TechSpot

Help with Hijack This log

By stacee
Jul 31, 2008
  1. Hello,

    I have XP and have had the hardest time getting rid of a trojan horse that keeps taking over my internet and stopping it from working (I didn't know trojans could do that but I guess they can, right?). ASquared never finds anything and neither does Spybot. I use Sygate, Firefox, and Adblocker Plus, so I thought I was protected... I don't know how it's getting through. Anyway, AVG finds an Adware Generic2 file every other scan or so (a .exe file) in the System_Volume_Information folder in the C drive. Once it's quaranteened I can access the internet again for 5 minutes and then it's off again, so I'm assume then that the trojan has reinstalled itself somewhere. My Hijack This file is below. Any help would be enormously appreciated!!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O14 - IERESET.INF: START_PAGE_
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    --
    End of file - 5236 bytes
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hi stacee,

    An important part of your log is not there, we prefer you attach the log to the thread using manage attachments below, or the paper clip icon above your reply.

    I do notice that your Java is way out of date assuming you have XP SP2 or newer.

    Welcome to Techspot!

    My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

    Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

    If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

    1)MBAM log
    2)SAS log
    3)Hijackthis log (scanned after everything else)

    This thread is for the use of stacee only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. stacee

    stacee TS Rookie Topic Starter

    Blind Dragon,

    Thank you for helping me!! I'm attaching the log. My internet works on and off now and I've done more AVG scans that have found nothing. If you don't find anything suspicious in hijackthis, then maybe the problem is with the hardware of my computer (a compaq presario). I look forward to hearing what you think of the log.

    Stacee
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Heads up:

    "in the System_Volume_Information folder in the C drive." This means that the malware is in the system Restore points. Malware cleaning does no reach these protected files. Don't do anything about them now, but "don't use System Restore" until you are clean and those points have been removed or you will reinfect the system.
     
  5. stacee

    stacee TS Rookie Topic Starter

    Wow, thanks for letting me know! How do I get rid of them then?

    Stacee
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The person who is assisting you with the cleaning will instruct you in the removal after you are clean. In the meantime, don't use the feature.
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    can you please attach the other 2 logs so that I can verify the instructions were properly followed

    Also your Java is still out of date please follow the preliminary removal thread that I posted for you
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...