
Author Topic: New Computer Hope tool  (Read 168505 times)


Broni


Re: New Computer Hope tool
« Reply #105 on: January 29, 2010, 06:48:30 PM »
Actually, I was lying. In this brand new log, it's not listed under processes, but I found it as O4 entry:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:47 PM, on 1/28/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\kbd.exe
C:\Program Files\PC Hardware Manager\PCHardwareManager.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


hjt:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PC Hardware Manager] C:\Program Files\PC Hardware Manager\PCHardwareManager.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - .DEFAULT User Startup: Preload.lnk = ? (User 'Default user')
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro2.cce.hp.com/ChatEntry...ds/sysinfo.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ndows-i586.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01...PUplden-us.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
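
Added example (not part of the original post, and not the Computer Hope tool's code): a short Python check that reproduces the observation above by parsing a HijackThis log and listing the O4 Run entries whose executable is missing from the "Running processes" section. The sample log is a constructed excerpt of the log above, matching is by file name only, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed excerpt of the log in the post above.
SAMPLE_LOG = r"""Running processes:
C:\Windows\explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe

O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
"""

# "O4 - <key>: [<value name>] <command line>"; the "User Startup" form is not matched.
O4_RE = re.compile(r"^O4 - (?P<key>\S+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First executable of a command line, quoted or bare (bare paths may contain spaces).
EXE_RE = re.compile(r'"([^"]+\.exe)"|(.+?\.exe)(?=\s|$)', re.IGNORECASE)


def parse_log(text):
    """Return (set of running process file names, list of (value name, command))."""
    running, autoruns, in_procs = set(), [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False  # a blank line ends the process section
        elif in_procs:
            running.add(ntpath.basename(line).lower())
        elif m := O4_RE.match(line):
            autoruns.append((m["name"], m["cmd"]))
    return running, autoruns


def autoruns_not_running(text):
    """O4 Run entries whose own executable is absent from 'Running processes'."""
    running, autoruns = parse_log(text)
    missing = []
    for name, cmd in autoruns:
        m = EXE_RE.match(cmd)
        if not m:
            continue
        exe = ntpath.basename(m.group(1) or m.group(2)).lower()
        # rundll32 entries load a DLL and have no process image of their own.
        if exe != "rundll32.exe" and exe not in running:
            missing.append((name, exe))
    return missing
```

On the constructed excerpt, `autoruns_not_running(SAMPLE_LOG)` reports only the MSSE entry, the same mismatch between the O4 list and the process list described in the post.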

evilfantasy

Re: New Computer Hope tool
« Reply #106 on: January 29, 2010, 06:49:06 PM »
Edit: Maybe I'm thinking of Vista when I saw it in my logs?

This is an interesting issue, because 1-2 months ago, I saw quite a few HJT logs from computers running MSE and it could be seen in a list of running processes.
I just had another HJT log today from the computer running MSE and.....nada.
Some Windows update hid it even "better"?

Agreed. When I first installed MSE it was in the HJT log. Not now.

Would "c:\Program Files\Microsoft Security Essentials\msseces.exe" not be in the processes list from the log?

Nope. Just like Windows Defender, once it went final it also went missing (for the most part) unless you went looking for it.

BC_Programmer


Re: New Computer Hope tool
« Reply #107 on: January 29, 2010, 06:56:25 PM »
Come to think of it, HijackThis really should output all the services running on a machine.
I was trying to dereference Null Pointers before it was cool.

Broni


Re: New Computer Hope tool
« Reply #108 on: January 29, 2010, 07:10:30 PM »
It's not a service, but a process, but in any case, HJT, since being taken over by TrendMicro, has been basically dead, development-wise.
So, it doesn't really show everything.
HJT creator, Merijn, joined Malwarebytes crew lately.
I'm pretty sure TM took HJT over just to kill it.

evilfantasy

Re: New Computer Hope tool
« Reply #109 on: January 29, 2010, 07:13:49 PM »
They recently released a new Beta. v2.0.3 http://free.antivirus.com/hijackthis/

Although there are no apparent changes yet.

Broni


Re: New Computer Hope tool
« Reply #110 on: January 29, 2010, 07:18:06 PM »
Very minor changes and, on top of it, some people with Vista and 7 experience problems when trying to run it as administrator, so I always suggest to run 2.0.2.

Broni


Re: New Computer Hope tool
« Reply #111 on: January 29, 2010, 07:20:10 PM »
Maybe 5-6 months ago, on some other forum, a guy from TM came to describe how huge changes are coming to HJT under TM (basically, it would be something like OTL), but.....nothing happened.

Computer Hope Admin

Re: New Computer Hope tool
« Reply #112 on: February 01, 2010, 05:55:39 PM »
After playing with my Vista machine I did get HijackThis to show msseces.exe as Broni showed above. I believe it may not have been showing earlier because I may not have been running it as administrator. Still unable to get this to show under Windows 7; however, this could once again be an issue with it being 64-bit and HijackThis's incompatibility with it. Probably most of the issues boil down to the fact that HijackThis isn't getting maintained.

Maybe we should consider suggesting converting all our recommendations to an alternative solution such as A-Squared HiJackFree or some other alternative. These tools could be easily adapted to the Computer Hope process tool.

Everybody is a genius. But, if you judge a fish by its ability to climb a tree, it will spend its whole life believing that it is stupid.
-Albert Einstein

evilfantasy

Re: New Computer Hope tool
« Reply #113 on: February 01, 2010, 06:03:50 PM »
I just started testing out A-Squared HiJackFree a few days ago and it works very well. I even have a canned speech for it.

I'll start a topic in the MS section asking what the others think about it and the possible up/downsides. Check in there in a few minutes.

Broni


Re: New Computer Hope tool
« Reply #114 on: February 01, 2010, 07:13:25 PM »
I think, HJT days are over.
With today's sophisticated infections, it really doesn't show much unless the computer is totally messed up.
I still use it as a tool for a final look (garbage, unnecessary startups, etc. - it's handy, because it's compact), but not as a primary tool.
Basically, without scanners like DDS, or OTL, you can't see much.

Computer Hope Admin

Re: New Computer Hope tool
« Reply #115 on: February 02, 2010, 04:16:57 AM »
Doesn't appear that Hijackfree updates that frequently either.  :-\ Based off what I happened to see on their webpage as shown below.

Quote
Last Update of a-squared HiJackFree: 5/12/2008 8:15 AM
Version: 3.1.0.16
Number of References:
Processes: 1789
Autoruns: 12129

Update: 1.6

- Updated tool to support HiJackFree logs and parse through most of what HijackThis logs do.
- Corrected issue with load files such as userinit not being suggested as the file to delete in fixes.
- Changed the title of this tool to "Computer Hope log tool"; felt that since this tool is supporting more logs, the mention of HijackThis in the title isn't needed.
- Corrected issue with improper <title> tags in HTML code.
- Added "Note: The Windows XP firewall only filters inbound Internet traffic by default." to warning about no firewall detected under XP.
- Additional firewall and anti-virus programs detected
- Corrected footer issues when displaying saved logs on server.
- Updated hijackthis example log linked to on main page to a more up-to-date version
- Several hundred more files listed
- Other small updates and changes



evilfantasy

Re: New Computer Hope tool
« Reply #116 on: February 06, 2010, 02:13:53 PM »
I have run a multitude of logs through the tool this week with all sorts of different AV's so hopefully they are mostly all recognized when you get it updated again.

One bad thing is that Kaspersky is blocking the tool from running.

Exploit.HTML.CodeBaseExec http://www.viruslist.com/en/search?VN=Exploit.HTML.CodeBaseExec

Quote
Status: Infected   (events: 1)   
2/6/2010 2:58:27 PM   Infected   Trojan program Exploit.HTML.CodeBaseExec   http://www.computerhope.com/cgi-bin/process.pl   High

I have sent it in as a False Positive. http://support.kaspersky.com/virlab/helpdesk.html

Quote
Selected request type     False alarm
Email    ******************
Installed Kaspersky Lab’s software:    KIS 2010
Date of the last successful database update:    02/06/2010

Computer Hope Admin

Re: New Computer Hope tool
« Reply #117 on: February 07, 2010, 03:38:07 AM »
Thanks for the help and notice. This is one of the main reasons I've been using Kaspersky this last month, is because of these false alarms. Unfortunately as far as I can tell I can't seem to make it so these don't appear.

evilfantasy

Re: New Computer Hope tool
« Reply #118 on: February 07, 2010, 10:43:14 AM »
They may have fixed it on their end. I just ran a log through with no warnings.

Computer Hope Admin

Re: New Computer Hope tool
« Reply #119 on: February 08, 2010, 04:43:01 PM »
That's good to hear. I'll be updating this some more tonight so it should allow me to see if I'm also getting any errors. Would be really nice to have this fixed since I get users often complaining that the tool is infected when it's really not.