View Full Version : Hijacked? can't update windows.



fEight
2009-02-17, 07:14
Ok, so I've stumbled onto this site through this post:
http://forums.spybot.info/showthread.php?t=45565
I've done a bit of browsing, and you all seem pretty knowledgeable.
Almost all of the symptoms in that post are similar to mine.

Last night, I lost access to Windows Media Player Library,
File Sharing Services, Firefox and Internet Explorer got hijacked. When I tried to update AVG it wouldn't, so I updated it on my buddy's PC with Vista and their servers were fine. Same with Spybot.

I decided I would take the easy way out and format my PC.
Got through that and finished updating to Service Pack 2 and
got hit with the same hijacker.

I ran countless virus scans; AVG told me it was win32/Heur.
So I formatted again, this time removing both of my external HDDs and disconnecting my Ethernet cord.

Ran AVG and Malwarebytes, got nothing.
Hooked up the Ethernet to update Windows, and Malwarebytes got 19 hits.
Now every time I try to update Windows I get

"Update Failed for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)"

BITS was showing up as infected yesterday on AVG; since my reformat, AVG isn't compatible with my computer as I can't get SP2 (as Windows won't let me update).

Well, that's all I've got, besides my HijackThis log:
_________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:40 PM, on 2/16/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\grcrt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DeskTopSrv] C:\WINDOWS\System32\grcrt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136441110765
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 2525 bytes

fEight
2009-02-18, 03:21
Well, I never figured out the problem,
but my solution was to run Avast on startup
and allow it to delete all of my important system files that were infected,
and then format and reinstall Windows a third time.

So I guess you can call it case closed and close this topic.
Thanks.