• Help dissecting hijackthis log

    #457320

    I need help understanding the HijackThis log the program generated. Any takers?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:56:50 AM, on 2/8/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
    C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCM3.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
    O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
    O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-4157789089-609659471-3603122966-1000\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Vince')
    O13 - Gopher Prefix:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D5BDF84B-90F5-4FB4-BBA5-7077B990672E}: NameServer = 68.28.146.92 68.28.154.92
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

    End of file - 4335 bytes
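Added example, not part of this thread: a small Python parser for the HijackThis line format ("CODE - body") that groups entries by section code and flags the three things a reviewer checks first in a log like the one above: hooks whose file is missing, O23 services from a vendor that was supposedly uninstalled, and O17 per-adapter DNS servers. The sample input is a handful of lines copied from the log with their backslashes restored; the vendor name to hunt for is hard-coded as an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the log in this thread, with the
# backslashes the forum rendering stripped put back.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5BDF84B-90F5-4FB4-BBA5-7077B990672E}: NameServer = 68.28.146.92 68.28.154.92
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Vendor whose leftovers we are hunting for (assumption for this example).
UNINSTALLED_VENDOR = "trend micro"

# HijackThis writes "CODE - body"; also accept the en dash some web pages turn the hyphen into.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) [-\u2013] (?P<body>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) [-\u2013] (?P<vendor>.+?) [-\u2013] (?P<path>.+)$")

def parse_hjt(text):
    """Return (code, body) pairs for every entry line; header/process lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def review(text):
    """Group entries by section code and flag what a log reviewer checks first."""
    by_code = defaultdict(list)
    findings = []
    for code, body in parse_hjt(text):
        by_code[code].append(body)
        if body.endswith("(file missing)"):
            # Stale hook: the registered DLL is gone, so the entry is dead weight.
            findings.append(("dangling", code, body))
        elif code == "O23":
            m = SERVICE_RE.match(body)
            if m and UNINSTALLED_VENDOR in m.group("vendor").lower():
                findings.append(("leftover_service", code, m.group("name")))
        elif code == "O17" and "NameServer = " in body:
            # Per-adapter DNS servers; confirm they belong to the ISP in use.
            findings.append(("dns_override", code, body.split("NameServer = ", 1)[1]))
    return dict(by_code), findings

if __name__ == "__main__":
    sections, flagged = review(SAMPLE_LOG)
    print({code: len(v) for code, v in sections.items()})
    for kind, code, detail in flagged:
        print(f"{kind:17} {code:4} {detail}")
```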

    • #1146233

      Woody’s Lounge is not the best forum for getting a HijackThis log analyzed. Try posting your log to one of the sites listed in this post.

      StuartR

    • #1146279

      You did not have a successful uninstall of Trend Micro. Some of the TM services are still running. It would appear on first glance that the TM firewall, Change Prevention and proxy service being active is your major issue. You could reinstall TM and try another uninstall attempt. If that failed I would at this point manually remove everything. Boot into Safe Mode and shut off all the TM services if any are running, then delete all remaining folders in Program Files\Trend Micro, Common Files\Trend Micro, hidden in Docs and Settings in Application Data as well as Local Settings\Application Data. Now remove the offending entries in the Registry by deleting the related Trend Micro keys. Then reboot and run CCleaner. You will probably need to go back for more Registry cleaning as some of the keys will not delete without changing ownership/permissions. You will also possibly need to run the Windows Installer Clean-up utility. At that point run SFC /scannow and CHKDSK while enjoying a couple of beers.
