Does this log show a virus? What should I do?

Posted on 2011-10-04
Last Modified: 2013-12-06
Redirect virus causes BHO trojan to resurface in registry after Malwarebytes scrub removes it (HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO)). Here's the HijackThis log on the "cleaned" computer. Does this log show any problems I can fix?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:00:16 AM, on 10/4/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {0222D6D9-E01F-49B0-B6E5-CEA67F24FFF1} - C:\Users\Olivia\AppData\Local\TrayUser.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [WindowsNotifierProfile] rundll32.exe "C:\ProgramData\WindowsNotifierProfile.dll",DllRegisterServer
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Reasonable_Software_House Update] C:\Users\Olivia\AppData\Local\Reasonable_Software_House\Reasonable_Software_HouseUpdate\Reasonable_Software_Houseupdt32.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: WePrint Server.lnk = C:\Program Files\WePrint\WePrint Server.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SATARaid5Manager.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: Garmin Communicator Plug-In -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll
O23 - Service: SATARaid5 Configuration Service (SATARaid5 Config Service) - Unknown owner - C:\Program Files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Silicon Image HBA Wakeup Utility (SiHbaWakeupService) - Unknown owner - C:\Program Files\Silicon Image\Silicon Image HBA Wakeup Utility\SiHbaWakeupService.exe

End of file - 6144 bytes
Question by: oliviajones

    Author Comment

    Here's a good one. If you click EE's search tab at the top of this page, which uses Google, the same trojan is placed again in the registry.
    LVL 66

    Expert Comment

    HJT log looks clean.....


    Can you please run a scan (Options > and uncheck "Hide MS and Windows entries") and save the .arn file here?
    LVL 77

    Expert Comment

    by:David Johnson, CD, MVP
    Run msconfig and do a diagnostic boot, then run Malwarebytes and see what results you get... What is this 'Reasonable Software House' stuff? Is it "legit"? I went to the website and it hasn't been updated in 5 years.
    LVL 77

    Expert Comment

    by:David Johnson, CD, MVP
    Also stop that rundll32.exe.
    LVL 66

    Expert Comment

    That rundll might be a part of an NVidia/ATI driver service..... Might want to see what the FULL command line path to it is.... Add the Command Line path in the Task Manager, and see what it points to...
    LVL 69

    Expert Comment

    The HijackThis log is clean.

    If you need deeper cleaning, remember to empty the Recycle Bin and the TEMP files in the TEMP folder.
    Stop System Restore and restart to start a new settings point; delete the old ones.
    Windows 7: go to Control Panel > System and Security > System > System Protection > under the panel "Local Disk C",
    "Configure restore points settings, manage disk space and delete restore points" > Configure >
    at the bottom, "Delete all restore points".
    LVL 27

    Assisted Solution


    As stated above your HijackThis log looks clean, but please be aware that several recent malware variants are not detected by HijackThis.

    Suggest you first try downloading & updating Malwarebytes Anti-Malware, from here:
    Run in normal mode.
    Tutorial, if required:

    Malwarebytes (free) should remove the problem, but if Malwarebytes won't run, download and run Rkill first.
    Do not reboot after running Rkill; then run Malwarebytes.

    Rkill is a small, freeware and portable tool designed to terminate active malware processes allowing you to use other removal tools:

    If you're still having difficulties, try running TDSSKiller to see if it removes the infection. Try renaming TDSSKiller if it refuses to run:

    Download the file and extract it into a folder
    Execute the file TDSSKiller.exe.
    Wait for the scan and disinfection process to be over.
    Close all programs and press “Y” key to restart your computer.

    More detailed TDSSKiller tutorial:

    Excellent articles for further help, if needed:
    "Google Hijack" - Google Search Gets Redirected:

    Infected Router - Google Search Redirects Even on a Clean System
    LVL 27

    Expert Comment

    There's no harm in running TDSSKiller first, you may be fortunate and nail the 'Redirect problem' immediately ...but it's still prudent to follow that with a Malwarebytes deep scan.
    LVL 38

    Assisted Solution

    Please ignore the advice to clean out all of your TEMP folders and empty the Recycle Bin. There are newer variants of malware that will move some of your key files/folders into various paths in your profile and no one should be deleting any files or folders (during the disinfection process) without careful consideration of each one.

    Also ignore the advice to reset (delete) your restore points. Although restore points MAY contain infections, they cannot go active unless the restore point is actually used.

    A really good EE Article by MS MVP 'rpggamergirl' is here:
    Viruses in System Volume Information (System Restore)


    I've been on holiday for a few days and unable to post, but have noticed several questions from you with approximately the same problem. Are your recent questions all about the same computer/infection?

    If you are posting a "Follow Up" question about the same problem, please use the "Ask a related question" function which will allow all of us to read through the prior question/comments before offering suggestions.

    Details here:

    Author Comment

    My original question went dormant while I had to be away for a little more than a week. I was not aware of the "Ask a related question" option. Thanks.
    I have tried to remove the Reasonable Software stuff from an old NoClone install. It no longer shows up in Add/Remove Programs nor in my Program Files folder.
    Please tell me how to find the full command path to rundll32.exe.

    I've attached the autorun scan from    
    LVL 66

    Assisted Solution

    Under the Drivers Tab, you need to find out what this file is.....

    TrueSight                  c:\users\olivia\desktop\truesight.sys

    Take it to and see what the results are..... Not a lot of info out there on it.... Shows up in a CF Safe List....

    Other than that, nothing obvious, besides a lot of bloat you can trim out.....

    "Please tell me how to find the full command path to rundll32.exe."

    In the Task Manager, click View > Select Columns, and add "Command Line". Now look at the Processes tab, and report the FULL path to that rundll32.exe...
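The Task Manager "Command Line" column tells you which DLL a given rundll32.exe was started with, but you still have to judge the DLL by hand. The PowerShell script below is an added example, not code posted by any of the experts in this thread or shipped with HijackThis, Autoruns or Malwarebytes. It lists every running rundll32.exe with its full command line, extracts the DLL path, and reports whether the file exists, whether it carries a valid Authenticode signature, whether it sits in a user-writable directory (ProgramData, AppData, TEMP), and its SHA-256 hash so it can be looked up in a file-reputation service. It also walks the HKLM/HKCU Run and RunOnce keys for values that launch rundll32, which is what HijackThis lists as O4 lines (on the log above it would pick up the HKCU entry loading C:\ProgramData\WindowsNotifierProfile.dll via DllRegisterServer). The Get-FileIdentity function can be pointed at any other file, for instance the truesight.sys driver mentioned above. It assumes Windows PowerShell 4.0 or later (for Get-CimInstance and Get-FileHash) run from an elevated prompt so that processes of all users are visible; the function names are my own.

```powershell
# Added example (not from this thread). Automates the Task Manager "Command Line"
# check for rundll32.exe and the HJT O4 Run-key review. Assumes PowerShell 4.0+,
# run elevated so every user's processes are visible.

function Get-Rundll32Target {
    # Pull the DLL path out of a rundll32 command line such as
    #   rundll32.exe "C:\ProgramData\Example.dll",DllRegisterServer
    #   C:\Windows\system32\rundll32.exe C:\Example\lib.dll,Entry
    param([string]$CommandLine)
    if ($CommandLine -match 'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,') {
        return $Matches[1].Trim()
    }
    return $null
}

function Test-UserWritablePath {
    # True when the path is under a directory an unprivileged user (or malware running
    # as that user) can write to; system DLLs normally live under Windows\ or Program Files\.
    param([string]$Path)
    $userDirs = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)
    foreach ($dir in $userDirs) {
        if ($dir -and $Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-FileIdentity {
    # Existence, Authenticode status and SHA-256 for one file (a DLL loaded by rundll32,
    # or a driver such as truesight.sys) so the hash can be checked against a reputation service.
    param([string]$Path)
    $exists = Test-Path -LiteralPath $Path -PathType Leaf
    $sig  = 'FileMissing'
    $hash = $null
    if ($exists) {
        $sig  = (Get-AuthenticodeSignature -FilePath $Path).Status
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Path         = $Path
        Exists       = $exists
        Signature    = $sig
        UserWritable = Test-UserWritablePath $Path
        SHA256       = $hash
    }
}

function Get-Rundll32Report {
    $rows = @()

    # 1. Every running rundll32.exe, with the full command line Task Manager would show.
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'") {
        $dll = Get-Rundll32Target $p.CommandLine
        if ($dll) {
            $rows += Get-FileIdentity $dll |
                Add-Member -NotePropertyName Source -NotePropertyValue "PID $($p.ProcessId)" -PassThru |
                Add-Member -NotePropertyName CommandLine -NotePropertyValue $p.CommandLine -PassThru
        }
    }

    # 2. Run / RunOnce values that start rundll32 at logon (the HijackThis O4 entries).
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }        # PSPath, PSParentPath, ...
            $value = "$($prop.Value)"
            if ($value -notmatch 'rundll32') { continue }
            $dll = Get-Rundll32Target $value
            if ($dll) {
                $rows += Get-FileIdentity $dll |
                    Add-Member -NotePropertyName Source -NotePropertyValue "$key\$($prop.Name)" -PassThru |
                    Add-Member -NotePropertyName CommandLine -NotePropertyValue $value -PassThru
            }
        }
    }
    return $rows
}

Get-Rundll32Report | Format-Table Source, Path, Exists, Signature, UserWritable, SHA256 -AutoSize
```

Rows whose Signature is anything other than Valid and whose UserWritable column is True are the ones worth submitting for analysis rather than deleting on sight; a Path that no longer exists while the Run value remains is the registry leftover the asker was seeing.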

    Accepted Solution

    I believe the solution to this problem was to boot in safe mode and run MBAM followed by AVG antivirus. For whatever reason, MBAM found and removed 4 trojans that had not shown up in normal mode, and now I seem to have full browser access and no redirect. The virus could be waiting and lurking. If so, I'll be back. Meanwhile, I want to award points for all the time spent on this. Thanks a lot.

    Author Closing Comment

    As noted above, I believe the solution to this problem was to boot in safe mode and run MBAM followed by AVG antivirus. This was not suggested by EE, but by an IT neighbor. For whatever reason, MBAM in safe mode found and removed 4 trojans that had not shown up in normal mode, and now I seem to have full browser access and no redirect. I believe that cumulative earlier efforts of EE experts assisted in this result. The virus could be waiting and lurking. If so, I'll be back. Meanwhile, I want to award points for all the time spent on this. Thanks a lot.
    LVL 27

    Expert Comment

    Thanks for the report! It is indeed surprising that MBAM found and removed the four trojans in Safe Mode after failing to detect them in normal mode, because MBAM has been designed to work in the latter, where malware is more active.

    You may like to study some of the comments in this MBAM forum link, referred to some months ago by E_E's younghv:

    If you still have access to the computer, the other suggestion is to get a 'second opinion' by trying at least two of the following scanners:

    ESET Online Scanner, a free, & powerful tool:

    McAfee Labs Stinger:
    Recommend you do not initially disable System Restore as suggested.

    Dr.Web CureIt!.

    Author Comment

    Thanks for these useful tools, which I will now run as an added precaution!
