 2007, 7:14 pm
Advertisement
Register to Remove

Re: Analyze Hijack This file

Unread postby beynac » November 15th, 2007, 12:36 pm

Hi.

I'm sorry that you've been kept waiting. I'm looking through your log and will post again shortly.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Analyze Hijack This file

Unread postby beynac » November 15th, 2007, 2:40 pm

Good evening Donna.

Can I run Analyze this from Trend Micro ? Wasn't sure what that does.

I recommend that you don't run this. All it does is give you a report giving some statistics about the lines in your HijackThis (HJT) log. These bear no relation to whether they are good or bad. It just shows whether, or not, a certain line has appeared in a lot of HJT logs. A lot of the lines with high percentages are essential Windows processes!

I would like to have a look at which programs are prevented form starting by msconfig and we'll run an online scan to check that everything is clear.

-----------------------------------------

Open Notepad (Click on Start then Run. Type notepad into the textbox and click OK.) Select the contents of the Quote Box below, right-click and copy it, then paste into Notepad.
@echo off
regedit /a beynac.txt "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"
notepad beynac.txt
del regfind.bat


Still in Notepad, go to Format (upper menu bar) and untick Word Wrap
Go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: regfind.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

On the Desktop, double-click on regfind.bat. This should open a text file (beynac.txt) on your desktop. Please post the contents of this as a reply to this post.

-----------------------------------------

ESET Online Scanner

Please run the ESET Online Scanner. You must use Internet Explorer to run the scan.
  • Check the box to accept the Terms of Use
  • Click Start
  • When prompted, left-click on the Information Bar which pops up at the top of your browser window
  • Click on Install ActiveX Control
  • A message box will pop up. Click on Install to install the software
  • Click Start
  • Do not check the following boxes
    • remove found threats
    • scan for unwanted applications
  • Click Start
  • When the scan has ended it should show a report giving details of any threats found
  • The report will be saved as C:/Program Files/esetonlinescanner/log.txt
Please post that report as a reply to this thread. You can uninstall the ESET Online Scanner through Control Panel/Add or Remove Programs, if you wish.

----------------------------------------

To summarise: please post the following, as a reply to this thread
  • The contents of beynac.txt
  • The ESET online scan report
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Analyze Hijack This file

Unread postby dtheall » November 17th, 2007, 7:57 am

Hello. thanks for your help. When I run this file regfind.bat it says it cannot find beynac.txt file and do I want to create a new one? I clicked cancel, but wasn't sure if I was supposed to click yed. Sorry this is all very new to me! Donna
dtheall
Regular Member
 
Posts: 85
Joined: November 12th, 2007, 7:14 pm

Re: Analyze Hijack This file

Unread postby dtheall » November 17th, 2007, 7:58 am

I must learn to PREVIEW! I meant click Yes (not yed).
dtheall
Regular Member
 
Posts: 85
Joined: November 12th, 2007, 7:14 pm

Re: Analyze Hijack This file

Unread postby dtheall » November 17th, 2007, 8:31 am

ESET Scanner will not run. Says I need administrator rights which I should have. I guess this is a problem! Can you help?
dtheall
Regular Member
 
Posts: 85
Joined: November 12th, 2007, 7:14 pm

Re: Analyze Hijack This file

Unread postby beynac » November 17th, 2007, 11:48 am

Good afternoon Donna.

Hello. thanks for your help. When I run this file regfind.bat it says it cannot find beynac.txt file and do I want to create a new one? I clicked cancel, but wasn't sure if I was supposed to click yes.

You should have clicked "yes". Sorry, this is my fault. Vista has stronger security and needs an additional step. When you run the batch file you have to right-click on it and then select Run as administrator. I'll repeat the instructions for clarity. The situation with the EST Scanner is similar.

--------------------------------------------------

Open Notepad (Click on Start then Run. Type notepad into the textbox and click OK.) Select the contents of the Quote Box below, right-click and copy it, then paste into Notepad.
@echo off
regedit /a beynac.txt "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"
notepad beynac.txt
del regfind.bat


Still in Notepad, go to Format (upper menu bar) and untick Word Wrap
Go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: regfind.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

On the Desktop, right-click on regfind.bat, select "Run as administrator". If prompted, allow the creation of beynac.txt. A text file (beynac.txt) should open on your desktop. Please post the contents of this as a reply to this post.

------------------------------------------------

ESET Online Scanner

Please run the ESET Online Scanner. You must use Internet Explorer to run the scan.
  • Right-click on your Internet Explorer icon on your Start Menu
  • Select Run as administrator from the popup context menu
  • Go to http://www.eset.com/onlinescan/
  • Check the box to accept the Terms of Use
  • Click Start
  • When prompted, left-click on the Information Bar which pops up at the top of your browser window
  • Click on Install ActiveX Control
  • A message box will pop up. Click on Install to install the software
  • Click Start
  • Do not check the following boxes
    • remove found threats
    • scan for unwanted applications
  • Click Start
  • When the scan has ended it should show a report giving details of any threats found
  • The report will be saved as C:/Program Files/esetonlinescanner/log.txt
Please post that report as a reply to this thread. Once you have finished, you can uninstall the ESET Online Scanner through Control Panel/Add or Remove Programs, if you wish.

------------------------------------------------

Sorry for the confusion. I'm only just getting used to Vista. :)

Please post:
  • The contents of beynac.txt
  • The ESET Online Scan report
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Analyze Hijack This file

Unread postby dtheall » November 17th, 2007, 4:14 pm

Here is the registry file. I will run the scan and post. thanks! Donna
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Adobe Reader Speed Launcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\DellTPad\\Apoint.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DellSupport"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DellSupportCenter"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe\" /P DellSupportCenter"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCQCATS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DLCQCATS"
"hkey"="HKLM"
"command"="rundll32 C:\\Windows\\system32\\spool\\DRIVERS\\W32X86\\3\\DLCQtime.dll,_RunDLLEntry@16"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcqmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlcqmon.exe"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell Photo AIO Printer 966\\dlcqmon.exe\""
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dscactivate"
"hkey"="HKLM"
"command"="c:\\dell\\dsca.exe 3"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EasyLinkAdvisor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Linksys EasyLink Advisor\\LinksysAgent.exe\" /startup"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ECenter"
"hkey"="HKLM"
"command"="c:\\dell\\E-Center\\EULALauncher.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ehTray.exe"
"hkey"="HKCU"
"command"="C:\\Windows\\ehome\\ehTray.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FaxCenterServer"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell PC Fax\\fm3032.exe\" /s"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Google Desktop Search"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HotKeysCmds"
"hkey"="HKLM"
"command"="C:\\Windows\\system32\\hkcmd.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IgfxTray"
"hkey"="HKLM"
"command"="C:\\Windows\\system32\\igfxtray.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISUSPM Startup"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISUSScheduler"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kernel and Hardware Abstraction Layer"
"hkey"="HKLM"
"command"="KHALMNPR.EXE"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Logitech Hardware Abstraction Layer"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Logitech\\khalshared\\KHALMNPR.EXE\""
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MemoryCardManager"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell Photo AIO Printer 966\\memcard.exe\""
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OEM02Mon.exe"
"hkey"="HKLM"
"command"="C:\\Windows\\OEM02Mon.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCMService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe\""
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Persistence"
"hkey"="HKLM"
"command"="C:\\Windows\\system32\\igfxpers.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Picasa Media Detector"
"hkey"="HKLM"
"command"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Sidebar"
"hkey"="HKCU"
"command"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000c
"HOUR"=dword:00000013
"MINUTE"=dword:00000024
"SECOND"=dword:00000037

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SigmatelSysTrayApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\SigmaTel\\C-Major Audio\\WDM\\sttray.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Windows Defender"
"hkey"="HKLM"
"command"="%ProgramFiles%\\Windows Defender\\MSASCui.exe -hide"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WindowsWelcomeCenter"
"hkey"="HKCU"
"command"="rundll32.exe oobefldr.dll,ShowWelcomeCenter"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WMPNSCFG"
"hkey"="HKCU"
"command"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:0000000b
"DAY"=dword:0000000b
"HOUR"=dword:00000010
"MINUTE"=dword:00000000
"SECOND"=dword:00000011
dtheall
Regular Member
 
Posts: 85
Joined: November 12th, 2007, 7:14 pm

Re: Analyze Hijack This file

Unread postby dtheall » November 17th, 2007, 5:10 pm

Ok I ran the scan. Thank you so much for your help - it ran clean! It said No Threats Found.
dtheall
Regular Member
 
Posts: 85
Joined: November 12th, 2007, 7:14 pm

Re: Analyze Hijack This file

Unread postby beynac » November 17th, 2007, 6:00 pm

Hi Donna.

That's great. There's nothing in msconfig which we need to worry about and, as you say, the ESET scan is clean. So it looks as if we are done! :)

If you do not already use it, I suggest that you install SpywareBlaster. This program will:
  • Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
This program blocks these items but does not run in the background. It therefore does not use any resources.

I would also recommend that you have a look at Firetrust SiteHound. This gives warnings when you are about to enter a website that is on their 'block' list. An alternative is McAfee SiteAdvisor. I use SiteHound, but both have a good reputation (N.B. use only one of them, not both).

This article, How to prevent Malware by miekiemoes, gives some very good advice.

Please let me know whether you have any questions.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Analyze Hijack This file

Unread postby dtheall » November 18th, 2007, 9:59 am

Thank you for your advice, time and attention to helping me with my computer woes! It's been very disturbing to know I got infected!!! I have McAfee Security Center, Spybot and now SCANEST. I will get the other programs you mention in your reply. The internet is a very scary place! This forum (and forums like this) restore my faith in the goodness of human beings. As many people as there are out there trying to scam and harm, community forums are examples of the good that can come from the internet. It's just a great way for us to help eachother out. It's Thanksgiving here in the US (not sure where you are) and I was thinking how grateful I am for people like you who are passionate and knowledgeabe about this stuff and willing to share what you know. I am clueless!! But I'm learning, again with your assistance. Well I'm off for now, hope I don't have to come back anytime soon to report a problem, only to browse and learn.
dtheall
Regular Member
 
Posts: 85
Joined: November 12th, 2007, 7:14 pm

Re: Analyze Hijack This file

Unread postby beynac » November 18th, 2007, 2:56 pm

You're welcome. :) Thank you for your kind words.

Happy Thanksgiving!
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Analyze Hijack This file

Unread postby Gary R » November 18th, 2007, 4:06 pm

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
User avatar
Gary R
Administrator
Administrator
 
Posts: 21774
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: Vanilla-krypton and 38 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware