EMERGENCY!! 20 RED files HELP PLZ

[Ghot]

Bro I appreciate your quick responses....but Imma get upset, if you keep assuming I'm a MORON. I know it doesn't remove services.

We simply disabled or set to manual, services his setup did not require. The "missing files" are most probably Gateway crapware that was removed by Decrapifier.

I NOW understand that the older version would not correctly identify entries on Win 7, you have made that abundantly clear 3 times now. I already DL'd the 2.0.4 version and emailed it to Loco. When he gets home we will run the correct version and post it here as I have said 3 times as well.

The problem is NOT with his comp, I THINK...the problem is with his Internet and or router...but to be SURE this is the case, we 1st have to eliminate the computer as a possible part of the problem.

It scans clean with Avira AV, malwalrebytes, Panda and ESET online scanners. I firmly believe that the 2.0.4 version will show few if any RED entries. I do NOT believe the computer is the issue, however, I walked him through all the Win 7 settings / services that can consume bandwidth...for example disabling Windows Time service to cite one of many. We have all auto updates turned off atm, and he still suffers from intermittent internet problems.

The reason for this post is simply to have an expert check the HJT log to see if I have missed anything. I'm not trying to be argumentative but...trouble shooting a Gateway comp from 5 states away, is at the least frustrating. On top of everything else, his comp is on a 2 comp network which also may be the cause of the problem. But until we get an all clear from the experts here...I've delayed opening THAT can of worms

Once we get the log posted, and assuming its clear of issues, we will then tackle the issue from the "back of the comp" to the ISP

As an aside, I still think the parser should be updated, as I use it continually to test new software, before recommending this or that software to someone else.

I have complete faith in the IANAG forums in this respect, and again thank you for your concern.

[jholland1964]

I certainly don't think or mean to imply you are a moron. Remember, this forum is for ALL to read. I am trying to stress to ANYONE and EVERYONE who may read this, that a parser is not what a person using HJT should use. HJT is meant to be run and a log posted for a helper to read and assess what should be done. This means the average user. The use of the parser has caused many, many people to remove important and legitimate files. This is why the helpers here NEVER encourage it's usage and have begged to have it removed.
That is the reason that the helpers here placed this sticky appears at the top of this page in June 2007.
IMPORTANT: HiJackThis Analyzer Information

I sincerely doubt the parser will EVER be updated. If anything does happen with it then it would only be its full removal. It was worthless when it went up more than 5 years ago. It was designed to work with HJT 1.99 and never was updated after that. We have asked multiple times that it be pulled...you see...it's still there.

[Ghot]

Ok for some reason even tho Loco can get on D2 he cant get on the forums here....so I had him email me his 2.0.4 HJT log and here it is:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:32:03 PM, on 7/29/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\James\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx...5v155k4951523r
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx...5v155k4951523r
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx...5v155k4951523r
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx...5v155k4951523r
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files (x86)\ZoneAlarm\tbZone.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files (x86)\ZoneAlarm\tbZone.dll
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\b in\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.5126.1836\s wg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files (x86)\ZoneAlarm\tbZone.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\b in\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Best Buy Software Installer.lnk = C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8 574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\Partner.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 9005 bytes

[Ghot]

OK just cleaned a bunch more things, mainly via add/remove programs and registry editor and here is the resulting log for LOCO's comp:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:40:16 PM, on 7/29/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\James\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 5976 bytes

[jholland1964]

Look, I really am trying to be patient here. For now I have no idea what programs you originally removed, what file alterations you have done, what programs or services you have stopped or disabled, or what programs were originally installed.

I know absolutely nothing about the original set up of this only two week old computer.
You say you have removed unnecessary items, but you have no way of proving to me that these were unnecessary and I do not have the names of any of them. Or why, other than your personal opinion, that they were the unnecessary or why you felt these would have affected the internet connections. Unless they were actually running at the times of disconnect they would not even be considered as part of the problem.

You have installed and excellent anti-virus program, Avira, one of the highest ranked programs and I applaud you for that.

However, you have installed one of the poorest ranked Firewalls around today, Zone Alarm. The built in Windows Firewall gets higher rankings than Zone Alarm does on most tests. And since the disconnect problems have continued the problem obviously was not the Windows Firewall.

Yet you want me to make a determination without having any information whatsoever. You ran an old version of a program that clearly was not compatible with or meant to be run on Vista or Windows 7. You have made what you feel were correct decisions based on the use of a program that was not compatible with the system using a 5 year old HJT parser which was never, ever meant to be used with any other version of HiJackThis except version 1.99.1 OR with any other operating system newer than XP.
You post a new log using the current version of HJT which was great...but, one hour later you post a new log with the message that you have removed more programs, and also a registry editor.

Registry editor? This is absolutely positively something we do not recommend and I have no idea what other programs you felt necessary to remove. There was absolutely nothing on that uninstall list, except for that uTorrent program which I would have declared absolutely, positively needed to be removed or would have had any effect whatsoever concerning the loss of internet service.

Me= 30 years of working on comps from netbooks to mainframes...when I send someone to your HJT online parser, I expect it to be up to date, as well as the stickies at the top of this forum.

I realize this is all a free service, lately subsumed by Trend Micro, maybe a phone call is in order, if the online parser is also out of date.

The acquisition of HiJackThis by Trend Micro is NOT recent. This happened over 3 years ago so if you were truly up to date on this program you would know this. The LAST version created and released in February 2005 by Merijn Bellekom was version 1.99.1. Mr. Bellekom joined the Malwarebytes.org development team in January of 2010.

For you to say you "expect" stickies to be up to date, well all I can say is we try the best we can. The Read Me Sticky IS up to date.

For you to "expect" a parser that we don't even want here to be up to date is also expecting a lot. We don't want it here, we don't EVER recommend it's usage. It cannot be brought up to date because we don't have the capability or the rights here to do that.

Trend Micro owns the program, if you want a parser for THEIR program then you need to personally contact Trend Micro but WE don't want it here so YOU call Trend Micro ask them for one for yourself.

As I stated above I have no clue what has been done to this brand new machine and for me to make any more suggestions would be 100% against my better judgement. I am sorry.

[Ghot]

Microsofts regedit.exe i Dont use registry cleaners i just edit the registry directly....I do NOT reccomend people do this...I have been trained to use registry editor !!

[Ghot]

Ok here is the next LOCO log I have bolded the things I think should be removed....I've googled them to no help....

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:13:52 PM, on 7/29/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Users\James\Desktop\HijackThis.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\NOTEPAD.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 5416 bytes


Ok now I need expert help....I WANT to remove the bolded entries from his system...but googling them gives no positive results so I'll ask here. He uses no Apple Products or services and has no Windows Live account and doesnt want one> Help on the bolded items would be appreciated

IF they are not necessary to Win 7 OS then I will remove them...But sincce I can't find any reliable info on the bolded items....I've posted them here. Please remember...he only has a ONE Mb/s connection shared between two comps....my "mission" is to remove anything that EVER tries to use any of his connection bandwidth.

EDIT: Ok, I just found out that for HIS particular system Windows Live Writer is useless...so that can go...all that leaves is the bonjour thingy...he uses no Apple or Mac devices and will never use them or iTunes....so...axe bonjour also?

DISCLAIMER:

This is ONLY posted for a particular person with a particular comp with particular needs...DO NOT attempt to do the things I have done. Ask a professional on this site FIRST.

[cauzomb]

definately axe bonjour; keep in mind that removing mDNSResponder.exe
may cause another application to fail.. Read up on that.. as well as the other file discriptions and removal.. Google till you can't google anymore.

You are far more of an advanced user than the general crowd that comes here for help, and judging by what you have already done, and the log file, I would say that the computer is squeeky clean, besides some "bloatware" that should not interupt the network connection, double check that the "steam client" isn't attempting to download. have your friend disable the steam client for the time being, untill the network/internet connection issue is resolved with the ISP.

We had a set of instructions, from start to finish that we follow; in order to ensure a complete process that one volunteer on our site could perform with the original poster, since this is not the case here, we cannot just say; assuringly that the computer is clean, but judging by the hijackthis log and the previous virus/malware logs, it would be a viable suggestion.. To give the OK as far as a system being clean, I will leave that for you to decide.. You have my opinion; it looks good to me..

Just a couple of "windows live services" built into windows 7

Unfortunately our read me before posting sticky was down for a bit, as was this site.. We had to use google cache to get it back, it may not be the latest version of the sticky; we don't remember what exactly was on there, it was written by PhillyPhan and maintained by PP as this user was our main volunteer in this section at the time..

The part about not attaching the logs was so that our volunteers do not have to download files from possibly infected computers.. That is where the recommendation to copy/paste the logs into the post came from.. We will update the sticky with this information, thank you for the suggestion.

I cannot recommend using the hijackthis parser either. You will be better off going through each log and researching the files individually. Specifically if you do not recognize them, or you think that they look like bloatware, even so, they may be related to applications that your friend finds usefull, so you need to ask them if they use those applications, or find that they can live without them, to help reduce the bloatware/resource consumption on their PC.. I think you already understand this.. So it doesn't need to be discussed further?

There is another parser available that has more user input regarding file integrity and may support windows 7, but I am unaware of it's current status/compatability.. It is located at what apears to be a dutch website, you can find it by google searching for "hijackthis anylizer" I believe the URL is hijackthis.de I cannot recommend using that "parser" either.. The reason is that those programs just don't work 100 percent, there is room for error, and that leads to damaging a perfectly good install..

They are helpfull in that there are file discriptions for some of the entries, but that is the extent that they should be used. You are again, better off researching each file listed in the hijackthis log, prior to making any changes.. Use the hijack this log as a LIST of files to research on websites that have discriptions of files.. If you can't find a discription, look at the path for the file, the creation date if you can, and then determine what application installed it, this requires hands on interaction, someone to right click on the file in it's home directory and select properties and look at the "version info" etc..

We go by the listings that are left in the final logs after the prerequisite cleaning steps have been performed, according to those instructions in the sticky, to determine if a system is clean, or if it needs further cleaning.. This is the process that we stick to for help requests in this forum, It would have been nice to have the computer in it's unchanged state, with the prerequisite steps/logs, but that is out of the question here due to the out dated versions of hijackthis and the steps not being followed to the T, the water has been muddied for the process to be "complete"

From my understanding of the original post and problems encountered, the issue is related to computer networking and bandwidth sharing, or internet service provider issues.. I think that you can be confident in your diagnostic and go with your original assumption that it is indeed an ISP issue.

On the other hand, the networking side of the issue could be delt with using network auditing software, or directly connecting to the ISP's hardware, rather than through a network/hub/switch. Then logging into the modem/equipment if possible, then checking the signal/connection status and uptime logs for "connection/disconnection" entries..

I could always tell the status of my network connection by the lights on the front of the modem; and if my computer was still not going "ONLINE" with green/good status lights, checking the "connection" logs on the modems built in configuration page would tell me more detailed information about the connection status.... If I didn't have a "DHCP" "DNS" or "DEFAULT GATEWAY" number listed in the status page, the connection to the ISP was DOWN.

If the problem is with bandwidth saturation "too many computers downloading at the same time" the only real way to alleviate networking issues there would be to install a programmable networking router that has port specific bandwidth throttle control, to balance the available bandwidth of the service provider, to each port of the router/switch, so that not one computer on the network can use all of the available bandwidth/networking time.

Other than that, A satalite connection is prone to frequent interruptions based on weather/wind speed, atmospheric conditions, and dish alignment etc.. I don't know enough about satalite connections to make any usefull suggestions on testing the connection.. There is a site called DSLREPORTS aka BROADBANDREPORTS that has extensive tools for line quality monitoring that might be of use to you and your friend.

Monitoring the satalite modem's up/sync status would tell the person using that equipment if it is dropping connection or not.

If your antivirus software is reporting a clean computer, and the computer is able to connect directly to the service providers hardware, without the internal network, you would then be able to log into the hardware if it has a web based status/configuration page.. Then from there loco could monitor the status of the internet connection without worrying about another computer or other networking hardware issues.

Do open that can of worms with the network in question.. Keep in mind, if they can't do it themselfs, their ISP will require a fee based trouble call to determine the issue, or they will need to pay a tech or find a pro-bono tech that can go to the site and is familiar with satalite ISP's, in order to check out their connection/signal quality etc.

[Ghot]

TY much, that answers my questions completely....and the admin poster earlier found the link to the other parser: http://www.hijackthis.de./index.php

so far we are down to no more red entries, and I will definitly make sure to check out mDNSResponder.exe...thx also for the tips on monitoring the satellite connection.

@jholland1964
I apologize for both muddying the waters nd not listing all we uninstalled...trust me...it was bloatware...for example we removed that idiotic 60 MS office trial, adobe acrobat, which I don't trust at all (I use foxit reader)...we also removed Roxio as it and Nero etc are constantly trying to call home. Also a lot of Google toolbars and google updater etc, even found a sneakily installed Zonealarm (free) toolbar...a few Gateway and MS default search pages...nuthin drastic. I should have been more clear in my initial description :/

I tend to agree that at present the comp is not the issue...and the user can't (socially acceptably) bypass the router, but I intend to at least for the short term, have him try that as well. We seemed to have solved the internet connection issues and even increased the time he can spend on Diablo II from 10-15 mins to over two hours. So I sorta have to assume its just that a 1 Mb/s connection is NOT great for even an old game like D2...lol

I feel the problem is more ISP related..but due to his location and financial limitations...he has limited options. I realize that this is more a malware removal help site, but I couldnt think of anyone better to ask about the few bloatware apps than here.

So tomorrow the plan is do better research into ISP options, if there are any.

Thanks for the help guys and as usual I will continue to send folks here with true, nasty, completely infected machines....so you gentlemen can work your magic

Rock on IANAG !!

Here is MY Hijack this log...can we say stripped to the bone

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24\RivaTuner.exe" /S
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1263345299953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1263345284515
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe