
Thread: EMERGENCY!! 20 RED files HELP PLZ

  1. #1
    Join Date
    Jul 2010
    Posts
    2

    EMERGENCY!! 20 RED files HELP PLZ

    I'm running Windows 7 Home Premium 64-bit and I'm using a brand new computer. my internet keeps dropping and kicking me off and is going really slow. here are my log files:

    ran ESET, for some reason it didn't do a log file but it didn't find anything.

    ran Avira (free edition), did not find anything either, and I am also using ZoneAlarm firewall
    Last edited by LocoLofa; 07-28-2010 at 11:15 PM.

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Not sure what you mean by 20 red files. The MBA-M scan you ran was a Quick Scan; we clearly request a Full Scan.
    I see nothing in your logs to indicate infection. I do see uTorrent, meaning you do P2P file sharing which is one of the easiest and most likely ways to get an infection. I can't believe you would even consider this on any computer, let alone a brand new one.
    You say you are running Zone Alarm, is the built in Windows Firewall turned off?
    What type of internet connection do you have? Having your internet turn off or kick you off usually isn't an indication of infection, it is usually either a problem with your firewall or a problem with the internet connection itself.

  3. #3
    Join Date
    Jul 2010
    Posts
    2
    I mean in my htj parse there were 20 red files that showed up, most of them say (file missing) at the end. utorrent is not a problem, I've only used it for one thing. windows fire alarm is turned off. yes I did a quick scan by mistake, but I did a full one and there is nothing. for the internet I have dsl satellite called HughesNet, I use this **** cause I live on a farm and there isn't anything better

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    If you used the HJT parsing here it is worthless. It is years old, has never been updated AND definitely is NOT for use with Vista or Windows 7. In fact the use of ANY HJT parser is never recommended. This program is meant to be used to scan the computer and then to copy/paste the log onto a forum like this one. Unless you know what each and every single entry on the log means you should not be reading it yourself.

    Plus, you ran the old version of HiJackThis which is not configured for use on Windows 7 so your scan gave false and incorrect results. The newest version 2.0.4 is the one that should be used and that can be found here:
    http://free.antivirus.com/hijackthis/

    Run the new version and then please Copy/Paste, DO NOT ATTACH, the log back here and I will take a look.

  5. #5
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Age
    69
    Posts
    33

    Uh....

    I sent Locolofa to ur site. I helped him set up Zonealarm and Avira, I told him to run panda and ESET scans and all showed clean....as for your comments about "attaching", maybe you want to read your own sticky

    I quote:

    "ALSO, please submit a HijackThis Log along with your post.
    **** Also, please run HijackThis and open the Misc Tools section.
    Under the System Tools section, Click on Open Uninstall Manager and Click Save list.
    Save it to your desktop and then please post this Uninstall List as directed below.
    When you post your request for assistance, please be sure to attach these FOUR requested scanlogs:
    • MalwareBytes’ Anti-Malware log
    • ESET Online Scanner log
    • HijackThis Scanlog
    • Uninstall List
    Please save these Logs as .txt Files and attach them via the "Manage Attachments" tool in the Additional Options section when you post (scroll down)."

    His problem is intermittent internet drops...as for the version of HTJ he used: That was my fault...he has a 1Mb/s satellite connection...which may be the root of the whole problem. I will call and have him run the latest version (maybe you should have CNET remove the older version eh)?

    At the moment we are trying to isolate the problem ....aka....the new gateway desktop running Win 7 or the 2 comp home network....

    I thank you for your quick response, and you should seriously update your "read this before posting" sticky BEFORE you tell ppl NOT to attach the requested files.

    Anyways we will have the new log from HJT 2.0.4 posted tonight, hopefully, assuming the 20+ RED entries were caused by either the parser or the older version, will no longer be there. Lastly if the online parser is out of date....maybe it also needs updated.

    Me= 30 years of working on comps from netbooks to mainframes...when I send someone to your HJT online parser, I expect it to be up to date, as well as the stickies at the top of this forum.

    I realize this is all a free service, lately subsumed by Trend Micro, maybe a phone call is in order, if the online parser is also out of date.

    Otherwise keep up the great work....HJT has allowed me to help more ppl than you can imagine...thx
    Last edited by Ghot; 07-29-2010 at 03:39 PM.
    Windows XP Pro w/SP3
    AMD Phenom II X4 955 B.E. (C2) OC'd to 3.8Ghz
    ASUS M4N82 Deluxe 980a SLI Mobo
    EVGA GeForce GTX 580 1536MB
    Corsair CM2X2048-8500C5D Dual Channel
    SATA WD 300GB Velociraptor
    WD 1TB Caviar Black
    LG GH22LS30 CD/DVD Burner
    PC Power & Cooling Silencer 750W
    ViewSonic G90FB 19" CRT Monitor
    Harmon Kardon Speakers (3)
    Coolermaster ATCS 840 Full Tower
    3x230mm, 1x120mm, Optional: 3x Scythe S-Flex SFF21G 120mm
    ZALMAN CNPS 10X Extreme CPU Cooler
    Steelseries 6GV2 Keyboard

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Thanks for the note concerning attaching logs, that has now been changed.
    As for your comment concerning the HJT program from CNET, we have no control whatsoever over another website. BUT that is NOT where you are supposed to download HJT from, click the link given in the sticky and it takes you to Trend Micro which is where you should get the download from.
    I have no control over the HJT parser, I don't want it here, none of us do but we cannot remove it. As I said, nobody should use any online parser. They ALL give false info. Also remember HiJackThis is not considered a fixer program, it is to be used for scanning only unless told by a helper to use it to fix something.
    Will wait for the log.

    EDIT: Just ran that log of your friend's through this HJT analyzer here to see what is listed in red. Each and every one of the files flagged is a LEGITIMATE, NEEDED file. And if you will note, one of the files flagged in red is shown in my attachment.

  7. #7
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Age
    69
    Posts
    33
    Thx and regarding the online parser...you do realize it is also on the IANAG site...located here: http://hjt.networktechs.com/ ...preferably I personally would like the parser to remain there and be up to date as I do use it to help others with simpler problems. You guys are the best...just keep up the good work, and thx again.

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    "you do realize it is also on the IANAG site"
    THAT IS this site. It isn't a different site...one and the same and you should NEVER use it. It has been out of date forever. It was put up there in 2005. Complain to the management, I am only a mod here. I have no control over whether it is removed, updated or not.

    If you have been using it to parse HJT logs and then alter computers based on those parsers then it is very likely you have removed important files from computers.

    Absolutely NO file should ever be removed or altered based on the findings of some crazy HJT parser. I am telling you that NONE of them will give fully accurate 100% readings...NONE of them. No matter how up to date. Do you know why?

    Because there isn't any way in the world that one single parser program can possibly know what each and every file that may be found on a computer truly is because of the wide and varied number of computer programs available today. Each day when reading these logs I see at least one program I have never seen before.

    I have been working to help remove malware, infections, etc., for probably 5 years...I never use a parser, ever. I research each and every entry. I investigate each and every file name and location. I have never used the parser here and never will. That is not the way to interpret a HJT log.

    Please see this information concerning HJT parsers directly from Merijn Bellekom
    Merijn Bellekom is a Dutch programmer and anti-spyware specialist, most known for writing the program HijackThis.
    ... you shouldn't rely solely on the automatic parser since it's pretty flawed. I've only used it a couple of times on infected logs and it shows both false positives as false negatives. You can use it for guidance, but the results should be taken with a grain of salt. Generally I feel that the only parser bound to be perfect is your own mind, together with the lists of Startups from Pacman, and the list of CLSIDs from TonyKlein.

  9. #9
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Age
    69
    Posts
    33
    I realize this quite well and do not use the parser on machines with 25 or so user programs installed. I know what files Windows is supposed to have and not supposed to have, and in the few cases when I don't, I research them thoroughly before making ANY decisions.

    I am NOT recommending to anyone to follow the parser results w/o question...however in this particular case, the version Loco used could NOT remove any of the "file missing" RED entries...so I instructed him to post his log here. Most of the file missing entries are related to files and or programs that I had him remove before we even consulted HJT. I'm sure you are familiar with the cr*apware installed on all Chainstore comps....these are what most of the "file missing entries" relate to. Quite possibly the 2.0.4 version will either remove those entries or not even flag them...this is MY hope.

    Don't construe my comments to be advice for anyone on these forums...this is a special case scenario, for one computer in an isolated incident. As soon as Loco is online again I will ofc have him install the latest version and post his log here. Also this is not an attempt to clean an infection so much as to troubleshoot his losing internet connection sporadically. My belief is that his ISP is at fault in this case and I am trying to prove that by making sure it's NOT his computer itself, which is only 2 weeks old...we have already gone thru every malware, AV, trojan etc scan and found nothing...we have also used the excellent www.blackviper.com website to tame a lot of the MS services that come enabled by default. After all this I told him to run HJT and post a log. He should be online in the next 2-3 hours and we will have a 2.0.4 version log for you.

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    The items shown as missing entries were shown as missing entries because you used an out of date version of HiJackThis, NOT because they have been removed from the computer. It was not able to scan Windows 7 properly. You would have received the same results if the computer had been a Vista computer, that version of HJT does not scan properly on any system after XP.
    Secondly, HiJackThis is NOT a removal program. It will FIX incorrect entries, it will stop auto starts, but it doesn't remove anything except Active X items, it will not remove services.
    When you fix a O23, or Services entry, which is where your "dreaded" red entries are located, Hijackthis will change the startup for this service to disabled, stop the service, and then ask the user to reboot. It will not delete the actual service from the registry or the file it points to.
    Whether you believe the files are as you say cr*apware, not all of those listed ARE cr*pware. They are legitimate files and many of them should not have been removed if you actually did so.
    I am very familiar with blackviper and have used his lists for nearly 4 years.
    I agree with you as far as your friend's ISP being the likely problem for the sporadic internet losses. But removing files or programs based on an out of date HJT scan is just not what you should do. Stop them from running, maybe, but full removal from a brand new computer, sorry, but I wouldn't want you working on my brand new computer. What you consider cr*pware he may very well want to use.

    You can have your friend post the log, but obviously you don't believe a word I have said and doubt even the creator of HJT when he says he wouldn't trust a parser to decide what to do so I doubt that you will allow him to believe what I say anyway.
    I will read the log if I have the time but I know any advice I give will be ignored.
