Logfile of Trend Micro HijackThis v2.0.2

Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

;.networkassociates.com;.dir.untd.com;cf.netzero.net;qs.netzero.net;.aolcdn.com;.quicken.com;;*.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
I just did a HJ and I am almost sure I can delete the 2 above, but I am not sure at all about the ones below. I just remember that sometimes when I have been helped with HJ, I deleted a couple of the ones that had no file and no name in them. How wrong or right am I?
Sharon

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - (no file)

O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - (no file)

End of file - 8769 bytes

Hi:

The “fact” that a HijackThis log entry has “no file” and/or “no name” does NOT
mean it should be “deleted”, but further “research” should be done . For
example, a Google “Search” of “5C255C8A-E604-49b4-9D64-90988571CECB”
shows “Location: %ProgramFiles%\Windows Live\Messenger” which means it is
part of the Windows Live Messenger program . For HijackThis log “O2” Entries,
it is recommended to use www.systemlookup.com as part of the Research
“process” .

I do understand in a way and would be willing to do research, but I am really not sure what to look for and what the next step would be. I think I would be looking for something that would tell me if the file should be kept or deleted.
Thanks, Sharon

Hi sham1313,

I checked the orphaned entries and qwave.dll and see no suspicious entries there.

polonus

You say the orphaned entries and qwave.dll; is that the name of the no-name file? I am glad there are no suspicious entries there. I will still do some reading and see if I can understand any of it. Should I delete any of the ones I posted from the scan?
Thanks, Sharon

Hi sham1312.

As always, Google is your best friend here. An example from your posting: just enter the CLSID of the entry, like {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}, and then check what information you get on the B.H.O. Orphaned means you might have deleted it and an empty remnant is there; if it is secure you can either choose to restore the original Browser Helper Object (actually it is a dll module for which the dll is not there anymore) or, if you have no further need of it, tag it in HJT and fix it by pressing Enter.
So I got the info here:
http://www.systemlookup.com/CLSID/39866-LinkScannerIE_dll_avgssie_dll.html

Do this with all the other entries and you can make a calculated guess at what you have there.
Malware fighting is also teaching users/victims to fish for themselves so they can have a meal every day, not just giving them a fish once.

Stay safe and secure online, is the wish and command of,

polonus (malware fighter)

Can these be deleted? Should I post the full log?
Sharon

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

;.networkassociates.com;.dir.untd.com;cf.netzero.net;qs.netzero.net;.aolcdn.com;.quicken.com;;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

I wish I had read the above before I posted the last post, and I will save your last post to help me. Thanks, Sharon

Hi Sharon,

You could do this and fix these; another manual routine to remove NetZero, if you have the software, is to follow the following 12 steps:

Please follow the below steps to uninstall NetZero software from your
computer:

  1. Click on the Windows “Start” button, point to “Settings” and
    select “Control Panel.”
  2. Double-click on the “Add/Remove Programs” icon.
  3. Click once on “NetZero” to highlight it and click on the
    “Add/Remove” button.
  4. Click “OK” then “OK” again and close the “Control Panel.”
  5. Click on the Windows “Start” button, point to “Programs” and
    select “Windows Explorer.”
  6. Double-click the “Program Files” folder in the left-side window.
  7. If you see a “NetZero” folder, highlight it and press the
    “Delete” key on your keyboard to remove it.

NOTE: If a “NetZero” folder does not exist, you can skip to step 12.

  8. Close Windows Explorer.
  9. Double-click the “My Computer” icon on your desktop.
  10. Double-click the “Dial-Up Networking” icon.
  11. Click once on the “NetZero” icon to highlight it and press the
    “Delete” key on your keyboard to remove it.
  12. Restart the computer.

This will uninstall NetZero software from your computer.

polonus


NetZero used to be my ISP. Now I have AT&T. NetZero is and has been uninstalled for a few weeks, and the removal tool used as well, with help from here and uninstalling all the way in safe mode. I have a Bluelight email address and they send me NetZero ads from time to time. I also had trouble getting rid of Norton, which the computer came with, and I did use their removal tool also. Plus a lot more other troubles in this same kind of way that is going on now. I hope I have not confused you..

The above is what I had gone through and was pretty sure I could put a checkmark by and let HJ delete it. I need to reread your last post a few times to see how much of it I can understand.

Thanks for your help. Sharon

I thought you should know it would not uninstall the normal way; I had to do it in safe mode. Since the NetZero I have in the HJ is just from the ads that Bluelight sends me, that is why I thought it would be OK just to delete them.
Thanks, Sharon

Hi:

In order to determine IF certain portions of a HijackThis log should be “fixed”
( what HijackThis generally would be considered “Deleted” ), the entire Log
should be Posted so all Items can be viewed in context .
Years ago, when I switched ISPs, I did a Windows “Search” and based on its
Findings, I “deleted” ( right-clicked on the Entry ) all that the “search” found.
In my case, that was AOL, so I did a Windows “Search” using “AOL” and later
“America Online” and “deleted” all “Items” found; in your case, it MAY mean
doing a Windows “Search” using the terms “Netzero” and later “bluelight” and
right-clicking on all “Items” found !?

A “Beginner’s Guide” on interpreting a HijackThis log can be found at
www.bleepingcomputer.com/tutorials/tutorial42.html .

To go further, you would enroll in a “Malware Removal Course” and
“Malware University” would be my Choice .

Thanks for the link Spiritsongs, will be an interesting read

-Scott-

When I first posted I did not think anything was wrong with the log. I just thought that because I no longer used NetZero and used their removal tool. Got a lot of help from this forum and bleepingcomputer.com; when it was over my computer got a good bill of health. I just thought since the 3 lines of the log that had to deal with NetZero had to do with just the advertisements Bluelight sends from time to time. One person here, maybe more, said not to worry about it; everything was OK. Once again I am confused, but I will do another HJ and post it. It will take a few min.

Sharon

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:50 AM, on 6/27/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TechTracker\VersionTracker Pro\VersionTrackerPro.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;microsoft.com;windowsupdate.com;wustat.windows.com;.pogo.com;test-speed.com;liveupdate.symantecliveupdate.com;symantec.com;.nai.com;.networkassociates.com;.dir.untd.com;cf.netzero.net;qs.netzero.net;.aolcdn.com;.quicken.com;;.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [QPService] “C:\Program Files\HP\QuickPlay\QPService.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VersionTrackerPro.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra ‘Tools’ menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: *.mybluelight.com
O15 - Trusted Zone: *.mybluelight.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9cb4226c992a0) (gupdate1c9cb4226c992a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - (no file)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


End of file - 8423 bytes

I am going back and rereading everything. I do this every time. It takes a while for me to remember what I am reading and learn how to use it.
From the URL you sent I get almost every question I have asked, and I do spend a lot of time there reading and trying to understand.
I did not think there was anything wrong with the log; I sent a few lines only to try to learn what I can and cannot delete. If I thought there might be trouble I would have posted a full log at the beginning. I was surprised that everyone thought I was having trouble. Like I said before, I did not think there was a problem. Do you see something I missed that might be trouble?
Thanks, Sharon

Hi Sharon:

You do NOT post a “full” HijackThis log ONLY if you think there may be
“trouble” or something “wrong”, but to provide a more thorough look at what is
on a computer ; when you post a HijackThis log on a Malware Removal Forum
such as Bleepingcomputer, their Experts FOCUS their attention on the
portions that lead to malware removal and leave the more optional portions
for someone else. By posting the “full” log now, what caught my attention is :
"O15 - Trusted Zone: *.mybluelight.com
O15 - Trusted Zone: *.mybluelight.net "

This shows at least one of the “areas” that you spoke about ; the “Beginner’s
Guide” I spoke about says the following about the “Trusted Zone” portion of
a Log :
"There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone… "

and later on, it says :
"I personally remove all entries from the Trusted Zone as they are ultimately unnecessary to be there. "

I am of the computer “philosophy” of having NOTHING in the “Trusted Zone”
section of a computer and would recommend you do likewise, either by having
HijackThis “Fix” those 2 “Lines” or by going to the “Trusted Zone” section of
your computer and “Deleting/Removing” those 2 Listings .

In your Log, I also saw the unnecessary “Bonjour/mDNSResponder” Service
which you could read about in some of my Posts on this Forum IF you use
the “search” function !?

This is about making minor “adjustments” to your computer, to make it more
secure and less troublesome .
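The research process described above (look up the CLSID of every “(no file)” entry rather than deleting it on sight, and treat every O15 Trusted Zone listing as a security reduction) can be done mechanically. The following is an added example, not code from the thread or from HijackThis; it parses lines in the HijackThis v2 format using entries copied from the log posted here, and sorts them into “needs CLSID research”, “Trusted Zone” and “module present”.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Entry lines copied from the HijackThis v2.0.2 log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - (no file)
O15 - Trusted Zone: *.mybluelight.com
O15 - Trusted Zone: *.mybluelight.net
O23 - Service: @%SystemRoot%\\system32\\qwave.dll,-1 (QWAVE) - Unknown owner - (no file)
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

@dataclass
class Entry:
    section: str            # "O2", "O9", "O15", "O23", ...
    kind: str               # "BHO", "Extra button", "Trusted Zone", "Service"
    name: str               # display name, or "(no name)"
    clsid: Optional[str]    # CLSID to research, when the entry carries one
    target: str             # file path, site pattern, or "(no file)"

    @property
    def orphaned(self) -> bool:
        # "(no file)": the registry reference survives but the module is gone
        return self.target == "(no file)"

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis 'Oxx - ' / 'Rx - ' line; returns None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    fields = rest.split(" - ")          # HJT separates name / CLSID / target with " - "
    kind, _, name = fields[0].partition(": ")
    clsid = CLSID_RE.search(rest)
    target = fields[-1].strip() if len(fields) > 1 else name
    return Entry(section, kind, name, clsid.group(0) if clsid else None, target)

def triage(log_text: str) -> dict:
    """Sort entries into: needs CLSID research, Trusted Zone listings, module present."""
    report = {"research": [], "trusted_zone": [], "present": []}
    for entry in filter(None, map(parse_entry, log_text.splitlines())):
        if entry.section == "O15":
            report["trusted_zone"].append(entry.target)   # every listing here lowers IE security
        elif entry.orphaned:
            report["research"].append((entry.section, entry.name, entry.clsid))
        else:
            report["present"].append(entry.name)
    return report

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

The “research” list is the set of CLSIDs to look up (on systemlookup.com or a search engine) before deciding whether to let HijackThis “fix” the entry; the O23 QWAVE entry has no CLSID and is identified by its service name instead.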

With the Opera browser I am not sure where to find that setting. I can find it in the IE 7 my husband uses. It is set on the halfway mark saying Medium. That is the only place I see the trusted sites. Should I move it higher to restrict more sites to view? Bluelight is my main e-mail. There should be no more Bluelight on this computer. Next time I ask a question about the log I will post it all, because common sense says it would be the right way to ask and get proper help.
Thanks, Sharon

Hi Sharon:

You will notice that near the top of the HijackThis Log, it says :
“MSIE: Internet Explorer v8.00”, so that means the “Trusted Zone” Info in the
Log ONLY pertains to IE . I would recommend you move the slider from
“Medium” to “Medium High”, which is the One I use . It still would be wise to
go into IE’s “Trusted Sites” and remove those 2 Bluelight Entries . I use Yahoo
and Hotmail for my email and neither “Yahoo” or “Hotmail/MSN” are in my
“Trusted Sites” and “Bluelight” should NOT be in yours either .

Most of the time I use Opera to check my mail at Bluelight. Does Opera have a setting like that? And thank you, I will delete the Bluelight in HJ. Can I delete the NetZero in the HJ too?
I did not have a chance to get on the computer yesterday.
Thanks, Sharon