# SOLVED HiJackThis

#### Spook72

Just wondering if someone could take a quick look at this for me and tell me if anything looks strange or dangerous... Thank you.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:19:25 PM, on 5/07/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16618)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SDP] C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2188940191-227149509-1583447952-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AppleChargerSrv - Unknown owner - C:\Windows\system32\AppleChargerSrv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @C:\Program Files (x86)\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files (x86)\Nero\Update\NASvc.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Smart TimeLock Service (Smart TimeLock) - Gigabyte Technology CO., LTD. - C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 10340 bytes

#### TrainableMan

##### ^ The World's First ^
Moderator
Biggest concern, I notice that some Windows files are missing which isn't good. Open an administrator command prompt and run "sfc /scannow" to see if it repairs ALG, LSASS, FXSSVC, etc. If not then I would boot up to a W7 installation disk and on the installation screen run "startup repair" in the lower left corner.

Then I would disable that FilesFrog update checker so it doesn't run all the time because it is wasting system resources. Instead run it once a month or so manually. I personally would do the same with NVIDIA Update Core\ComUpdatus.exe but check your resources and if it isn't a CPU hog decide for yourself. AdobeARM is the same - always running checking for Adobe updates; take the responsibility to check for Adobe updates once a month and disable this automated clutter. The Java Updater jusched.exe, the Flash player updater FlashPlayerUpdateService.exe, GoogleUpdate.exe, GoogleUpdaterService.exe - same deal.

You have Java installed which is a security risk but you need it for many websites so what can ya do :/

Unless you use the Google toolbar it is best to uninstall it. Toolbars slow down your browser so only keep the ones you use or are used by your anti-virus software to protect you.

Do you even have anti-virus software running? Because you really should.

#### Spook72

Ran sfc /scannow... Windows found no integrity violations. I will go through all the updaters and suss out what I can. Thanks Train, you are a machine mate.

#### Spook72

Oh and I use MSE and Malwarebytes Anti Malware, is this what you are referring to? I also uninstalled toolbars.

#### TrainableMan

##### ^ The World's First ^
Moderator
Yes MSE and MBAM are good. I guess HijackThis just doesn't show them in its logs.

As for the toolbars, they are fine to have if you use them but often products slip in their toolbars and they slow down your browser with no benefit to you. Some can even spam you with ads or worse, spy on you (Article) so it is best to only keep ones you know and use.

Even though you ran SFC I'm still a bit concerned about all those missing networking programs. Did you have a chance to boot up to a W7 Installation DVD and run "startup repair" (lower left on the installation screen)? If you don't have a W7 Install DVD I do encourage you to burn one. You can find the W7 SP1 ISOs >>HERE<<; get the version and bit-size that matches your install and then burn them with software that understands what an ISO is, like IMGBurn. Of course you seem to be connecting to the internet just fine, even with them missing, so I don't know exactly what to think; that's why I suggest the system repair ... it won't hurt you and it just might help.

#### lonewolfmage

Hijack this Log

Greetings~
It's been a while since I have posted here but I figured I'd give this one a shot.

I copy/pasted the HJT Log into an analyzer .. (actually multiple and came up with the same results each time )

Follow this link http://www.hijackthis.co/log/90873 ( it is a SAFE link I have used it many times when analyzing HJT logs)

It will ADVISE what you can select in the HJT scan to remove/disable.. I would follow MOST of the suggestions. If you have any questions I'd be more than happy to help.

The 3rd item from the top is referring to Internet Explorer. You have the most updated version so no worries there.

You want to start at the R1 entry and work your way down the list.

The NVidia stuff ( I have an NVidia card and I DO use the NVidia software to do updates and have NEVER had a problem with it) is quite safe... it's better than getting the updates from Microsoft.

UPDATE YOUR NVIDIA SOFTWARE BEFORE doing ANYTHING with HJT

Since I don't know what driver or software version you have I would HIGHLY suggest you go to www.nvidia.com and use their update and scanner tool on their site to update to the latest software .. NOTE when you get the software to do a CUSTOM/CLEAN install of the software. This can be done within the Nvidia software/download itself.

As far as TOOLBARS .. I do have to agree with TM they can be a pain in the A$$ you really DON'T need them.. EVEN IF and inclusive of ( and I will disagree with TM here ..) they have to do with your A/V software.. they are unnecessary and will bog down your browser.

I will also agree with TM on MSE and MBAM with ONE STIPULATION..... don't have them both running at the same time .. they WILL (meaning can) conflict with each other .. Use MBAM as a "secondary" (on demand) scanner. Meaning, run MBAM when you think you need to .

Well I think I covered everything there .. if you have any other questions or want another analysis of a second scan AFTER you get things done .. I'll be happy to help

Best of luck .
~LoneWolf

#### TrainableMan

##### ^ The World's First ^
Moderator
Note: If you disable some A/V toolbars I think you may take away their ability to scan for malicious webpage scripts on each page you access.

As for MBAM, yeah don't activate the free trial, just use it as a passive scanner so it doesn't conflict with MSE's active scanning.

I notice Lonewolf's analysis tool isn't concerned at all about the missing networking files so that must be fairly normal. Like I said your networking seems to be working because you're accessing the internet so that's good.


#### lonewolfmage

Hello ~

TM you said:

> Note: If you disable A/V toolbars you take away their ability to scan for malicious webpage scripts on each page you access.

YES I WILL agree there .. BUT .. ( there is ALWAYS THAT ) That also depends on the A/V software... SOME do add that tool bar to "help" to "try" to block site and such .. (McAfee and Norton come to mind ) I use Avast (free version) and have not had TOO much of a problem with malicious site. ( I did have one or 2 "squeak through" but nothing TOO MAJOR)

You also said :

> I notice Lonewolf's analysis tool isn't concerned at all about the missing networking files so that must be fairly normal. Like I said your networking seems to be working because you're accessing the internet so that's good.

It's a case of "if it ain't broke .. don't try to fix it"

HJT doesn't necessarily look for things that are "incorrect" as far as drivers or missing files.. it looks for "hijacks" ( as I'm sure you know )

When using it you DO have to be QUITE CAREFUL as to what you tell it to fix.

Personal note to TM : no offense meant and I was in NO WAY trying to downgrade your advice

#### TrainableMan

##### ^ The World's First ^
Moderator
Not to worry, no offense was taken.

Now personally I have never actually used the HijackThis software to "fix" anything, strictly analysis. I would just take the information and look at removing the automated updaters, etc myself - manually. So I didn't mean to suggest using HijackThis to "fix" anything I mentioned because I don't know exactly what HijackThis's idea of "fixing" is.

#### Spook72

Ok fellas I did all that you suggested. I am having trouble with these 2
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
and also these 2
these 2 seem to be unable to repair and I had a pop up suggesting spybot to rid me of the O10.. lines..


#### Spook72

I don't know if this helps or not... Windows 7 Home Premium 64-bit SP1
CPU
Intel Core i7 2600 @ 3.40GHz 32 °C
Sandy Bridge 32nm Technology
RAM
4.00GB Single-Channel DDR3 @ 665MHz (9-9-9-24)
Motherboard
Gigabyte Technology Co., Ltd. Z68M-D2H (Socket 1155) 29 °C
Graphics
1024MB NVIDIA GeForce GTX 560 Ti (ASUStek Computer Inc) 31 °C
1024MB NVIDIA GeForce GTX 560 Ti (ASUStek Computer Inc) 25 °C
ForceWare version: 320.49
SLI Disabled
Hard Drives
932GB Seagate ST1000DM003-9YN162 (SATA) 24 °C
Optical Drives
TSSTcorp CDDVDW SH-222BB
HUAWEI Mass storage USB Device
Audio
Realtek High Definition Audio

#### lonewolfmage

HJT Log

Spook~

I had a look at your log file. I'm not only going to address the "missing files" entries but also the ones with "X" marks. Both red and yellow and a ? mark or 2

The O10 entry refers to Windows Live .

Windows Live, generally, refers to anything that has to do with the Microsoft Live suite of software from Microsoft.

What I would suggest is to uninstall and reinstall (the latter being if you want to) any of the "Live" suite of software. That MAY clear up the issue.

Keep in mind however. IF you do uninstall the Live suite and IF you have messenger. You MAY not be able to get messenger back. It has since merged with Skype.

The O20 entry refers to Spybot Search and Destroy. If you use that software don't worry about it, it's normal.

If you do use Spybot....make sure to shut off or disable "tea timer" it has a tendency to "bug out" on some systems. Personally I have not used Spybot in YEARS. Too many false positives for my liking.

***End edit***

O23 entry(APPLE CHARGER). no worries it can be left as is.
O23 (Google) entry. If you use the Google tool bar that will be there.
O23 (Nero) entry. If you use Nero uninstall and reinstall.

What I would also suggest is to download and run CCleaner ( found here Link) let it run both the file and registry cleaner at default settings. When you run the reg cleaner, it will fix the "crazy" entries. Let it do its thing .. THEN run HJT again and repost (if you want) your log file and I'll take a look at it again and see what is what.

I also looked at your system specs you posted.

Am I seeing things correctly but you DO have 2 Nvidia cards that are NOT SLI enabled ?? or was that just a "duplicate" entry ??
IF that is the case. that you have 2 Nvidia cards. MAKE SURE you get the most updated software for Nvidia. If you have already done that .. then the Nvidia entries in HJT are "moot" .

With all that said .. I DID see where people were saying that HJT is not 100% compatible with Win 7 which is PARTIALLY true. But I wouldn't worry about it.. IF after we take care of these issues and those entries STILL show up. we will find out won't we .

Best of luck.
~LoneWolf


#### lonewolfmage

> Not to worry, no offense was taken.
>
> Now personally I have never actually used the HijackThis software to "fix" anything, strictly analysis. I would just take the information and look at removing the automated updaters, etc myself - manually. So I didn't mean to suggest using HijackThis to "fix" anything I mentioned because I don't know exactly what HijackThis's idea of "fixing" is.

TM~

Yeah I usually don't use HJT to "fix" things either .. UNLESS I can't figure something out on my own. LOL which is few and far between. BUT in the times I have used it .. I have had next to no issues with it. I think I had one MAJOR "mess up" (ended up having to redo my system ) with it. and that was MY OWN doing due to a "mis click" on my part. ( had a PEBKAC moment LOL)

Essentially what HJT does in its "fixing" is a combo of a reg cleaner and a (potential) malware scan. It's GENERALLY pretty safe, unless you do what I mentioned above LOL .

Oh well live and learn
~LoneWolf

#### TrainableMan

##### ^ The World's First ^
Moderator
spook72, I guess my question would be what were you hoping to get from the hijackthis information? If you are worried your system is infected with malware I don't see any indication of that from your hijackthis logs.

As we've mentioned there is software you could remove or at least take out of msconfig services or start-up so they aren't running automatically with every boot, and apparently Windows Live ID uses a DLL which opens a few ports or something but I don't see any software intentionally trying to do your system any harm.

From that other forum link you provided it seems the missing files is a common false positive, possibly caused by not running hijackthis with administrator privileges or differences between 32 & 64-bit OSes. You ran SFC and found no issues and your system is working so I think all that pretty much confirms not to worry about those missing files entries.
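
The 32/64-bit explanation above can be checked mechanically. The following is an added example, not part of the thread and not HijackThis's own code: it triages O23 "(file missing)" lines under the assumption that a 32-bit scanner on 64-bit Windows has `System32` redirected to `SysWOW64`, and it suggests the `Sysnative` alias as the path to re-check. The function name, verdict labels and sample selection are hypothetical; the sample lines are copied from the log posted above.

```python
import re

# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows 7 SP1 (WinNT 6.00.3505)
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AppleChargerSrv - Unknown owner - C:\Windows\system32\AppleChargerSrv.exe (file missing)
O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
"""

# "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23 = re.compile(
    r"^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
SYSTEM32 = re.compile(r"^([a-z]:\\windows\\)system32\\", re.IGNORECASE)


def triage_missing_services(log_text):
    """Return one dict per O23 entry that the log marks as '(file missing)'."""
    lines = [l.strip() for l in log_text.splitlines()]
    # The log has no explicit bitness field; the presence of these folders
    # is used here as the indicator of a 64-bit host (assumption).
    host_is_64bit = any("Program Files (x86)" in l or "SysWOW64" in l for l in lines)
    findings = []
    for line in lines:
        m = O23.match(line)
        if not m or not m.group("missing"):
            continue
        path = m.group("path")
        if host_is_64bit and SYSTEM32.match(path):
            # A 32-bit process asking for System32 is served SysWOW64, so a
            # 64-bit-only binary looks absent. Sysnative bypasses redirection.
            verdict = "redirection-suspect"
            check = SYSTEM32.sub(lambda s: s.group(1) + "Sysnative\\", path)
        else:
            # No redirection explanation applies; confirm the file on disk.
            verdict = "verify-on-disk"
            check = path
        findings.append({"path": path, "verdict": verdict, "check_path": check})
    return findings


if __name__ == "__main__":
    for f in triage_missing_services(SAMPLE_LOG):
        print(f"{f['verdict']:<20} {f['path']}  ->  {f['check_path']}")
```

A "redirection-suspect" verdict is only a lead: the entry is cleared once the file is confirmed from a 64-bit view of the system, which is what the clean `sfc /scannow` result in this thread did.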