Hijackthislog - help please
Done, below - thx for all the help on this btw...
All processes killed
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Defender not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\IgfxTray not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\HotKeysCmds not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Persistence not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SynTPEnh not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\WarReg_PopUp not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\TkBellExe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\CTCheck not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe Reader Speed Launcher not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe ARM not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\QuickTime Task not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\AppleSyncNotifier not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\iTunesHelper not found.
========== FILES ==========
< regedit /e "%userprofile%\desktop\HKCU_look.txt" "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /c >
C:\Users\Stuart\Documents\Desktop\cmd.bat deleted successfully.
C:\Users\Stuart\Documents\Desktop\cmd.txt deleted successfully.
< regedit /e "%userprofile%\desktop\HKLM_look.txt" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /c >
C:\Users\Stuart\Documents\Desktop\cmd.bat deleted successfully.
C:\Users\Stuart\Documents\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTM Restore Point
[EMPTYTEMP]
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Lynn
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Public
User: Stuart
->Temp folder emptied: 705824 bytes
->Temporary Internet Files folder emptied: 226115090 bytes
->Java cache emptied: 48575333 bytes
->FireFox cache emptied: 61767244 bytes
->Flash cache emptied: 857 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5672 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 26826240 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 298427 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 49564329 bytes
RecycleBin emptied: 3214670726 bytes
Total Files Cleaned = 3,460.00 mb
OTM by OldTimer - Version 3.1.21.0 log created on 07222012_160139
Files moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
How's it running now - still taking an age to boot up?
Did you run DDS before fixing all those entries with HijackThis, or before rebooting?
A lot of the entries I had you fix showed up in the DDS log, but OTM has reported they weren't found?
There's two notepad files on your desktop, HKCU_look.txt & HKLM_look.txt - post the contents of those two files.
Yep, still taking an age, I am afraid... Maybe even worse, although I can't confirm for sure.
HDD light constantly on during boot up, ticking over all the time until it boots up...
I noticed the entries were still there, so I ran the DDS again and checked that the entries were still there (after having done the HijackThis), and they were.
Can't see any files on my desktop that you mention, though: "There's two notepad files on your desktop, HKCU_look.txt & HKLM_look.txt - post the contents of those two files."
Frustrating...
Press your Windows icon key + R on your keyboard to open a Run command.
Copy/paste this into the run command box and click OK.
"%userprofile%\desktop\HKLM_look.txt"
Let me know what happens.
When you run OTM, do you get a warning from Avast about running OTM in its sandbox?
This is what I get when I paste your link into the Run command (below).
Not sure if I got a sandbox warning (might have), but I don't get one when I run it now.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe"
"Microsoft Default Manager"="\"C:\\Program Files\\Microsoft\\Search Enhancement Pack\\Default Manager\\DefMgr.exe\" -resume"
"Malwarebytes' Anti-Malware (reboot)"="\"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe\" /runcleanupscript"
"Malwarebytes Anti-Malware (reboot)"="\"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe\" /runcleanupscript"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"eDataSecurity Loader"="C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSloader.exe"
"DivXUpdate"="\"C:\\Program Files\\DivX\\DivX Update\\DivXUpdate.exe\" /CHECKNOW"
"BCSSync"="\"C:\\Program Files\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices"
"avast5"="\"C:\\Program Files\\Alwil Software\\Avast5\\avastUI.exe\" /nogui"
"APSDaemon"="\"C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\APSDaemon.exe\""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""
You would know: you'd get a pop-up in the bottom right-hand corner, "Avast is analyzing a suspicious program",
before terminating the process and saying "Avast has finished analysis of the program", "for the next execution of this file do the following:", giving you the option to "Open in sandbox (recommended)" or "Open normally".
You should choose to let it open normally.
The two notepad files are there, as your post above shows. Let's take a look at the other.
Press your Windows icon key + R on your keyboard to open a Run command.
Copy/paste this into the run command box and click OK.
"%userprofile%\desktop\HKCU_look.txt"
Post the contents.
Yeah, I have seen the sandbox warning come up; what I mean is I can't remember if I got one at the time, but I'm certainly not getting a warning now when I run OTM... Here is the other file (doesn't look right to me) -
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"捁牥吠畯敒業摮牥"="㩃䅜散屲捁牥潔牵剜浥湩敤硥e"
"MobileDocuments"="C:\\Program Files\\Common Files\\Apple\\Internet Services\\ubd.exe"
"CTSyncU.exe"="\"C:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
@=""
No, I don't care much for the unknown startup.
Run another OTM script. If Avast prompts you, run it normally - not in the sandbox.
- Right click OTM.exe and choose Run as Administrator to run it.
- Copy the following code inside the codebox below. Do not include the word Code:
:reg
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
:Files
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /c
:Commands
[CreateRestorePoint]
[Reboot]
- Return to OTM, right click in the Paste instructions for Items to be Moved window (under the yellow bar) and choose Paste.
- Push the large MoveIt! button.
- Click OK to the prompt.
- OTM may ask to reboot the machine. Please allow it to do so if asked.
- The report should appear in Notepad after the reboot. Copy/paste the contents of that report back here in your next reply.
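As an added example (not code from the thread, HijackThis or OTM), a Python script that parses a regedit export of a Run key like the HKCU_look.txt posted above and flags what a helper would want to eyeball first: value names that are not plain ASCII (the thread's unknown startup appears to be ANSI text displayed as UTF-16LE, and the script reverses that to show what the bytes spell) and two names launching the same command. The duplicated MobileDocs2 entry in the sample is constructed.

```python
import re
# Sample in the regedit export format of the thread's HKCU_look.txt (its three Run
# values plus a constructed duplicate); the first name/data are ANSI shown as UTF-16LE.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"捁牥吠畯敒業摮牥"="㩃䅜散屲捁牥潔牵剜浥湩敤硥e"
"MobileDocuments"="C:\\Program Files\\Common Files\\Apple\\Internet Services\\ubd.exe"
"MobileDocs2"="C:\\Program Files\\Common Files\\Apple\\Internet Services\\ubd.exe"
"CTSyncU.exe"="\"C:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
@=""
'''
# A value line is "name"=data or @=data; regedit escapes \ and " with a backslash.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def unescape(s):
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg(text):
    """Return (key, value_name, data) for every string value in a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("["):                          # [key] header
            key = line.strip("[]")
        elif key and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) is None else unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':   # quoted REG_SZ
                data = unescape(data[1:-1])
            entries.append((key, name, data))
    return entries

def demojibake(s):
    """Undo ANSI text shown as UTF-16LE: each code unit is two ASCII bytes, low first."""
    return s.encode("utf-16-le").decode("ascii", "replace").replace("\x00", "")

def triage(entries):
    """Return (value_name, reason) pairs that deserve a closer look."""
    findings, seen = [], {}
    for _key, name, data in entries:
        if not name.isascii():                    # garbled or deliberately odd name
            guess = "%s = %s" % (demojibake(name), demojibake(data))
            findings.append((name, "non-ASCII name; as ANSI bytes: " + guess))
        cmd = data.strip('"').lower()
        if cmd in seen:                           # two names launching one command
            findings.append((name, "same command as %r" % seen[cmd]))
        elif cmd:
            seen[cmd] = name
    return findings
```

Running `triage(parse_reg(SAMPLE_REG))` reports the garbled entry together with its decoded name and path, and the constructed duplicate.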
2 files appeared on the desktop, both named "desktop.ini", below...
Reboot took ages...
Avast didn't highlight it as suspicious...
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-1830
This discussion has been closed.