
HELP!!! Hijackthis Log

Discussion in 'Virus & Other Malware Removal' started by jester7378, Mar 12, 2009.

Thread Status:
Not open for further replies.
  1. jester7378

    jester7378 Thread Starter

    Joined:
    Mar 12, 2009
    Messages:
    25
    I'm not sure. After I ran the batch file, I was prompted to hit enter. After I hit enter, some processes ran and the command prompt closed quickly after that. The batch file disappeared. I did not notice any errors. Should I run it again?
     
  2. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Do me a favor, right-click on the file

    Click on Permissions or Security and let me know if it's set to read only. Go ahead and try and delete it by pressing Shift + Delete keys at the same time. Let me know if you get any errors. Thanks.
     
  3. jester7378

    jester7378 Thread Starter

    Joined:
    Mar 12, 2009
    Messages:
    25
    I will have to try tomorrow. I already left my office and I left the laptop there.
     
  4. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Okay, let me know. It's being a stubborn little sucker :mad:
     
  5. jester7378

    jester7378 Thread Starter

    Joined:
    Mar 12, 2009
    Messages:
    25
    Okay...here's the latest in the battle to remove the addon.dat file.

    The file is not set as read only, but it is set as hidden. I deleted the file by pressing shift+delete. It gets rid of it...but then it comes right back.

    I then reran the fix.bat file and I did see 2 errors. The first being that it was unable to change the permissions of the file. The second is that it could not find the file. I figured that it was unable to find the file because it is hidden. I then tried to change the properties of the file by unchecking "hidden." It goes right back to hidden as soon as I exit out of the properties screen. I changed the properties again, but without hitting "okay" to exit out of the properties screen and running the fix.bat file. It worked...but then it came back.

    Arggh!!!
     
  6. jester7378

    jester7378 Thread Starter

    Joined:
    Mar 12, 2009
    Messages:
    25
    I don't know if this might help, but I should've mentioned this earlier. When I boot up my computer, while Windows is starting up (I can see the desktop) I see a window pop up for about 5 seconds and it says that "winroot2 restart."

    Before I can begin work, I have to unplug the network cable from my laptop. I run Malwarebytes to remove the addon.dat file. I run Hijackthis to remove a registry item about "proxy override" (which always shows up) and 2 line items that include "IXP000.TMP\crypted.exe" (which don't always show up). I then have to run services.msc and start a SQL server in order to run an accounting program called Pfx Engagement. This service is set up to automatically start, but I am assuming that this friggin virus is stopping it from starting up.

    Sometimes while I am working, I get error messages, one of which says something about "generic host process for win32 services." Sometimes I also get "windows cannot find IXP000.TMP\crypted.exe."

    I hope this information allows you to help me resolve my issue.
     
  7. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please delete your current version of ComboFix; we need to get a fresh copy.


    Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    Note:
    Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
     
  8. jester7378

    jester7378 Thread Starter

    Joined:
    Mar 12, 2009
    Messages:
    25
    Actually, I think I resolved the problem earlier today. I ran Kaspersky online and it found 3 other hidden trojans that Malwarebytes did not find. I've included the log for that scan. I rebooted my computer in safe mode and deleted those files along with addon.dat. It seems to be running fine since. I ran the ComboFix anyway in case I missed anything. I've attached all the logs.

    Thank you for all of your help. I will definitely be making a donation shortly.

    I will mark off this post as resolved in a couple of days. I just want to make sure that my computer is clean.
     

    Attached Files:

  9. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Good. Any other issues?
     
  10. jester7378

    jester7378 Thread Starter

    Joined:
    Mar 12, 2009
    Messages:
    25
    The only issue I am having now is that the SQL server for Pfx Engagement still does not start automatically (it is set up to start automatically). This issue started when my computer was first infected. I'm not sure my computer is clean or still infected.

    I ran hijackthis again and noticed that the "proxyoverride" is still coming up after I reboot even after I've removed it. Is this something I should be concerned about?
     
  11. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Post a fresh HijackThis log here.
     
  12. jester7378

    jester7378 Thread Starter

    Joined:
    Mar 12, 2009
    Messages:
    25
    Here is the latest hijackthis log
     

    Attached Files:

  13. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.*

    The IP address is a private IP address usually assigned by a wireless router or home router. Do you use a proxy server for work or home?
     
  14. jester7378

    jester7378 Thread Starter

    Joined:
    Mar 12, 2009
    Messages:
    25
    No proxy server at home or at work.
     
  15. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Open IE.
    Click on Tools -> Internet Options -> click on Connections -> click on LAN Settings -> uncheck proxy server if checked. Let me know otherwise. Reboot your computer and post a fresh HijackThis log. Thanks.
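
Added example, not part of the thread or written by either poster: a small triage script for the proxy-related `R` lines of a HijackThis log, like the `ProxyOverride` entry discussed in posts 13 and 15. `ProxyOverride` is the list of addresses that bypass the proxy, so the script separates a bypass list that covers only RFC 1918 private ranges from entries that configure an actual proxy. Only the first sample line comes from the thread; the other two are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# First line is the entry quoted in the thread; the other two are constructed samples.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.*
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.0.113.7:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>;*.example.test
"""

R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
PROXY_VALUES = {"ProxyOverride", "ProxyServer", "AutoConfigURL"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def pattern_is_private(pattern):
    """True if an IPv4 wildcard pattern (e.g. 192.168.1.*) matches only RFC 1918 addresses."""
    octets = pattern.split(".")
    if len(octets) != 4 or not all(o == "*" or o.isdigit() for o in octets):
        return False  # hostname or malformed entry: cannot be judged as an IP range
    try:
        low = ipaddress.ip_address(".".join("0" if o == "*" else o for o in octets))
        high = ipaddress.ip_address(".".join("255" if o == "*" else o for o in octets))
    except ValueError:
        return False
    # Every match lies between low and high, so both ends in one network covers them all.
    return any(low in net and high in net for net in RFC1918)


def triage(log_text):
    """Return (value name, value, verdict) for each proxy-related R line."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m or m["name"].strip() not in PROXY_VALUES:
            continue
        name, value = m["name"].strip(), m["value"].strip()
        if name == "ProxyOverride":
            entries = [e for e in value.split(";") if e]
            other = [e for e in entries if e != "<local>" and not pattern_is_private(e)]
            verdict = ("bypass list, private/local only" if not other
                       else "bypass list, review: " + ";".join(other))
        else:
            verdict = "review: traffic may be routed through " + value
        findings.append((name, value, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```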
     

Short URL to this thread: https://techguy.org/808868
