Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Hijack Log

Status
Not open for further replies.
lancekidd

lancekidd

Technical User
Jan 26, 2009
55
US
Hi, I'm working on a laptop of nieces with Vista. Some wierd things keep popping up and I can't figure where they're coming from, mainly a couple of warnings of trojans from AVG, but the scan showed nothing.

I've run SAS and Malwarebytes in Safe Mode and then re-run to be sure everything was clear, but I was just hoping someone would look at this log for me. I don't see anything, but then again, I don't understand all of the entries.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:43 AM, on 12/9/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4819 bytes
 
Sort by date Sort by votes
Good news: there is apparently no malware to be seen...

now clean up the following entries:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

left over from McAfee SiteAdvisor...

O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)

no info on this one...

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

now I would uninstall the TuneUp Utililities 2009, and install CCleaner to remove TMP files, old Logs, etc.

Then I would install a good third party firewall, e.g. Comodo, that will block most popups to begin with...

also it would be more informative, if you happen to describe the "weird things" that keep popping up...


Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Upvote 0 Downvote
Thank you for looking at the log Ben. the line 023 - Google Updater Service will not remove. I went to the folder where it says it's located and don't see it even with hidden folders showing.

I also have a couple of more questions for you that I would really, really like you or anyone to answer if possible because this is getting a lot of people.

First off is there a decent Spyware protector that is free? I have the Pro addition of SAS, but:

I went to IMDB.com the other day and looked up Julia Roberts page. Very popular site that millions of people visit. When I closed out her page, I got my screen covered with the famous pop-up that tells you that you have mal-ware and it starts scanning your machine.

Next day, I was on HBO boxing and clicked on Jermaine Taylors profile and when I closed it, same thing happened. This wasn't a bad link, I mean there was a link for every boxer on the page that other people had visited and left recent comments. But SuperAntiSpyware Pro didn't catch or block anything.

In each instance I did not click OK, but trying to just X the alert box closed does nothing and neither does trying to close the browser. I just powered off the PC by holding down the power button, started it back up and scanned with SAS and Malwarebytes in regular and safe mode and found nothing. I went back to the HBO boxing site and back to Jermaine Taylor's profile link and when I closed it, IE's SmartScreen Filter alerted me that this was a reported site.

How and why in the world does this happen?
 
Upvote 0 Downvote
Actually, this is what I suggest, and as Ben suggests, I believe it'll take care of your problem.

Here's what I personally suggest, and it seems to work wonders:
[OL][LI]Antivirus - I'd start using Avira Antivir - MUCH better than AVG on detection. The only one MAYBE better is Nod32, which is not free. Either of those would be best.[/LI]
[LI]Firewall - Comodo, or my personal favorite, Online Armor. Online Armor works best, I think, unless you're running a 64-bit version of Windows. Comodo is more annoying with more pop-ups than Online Armor in my experience, but either will protect you from such things as you've mentioned here.[/LI]
[LI]SpywareBlaster - it helps make sure your system settings are set best for protection.[/LI]
[LI]Advances System Care by IOBit - Great all-around program in my experience so far - not very old, really. It's mainly for cleaing up stuff, system optimization, etc.[/LI]
[LI]Glary Utilities - same as Advanced System Care, but just like Antispyware apps, they will each pick up a few things the other misses.[/LI]
[LI]CCleaner as well, as Ben mentioned.[/LI]
[LI]SuperAntispyware - great one to keep on the system[/LI]
[LI]Malwarebytes AntiMalware, as you've already mentioned as well. Good to keep it on a system ahead of time, so that if you DO get infected, you're at least a step ahead in not having to install on an infected system.[/LI]
[/OL]

I've personally seen some of those annoying viruses you're talking about stopped in their tracks by Online Armor. I've also seen at least one stopped in its tracks by Avira Antivir.

The reason why Online Armor and Comodo work so well is that they aren't just a basic firewall. They also check for programs trying to run on your computer. So say a virus gets onto your machine, and tries to run... well, guess what, they've still get to get past Comodo or Online Armor before they can do anything, like throw pop-ups, propogate themself throughout the system, etc. By default, both the firewall apps we're mentioning will check every single executable when it runs. Sometimes, this can be annoying, but the protection is well worth it. And once you've gotten everything installed, configured, correctly, you won't hardly notice that either are there. Well, you may notice Comodo more, in my experience, but nonetheless, both are VERY good products.

--

"If to err is human, then I must be some kind of human!" -Me
 
Upvote 0 Downvote
Lance, I agree with what KJV1611 suggested, though I've yet to use either IOBIT Advance System Care or the Glary Utilities, but the rest are installed on my system and I've not had a major malware attack in ages... I also suggest using FireFox with the extension called NoScript, as NoScript will also offer lots of protection from sites that use scripts to inject malware, and it can be individually (per website) tuned...

now to your other questions:

How and why in the world does this happen?
Click to expand...
Some people report to Google or MS, that a site is infected, even though it may not be, it will then get black listed, and the Smart Screen filter will kick in, and block your access... FF uses the Google List and IE the MS one, if I remember correctly...

infected sites, usually do so through a mechanism called JavaScript Injection, with either Comodo (or Online Armor) or JavaScript turned off (or NoScript in FF), this should not happen at all... only draw back with turning JavaScript off, would be that certain websites do not function correctly anymore, until you allow JS again...

and the BEST free AntiMalware out there, is your own head... meaning use common sense, while surfing, do not vistit sites that are known to cause issues (adult sites are well known to be infected, not all but a lot of them)... it would also be prudent to surf with a restricted account, and not with the Admin account, this gives malware less chances to get into the system...


PS: the GOOGLE updater, see if you can uninstall it from the Control Panel Applet... if it is not there, do not worry, it is not dangerous if left in the system...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Upvote 0 Downvote
Thanks for the help. I've always used CCleaner and Glary's Utilities for about a year or so now.

I just want to clarify one last thing. If install one of the Firewalls that you mentioned, and have the Antivirus suggested, do I still need to have a Spyware "real time" protection program running. I have the Pro version of SAS running in real time also? I got it free for advertising it on a blog I use to have, so if I don't use it to monitor then I've lost nothing.

I really appreciate the help. All of my family comes to me to get this crap off of their computers, so I'm going to set it up like you suggest and then write them a check list on what to do when they screw up, lol.
 
Upvote 0 Downvote
If install one of the Firewalls that you mentioned, and have the Antivirus suggested, do I still need to have a Spyware "real time" protection program running.
Click to expand...
that would be a matter of preference in my opinion, I have not used "real time" protection in ages, what I do though is that I scan my computers once a week or every two weeks, with MBAM and AVIRA...

The safest way to surf, would be to either use a VM, e.g. create a XP VM, clone it and surf with the clone, after you are done delete that clone and create a new one, or use a Linux LiveCD (Knoppix) and surf with it, then power off and nothing is left on the PC...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Upvote 0 Downvote
I can agree 100% with Ben on the real time spyware protection and the virtual machines. Of course, I know this with the virtual machines and such, but don't bother, myself. I also don't bother with the limited user accounts. I realize that it's safer that way, but in Windows it seems too much a headache to me - I've yet to try with Windows 7, and have tried very little in XP and Vista. Linux is a different story altogether. I think any Linux distro I've played around with really has the limited/full user privileges deal down pat! If I could ever get around the few things I am lacking on Linux - sometimes hardware, and currently with audio/video editing - then I could see myself going 100% Linux... well, maybe. [smile]

--

"If to err is human, then I must be some kind of human!" -Me
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MrMode
  • Locked
  • Question
Can anyone tell me what to remove with hijack this?
Replies
2
Views
96
MrMode
MrMode
DougP
  • Locked
  • Question
Some kind of Browser hijack, Can't click on anything in Browser
Replies
11
Views
157
goombawaho
goombawaho
electricpete
  • Locked
  • Question
ComboFix log 2
Replies
15
Views
309
electricpete
electricpete
electricpete
  • Locked
  • Question
Rootkit Reveal Log 1
Replies
2
Views
82
goombawaho
goombawaho
TheAceMan1
  • Locked
  • Question
Another HJT Log 2
Replies
5
Views
119
BadBigBen
BadBigBen

Part and Inventory Search

Sponsor

Back
Top