
HijackThis logs

Solved by Maurice Naggar

Hi, I think I may have some browser exploit or graphics card exploit. I have a few browser mods (Waterfox userChrome.js), a taskbar mod, and Sophia Script to un-spyware Windows itself.

When I scroll over something the popup text box stays until I scroll over the taskbar. In the past it would screw with Windows focus, and programs on the taskbar were unclickable until I right-clicked them. Sometimes I'd get a box that says "Search" just sit in the middle of the screen for a long time over all apps. I will update all these mods and see if that does anything, but here is a log. I need to know if my computer is being remotely accessed or resources being used in any way. Thanks!

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 12:23:20 PM, on 28/05/2022
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.19041.1566)

Boot mode: Normal

Running processes:
C:\Program Files (x86)\GlassWire\GWIdlMon.exe
C:\Program Files (x86)\GlassWire\GlassWire.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\OpenOffice 4\program\swriter.exe
C:\Program Files (x86)\OpenOffice 4\program\soffice.exe
C:\Program Files (x86)\OpenOffice 4\program\soffice.bin
C:\Program Files (x86)\Battle.net\Battle.net.exe
C:\Program Files (x86)\Battle.net\Battle.net.exe
C:\Program Files (x86)\Battle.net\Battle.net.exe
C:\Program Files (x86)\Battle.net\Battle.net.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [UAC-2 MixEfx Startup] "C:\Program Files (x86)\ZOOM\UAC-2 MixEfx\UAC-2 MixEfx Startup.exe"
O4 - HKCU\..\Run: [7 Taskbar Tweaker] "C:\Users\Ross\AppData\Local\Programs\7+ Taskbar Tweaker\7+ Taskbar Tweaker.exe" -hidewnd
O4 - HKCU\..\Run: [CCleaner Smart Cleaning] "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
O4 - HKCU\..\Run: [GlassWire] "C:\Program Files (x86)\GlassWire\glasswire.exe" -hide
O4 - HKUS\S-1-5-19\..\Run: [OneDriveSetup] C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OneDriveSetup] C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup (User 'NETWORK SERVICE')
O4 - Global Startup: SteelSeries Engine 3.lnk = C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: BattlEye Service (BEService) - Unknown owner - C:\Program Files (x86)\Common Files\BattlEye\BEService.exe
O23 - Service: @%SystemRoot%\system32\CredentialEnrollmentManager.exe,-100 (CredentialEnrollmentManagerUserSvc) - Unknown owner - C:\Windows\system32\CredentialEnrollmentManager.exe (file missing)
O23 - Service: CredentialEnrollmentManagerUserSvc_2239cc - Unknown owner - C:\Windows\system32\CredentialEnrollmentManager.exe (file missing)
O23 - Service: @%SystemRoot%\system32\DiagSvcs\DiagnosticsHub.StandardCollector.ServiceRes.dll,-1000 (diagnosticshub.standardcollector.service) - Unknown owner - C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (file missing)
O23 - Service: EasyAntiCheat - EasyAntiCheat Ltd - C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe
O23 - Service: Easy Anti-Cheat (Epic Online Services) (EasyAntiCheat_EOS) - Epic Games, Inc. - C:\Program Files (x86)\EasyAntiCheat_EOS\EasyAntiCheat_EOS.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GlassWire Control Service (GlassWire) - SecureMix LLC - C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lokinet for Windows (lokinet) - Loki Foundation - C:\Program Files\Lokinet\bin\lokinet.exe
O23 - Service: Malwarebytes Service (MBAMService) - Malwarebytes - C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Container LS (NVDisplay.ContainerLocalSystem) - NVIDIA Corporation - C:\Windows\System32\DriverStore\FileRepository\nv_dispsig.inf_amd64_145fe9c72c40de0a\Display.NvContainer\NVDisplay.Container.exe
O23 - Service: @%systemroot%\system32\PerceptionSimulation\PerceptionSimulationService.exe,-101 (perceptionsimulation) - Unknown owner - C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (file missing)
O23 - Service: RogueKiller RTP (rkrtservice) - Unknown owner - C:\Program Files\RogueKiller\RogueKillerSvc.exe
O23 - Service: Realtek Audio Universal Service (RtkAudioUniversalService) - Realtek Semiconductor - C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_9971779a1c712866\RtkAudUService64.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\SecurityHealthAgent.dll,-1002 (SecurityHealthService) - Unknown owner - C:\Windows\system32\SecurityHealthService.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe,-1001 (Sense) - Unknown owner - C:\Program Files (x86)\Windows Defender Advanced Threat Protection\MsSense.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SensorDataService.exe,-101 (SensorDataService) - Unknown owner - C:\Windows\System32\SensorDataService.exe (file missing)
O23 - Service: @%SystemRoot%\System32\SgrmBroker.exe,-100 (SgrmBroker) - Unknown owner - C:\Windows\system32\SgrmBroker.exe (file missing)
O23 - Service: @firewallapi.dll,-50323 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spectrum.exe,-101 (spectrum) - Unknown owner - C:\Windows\system32\spectrum.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Stardock Start10 (Start10) - Stardock Software, Inc - C:\Program Files (x86)\Stardock\Start10\Start10Srv.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\steamservice.exe
O23 - Service: SteelSeries Update Service (SteelSeriesUpdateService) - Unknown owner - C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesUpdateService.exe
O23 - Service: @%SystemRoot%\system32\TieringEngineService.exe,-702 (TieringEngineService) - Unknown owner - C:\Windows\system32\TieringEngineService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: zmuac2service - ZOOM - C:\Program Files\ZOOM\UAC-2 Driver\zmuac2service.exe

End of file - 9288 bytes

My intention is to disable absolutely everything I can so long as it doesn't screw with normal operation. I don't need any RPC stuff, although I know Windows uses them for local tasks now... (this has to be a security risk). If you give instructions please don't hesitate to be detailed and go through multiple steps; I know my way around Windows very well.


Hello.

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing the "Scan" button, be sure that Chrome, Edge and any other web browsers are closed.

It will not take much time.

First, download & save it.


Then be sure to close all web browsers.

Then go to where the EXE file is saved, start AdwCleaner, and do a scan with AdwCleaner.


Attach the clean log. We will do more later.


Hi, sorry for the late reply. I ran it first with the browser open accidentally, then closed the browser and ran it again, both as admin:

# -------------------------------
# Malwarebytes AdwCleaner
# -------------------------------
# Build:    03-23-2022
# Database: 2022-03-15.3 (Local)
# Support:  https://www.malwarebytes.com/support
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    05-29-2022
# Duration: 00:00:03
# OS:       Windows 10 Pro
# Scanned:  32048
# Detected: 0

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.

AdwCleaner[S00].txt - [1405 octets] - [08/06/2021 05:28:02]
AdwCleaner[C00].txt - [1595 octets] - [12/06/2021 18:42:38]
AdwCleaner[S01].txt - [1527 octets] - [29/05/2022 12:30:23]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S02].txt ##########


I ran Basic Repair afterwards.



Two things I was wondering about: 'unknown object', is that a file that exists? Like a spoof file placed there by Sophia Script (a PowerShell script that cleans everything; I accidentally deleted Windows Calculator :( oops). Should I disable PowerShell?

Second, if I select the NVIDIA services and hit Fix, will this reinstall them properly or potentially break them? I'm pretty eager to select some of them, like the Realtek audio, which I don't need.

The Winsock basic repair deleted my temp gauges, but I can get them back.

Thank you once again.


  • Solution

Please do not go off doing things on your own. I will guide you. I am presuming that this system is on Windows 10. If not, stop and let me know. Please set File Explorer to SHOW ALL folders and all files, including hidden ones. Use OPTION ONE or TWO of this article.
Please use this guide: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html


Next, this will be a check with ESET Online Scanner for viruses, other malware, adware, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe


It will start a download of "esetonlinescanner.exe".

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.


  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review it.

29/05/2022 23:46:13 PM
Files scanned: 965702
Detected files: 6
Cleaned files: 6
Total scan time 01:36:34
Scan status: Finished

I will not post the rest of the log; they were all PUPs, just things I had downloaded years ago on my storage drive, games and applications. I will not post potentially incriminating information. None of the PUPs were currently installed applications.


The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the-tool instructions are at this link at Microsoft.



Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.


This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).

The log is named MSERT.log

The log will be at


Please attach that log with your reply. We will do more later.


Hello @Czepa. The Safety Scanner does not do "Microsoft telemetry" other than just sending the scan results to the Microsoft cloud. You may do a new scan with a different tool.

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

  • How to run a scan with Kaspersky Virus Removal Tool 2020


  • How to run Kaspersky Virus Removal Tool 2020 in the advanced mode


  • How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan



Select the Windows key and R key together; the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.


Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".


In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered leave as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found select "Close"


Attach the report information as previously instructed...
Thank you

@Maurice Naggar before I do that, can you please let me know if the GitHub HijackThis mentioned above is legit and not potentially dangerous? I originally came here for simple clarification about what 'unknown owner' means, specifically if this means that a file of the same/similar name exists (being spoofed by malware).


What is the Windows operating system version and build number? That I definitely want to know.
How did you happen to get & run HijackThis?
What is your main goal as concerns the system?
I can guide you to running the Windows System File Checker tool (SFC) to check Windows system files.
I can relay tips to minimize all auto-starts to the absolute minimum.
While I am glad to see that there is a team working on HijackThis Fork 3, we here rely mainly on using
+ Adwcleaner
+ Farbar FRST
We have not used HijackThis in many years. I have not used HJT in many, many years. I am unsure whether it reports on the Edge browser or other browsers that have been developed in more recent years.
Today malware is much more complex, and HijackThis cannot be the sole tool; imho it is really a last-resort type of tool.
I somewhat guess that the "unknown owner" indicates that HJT cannot determine the "publisher" of that particular file or element. I mean the properties of a file, like, perhaps, a signature.
Lastly, let me say, you ought not to be running & looking at HJT unless under guidance of a trained expert who is intimately knowledgeable of & regularly uses HJT.
I can help you check on the integrity of Windows. I can help you to check for potential malware infection. However, we will not be using HJT as a primary tool.


Version 2
Build 19044.1706

4 hours ago, Maurice Naggar said:

Hello. The link cited by Sandor is legitimate. It is not dangerous. As to "unknown owner", that does not by itself mean an actual threat. I suggest you go forward with the scan with the Kaspersky tool.

But because the file is missing too, does this mean that it's a file that has been placed there potentially by someone who has gained access to my system?

Like this: "Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)"

Do you see the capitalization differences in the file name? Maybe I can check the publisher somehow? The one actually present in the file system has the capitalizations. I checked a lot of the things listed as file missing and I would like it if they actually were deleted altogether, so long as it doesn't destroy functionality. I do not like Windows phoning home all the time, just on principle; it's like Android phones and their baseband modem.

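To put an actual check behind the guess earlier in the thread that "Unknown owner" means HJT could not read the publisher, and behind the question just above about whether the "(file missing)" entries really exist and whether the capitalization matters, here is an added PowerShell example; it is not code from the thread, from HijackThis, or from Malwarebytes. It assumes the HJT log above was saved as .\hijackthis.log, that it runs in 64-bit PowerShell on the machine that produced the log, and the helper name Get-ServiceBinaryFromImagePath is my own.

```powershell
# Added example for this thread, not part of HijackThis or any post above.
# For each "O23 - Service:" line in a saved HJT log it asks the Service Control
# Manager for the real ImagePath, checks whether that binary exists, and reads its
# Authenticode/catalog signature, i.e. the "publisher" HJT prints as "Unknown owner".
# Assumptions: the log is saved as .\hijackthis.log, and this runs in 64-bit
# PowerShell. A 32-bit process sees C:\Windows\System32 redirected to SysWOW64 and
# would report 64-bit-only files such as lsass.exe as missing.
$pattern = '^O23 - Service: (?<display>.+?)(?: \((?<name>[^()]+)\))? - (?<owner>.+?) - (?<path>.+?)(?<missing> \(file missing\))?$'

function Get-ServiceBinaryFromImagePath {
    param([string]$ImagePath)
    # ImagePath may be quoted and may carry arguments, e.g. "C:\x\svc.exe" -k netsvcs
    if ($ImagePath -match '^"?(?<exe>[^"]+?\.exe)"?') { return $Matches.exe }
    return $ImagePath
}

Get-Content -LiteralPath .\hijackthis.log | ForEach-Object {
    $m = [regex]::Match($_, $pattern)
    if (-not $m.Success) { return }

    # Short service name when HJT printed one, otherwise the display name.
    $name    = if ($m.Groups['name'].Success) { $m.Groups['name'].Value } else { $m.Groups['display'].Value }
    $logPath = [Environment]::ExpandEnvironmentVariables($m.Groups['path'].Value)

    # Prefer the path the SCM actually launches; fall back to what HJT printed.
    $svc  = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    $path = if ($svc -and $svc.PathName) { Get-ServiceBinaryFromImagePath $svc.PathName } else { $logPath }

    # NTFS name lookups are case-insensitive: wmiapsrv.exe and WmiApSrv.exe are one file.
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $status = 'file not found'; $signer = 'n/a'
    if ($exists) {
        # Inbox Windows binaries are usually catalog-signed; this cmdlet checks the catalog too.
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $status = $sig.Status
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    }

    [pscustomobject]@{
        Service        = $name
        HjtOwner       = $m.Groups['owner'].Value
        HjtSaidMissing = $m.Groups['missing'].Success
        Path           = $path
        Exists         = $exists
        Signature      = $status
        Signer         = $signer
    }
} | Format-Table -AutoSize -Wrap
```

Reading the table: an inbox service whose file exists with a Valid signature from the Microsoft Windows signer is the expected outcome, whatever HJT said about ownership or missing files; a binary that is genuinely absent, unsigned, or signed by an unexpected subject is the row worth taking to the helper.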

    <Metadata Version="1" PCID="{BEF1DF85-CBE6-5C63-33F1-4F3CB0F0A9CC}" LastModification="2022.05.31 01:16:47.059" />
        <Block0 Type="Scan" Processed="2854011" Found="0" Neutralized="0">
            <Event0 Action="Scan" Time="132983998051681871" Object="" Info="Started" />
            <Event1 Action="Scan" Time="132984046070572687" Object="" Info="Finished" />




Very good result.

KVRT "Scan" Processed="2854011" Found="0"

No, what you have posted cannot be used to hack you. There are multiple layers of safety practices you can apply & follow religiously to prevent potential threats from even having a foothold.

I need more information from this machine. Close as many other apps as you can before running this report.

I would like a report set for review. This is a report only.

  • Please download the Malwarebytes MBST Support Tool
  • Once you start it, click Advanced >>> then Gather Logs
  • Have patience till the run has finished.
  • Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.
  • Please attach mbst-grab-results.zip to your reply

15 hours ago, Maurice Naggar said:

Hello. The link cited by Sandor is legitimate. It is not dangerous. As to "unknown owner", that does not by itself mean an actual threat. I suggest you go forward with the scan with the Kaspersky tool.

The reason I ask is because I talked with a developer friend and he said to be cautious of forks like this, and mentioned that a lot of GitHub malware-posting profiles have had provocative political statements. And although I agree with the statement, it says on the page linked: "Hi, I am Stanislav Polshyn - a lawyer, security observer and malware researcher from Ukraine (Chernobyl, Na'Vi, Щедрик, Colony of USA). Yankee go home!" I've downloaded it, but I'll wait till later to run it.
