Author Topic: Is the Hijackthis section still active?  (Read 5160 times)

Offline Purgatory

  • Member
  • Posts: 262
Is the Hijackthis section still active?
« on: September 08, 2011, 10:39:47 AM »
It is a long time since this facility was used, and I wonder if it is permissible for me to send through an analysis from my wife's PC later in the day?

Many thanks
Purgatory
Intel Dualcore - Win 7 32 bit

Offline musicman

  • Member
  • Posts: 11
Re: Is the Hijackthis section still active?
« Reply #1 on: September 08, 2011, 11:52:48 AM »
Hi Purgatory

Should still be OK.

Personally, I haven't posted in this forum for quite a long time ( I use other HJT sites) but someone here should be able to help you out.

Before that download, install and carry out FULL system scans of the troubled computer with these two free programs ....

http://www.malwarebytes.org/products/malwarebytes_free

http://www.superantispyware.com/

Let them remove anything they identify as definitely bad.

Then reboot, run HJT and post the log with a brief description of any remaining problem(s).

Good luck.


MM

Offline Willabong

  • Member
  • Posts: 1118
    • Childrens Illustrated Ebooks
Re: Is the Hijackthis section still active?
« Reply #2 on: September 08, 2011, 12:36:41 PM »
Yes! It is still active Purgatory.
Childrens Illustrated Ebooks

http://www.bluebottleexchange.com

Offline Purgatory

  • Member
  • Posts: 262
Re: Is the Hijackthis section still active?
« Reply #3 on: September 08, 2011, 02:33:35 PM »
Thanks guys
Wife's computer generally slowing down is the problem. Malwarebytes + SUPERAntiSpyware have been used. So if someone would kindly look at this list, I would be grateful - here goes

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:52:40, on 08/09/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Eazy-Ware\ezSched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [EazyScheduler] C:\Program Files\Eazy-Ware\ezSched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2000478354-1275210071-1417001333-1005\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262992372750
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

--
End of file - 7578 bytes

Any help you can give will be appreciated  :thumbs
Purgatory

Offline musicman

  • Member
  • Posts: 11
Re: Is the Hijackthis section still active?
« Reply #4 on: September 08, 2011, 05:38:43 PM »
Nothing obvious there that would slow it down, as such.

Just scan again with HJT, put tick marks against these entries ...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


...and use HJT's "fix" button to get rid of them. You don't need them.


Slowness in computers is often a drag to resolve.

Check all programs running in the background, at startup etc. to see what they are and if they are really necessary or desired.

You have to be something of a detective but I guess you know that already!

This may help....

http://www.computerhope.com/issues/ch000179.htm

All the best.
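As an added example that is not part of the thread and not HijackThis code: musicman's advice to work through the background and startup entries like a detective can be partly scripted. The Python below parses the R0/R1/O2/... lines of a HJT v2.0.x log such as the one posted above and queues entries for a closer look: services HJT reports with "Unknown owner", an "Unknown file in Winsock LSP", O16 ActiveX downloads from hosts outside an allow-list, and O4 Run/RunOnce commands that name a DLL or EXE without a full path (rundll32 advpack.dll, RunDLL32.exe NvMCTray.dll) and therefore depend on the loader's search order to find the right file. The allow-list, the flag names and the sample subset of the log are assumptions chosen for the demonstration; a flag means "verify this", not "malicious" (the advpack.dll RunOnce entries land in the queue, and the replies above judge them safe).

```python
"""Triage pass over a HijackThis (HJT) v2.0.x log.

Added example for this thread, not code from the forum or from HijackThis.
Every flag means "verify", not "malicious".  The allow-list of ActiveX hosts
and the flag names are assumptions made for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# "O23 - Service: ..." -> code "O23", body "Service: ..."
SECTION_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
# "HKUS\S-1-5-19\..\RunOnce: [label] command (User '...')"
O4_RE = re.compile(
    r"^(?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O16_URL_RE = re.compile(r"- (?P<url>https?://\S+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# A command starting with a drive letter or an %ENV% variable names its file explicitly.
ROOTED_RE = re.compile(r'^"?(?:[a-z]:\\|%)', re.IGNORECASE)

SERVICE_NO_PUBLISHER = "service-without-publisher"
UNKNOWN_LSP = "unknown-lsp"
ACTIVEX_UNLISTED = "activex-from-unlisted-host"
CMD_NOT_QUALIFIED = "command-not-fully-qualified"
FLAGS = (SERVICE_NO_PUBLISHER, UNKNOWN_LSP, ACTIVEX_UNLISTED, CMD_NOT_QUALIFIED)

# Assumed allow-list: hosts from which an O16 ActiveX download is expected.
TRUSTED_HOSTS = ("microsoft.com", "nvidia.com", "macromedia.com", "adobe.com")


@dataclass
class Entry:
    code: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the R/O section lines; the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def is_trusted_host(host: str, trusted) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(entries: List[Entry], trusted=TRUSTED_HOSTS) -> List[Entry]:
    for e in entries:
        if e.code == "O23":
            m = O23_RE.match(e.body)
            if m and m.group("vendor").strip().lower() == "unknown owner":
                e.flags.append(SERVICE_NO_PUBLISHER)
        elif e.code == "O10" and e.body.lower().startswith("unknown file in winsock lsp"):
            e.flags.append(UNKNOWN_LSP)
        elif e.code == "O16":
            m = O16_URL_RE.search(e.body)
            if m and not is_trusted_host(host_of(m.group("url")), trusted):
                e.flags.append(ACTIVEX_UNLISTED)
        elif e.code == "O4":
            m = O4_RE.match(e.body)
            # "rundll32 foo.dll" or a bare exe name is resolved by search order,
            # so queue it for a check of which file actually gets loaded.
            if m and not ROOTED_RE.match(m.group("cmd")):
                e.flags.append(CMD_NOT_QUALIFIED)
    return entries


def summarize(entries: List[Entry]) -> Dict[str, List[str]]:
    report = {name: [] for name in FLAGS}
    for e in entries:
        for f in e.flags:
            report[f].append(e.body)
    return report


def triage_log(text: str, trusted=TRUSTED_HOSTS) -> Dict[str, List[str]]:
    return summarize(triage(parse_hjt(text), trusted))


# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262992372750
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
"""

if __name__ == "__main__":
    for flag, bodies in triage_log(SAMPLE_LOG).items():
        print(f"{flag}: {len(bodies)}")
        for body in bodies:
            print("   ", body)
```

Run it against a full log saved from HJT (`triage_log(open("hijackthis.log").read())`) and work the four queues in order: an "Unknown owner" service and an unknown LSP DLL are checked on disk (publisher, signature, install date), an unlisted ActiveX host is looked up before the CAB is trusted, and a Run/RunOnce command without a full path is resolved by hand to confirm the DLL or EXE that actually loads lives where the vendor put it. The O4 rule is deliberately noisy: NVIDIA's own RunDLL32 entries trip it too, which is the point of a triage queue rather than a verdict.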



Offline Willabong

  • Member
  • Posts: 1118
    • Childrens Illustrated Ebooks
Re: Is the Hijackthis section still active?
« Reply #5 on: September 08, 2011, 10:12:52 PM »
I would remove this entry:

O4 - HKLM\..\Run: [EazyScheduler] C:\Program Files\Eazy-Ware\ezSched.exe

But first find the program that goes with it in:   

C:\Program Files\Eazy-Ware\ezSched.exe

and uninstall it, then remove the first entry if it is still in evidence.


Also check with your wife regarding this entry (see if she recognizes "advpack.dll"):

O4 - HKUS\S-1-5-21-2000478354-1275210071-1417001333-1005\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'UpdatusUser')

Edit:  Thanks to "musicman" for checking:  You can leave this one alone!

Offline musicman

  • Member
  • Posts: 11
Re: Is the Hijackthis section still active?
« Reply #6 on: September 09, 2011, 09:42:04 AM »
> I would remove this entry:
>
> O4 - HKLM\..\Run: [EazyScheduler] C:\Program Files\Eazy-Ware\ezSched.exe
>
> But first find the program that goes with it in:
>
> C:\Program Files\Eazy-Ware\ezSched.exe
>
> and uninstall it, then remove the first entry if it is still in evidence.

I thought this was part of Express Assist, the sync/backup program.......

http://ajsystems.com/expressassist/ea.html

Not harmful, as such, but I guess it could slow things down a bit if it loads automatically on boot up for instance.

If the program is to be kept maybe make sure it only loads when required.


> Also check with your wife regarding this entry (see if she recognizes "advpack.dll"):
>
> O4 - HKUS\S-1-5-21-2000478354-1275210071-1417001333-1005\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'UpdatusUser')
>
> It could be adware? If she does not know what it relates to, then remove it.

I would not advise removing this.

It's a legit Windows dll system file, very common in HJT logs and, unless others know differently, I believe it's safe .....

http://www.processlibrary.com/directory/files/advpack/19231/


Out of interest, I think advpack & nlite together seem to show when new users are set up and then go after the process is finished.

Have new users been set up on that computer? If you ran HJT again now does that entry still appear?


Offline Willabong

  • Member
  • Posts: 1118
    • Childrens Illustrated Ebooks
Re: Is the Hijackthis section still active?
« Reply #7 on: September 09, 2011, 12:19:25 PM »
You are right about the first process in my list, but its purpose is to create backups of various file items in a number of programs. It is a non-essential process and can be removed or, if you wish, set to manual.
It is known to slow down Windows in certain circumstances.

The other process is unknown to me, but it is flagged as suspect on some HJT sites.

Offline musicman

  • Member
  • Posts: 11
Re: Is the Hijackthis section still active?
« Reply #8 on: September 09, 2011, 12:30:06 PM »
> The other process is unknown to me, but it is flagged as suspect on some HJT sites.

Y'know what? I think that's only because they don't know what it is and can't find out.  :wink

Offline Purgatory

  • Member
  • Posts: 262
Re: Is the Hijackthis section still active? - Problem Solved
« Reply #9 on: September 14, 2011, 07:51:25 PM »
Hi Guys
Sorry for the delay in getting back to you all. Thanks for your input - I carefully sifted through this and did the necessary as I saw fit. NO real improvement, however :( :(

I use her PC occasionally - and got very frustrated at the delay in the typing appearing in the various boxes after typing had ceased. Google was a horrendous example :(
I was determined to find the answer, and to cut a long story short, I found that the culprit was the Trusteer Rapport program (recommended to her by the bank). With this removed (and all the registry entries) - her PC has regained its missing vigour :smiley :smiley
Quite a chase on this one - but worth the end result!
Cheers
Purgatory

Offline Willabong

  • Member
  • Posts: 1118
    • Childrens Illustrated Ebooks
Re: Is the Hijackthis section still active?
« Reply #10 on: September 14, 2011, 09:40:04 PM »
I think both myself and musicman knew it was nothing from your HijackThis list; the entries we advised removing were not likely to have caused the problems you mentioned. They are just unnecessary junk, but harmless.

Offline Nick Peers

  • Administrator
  • Member
  • Posts: 1014
    • nickpeers.com
Re: Is the Hijackthis section still active?
« Reply #11 on: September 20, 2011, 10:18:24 AM »
Thanks for sharing, Purgatory. I've heard bad things about Rapport, and it brought my mum's laptop to its knees when my father felt compelled by the constant prompts by his bank to install it. I notice the Co-operative is now urging me to download this every time I log in. Suffice to say I'm not playing ball!
Freelance writer