| Thread ID: 106089 | 2009-12-26 03:16:00 | Hi Jack This Log | katharinem (3459) | Press F1 |

| Post ID | Timestamp | User |
| 843149 | 2009-12-26 03:16:00 | katharinem (3459) |

Does anything here need tweaking/removing please?

```text
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:36 p.m., on 26/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINDOWS\TEMP\E_S8A.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [CAP2ON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAP2ONN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1210 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup\uBBMonitor.exe
O8 - Extra context menu item: add to google photos screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - download.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BootlogService - Greatis Software (c) - C:\Program Files\Greatis\BootLog XP\BootLogService.exe
O23 - Service: Google Update Service (gupdate1c9f1528c1e71ac) (gupdate1c9f1528c1e71ac) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService (nmindexingservice) - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6304 bytes
```

Thanks.
| 843150 | 2009-12-26 03:41:00 | Renmoo (66) |

```text
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
```

Is this a fake Windows Update?
| 843151 | 2009-12-26 09:54:00 | Speedy Gonzales (78) |

You can tick these, then tick "Fix checked". Close browsers.

```text
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
```

Yup, I'm not too sure what these 2 are doing here:

```text
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
```
| 843152 | 2009-12-26 11:19:00 | katharinem (3459) |

Googled the O23 Auto Updates (wuauserv) unknown owner. Haven't been able to turn the BITS on for ages. Found Windows Firewall turned off and cannot start services for BITS or Automatic Updates. Having trouble opening Security Centre in Control Panel. Am running the MS Windows Malicious Software Removal Tool to see if that helps. Nothing found there after a quick scan. Really weird.

Think I've found something here: www.burchwords.com. Will try in the morning.

Will I try and fix them in the HijackThis log first, or do as suggested in the link above?
| 843153 | 2009-12-26 19:29:00 | Speedy Gonzales (78) |

Get Trojan Remover below. Update it, then scan. Then select all options under the Utilities menu. See if that sets everything back to its default settings.
| 843154 | 2009-12-26 23:41:00 | katharinem (3459) |

Hi. Thanks for the help. Did the Trojan Remover scan, which fixed a couple of things, but still can't start the Automatic Updates or BITS services. Will have another look at this: www.burchwords.com

During all the time these services have been turned off, I haven't actually picked up anything too dreadful. How necessary are the updates? Isn't there a cutoff date for XP updates?
| 843155 | 2009-12-26 23:49:00 | Speedy Gonzales (78) |

XP updates won't die until 2014. So, there's a long way to go yet. Depends if you use whatever it is that's affected (what the updates are for, ie: IE / Outlook / OE), and on whether you'll get hit by the flaw / vulnerability if you don't update it. Or try this (helpdeskgeek.com).
| 843156 | 2009-12-28 04:58:00 | katharinem (3459) |

I tried this and it worked. Rapt!

LINK: www.burchwords.com

"HijackThis reported these two entries that didn't seem legit:

```text
O23 Service: Automatic Updates (wuauserv) Unknown owner C:\WINDOWS\
O23 Service: Background Intelligent Transfer Service (BITS) Unknown owner C:\WINDOWS\
```

I found this article on experts-exchange with a guy with the same problem. I searched long and hard and still no dice. I finally stumbled across a little Google Groups thread with this advice. Make sure you back up your registry before you attempt this. Also, good idea to do a System Restore checkpoint.

Solution:

1. start > run > regedt32.exe
2. Do a search for %fystemroot%
3. If you find any hits, first change the permissions on the folders so you can edit the registry entry.
4. Change %fystemroot% to %systemroot%
5. Press F3 until you find all entries and repeat step 4.
6. Try to start BITS and Automatic Updates.

The original quote from the Google Groups thread:

SOLUTION FOUND: In my registry, the virus had replaced %systemroot% with %fystemroot% in several spots, so the correct files could not be found. I did a search for fystemroot in regedit, and replaced with systemroot. (I did have to click Edit / Permissions and allow full control in each of the folders first. Evidently the virus disabled the permissions first.) I hope this helps anyone else who has a similar issue."

I'll post it as a separate heading as, from reading through other websites and help pages, it seems that this has affected many people's computers. Thanks for all the help.
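The two checks the thread describes, as an added Python example that is not from the thread, from HijackThis, or from any tool named in it: it flags O23 lines where HijackThis reports "Unknown owner" with only a bare directory as the path, and it finds service ImagePath values where %systemroot% has been rewritten to %fystemroot% and shows the corrected value. Both inputs are constructed samples embedded below; only the line shapes follow the thread's log and the output of `reg query <key> /v ImagePath`.

```python
import re

# Constructed sample of HijackThis O23 lines, in the shape of the thread's log.
SAMPLE_HJT = """\
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\\WINDOWS\\
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\\WINDOWS\\
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe
"""

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

def suspicious_services(log_text):
    """Short names of O23 entries whose binary HijackThis could not resolve:
    owner reported as 'Unknown owner' and the path a bare directory ending in '\\'."""
    hits = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m and m.group("owner") == "Unknown owner" and m.group("path").endswith("\\"):
            hits.append(m.group("short"))
    return hits

# Constructed sample of 'reg query HKLM\SYSTEM\CurrentControlSet\Services\<svc> /v ImagePath'
# output, with the %systemroot% -> %fystemroot% corruption the thread describes.
SAMPLE_REG = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BITS
    ImagePath    REG_EXPAND_SZ    %fystemroot%\\system32\\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv
    ImagePath    REG_EXPAND_SZ    %fystemroot%\\system32\\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\\system32\\spoolsv.exe
"""

BAD_ROOT = re.compile(r"%fystemroot%", re.IGNORECASE)

def corrupted_image_paths(reg_text):
    """Map each service key whose ImagePath uses %fystemroot% to its corrected value."""
    fixes, key = {}, None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()                      # remember the key the value belongs to
        elif "ImagePath" in line and BAD_ROOT.search(line):
            value = line.split("REG_EXPAND_SZ", 1)[1].strip()
            fixes[key] = BAD_ROOT.sub("%SystemRoot%", value)
    return fixes
```

The services flagged by the first function are exactly the keys the second one reports, which is the link the thread found by hand: an unresolvable ImagePath shows up in HijackThis as an unknown owner with no executable.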
| 843157 | 2009-12-28 05:02:00 | Speedy Gonzales (78) |

Sweet, good to hear you fixed it!