Hi Jack This Log

26-12-2009, 04:16 PM
Does anything here need tweaking/removing please?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:36 p.m., on 26/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINDOWS\TEMP\E_S8A.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [CAP2ON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAP2ONN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1210 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup\uBBMonitor.exe
O8 - Extra context menu item: add to google photos screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261114986750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1261114968484
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BootlogService - Greatis Software (c) - C:\Program Files\Greatis\BootLog XP\BootLogService.exe
O23 - Service: Google Update Service (gupdate1c9f1528c1e71ac) (gupdate1c9f1528c1e71ac) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService (nmindexingservice) - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

End of file - 6304 bytes

26-12-2009, 04:41 PM
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

Is this a fake Windows Update?

Speedy Gonzales
26-12-2009, 10:54 PM
You can tick these then tick fix checked

Close browsers

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

Yup I'm not too sure what these 2 are doing here

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

27-12-2009, 12:19 AM
Googled the O23 Auto Updates (wuauserv) unknown owner. Haven't been able to turn the BITS on for ages. Found windows firewall turned off and cannot start services for BITS or Automatic Updates. Having trouble opening Security Centre in Control Panel. Am running the MSWindows Malicious Software Removal Tool to see if that helps. Nothing found there after a quick scan. Really weird. Think I've found something here
http://www.burchwords.com/archives/1240. Will try in the morning. Will I try and fix them in the HiJackThis log first, or do as suggested in the link above?

Speedy Gonzales
27-12-2009, 08:29 AM
Get trojan remover below. Update it then scan. Then select all options under the utilities menu. See if that sets everything back to its default settings

27-12-2009, 12:41 PM
Hi. Thanks for the help. Did the Trojan remover scan which fixed a couple of things but still can't start the auto updates or BITS services. Will have another look at this
http://www.burchwords.com/archives/1240. During all the time these services have been turned off, I haven't actually picked up anything too dreadful. How necessary are the updates - isn't there a cutoff date for XP updates?

Speedy Gonzales
27-12-2009, 12:49 PM
XP updates won't die until 2014. So, there's a long way to go yet. Depends if you use whatever, if it's affected (what the updates are for. - ie: IE / Outlook / OE).

On whether you'll get hit by the flaw / vulnerability, if you don't update it

Or try this (http://helpdeskgeek.com/how-to/background-intelligent-transfer-service-will-not-start/)

28-12-2009, 05:58 PM
I tried this and it worked. Rapt!
LINK: http://www.burchwords.com/archives/1240.

"Hijackthis reported these two entries that didn’t seem legit:

O23 – Service: Automatic Updates (wuauserv) – Unknown owner – C:\WINDOWS\
O23 – Service: Background Intelligent Transfer Service (BITS) – Unknown owner – C:\WINDOWS\
I found this article on experts-exchange with a guy with the same problem. I searched long and hard and still no dice. I finally stumbled across a little google groups thread with this advice. Make sure you back up your registry before you attempt this. Also, good idea to do a system restore check point.

1. start —> run —> regedt32.exe
2. Do a search for %fystemroot%
3. If you find any hits, first change the permissions on the folders so you can edit the registry entry.
4. change %fystemroot% to %systemroot%
5. press F3 until you find all entries and repeat step 4.
6. Try to start BITS and Automatic Updates

The original quote from the google group’s thread:

In my registry, the virus had replaced “%systemroot%” with “%fystemroot%”
in several spots, so the correct files could not be found. I did a search
for “fystemroot” in regedit, and replaced with “systemroot”. (I did have to
click “Edit” / “Permissions” and allow full control in each of the folders
first. Evidently the virus disabled the permissions first.) I hope this
helps anyone else who has a similar issue."

I'll post it as a separate heading as from reading through other websites and help pages, it seems that this has affected many people's computers. Thanks for all the help.
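Added example, not part of the thread or the linked article: a Python sketch of the two checks the post above relies on, namely spotting O23 service entries whose path names no executable, and spotting a misspelled environment variable such as %fystemroot% in a service ImagePath value. The variable allowlist and the sample ImagePath strings are assumptions constructed for illustration; the three O23 lines are copied from the log in this thread.

```python
import ntpath
import re

# O23 layout as it appears in the log in this thread:
#   O23 - Service: <name> - <owner> - <image path>
O23_RE = re.compile(
    r"^O23 [-–] Service: (?P<name>.+?) [-–] (?P<owner>.+?) [-–] (?P<path>[A-Za-z]:\\.*)$"
)
# Assumption: variables normally seen in service ImagePath values.
KNOWN_VARS = {"systemroot", "windir", "programfiles", "systemdrive"}


def services_without_executable(log_text):
    """Return (name, owner, path) for O23 entries whose path names no file."""
    hits = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip().strip('"')
        # A healthy entry ends in a file name with an extension; a bare
        # directory has an empty basename and therefore no extension.
        if not ntpath.splitext(ntpath.basename(path))[1]:
            hits.append((m.group("name"), m.group("owner"), path))
    return hits


def unknown_env_vars(image_path):
    """Return %VAR% names in an ImagePath value that are not in KNOWN_VARS."""
    return [v for v in re.findall(r"%([^%\\]+)%", image_path)
            if v.lower() not in KNOWN_VARS]


# Three O23 lines copied from the log in this thread.
SAMPLE_LOG = r"""
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
"""
# Constructed ImagePath values: the damaged form the post describes, then a normal one.
SAMPLE_IMAGE_PATHS = [
    r"%fystemroot%\system32\svchost.exe -k netsvcs",
    r"%SystemRoot%\system32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for name, owner, path in services_without_executable(SAMPLE_LOG):
        print(f"no executable: {name} [{owner}] -> {path}")
    for value in SAMPLE_IMAGE_PATHS:
        print(value, "->", unknown_env_vars(value) or "ok")
```
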

Speedy Gonzales
28-12-2009, 06:02 PM
Sweet good to hear u fixed it !